In lightweight SOAs I've seen many designs that have a Web Server receive Client requests and send responses that are dependent upon responses from other services. I've also seen this done incorrectly, resulting in unacceptable latency issues.
For Example:
Assume:
We have 1 Web API Server and 1 Service A API.
Web Server performs basic User Auth and other User functionality.
Service A performs database operations.
ZeroMQ (ZMQ, 0MQ, etc.) REQ/RES used for service messaging
Work Flow:
Client makes request to Web API Server API.
Web Server performs database operations (auth etc).
Web Server makes request to Service A API.
Service A performs database operations.
Service A responds with data to Web Server.
Web Server receives response and sends response to client.
This pattern is different from the typical offline message queue processing work flow. It also includes a request to a single service (A).
While trying to maintain separate system services, is this a correct usage pattern with ZeroMQ?
I'm trying to figure out if ZeroMQ can be used to make service requests and send the results to client web service requests without significant performance issues.
Related
I need to build some web services in a WebLogic application server. This server lies between a mobile app and Oracle ERP. Basically, after the mobile app "login" to the Oracle ERP via a web service call on the application server, a session should be maintained on the application server. One reason is this:
Every time a web service is called by the mobile app, it needs to return a random challenge token. This is a requirement by our internal security. Within the same session, when the same mobile app calls the same web service (or a different web service) on the application server, it needs to pass the challenge token that it received previously. The application server will then have to check that the token is the same one that it returned previously to the mobile client.
We have discussed using JAX-RS for communication between the mobile app and the web services. However, I have read that JAX-RS is supposed to be stateless. In this case, how can I maintain a session such that the application knows the challenge token that it returned to a client previously? There is no database for the application, by the way. Normally a web application can just save the challenge token to a session object, but how do you do so for a web service?
If JAX-RS cannot maintain session, then what about JAX-WS?
Thanks.
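The challenge-token scheme described in this question, sketched as an added example (not code from the original post, and in Python rather than JAX-RS): the server keeps one expected token per session in memory, checks the presented token in constant time, and rotates it on every call. `ChallengeStore`, its method names and the TTL are hypothetical; the client is assumed to send its session identifier with each request.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """In-memory per-session challenge tokens (no database, as in the question)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._sessions = {}  # session_id -> (expected_token, expiry)

    def login(self):
        """Call after the ERP login succeeds; returns (session_id, first_token)."""
        session_id = secrets.token_urlsafe(32)
        return session_id, self._issue(session_id)

    def _issue(self, session_id):
        token = secrets.token_urlsafe(32)  # CSPRNG, never random.random()
        self._sessions[session_id] = (token, self._clock() + self._ttl)
        return token

    def verify_and_rotate(self, session_id, presented):
        """Return the next token if `presented` matches, else None.

        The stored token is consumed on every attempt, so a replayed or
        guessed token ends the session and the client has to log in again.
        """
        entry = self._sessions.pop(session_id, None)
        if entry is None:
            return None
        expected, expiry = entry
        if self._clock() > expiry:
            return None
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return None
        return self._issue(session_id)
```

With more than one application server node, the dictionary would have to live in a shared store, since the next call may land on a different node.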
Is it possible to block connections to a web service (server) from outside its domain?
For example, consider a web app that fetches data from Twitter's API using Twitter's "application only auth". The web app's client uses AJAX to call its own server, which in turn calls Twitter's API with Twitter's token.
While the token is never exposed to the client-side code, is there anything to stop an outside server-side app from calling the web app's server using the URLs used by the client and, for example, exhausting the Twitter token's rate limits?
Is it possible to block connections to a web service (server) from outside its domain?
Certainly. Set your web server's access control lists to drop connections from outside of your IP range. Alternately, install a firewall. That's very straightforward, but I suspect you mean something else by "outside its domain?"
From your description, you seem to be really asking whether you can verify that you're only talking to your own client application. As a general rule, no. You can authenticate users. That's easy. If the user isn't logged in and authorized to use your service, you don't forward requests to Twitter. But you can't authenticate applications.
If you're going to accept any user who shows up, you can't stop them from using whatever client they want. There is no way to ensure that it is your unmodified client if you've allowed it to be run on their machine. They can always modify it, and they can always send you arbitrary traffic from other programs and you can't tell the difference. On the network, bytes are bytes.
It's not all hopeless; there are things you can do. See https://stackoverflow.com/a/9183066/97337 for another version of this question, and links to several other versions of the question. (They're not exactly duplicates in how they're asked, but they all wind up being basically the same answer.)
You should secure your web service with user and password security or certificate security. The basic idea is that the web service client must authenticate in order to call your web service.
Here are some techniques (there are others or variations):
1) HTTP basic authentication and HTTPS
2) Mutual SSL authentication - Also called two-way authentication, this is a process in which both entities authenticate with each other. The server presents a certificate to the client and the client presents a certificate to the server.
3) With SOAP web services you can use the WS-Security standard.
4) OAuth framework
5) With REST services you can use options 1), 2), 4). Or implement one on your own. These are good recommendations.
As you can see, there are a lot of ways to secure a web service.
I wish to create a one way integration between a system that can only send SOAP requests and a system that can only respond to REST requests. I know very little about web services as it is not my specialty. But the source system can be configured to send a SOAP request to any WSDL and the 'destination' system has a REST API and provides me with a simple URL to which I can send requests to 'trigger' an event.
I would have thought it would be simple to find some web service that can receive the SOAP requests from the source system, which would be a simple request to send a REST request to the destination system.
Like some sort of intermediary, not actually converting the requests directly but forming a similar function. Is there anything that can do this?
I built a web service using SOAP. Can I consume that service in another application using REST services, that is, by using GET or POST HTTP methods?
Likewise, can I consume a service using SOAP that is built using REST?
Both REST and SOAP protocols are published and consumed over HTTP. SOAP adds a layer on top of it for encoding data, that is not used on REST services nor clients.
So, for SOAP services use a SOAP client, and for REST services use a REST client. However, if you need to integrate different types of services, you could build an app that has both REST and SOAP clients, and publishes the result either as a SOAP service, a REST service, or both.
To casify a web service, I am planning to follow the following:
I have an application that makes requests to a web service; the web service will only serve the client if the application passes a valid ticket string.
The Java application sends a username/password combination to the CAS server using the RESTful API.
The CAS server replies with a ticket on successful authentication.
The application sends the ticket to my web service and asks for some data.
The web service receives the ticket and sends the ticket to the CAS server to validate it.
If the CAS server returns a username or any kind of message that confirms the validity of the ticket, the web service replies back to the application with a response to fulfill the application request.
The CAS server is returning the ticket to the application, the application posts the ticket string to the web service, and the web server accepts the ticket string. Now how do I send the ticket to the CAS server for validation? Any ideas? Also, is there any better way to casify the web service?
I tried to draw what I want to achieve:
Since this is a Java-based application, you can use the filters that are available with CAS to do the validation and authentication.
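What the ticket validation step looks like at the protocol level, as an added example that is not part of the original answer or the CAS client filters: the web service sends the ticket to the CAS server's `/serviceValidate` endpoint (CAS protocol 2.0) and reads the username from the XML reply. The function names, host names, ticket value and sample responses are constructed for illustration; the `service` URL must be the same one the ticket was requested for.

```python
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0 replies


def validation_url(cas_base, service_url, ticket):
    """Build the /serviceValidate URL the web service would GET."""
    if not cas_base.startswith("https://"):
        raise ValueError("CAS server must be reached over HTTPS")
    query = urllib.parse.urlencode({"service": service_url, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query


def parse_validation(xml_text):
    """Return the authenticated username, or None if the ticket was rejected."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None  # refuse DTDs and entities instead of parsing them
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        return None
    # Only an authenticationSuccess element with a non-empty user counts.
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()


# Constructed sample replies in the CAS 2.0 response format.
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

The web service should treat anything other than a returned username (failure element, malformed XML, network error) as an unauthenticated request.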