data transport

[Lew]

Security = authentication + confidentiality + integrity

* Authentication: use a shared secret, digital signatures or whatever
is appropriate to your situation.

* Confidentiality: let HTTPS take care of that.

* Integrity: Use a hash, signed if needed.

Just some random thoughts. Bear in mind that Usenet advice is often only
worth what you pay for it

Non-repudiability.

 

[Daniel Pitts]

Begging the question: placing the conclusion as the premise of the argument.

"If the two messages are equivalent" is the point at issue, isn't it?

I was only giving things that could be measured against the format of
a message. I wasn't arguing for any side or another.

Also, the messages being equivalent doesn't imply anything about the
format the messages are in.

 

[Lew]

Also, the messages being equivalent doesn't imply anything about the
format the messages are in.

I was speaking to non-equivalence of the formats. That was the point.
Responses to the argument that sidestep that point miss the point.

My point is that using XML and SOAP as the transport mechanism for
interprocess communication gives advantages that the OP might have overlooked,
or that others facing the same issue might overlook. To dismiss these formats
because they are "bloated" misses the issue of what that "bloat" cost earns in
return. Likewise to issue an unsupported claim that they're somehow too
complicated to use misses the point that they really are not too complicated,
when compared to custom solutions that have to handle the same issues.
Usually the custom solutions are at least as complicated, and much buggier,
than the standards available through more thoroughly-tested third-party
libraries, most of which in this case are free of monetary license fees.

The differences in format are precisely the differences that matter, in this
analysis. Calling the content "equivalent" is a straw-man argument against a
proposal regarding format differences.

 

[Daniel Pitts]

I was speaking to non-equivalence of the formats. That was the point.
Responses to the argument that sidestep that point miss the point.

My point is that using XML and SOAP as the transport mechanism for
interprocess communication gives advantages that the OP might have overlooked,
or that others facing the same issue might overlook. To dismiss these formats
because they are "bloated" misses the issue of what that "bloat" cost earns in
return. Likewise to issue an unsupported claim that they're somehow too
complicated to use misses the point that they really are not too complicated,
when compared to custom solutions that have to handle the same issues.
Usually the custom solutions are at least as complicated, and much buggier,
than the standards available through more thoroughly-tested third-party
libraries, most of which in this case are free of monetary license fees.

The differences in format are precisely the differences that matter, in this
analysis. Calling the content "equivalent" is a straw-man argument against a
proposal regarding format differences.

And my point was that while the *message* (payload) contains
equivalent information, the *format* (structure) can have different
abilities. It was the same argument you made, just phrased
differently.

 

[Lew]

And my point was that while the *message* (payload) contains
equivalent information, the *format* (structure) can have different
abilities. It was the same argument you made, just phrased
differently.

Oh, I see. In that case, you make a very good point.

Sorry for the misunderstanding.

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

There is an ambiguity. Which did he mean?

1. pass must less useful information over the wire in a given time.

1. pass fewer bits over the wire to express the same message.

If there is an ambiguity then it is good manners to assume
it being the correct !

And not "Huh?" it.

Especially when the correct interpretation seems much more
likely considering the context.

It is very rude to slam people for your far out interpretation
of what they posted.

Arne

PS: I am pretty sure that you just misread what you commented
on and just don't have the character to admit it, but if
you prefer to be considered rude instead of admitting to
miss a type of double negation, then fine.

 

[Guest]

If it takes twice as many bits to send a message, but the format is
three times as useful, what's the balance sheet?

I think useful is a rather meaningless term in this context.

Arne

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

Possibly in flexibility, scalability, extensibility, and backward
compatibility. Along with a lot of other 'bilities not otherwise
listed

What about bullshitability ?



XML is a subset of binary formats so can not be more flexible.

Both binary formats and XML should scale linear.

And I do not see any difference in extensibility and backward
compatibility.

The main benefits I see with XML is:
- library & tool support, you don't need to write the code
somebody else already have
- interoperability, it does not matter if it Java on Windows/x86
or COBOL on z/OS / zSeries

For some types of XML you could add readability by humands, but
web services XML does not really fullfill that !

