MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_01C3BF07.6A19D520" This document is a Single File Web Page, also known as a Web Archive file. If you are seeing this message, your browser or editor doesn't support Web Archive files. Please download a browser that supports Web Archive, such as Microsoft Internet Explorer. ------=_NextPart_01C3BF07.6A19D520 Content-Location: file:///C:/A8E93E31/UsageScenarios-1.01.htm Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="us-ascii"
WS-I Usage Scenarios Document Status: Final Specific= ation Version: 1.01 Date: <= st1:date ls=3D"trans" Month=3D"12" Day=3D"9" Year=3D"2003" w:st=3D"on">December 9,= 2003 Editors: Scott Werden, WRQ &nbs= p; Colleen Evans, Sonic Software &nbs=
p;
Marc Goodner, |
|
|
|
Notice
The material contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by= any of the authors or developers of this material or WS-I. The material contain= ed herein is provided on an "AS IS" basis and to the maximum extent permitted by applicable law, this material is provided AS IS AND WITH ALL FAULTS, and the authors and developers of this material and WS-I hereby disclaim all other warranties and conditions, either express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpos= e, of accuracy or completeness of responses, of results, of workmanlike effort= , of lack of viruses, and of lack of negligence. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THIS MATERIAL.
IN NO EVENT WILL ANY AUTHOR OR DEVELOPER OF THIS MATER= IAL OR WS-I BE LIABLE TO ANY OTHER PARTY FOR THE COST OF PROCURING SUBSTITUTE GOOD= S OR SERVICES, LOST PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, CONSEQUENTIAL, DIRECT, INDIRECT, OR SPECIAL DAMAGES WHETHER UNDER CONTRACT, TORT, WARRANTY, OR OTHERWISE, ARISING IN ANY WAY OUT OF THIS OR ANY OTHER AGREEMENT RELATING TO THIS MATERIAL, WHETHER OR NOT SUCH PARTY HAD ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES.
Status of this
Document
This is a final specification. Readers should refer to the WS-I.org web site for errata and updates.=
Table of Cont=
ents
1&= nbsp; Introduction<= o:p>
1.1&= nbsp; How to use this document<= o:p>
2&= nbsp; Usage Scenario Taxonomy<= o:p>
2.1&= nbsp; Web Service Stack<= o:p>
2.2&= nbsp; Activities = <= o:p>
2.2.1&= nbsp; Data Layer Activities<= o:p>
2.2.2&= nbsp; SOAP Message Layer Activities<= o:p>
2.2.3&= nbsp; Transport Layer Activities<= o:p>
2.2.4&= nbsp; Web Service Actors<= o:p>
2.3&= nbsp; Security<= o:p>
3&= nbsp; Usage Scenarios<= o:p>
3.1&= nbsp; One-way<= o:p>
3.1.1&= nbsp; Description<= o:p>
3.1.2&= nbsp; Flow<= o:p>
3.1.3&= nbsp; Flow Constraints<= o:p>
3.1.4&= nbsp; Description Constraints<= o:p>
3.1.5&= nbsp; UDDI = <= o:p>
3.1.6&= nbsp; Security<= o:p>
3.2&= nbsp; Synchronous Request/Response<= o:p>
3.2.1&= nbsp; Description<= o:p>
3.2.2&= nbsp; Flow<= o:p>
3.2.3&= nbsp; Flow Constraints<= o:p>
3.2.4&= nbsp; Description Constraints: WSDL<= o:p>
3.2.5&= nbsp; UDDI = <= o:p>
3.2.6&= nbsp; Security<= o:p>
3.3&= nbsp; Basic Callback<= o:p>
3.3.1&= nbsp; Description<= o:p>
3.3.2&= nbsp; Details = <= o:p>
3.3.3&= nbsp; Flow<= o:p>
3.3.4&= nbsp; Flow Constraints<= o:p>
3.3.5&= nbsp; Description Constraints<= o:p>
3.3.6&= nbsp; UDDI = <= o:p>
3.3.7&= nbsp; Security<= o:p>
4&= nbsp; Appendix 1 – Security<= o:p>
4.1&= nbsp; Authentication<= o:p>
4.1.1&= nbsp; Request Authentication<= o:p>
4.1.2&= nbsp; Response Authentication<= o:p>
4.2&= nbsp; Authorization<= o:p>
4.2.1&= nbsp; Request Authorization<= o:p>
4.3&= nbsp; Confidentiality<= o:p>
4.4&= nbsp; Data Integrity<= o:p>
4.5&= nbsp; Replay<= o:p>
4.6&= nbsp; Logging and Auditing<= o:p>
4.7&= nbsp; Other Risks<= o:p>
5&= nbsp; Appendix 2 – Constraints<= o:p>
5.1&= nbsp; Write XML<= o:p>
