In Java, I am building a stand alone web service client that manipulates records in a cloud based CRM by using its SOAP API. I generated my classes using the wsimport utility with WSDLs that all have addresses prefixed with https in the port binding section of the WSDL. Is Java handling behind the scenes all the wire-level security simply because the address is https? If so, how can I confirm that the SOAP message is being encrypted? My code does work, and I have not needed to worry about security until now, because I am developing in a staging environment with temporary passwords.
Thank you for your help!
Putting https in the URL will almost always do the trick. Even if your code is not capable of https, the webserver at the other end will almost never allow you to talk in HTTP when using the HTTPS port. At least, I've never seen one that does.
It's not a 100% guarantee that you'd bet your business on, but it is close.
If the code you write works on any website that does require https, you are the rest of the way there in terms of assurances.
You can confirm the traffic is encrypted by running a traffic analyzer aka packet sniffer.
I am quite new to web services, JAX-WS etc. so maybe noob question...
So, I want to implement a web service to make two systems communicate. The "client" system is interested in events that are generated on the "server" system. But the "client system" is itself a server for a different app. The server is Java (WAR in tomcat). The client is .Net.
There should be just one client system, but several client processes inside the client system, each interested in distinct categories of events.
I will implement the server-side, and a test client. Somebody else will implement the .Net code.
The running sequence should be along this line :
Server is running...
Client initiates conversation, "registers" to the server, and requests some initial data.
Server keeps a list of registered clients' endpoints
In the server there is a listener that is notified when certain events happen. It will then go through the list of registered clients and forwards the event to each of them
At some point, the client can "unregister" no notify the server that it doesn't want to receive events any more.
First, does it sound like something reasonably doable ?
And is there a standard built-in mechanism, using SOAP (JAX-WS on the server, whatever is available with .Net n the client) - that the server can use to obtain a callback endpoint from the client ?
For example, I did something very similar using RMI, in this case the client can just send a remote reference to itself, that the server can just store ant refer to later.
Finally, is there a standard library to store endpoints references, make (collective) callbacks, and maybe keep the list up-to-date, removing the clients that don't respond so some "ping" call ?
Note for clarity : I need more than just asynchronous method with callback: one message from the client will generate many callback messages from server to client.
Seems you wish to implement a notification facility to inform arbitrary anonymous clients.
I suggest you first consider how you would pass the information using SOAP messages. Then you can consider how to achieve this using java - JAX-WS or additional non-standard libraries. The point is there may be significant limitations or assumptions required to transfer SOAP messages. E.g. firewalls might block your HTTP messages, clients might "just clients" with no ability to act in a server role to recieve SOAP notification requests
Note: An async callback mechanism is defined in JAX-WS 2.0, where the service obtains the endpoint reference of the client. This is the same sort of functionality provided by WebLogic/Fusion proprietary solution described by Deepak Bala. Websphere has a similar proprietary async solution. None of these meet your requirements, because they only allow a single response per request.
SOAP Options:
Proprietary SOAP messages - the "100% Do-It-Yourself Option"
You design full SOAP payload schemas and message exchange pattern.
You can push the notification from the server to the client if you know the client's SOAP endpoint address. The client can transfer it's SOAP endpoint address within original SOAP request payload. Sometime later the server can send a SOAP request to the client.
Problems/Assumptions: (1) need a SOAP/HTTP communication path for requests from server-to-client - not guaranteed when firewalls exist; (2) the client needs to be aware of your notification schema - in fact the client needs to act as a Service endpoint to recieve the SOAP notification request. That's two big assumptions IF you are trying to support arbitrary anonymous clients - that's not something SOAP "just supports" both ends need to design all this in detail. In fact to do this in a service typesafe manner, the client should actually declare it's own service WSDL interface so that you can invoke it. (3) As hinted earlier, many clients are "just clients" - they might not have a HTTP server to accept SOAP requests.
So for proprietary "push" notifications to work, both sides need to servers and both need to publish their SOA interfaces.
Alternatively, you can pull the notification to the client. The client can use a notification request to the server that is either blocking or polling. The server can respond with the notification or nothing or error.
Problems/Assumptions: (1) HTTP servers (i.e. the SOAP server) do not support blocking requests, as a rule, meaning you must poll; (2) the client needs to be aware of your notification schema - in fact the client needs to act as a Service endpoint to recieve the SOAP notification request. That's two very big assumptions for an arbitrary anonymous client - that's not something SOAP "just supports" both ends need to design all this in detail. In fact to do this in a service typesafe manner, the client should actually declare it's own service WSDL interface so that you can invoke it.