Arne

an IBM

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

My question remains, though. The use of a heavy weight wire
format like XML and an equally heavy weight, inelegant infrastructure
like Web Services requires more defense than "It's a standard."
Lighter weight, more efficient solutions are available and should be
considered.

In some contexts "standard" is by far the most important criteria.

A number of companies that I've worked with use Web Services to
expose interfaces outside their firewalls, but use technologies like
Jini internally. In practice that approach provides significant
benefits, including addressing all the NFRs ("ilities") mentioned by
Mr. Pitts.

Web services are certainly not a good solution for all scenarios.

But they have their place.

Arne

 

[Guest]

My point is that using XML and SOAP as the transport mechanism for
interprocess communication gives advantages that the OP might have
overlooked, or that others facing the same issue might overlook. To
dismiss these formats because they are "bloated" misses the issue of
what that "bloat" cost earns in return. Likewise to issue an
unsupported claim that they're somehow too complicated to use misses the
point that they really are not too complicated, when compared to custom
solutions that have to handle the same issues. Usually the custom
solutions are at least as complicated, and much buggier, than the
standards available through more thoroughly-tested third-party
libraries, most of which in this case are free of monetary license fees.

Web services has somehow gotten the reputation of being complex
in the Java world.

Not very justified in my opinion.

In a J2EE 1.4 and higher app server you just add a few lines
to a deployment descriptor and voila a web services is created.

In Axis 1.x you just rename a class file from .java to .jws and
sump it into the Axis web app and voila it is a web service.

Ofcourse if people start wanting to write and read XML manually
it soon becomes complex.

But they should not.

Arne

 

[=?ISO-8859-1?Q?Arne_Vajh=F8j?=]

Most of the time the nested structure of XML is not being used. You
are just sending identical rows of data. You might as well be using
SQL, CSV or a fixed binary format.

XML does not pay until you turn on nesting, multiple values per field
or you only specify a few of many possible fields.

I disagree.

The tools support is much better for XML than for CSV.

XML is not so painful now that parsing is built in to the JRE.
Previously, you had the overhead of having to download the
parsing class library too even for a tiny XML file.

That is mostly an applet problem.

The overhead by adding Xerces to a server app was minimal
(not to mention that J2EE servers already came with it bundled).

Arne

 

[RedGrittyBrick]

Web services has somehow gotten the reputation of being complex
in the Java world.

Not very justified in my opinion.

In a J2EE 1.4 and higher app server you just add a few lines
to a deployment descriptor and voila a web services is created.

In Axis 1.x you just rename a class file from .java to .jws and
sump it into the Axis web app and voila it is a web service.

Ofcourse if people start wanting to write and read XML manually
it soon becomes complex.

But they should not.

I think you're describing developing a web service given a certain
toolset that implements the standards.

The standards themselves *are* complex. The set of Java classes that
implement those standards *do* form a quite large and complex API.




My irritation with Web-services in Java is from implementing JSE clients
not JEE servers. For this the developer toolset seems much more complex.

* There isn't a set of web-service classes for clients included in JSE
1.6 (AFAIK).

* Hence you have to evaluate and select a toolkit to use. I found this
non trivial. Axis, XFire/CXF, ...

* As soon as you want to use something like WS-Security with PKCS12
files, I find things get more complex for the developer. WSS4J, ...

* Because what is going on under the covers is so complex, it can be
quite difficult to debug client/server interoperability issues.


Using web-services should give you significant benefits but in many
cases it does not. A small change to the interface will result in a new
WSDL or whatever and your old server or old client will not simply
ignore a new extraneous XML element received. This may be a good thing
but it makes it harder to build in flexibility and backwards-compatibility.

Part of the problem with CSV (say) is having both ends agree on the
implicit meaning of the columns. The tagnames in XML should overcome
that issue but in practice they do not. Inserting a new column in CSV
requires that both ends definition be updated. Inserting a new element
in XML also, in practice, seems to require that both ends are given an
updated XSD, WSDL or other definition and rebuilt. XML ought to be more
self explanatory than CSV (or JSON) but in practice it is equally
useless without an external definition in XSD or some other form.