5.2&= nbsp; Process XML<= o:p>
5.3&= nbsp; Write SOAP Envelope<= o:p>
5.4&= nbsp; Process SOAP Envelope<= o:p>
5.5&= nbsp; Write SOAP Body<= o:p>
5.6&= nbsp; Process SOAP Body<= o:p>
5.7&= nbsp; Write SOAP Header<= o:p>
5.8&= nbsp; Process SOAP Header<= o:p>
5.9&= nbsp; Send HTTP<= o:p>
5.10&= nbsp; Receive HTTP<= o:p>
5.11&= nbsp; General WSDL Constraints<= o:p>
5.12&= nbsp; Constraints on WSDL types<= o:p>
5.13&= nbsp; Constraints on WSDL messages<= o:p>
5.14&= nbsp; Constraints on WSDL portTypes<= o:p>
5.15&= nbsp; Constraints on WSDL Bindings<= o:p>
5.16&= nbsp; Constraints on WSDL Port<= o:p>
5.17&= nbsp; General UDDI constraints<= o:p>
6&= nbsp; References = <= o:p>
Table of Figu=
res
Figure 2‑1 Web services stack<= o:p>
Figure 3‑1 One-way Sequence<= o:p>
Figure 3‑2 One-way Request<= o:p>
Figure 3‑3 One-way Acknowledgement <= o:p>
Figure 3‑4 Synchronous Request/Response Sequence. <= o:p>
Figure 3‑5 Synchronous Request<= o:p>
Figure 3‑6 Synchronous Response<= o:p>
Figure 3‑7 Basic Callback Sequence. <= o:p>
Figure 3‑8 Basic Callback Consumer Request <= o:p>
Figure 3‑9 Basic Callback Provider Acknowledgement <= o:p>
Figure 3‑10 Basic Callback Provider Response. <= o:p>
Figure 3‑11 Basic Callback Consumer Acknowledgement <= o:p>
Revision Hist=
ory
Version 1.0  = ; Original version
Version 1.01 &nbs= p; Revisions to Board Approval Draft to reflect late changes to the Basic Profile 1.0
WS-I Usage
Scenarios define the use of Web services in structured interactions, identifying
basic interoperability requirements for such interactions and mapping the f=
low
of a scenario to the requirements of the WS-I Basic Profile 1.0 (hereafter,
Basic Profile) [1]. Scenarios =
are
independent of any application domain. WS-I Use Cases employ Scenarios to m=
odel
high-level definitions of specific applications.
The scenarios presented here can be composed or extended. That is, t=
hey
describe fundamental Web service design patterns that can be combined and b=
uilt
upon like building blocks. For example, the Synchronous Request/Response
scenario describes a basic exchange and can be expanded by adding SOAP head=
ers.
The only requirement is that the extensions must also conform to the Basic
Profile.
This docume=
nt
describes the WS-I Usage Scenarios to be used with the Basic Profile. The B=
asic
Profile constraints and requirements are referenced directly and the reader=
is
expected to use the Basic Profile in conjunction with this document to
interpret the referenced information.
The three scenarios presented in this document are int= ended to provide sufficient information so that a user of this document can create WS-I compliant Web service applications using one of more of the scenarios.= All applicable guidelines and restrictions for the messages and service descrip= tion instances for each scenario are provided.
The Usage Scenario taxonomy defines a structure for ap= plying the Basic Profile constraints. The taxonomy consists of a Web services stack and a set of activities, grouped by the layers of the stack, that a Web ser= vice instance executes as part of the Web service Usage Scenario. The constraint= s of the Basic Profile are applied to each activity as well as to the optional components of the scenario, e.g., the WSDL for the description of the Web service instance. There are two types of constraints on scenarios:
The following are attributes of WS-I Usage Scenarios:<= /p>
The Usage Scenario taxonomy is based on a Web services stack. Each layer of the stack represents one of the fundamental functional areas of a Web service instance. Not all possible functional areas are represented (e.g., security or coordination), only the most basic. These la= yers are depicted in the following diagram.