Same as above, but make include WS-addressing data in SOAP headers to inform either side of the other's endpoint address.
Basically the same Problems/Assumptions as the first option. WS-addressing addresses will help you intelligently route SOAP messages to the right URL address, but no more.
Use WS-notification
This spec was designed for your scenario.
WS-BaseNotification sub-standard would meet your needs. It provides WSDL port definitions for notification producers and consumers. It provides a WS- standards compliant solution for subscription from a consumer to a producer, and a notification from producers to consumers.
Problems/Limitations: (1) It does NOT define the format of notification payloads. The Notification payload is application-domain specific (proprietary design). The standard does not define any “standard” or “built-in” notification situations or messages. (2) It has the same problems with HTTP notifications passing through firewalls as mentioned above.
(3) WS-Notification is not a supported standard of Java EE/JAX-WS (but there are plenty of app servers, open source and commercial, that support it as an extension).
Use a message queuing solution (e.g. JMS) with traffic encapsulated in HTTP
This requires proprietary design of payloads passing between client and server and back - forming contracts between the two sides. An advantage is that the client can be a pure client, with a message listener invoked in a thread when a message is recieved.
Problems/Limitations: (1) It has the same problems with HTTP notifications passing through firewalls as mentioned above. (2) Is a do-it-yourself implementation. (3) Uses more technology then you currently use.
End Result:
You need at least part of your solution to be a proprietary design - the SOAP/WS standards do not meet your full requirements. In theory this proprietary design could leverage a product to provide much of the legwork, BUT the notification schema design would need to be created and integrated by you.
IF you wish to push notifications, you need some sort of contract for notifications passing to the client, the client needs to act as a SOA server, and you need the firewalls openned for your traffic. Most corporations disallow HTTP requests leaving a server and passing to a client - you normally need an extremely good reason to open firewall ports and even then, many corporations will disallow it...
IF you wish to have clients polling for notifications, you just need a basic WSDL interface on the server side that can be called frequently by clients.
Future Option: HTML5 Web Sockets
IF your client is a HTML5 app, then web sockets enabled servers can push traffic to the browser - and there is some chance corporations will open firewalls. SOAP messages could travel over HTTP web sockets, enabling you to push notifications.
Async clients are supported for WSDL based services through the use of polling and callbacks. In your case I think the requirement is relatively more complicated.
The Oracle fusion middleware doc page has a scenario outlined that will help you. It details a method that allows clients to send requests which generate a HTTP 202 (accepted) and the clients then wait for a response on message queues. In your case the scenario can be tweaked from the one shown below.
Initiate several response queues for each category of callback. The clients can filter them by supplying a client and category ID for the queue. This will serve as a callback mechanism for each client or the processes that are governed under each client. The MDB can be backed by a file store or DB store to ensure reliability and one-time delivery.
Of course you do not need Oracle fusionware to implement this. You can use RabbitMQ or Redis (with transactions) to acknowledge receipt of a message on the client. If your client wishes to un-register it make a call and stop listening to the queue.
I'm unaware of any industry standard that will fit your scenario, but I believe this solution should work well for you.
Have you considered the simpler approach of "pub-sub" using a messaging product ?
(Such as MQ, EMS, or ActiveMQ)
The requirements you describe does not seem to fit "classic" request/reply sync/async SOAP Web Service scenarios.
In a Pub/Sub solution, the client(s) subscribe to a topic once, and the publisher(s) (in your case, the Server) can post any number of relevant messages to all subscribers.
As a bonus, most messaging products include support for "durable subscribers", so the client can be off-line at times and receive all messages after re-connection.
In your case, the server could house a (free) ActiveMQ Server... Providing most of the feature you seem to seek.
If you go that way, I suggest you pick a JMS compliant product with support for .Net.
For those getting here from search engines:
You can use a WebHook for Web APIs nowadays, which works essentially as OP described.
In REST for example, the client will have an HTTP endpoint itself that is dedicated to receiving POST events/notifications from the actual server. The client registers his endpoint with the actual server by giving it an URI on his notification endpoint. From that point on, the actual server can POST to the client’s notification endpoint. It is essentially a convoluted callback, if you are familiar with async terminology.
Maybe Java or .Net have libraries for WebHooks by now.
That said, SSE and Websockets standards provide actual push and real-time messages while being compatible with HTTP and most browsers.
Long polling variations were also used in the past, and are now sometimes called Comet as an aggregate.