Oh dear, I seem to have worked myself up into an anti-web-services rant.
I'd better stop here

 

[Patrick May]

I think you're describing developing a web service given a certain
toolset that implements the standards.

The standards themselves *are* complex. The set of Java classes that
implement those standards *do* form a quite large and complex API. [ . . . ]
* Because what is going on under the covers is so complex, it can be
quite difficult to debug client/server interoperability issues.

This is a very important point. Complexity has a significant
cost.

Using web-services should give you significant benefits but in many
cases it does not.

[ More excellent points elided. ]

Oh dear, I seem to have worked myself up into an anti-web-services
rant. I'd better stop here

I'll take a turn, then. ;-)

I was discussing the ridiculous complexity of the WS death star
with a woman who was involved in several of the "standards". I
suggested that the WS-* teams would have produced a better quality
product if they'd followed the IETF process of requiring at least two
independent and interoperable implementations for any standard to be
approved. Implementation has a way of reducing unnecessary complexity
that is completely lacking when the only output required is a
document. Her response was "Don't worry about the complexity, there
will be tools to hide that."

This is broken on multiple levels. First, it amounts to a near
complete abdication of responsibility. Waving the magic wand of tool
support merely pushes the real work off to someone else. Second, it
is an admission of failure. If significant tool support is required
simply to use the technology then either the correct abstractions have
not been found or (inclusive) the underlying language(s) are
insufficiently expressive for the problem domain. In the case of Web
Services, I suspect both are true.

We need to be able to manage complexity, not just "hide" it
behind black box tools. Failure to do so results in exactly the
issues identified by Mr. Brick, of which difficulty in debugging is
just the tip of the iceberg.

The WS-* suite is a teetering edifice of components that range
from the gratuitously heavyweight through the poorly thought out to
the utterly unproven. If you can keep your balance long enough to
stand at the top, you'll hear the chaotic winds at the edge of
manageable complexity. Stay there too long and you'll realize you've
gone past that edge.

Regards,

Patrick

 

[Guest]

I think you're describing developing a web service given a certain
toolset that implements the standards.

The standards themselves *are* complex. The set of Java classes that
implement those standards *do* form a quite large and complex API.

Yes.

Using web service toolkits are simple.

Creating one is work - a lot of work !

My irritation with Web-services in Java is from implementing JSE clients
not JEE servers. For this the developer toolset seems much more complex.

Is it ?

You give your IDE the URL of the WSDL, it generates a stub class
and you call that.

JBuilder, Eclipse, Visual Studio etc..

* There isn't a set of web-service classes for clients included in JSE
1.6 (AFAIK).

I thought WS client support was in 1.6 as well.

* Hence you have to evaluate and select a toolkit to use. I found this
non trivial. Axis, XFire/CXF, ...

We like Java because we have choices.

We hate Java because we have choices.

* As soon as you want to use something like WS-Security with PKCS12
files, I find things get more complex for the developer. WSS4J, ...

True.

But I do not consider it surprisingly that doing complex stuff becomes
complex.

Using web-services should give you significant benefits but in many
cases it does not. A small change to the interface will result in a new
WSDL or whatever and your old server or old client will not simply
ignore a new extraneous XML element received. This may be a good thing
but it makes it harder to build in flexibility and backwards-compatibility.

Part of the problem with CSV (say) is having both ends agree on the
implicit meaning of the columns. The tagnames in XML should overcome
that issue but in practice they do not. Inserting a new column in CSV
requires that both ends definition be updated. Inserting a new element
in XML also, in practice, seems to require that both ends are given an
updated XSD, WSDL or other definition and rebuilt. XML ought to be more
self explanatory than CSV (or JSON) but in practice it is equally
useless without an external definition in XSD or some other form.

For CSV you need to modify the code.

For XML you just need to rebuild (whicg regenerates the stub).

And there are versioning patterns that can be used to reduce
the problem.

Arne

 

[Lew]

But I do not consider it surprisingly that doing complex stuff becomes
complex.

I agree wholeheartedly - it's why we have jobs, after all - but OTOH it's hard
not to sympathize with the urge to leaner, more elegant code and protocols.

