Webservice without public WSDL is an anti pattern? - web-services

I had an endless argument with a friend recently. Our company exposes web services endpoints without their WSDL. WSDLs are hidden inside the system.
Some colleague say "it's better for the security". I say WHAAAAT ?
Another argument is "You don't need to expose the WSDL, because it is only used at development time".
So basically they say that when someone consume our web service, there is always a time where you pass the WSDL by email, in order to let them build a client. Once you are in prod, the WSDL is no longer used.
So, please, tell me I'm right. Tell me that when you expose a service to the outside world, you MUST expose the contract with the endpoint. It's THE RULE. talking about development is irrelevant here, right ?
My friend says that I'm biased because I wrote a dynamic gateway, so I need the WSDL at runtime, and this kind of scenario is very rare.
What really pisses me off in all of this is that the WSDL is considered as the .lib and .h of a .DLL or .SO, it's "just a thing required at development time".
I don't know what it is for CORBA and IDL... Does the IDL was exposed to the public at runtime ?
So, what is the right thing here ? I'm lost. The client is intended to receive the WSDL at runtime right ? Or not ? It should perform some kind of validation at runtime right ?

You are wrong. Making a good interface can take a lot of effort, years of experience, and the WSDL is a very detailed description of the service. If that is a secret, so be it. As authentication might be included, there is also a potential security issue.
I would like to argue that you should NEVER download the WSDL from a service if you can get the original instead. The online WSDLs are sometimes generated by the SOAP framework and things documentation will often not be included. Furthermore the endpoint address should always be explicitly set, never use the value which might be included in the WSDL.
In fact the right way to communicate the service definiton is not only a well-defined set of WSDL / XSDs but also with concrete request/response examples in including error responses.
Relying on downloading a WSDL to bootstrap your service is a receipt for disaster (if this stops your app from starting).

Related

Best practice: WebLogic SOAP service -- should WSDL be visible?

I am going to deploy a SOAP web service on a WebLogic server.
The endpoint of the service is something like:
http://myserver.mycompany.com:1234/MyService-0.0.1-SNAPSHOT/MyServiceService
However, if (using a browser), I navigate to either
http://myserver.mycompany.com:1234/MyService-0.0.1-SNAPSHOT/MyServiceService?WSDL
-- or --
http://myserver.mycompany.com:1234/MyService-0.0.1-SNAPSHOT/MyServiceService?xsd=1
I can see the WSDL or schema file, respectively, for the service.
My group does not deploy a lot of web services (we're a back-office group and use Oracle Middleware to automate what little services we do provide), so a question has come up regarding whether exposing the WSDL file and schema file is "best practice".
Is it OK for these files to be visible, or should access to them be shutdown somehow? Conversely, is it even possible to restrict access to them, or would that interfere with clients trying to access the service?
This is an old question, but anyway.
It depends, but in my projects it was considered a bad practice to do so. You should always do Contract first, don't base your WSDL on your code or most likely you will end up with a WSDL that is somehow dependent on the programming language used for the implementation.
I don't know how Weblogic behaves but I remember that Jboss (5) used to generate the WSDL from the code any way and serve that. Even when we did Contract (WSDL) first development. So you would end up with little differences in these WSDLs which may cause problems. Exchange of the WSDL and the XML Schema files should be done by other means. It is possible to restrict access to any URI on Weblogic.
Another aspect is, that if you don't remove these, we found the developers on the clientside will start pointing their development-tools and implementation to these endpoints to get the WSDLs. This will most likely also cause problems and at least (a lot) unnecessary downloads of these files. As most frameworks will (need to) read the WSDL every time they instantiate the client-code. By not providing these endpoints, you keep the clients from these bad practices.

Does the existence of a .wsdl file mean files must be generated?

When I'm tasked with dealing with connecting to web services, I've always found the appropriate .wsdl file, ran WSDL2Java.bat, and incorporated those Java files into my Java project. Then I've successfully completed my project that needs to access data via web services.
My question is, are there other ways to use the .wsdl file to access web services? ( I'm not talking about creating classes for different languages ). For example, I have documentation describing one company's web services. The examples it shows in it's documentation are essentially dumps of HTTP Post requests. Is this "web services"? It looks to me that the .wsdl file is merely used as a reference to make the correct Post requests. I could just make text templates and plug in the right values, and send them out, right? I really feel like I'm missing something here.
Am I a web-services illiterati?
To call a SOAP web service over HTTP you just need to send it a properly formatted XML with a POST request. That's it! How you build the request is irrelevant as long as it conforms to the SOAP protocol and the payload corresponds to a proper web service operation that exists on the particular web service you are calling.
But how do you know how to build the proper payload?
The web service needs to have some sort of documentation otherwise you don't know what to put inside the XML. The documentation can be whatever you like as long as people can use it to build valid requests. WSDL fits this criteria but has an extra advantage: you can feed it to a tool that generates code. That code knows how to handle all the SOAP details and exposes objects and methods to your application.
What would you prefer? Generating code from the WSDL in a few minutes and be able to call whatever operation on the web service or, build the requests and parse the responses by hand and spend hours or days doing so. What would your boss or company prefer? :)
It looks to me that the .wsdl file is merely used as a reference to make the correct Post requests. I could just make text templates and plug in the right values, and send them out, right?
Right! But you also have to consider your productivity as an employee in one case as opposed to the other.

Is it mandatory to have a WSDL definition accessible using ?wsdl?