=
Figure 2‑1 Web services stack
A Web service application may include several logical = layers incorporating functions such as the Web service instance and application business logic. The Bas= ic Profile and Usage Scenarios do not address application business logic except where the functionality of any part of the Web services stack is implemented within the business logic.
The details of each layer of the Web service stack are= :
Data Layer
The data layer translates the application specific dat= a into the model chosen for the specific Web service. The data layer includes the functions necessary to support flexible data typing. This layer maps to the= wsdl:types and wsdl:message definitions within a WSDL document.
SOAP Message Layer
The SOAP message layer is the infrastructure that proc= esses SOAP messages, dispatches them, and may optionally fulfill Quality of Servi= ce requirements. On the sending side the message layer writes SOAP messages, b= ased on the data model defined in portTypes and bindings. On the receiving side = the message layer processes the SOAP messages and dispatches requests to the correct application or method.
Transport Layer
The transport layer sends and receives messages. For t=
he
Basic Profile, this includes only HTTP client and
A set of activities is defined for each layer of the W= eb service stack. Activities are the fundamental operations that comprise a Web service. A single activity has several constraints applied to it from the B= asic Profile. For example, one act= ivity might be “Send HTTP” and the specifications and guidelines for = how to fulfill that activity come from the SOAP 1.1 and HTTP sections of the Ba= sic Profile.
The following table summarizes these activities.
Layer |
Activity |
Data Layer |
Write XML Process XML |
SOAP Message Layer |
Write SOAP envelope Process SOAP envelope Write SOAP body Process SOAP body Write SOAP header Process SOAP header |
Transport Layer |
Send HTTP Receive HTTP |
Table 1
- Activities grouped by Web services stack layer
The following activities are part of the Data layer:= p>
Write XML
Application-level messages that are to be exchanged du= ring a Web services interaction must be written to a serialized form that can be transported with the underlying transport protocol. These messages use the = data types and formats declared in the data model documentation (i.e., WSDL or Schema). Writing the message = data is the responsibility of the application component sending a message to a recipient.
Process XML
Application-level messages that are exchanged in a Web services interaction are passed to application components responsible for receiving, interpreting and acting upon the received messages. Application components process mes= sage data according to the types and formats declared in the data model documentation.
The following activities are executed with the SOAP Me= ssage Layer.
SOAP envelope
The SOAP envelope is the container for all the ot=
her
SOAP message parts, including the payload.
SOAP body
The SOAP body is used for transporting application-spe= cific information included in the application message data. The activities in this layer are different from the data payload writing and processing activities described in the Data Layer activities section.
SOAP header
The SOAP header provides a modular mechanism for exten= ding a SOAP message.
SOAP messages may be sent using the HTTP or HTTPS tran= sport protocols.
In WS-I Web services scenarios there are two high level actors. These are not related to SOAP Actors as defined in SOAP 1.1.
Consumer
A Consumer is responsible for making requests of a ser= vice implemented by a Provider.
Provider
A Provider is responsible for listening for and proces= sing Consumer service requests.
Usage scenarios do not explicitly address authenticati= on, authorization, identification, or privacy. However, some of those concerns = can be addressed with existing technologies that are compatible with the Basic Profile. For example, the HTTPS binding can be used rather than the un-encrypted HTTP binding. Application level security can always be added within the message layer and this would be entirely transparent to the Basic Profile.
Countermeasures are best applied through a risk assess= ment of your Web service application. To assist in this process please see the Security Appendix below for more detailed information on common threats and Basic Profile compliant mitigation strategies. Each Usage Scenario includes= a section detailing additional concerns as well as the identified common thre= ats most relevant to the given scenario.
This section defines the three Usage Scenarios develop= ed to complement the Basic Profile:
A Consumer sends a request message to a Provider. The Provider receives the me= ssage and processes it.
The exchange is one way; no SOAP response message from= the Provider is generated or expected. The underlying transport is not required to guarantee delivery of the message to the Provider. Rega= rdless of the protocol implemented by the transport layer, the Consumer receives no acknowledgement above the transport layer that the message was successfully sent, delivered to the intended destination, or received by the Provider.= p>
This Scenario applies to situations where information = loss is inconsequential (for example, in a status monitoring scenario where peri= odic status update events are provided such that if one update event is lost, a subsequent update event will convey correct status).