XML has its own elegance, considering for example that as a protocol it's
utterly semantically void, and certainly its costs. Not every XML dialect
(what old-time SGMLers style "XML languages" and I (very) loosely call
"schemas") is equally well designed. Unquestionably XML carries more bits per
message than most custom, certainly most binary protocols.

The hybrid approach mentioned upthread is very promising. This posits a lean
protocol "inside" where one controlls the software, and XML (SOAP) as the
/lingua franca/ for "outside" communication.

It seems smart to balance the protocols like that, considering the overhead of
managing two approaches. If an organization discovers later that the XML
approach buys advantages that even benefit the intranet, they could switch
over without too much trouble if they've designed their architecture right.

I argue the XML side not because it's always correct but to point up why it
serves a purpose. As Arne points out, service-to-service communication and
other models of inter-system interaction have a complex world to handle in the
first place.

The good news is that most web-service toolkits do make it easier to put
together straightforward web-service applications. At least IMHO. Up to a
point. I'm still working on figuring out the complex parts.

The real test of a toolkit is Hippocratic and utilitarian:
- Does it make my job harder?
More accurately: In what ways does it make my job harder?
- (In what ways) does it make my job easier?

 

[Roedy Green]

If there is an ambiguity then it is good manners to assume
it being the correct !

Not in a scientific discussion. I misunderstood the message until I
realised it was ambiguous. So might others. The proper thing to do is
point out the ambiguity and ask the speaker to resolve it
definitively.

I wish I could punch the lights out of foolish vendors when I report
ambiguities in their program prompts and they respond telling me they
are not ambiguous if you look at them in a particular way.

 

[Roedy Green]

If there is an ambiguity then it is good manners to assume
it being the correct !

On the other paw, in the political groups there are "lawyers" who
drive you nuts by deliberately misinterpreting perfectly clear
language in some insane way, thus proving you incompetent.

 

[Roedy Green]

Not in a scientific discussion. I misunderstood the message until I
realised it was ambiguous. So might others. The proper thing to do is
point out the ambiguity and ask the speaker to resolve it
definitively.

Experiments show that people grasp a small fraction of what you tell
them, and retain even less. Yet when we write posts, we tend to
assume:
1. everyone reads it.
2. everyone reads all of it.
3. everyone understands it

So I have a high tolerance for anything that increases the odds, e.g.
1. clarifying ambiguity.
2. getting feedback that you understood someone.
3. getting feedback that someone else understands you.
4. repetition of important ideas in various different ways.

 

[RedGrittyBrick]

Is it ?

You give your IDE the URL of the WSDL, it generates a stub class
and you call that.

JBuilder, Eclipse, Visual Studio etc..


I thought WS client support was in 1.6 as well.

I didn't realise this (Doh!) Thanks for spurring me to go and have a
look. I downloaded JDK 6 Update 3.

Googling found
http://weblogs.java.net/blog/vivekp/archive/2006/12/webservices_in.html
which didn't work (the apt tool must have changed and is no longer needed)

Googling also found
http://java.sun.com/developer/technicalArticles/J2SE/jax_ws_2/
Which is netbeans oriented (I use Eclipse) but, in combination with
Vivek's article I managed to get a simple example working (see later).

So yes, JDK 6 has usable web-services capability built in at last!
From my very brief play with it, it seems comparable to that supplied
with Mono (C#). This is good as far as I am concerned.

We like Java because we have choices.

We hate Java because we have choices.

What irritated me was actually that (until 6) there wasn't a *default*
WS toolkit included in the JDK. Choices are good, but we newbies like to
have a default toolkit we can immediately get started with, without
having to choose, download and install extras.

True.

But I do not consider it surprisingly that doing complex stuff becomes
complex.

The WS edifice has become a bit like ISO OSI - there are many different
ways to achieve any task. The Java WS API has to be flexible enough to
cope with this. This leads to complexity that could otherwise have been
avoided.

For example:
RPC/Encoded, Doc/Literal, Doc/Literal/Wrapped?
Inclusive canonicalisation or exclusive?
Standalone, Enveloping or Enveloped signatures?
RSA or DSA?
SHA1 or MD5?