I currently have an TCP Java socket communication implementation in which I have a server that is listening to a port (let's say port 5478). Then I need an Android client to remotely connect to the Java server and send a SQL query, than will then be executed on the server side database and then I want to send a list of results back to the Android client (already implemented with a custom Java class named Result that implements Serializable). I do this by sending an ArrayList of Result to the Android client. The Java server is always listening to the port and supports multiple clients trough multiple Threads. How can I migrate this implementation to a more secure platform and what is the best way to do it? I don't need to respect HTTP protocol to afford this communication. Is Tomcat the best solution?
Thanks
I would use Servlet3.0 as part of tomcat.
Then from android you just have to send http requests to the server using a URL and the servlet can database them. You can also serialize the data as well if you need to.
I hope that answers your question.
~ Dan
//EDIT:
Once you have set up eclipse and tomcat, you can start writing servlets. First - you have to configure the server to use servlets for certain addresses, for example localhost:8080/myServlet - that means that anything you send to local host triggers the servlet. The code for your first servelet looks like this:
public class ExampServlet extends HttpServlet {
public void doPost(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException
{
Your doPost method is what gets called when you perform a http post request on the address the servlet is listening on. Then, all you have to do it put some code in to read the request to get the data out of the message body. Basically you read your request object that gets passed in, and you write to your response object to send the response back to the client. There are plenty of guides out there. I followed something like this to get started:
http://www.coreservlets.com/Apache-Tomcat-Tutorial/tomcat-7-with-eclipse.html
Hope that helps :)
~ Dan
Tomcat is an Servlet container + webserver. If you plan to move to tomcat then you are implicitly moving to http. And yes, if you want a secure communication .. you can create a soap based webservice(apache axis) and host it on https.
I'm not sure how mutch additional security tomcat is able to provide for your application. Two tings come to mind:
Enforcing authentication and some access rules. This is not too hart to implement and heavily depends on the rule quality. However it may help f you use it. It's often replaced by own imlpementations. However, to get securty you need encryption i.e. https. Or it's possible to steel the session and gain the rights bound to it.
Request to file mapping. This in fact somewhat more complicated. You shouldn't code this on your own. It's more complicated than it looks at first sight.
However, one of the biggest security wholes ever is directly executing code you got from somewhere. For example SQL statements. Ok it's secure as long as your databse rights are set perfectly...
Developing a securly encrypted protocol is not simple either.
However, the major win on switching to tomcat (or whatever) might be scaleability for free. And I think implementing servlets is much simpler than programming against sockets. And there are many great to tools fo working with http(s) though ven it might be more complicated than yours, it's pretty simple to deal with.
Unfortunately I can't answer our question. I don't know what's the best solution is. But I think there's at least some potential for wins.
I have a third party server that is periodically sending http post request messages to an URL(can be configured). In my application I am reading data by starting a jetty server and listening for data on the configured URL.
Wondering if it is possible to listen for the data sent by the server without starting any server like the jetty?
You can always create a socket yourself and listen at port 80 (or something similar) for HTTP requests. See http://download.oracle.com/javase/6/docs/api/java/net/ServerSocket.html
But there are several problems: Theres a lot of overhead that you need to do yourself. Parse the HTTP request, extract the headers and the body and depending on the headers you need to do certain things like caching, authentication, etc. And that's a lot of stuff you need to implement. Using an existing web server is usually a better idea, since the people who wrote it (usually) know exactly what they are doing.
Another option is the Apache HttpCore library (http://hc.apache.org/httpcomponents-core-ga/index.html). You can use it to write your own Http Server... But again, there's still a lot of stuff you need to take care of ...
If you want to do it for learning purposes, go ahead and implement it yourself. When it is for production, stick with the commonly used web servers.
I have the following requirement:
I need to create a socket server that listens fro incoming requests. The socket clients are written in C. The clients send JSON data.
The client input needs to be redirected to different sources. for example there might be a need to call an internal or external web service(SOAP, JAX-WS).
My question is, what is the best way to achieve such a communication?
I would implement the redirecting service as an observer and notify him when your observable (the socket server that listens) is called. If you're not familiar with that pattern, have a look at http://en.wikipedia.org/wiki/Observer_pattern. You basically keep up the information flow by pushing your information further down the chain of processes instead of pulling it actively by your redirecting service.
I hope you didn't need any help with the SOAP, JAX-WS stuff - your requirement doesn't change anything compared to the way you would normally implement such a service. (If you're as lazy as me, go with the wsimport commandline application ^^)