Is it mandated by any standard that a web service should provide a WSDL by appending ?wsdl to the endpoint address?
Is it OK if the WSDL is hosted at a different URL (without appending ?wsdl)?
For example:
Endpoint: http://abc.xyz.com/MyService
WSDL: http://abc.xyz.com/MyServiceDefinition.pqr
Note that I'm even using a different extension for the WSDL definition.
Does using this approach violate any standards or one can host the thing the way they want?
Is it mandatory to have a WSDL definition accessible using ?wsdl?
No, it's not.
A WSDL is used to describe a web service contract and is provided because it allows tools to automate generation of client stub code for calling the specified web service. Exposing the WSDL at the same location as the web service with ?wsdl appended to it is just very handy and that's the convention everybody uses.
People and tools look for the WSDL at that location and frameworks automatically expose it at that location but it's just a convention. As to my knowledge this isn't specified in any specification (or at least none that I could find).
Sometimes though you don't want to provide a WSDL that everybody can look at and try to create a client because it's a private web service and you only want to give access to your partners, not to everybody. At that point you can disallow the ?wsdl URL and provide the WSDL only to your partners by using an alternative channel. You can even e-mail it if you don't want it exposed online.
So you can choose whatever channel to expose it. Just remember that because people and tools are following this convention they are used to see it there and some (poorly written) tools might choke in a different extension, for example.
P.S. One other thing I wanted to mention - which isn't strictly related to this answer but kinda reinforces the convention - is the new ?singleWsdl option in WCF 4.5.
WCF, as most other tools, exposes the WSDL at the ?wsdl address but uses xsd:import statements with external schemas. Some frameworks were not able to process WSDL with imported dependencies so people started to write customizations over WCF to have a flat WSDL exposed, so much so that in the latest version of WCF Microsoft decided to add this feature out of the box.
But for backward compatibility they needed to keep the ?wsdl endpoint as it was (returning a WSDL document with xsd:import statements inside) and were forced to add a new query parameter for the flat WSDL: ?singleWsdl. I'm sure this idea will be picked up by other web service vendors and providers as well.
No, Its not mandatory to have ?wsdl access, but its recommended way.
Its worth noting that most clients will try to append "?wsdl" to your URL and will try to access WSDL file, Hence its highly recommended to setup it.

SharePoint services WSDL specification

What is the reason why hitting, for example, http:///_vti_bin/UserGroup.asmx?wsdl gives me a not full wsdl specification (if compared with http://msdn.microsoft.com/en-us/library/dd965659%28v=office.12%29.aspx)?
What I mean about not full: it does not contain some of complex types definition, e.g. User (unlike the full one), so this types are no generated by the wsdl.exe.
I have a question in regard of this: is it safe to generate c# web service stub basing on specification from MSDN or this approach is dangerous due to possible changes in contract?
For your first question as to the WSDL not being the same: it really should be equivalent and contain all the types! Whenever you append /_vti_bin/UserGroup.asmx?wsdl to your site's URL, SharePoint should definitely display the FULL WSDL, including the complex type definitions, etc. I just tried it now against my own SharePoint instance and the WSDL returned from http:// mysite.com/ ...snip... /pierre/_vti_bin/UserGroup.asmx?wsdl is pretty much the same size as the one from http://msdn.microsoft.com/en-us/library/dd965659%28v=office.12%29.aspx and a quick check to make sure complex types are in both places confirm that.
To answer your second question: I think you should NOT create your Web Service stubs and skeletons based on the WSDL in the documentation. Instead use the WSDL returned from your site. If you're not getting all the complex types in the WSDL returned from SharePoint, you should fix that issue first.
First thing I would try: download SOAPui (free) and simply plugin the URL that ends with ?wsdl and create sample requests. Maybe you'll run into access issues (UAG or other) but at least you'll know that the WSDL is well formed. If SOAPui can generate the client code based on the WSDL, you can too (using wsdl2java or the wsdl2dotnet equivalent; I can't remember the name of the .net version).
And yes, it's dangerous to copy the WSDL from the docs but I'd be more worried about some things being abbreviated or documentation going stale, etc.
As for the contract changing, I'm using the UserGroup.asmx?wsdl endpoint since 2009 and it still works on newer versions of SharePoint (even after the upgrade to SP2010). And I'm using java as the client code. Microsoft really nailed the Web Services in SharePoint, it was surprisingly easy to integrate our java stack and make calls to/from the SharePoint web services. And it was also very inter-operable with the other tools we use to test Web Services like SOAPui, etc.

How should I compensate for a bad WSDL?

I've come across several examples of SOAP-based web services where automated tooling fails to build a client that works.
Investigating these examples leads me to believe that the WSDL the service uses to describe itself doesn't quite match the service that's being provided. Maybe a wrong type somewhere, a different data structure - something.
I'm unsure what the most appropriate response is - if we assume that the obvious one (get the provider to fix their stuff) isn't available.
Some options I can think of:
Make a fixed WSDL?
Hack the generated code?
Any other options?
No good options?
What good experiences have people had? What works in a real environment?
Thanks
I'd try for the first option, make a fixed wsdl. If that doesn't work then you could fall back on hacking the generated code.
Of course if the service is radically different from the WSDL you might not have much luck with those 2 options.
If you're lucky there's another way. Some web service frameworks support returning a dynamically generated WSDL.
I know with an AXIS 1.4 service you can do a GET on the service url + '?WSDL' and get back a dynamically generated WSDL.
e.g. http://foo.com/service/?WSDL
First I would try to confirm if the tool created a correct binding for the WSDL. If the WSDL is correct and the tool generates bad bindings which do not result in correct SOAP request / response processing, the tool author might provide a fix or a workaround.