Actually the whole canonicalisation step seems unecessary for most Web
Services - few apps forward the XML payload, transform the structure,
reorder the attributes arbitrarily, rename the namespaces and still need
to verify the signature at the end of that process. IIRC
canonicalization leaves whitespace unchanged, and that (at least line
endings) is the part I'd expect to be most likely to be affected by the
transport.

For CSV you need to modify the code.

For XML you just need to rebuild (whicg regenerates the stub).

I sometimes wonder if a 'csvgen' tool to create CSVDL and a
corresponding 'csvdlimport' stubmaker would illustrate the pointlessness
of some of the complexity in SOAP/XML/HTTPS based web-services.

P.S. For anyone new to WS in Java 6, here's my slightly modified source
from the above references. Built & run using command line as shown in
comments.

------------------------- 8< ---------------------
package hello;

import javax.jws.WebService;
import javax.xml.ws.Endpoint;

/*
* From http://java.sun.com/developer/technicalArticles/J2SE/jax_ws_2/
*
* > javac hello/CircleFunctions.java
* > wsgen -cp . hello.CircleFunctions
* > java hello/CircleFunctions
*
*/

@WebService
public class CircleFunctions {
public double getArea(double r) {
return java.lang.Math.PI * (r * r);
}
public double getCircumference(double r) {
return 2 * java.lang.Math.PI * r;
}
public static void main(String[] args) {
Endpoint.publish("http://localhost:8080/"
+ "WebServiceExample/circlefunctions",
new CircleFunctions());
}
}
------------------------- 8< ---------------------
package client;
/*
*
* From http://java.sun.com/developer/technicalArticles/J2SE/jax_ws_2/
*
* Slightly adapted by RedGrittyBrick
*
* > wsimport -p client -keep \
* http://localhost:8080/WebServiceExample/circlefunctions?WSDL
* > javac -cp . client/CircleClient.java
* > java client/CircleClient
* Result = 28.274333882308138
* Done
*
*/

class CircleClient {
public static void main(String[] args) {
try {
double radius = 3.0;
CircleFunctionsService service =
new CircleFunctionsService();
CircleFunctions port = service.getCircleFunctionsPort();
double result = port.getArea(radius);
System.out.println("Result = "+result);
} catch (Exception ex) {
System.out.println("Exception ");
}
System.out.println("Done");
}
}
------------------------- 8< ---------------------

I'm pretty sure that in C# you don't have this obscure "port" step. The
equivalent C# code is usually like this ...
CircleFunctionsService service =
new CircleFunctionsService();
double result = service.getArea(radius);
Java likes to be that bit more complicated


P.P.S. Don't take this rant too seriously

 

[Guest]

I didn't realise this (Doh!) Thanks for spurring me to go and have a
look. I downloaded JDK 6 Update 3.

So yes, JDK 6 has usable web-services capability built in at last!
From my very brief play with it, it seems comparable to that supplied
with Mono (C#). This is good as far as I am concerned.


What irritated me was actually that (until 6) there wasn't a *default*
WS toolkit included in the JDK. Choices are good, but we newbies like to
have a default toolkit we can immediately get started with, without
having to choose, download and install extras.

Hm. I am not too happy about too many "beginner" implementations
as part of the JDK. It is not that hard to download. And you will
usually want the best very soon.

I can see the point in adding WS to JDK though. Applets. Downloading
all the Axis or whatever jars to run an applet using WS calls would
be a waste of bandwidth.

The WS edifice has become a bit like ISO OSI - there are many different
ways to achieve any task. The Java WS API has to be flexible enough to
cope with this. This leads to complexity that could otherwise have been
avoided.

Web service are portable between technologies. That is only possible
if everyone supports them. To get everyone support you need to give
them some influence.

The result is some rather complex machinery. But as long the tools
can make it invisible, then I can live with that.

I sometimes wonder if a 'csvgen' tool to create CSVDL and a
corresponding 'csvdlimport' stubmaker would illustrate the pointlessness
of some of the complexity in SOAP/XML/HTTPS based web-services.

Put some IBM'ers and MS'ers in a committee to agree on that
standard and it will end up just as complex.

I'm pretty sure that in C# you don't have this obscure "port" step. The
equivalent C# code is usually like this ...

That is correct.

Arne