Figure 3‑1 One-way Sequence
High-level flow:
Assumptions:
The detailed flow for this scenario, using the activit= ies defined in Section 2.2, is described below. Each bulleted item represents the activities performed within one layer of the stack required to complete= the flow. The order of activities within a Consumer or Provider is not signific= ant. Each activity has constraints imposed upon it from the Basic Profile.
Figure 3‑2 One-way Request
The Consumer initiates a SOAP request:
The Provider receives the SOAP request:
Figure 3‑3 One-way Acknowledgement
The Provider sends the acknowledgement:
The Consumer receives the acknowledgement:
The following are the flow constraints upon this Usage Scenario.
A SOAP Fault cannot be generated in this scenario since there is no SOAP response message. If any error occurs in the Provider, the Provider and Consumer must respectively abide by R2714.
Use of a SOAP header is optional for this scenari=
o.
If it is used, it must follow the constraints for the Write SOAP Header and
Process SOAP Header activities, as defined in Section 5.7
and 5.8,
respectively.
The WSDL should have at least the following content wi=
thin
its definitions for the One-way Scenario. Not all sections are required, bu=
t if
present in the WSDL, each should follow the guidelines as presented below.
General constraints on the WSDL are described in Section 5.11. Other constraints imposed upon the WSDL by the B=
asic
Profile are listed below.
This section is not required and if present, will be dependent upon the specifics of the data model.
Constraints on WSDL types are listed in Section <=
/span>5.12.
Message format will be dependent upon the data model (doc/literal or rpc/literal). Only one message is defined: one input.
Document messages parts are composed from Schema eleme= nt definitions (see R2204)
<wsdl:message …>
&nb=
sp; =
<wsdl:part
name=3D”Input” element=3D”..”>
</wsdl:message>
RPC messages parts are composed from Schema type declarations (see R2203)
<wsdl:message …>
&nb=
sp; =
<wsdl:part
name=3D”Input“ type=3D”..” />
</wsdl:message>
Other constraints are listed in Section =
span>5.13.
The one-way transmission primitive must be used. Gramm= ar is:
<wsdl:portType ..>
<wsdl=
:operation
…>
&nb=
sp; =
&nb=
sp; <wsdl:input
…/>
&nb=
sp; =
</wsdl:operation>
</wsdl:portType>
Other constraints are listed in Section =
span>5.14.
The wsdl:bin= ding section must use the SOAP binding extension with HTTP transport. The same operation type defined in wsdl:po= rtType must be used in the binding section.
<wsdl:binding …>
&=
nbsp; <soap:binding
style=3D”rpc|document” transport=3Dhttp://schemas.xmlsoap.org/so=
ap/http>
&nb= sp; <wsdl:input …>
&nb= sp; </wsdl:input&= gt;
&nb= sp; </soap:binding>
</wsdl:binding>
Other constraints are listed in Section =
span>5.15.
The soap:add= ress element must be specified along with the URL for the endpoint:
<wsdl:port>
&nb= sp; <soap:address location=3D”uri” />
</wsdl:port>
Other constraints are listed in Section =
span>5.16.
Advertisement of Web services patterned after this sce=
nario
adheres to the “Using
WSDL in a UDDI Registry, Version 1.07” Best Practice document.
General UDDI Constraints are listed in Section =
span>5.17.
This section identifies the threats most relevant to t= his Usage Scenario as described in Appendix 1 where additional information on B= asic Profile compliant countermeasures may also be found.
Additional constraints may apply if HTTPS is used to implement security. These are Profile requirements: R5000, R5001, R5010, .<= span style=3D'mso-spacerun:yes'> Appendix 1 has additional guidelin= es on Security.
As of this writing no specific threat has been identif= ied as being singularly relevant to this Usage Scenario.
A Consumer sends a request message to a Provider. The Provider receives the message, processes it, and sends back a response.
The following diagram shows the high-level interactions between a Consumer and a Provider in the Synchronous Request/Response Usage Scenario.
Figure=
3‑4 Synchronous Request/Response Sequ=
ence
High-level
flow=
:
1. Consumer invokes the service by sendin=
g a
SOAP message bound to an HTTP request to the Provider
2. Provider executes the service and send=
s a
SOAP message bound to an HTTP response to the Consumer
Assumptions:
The detailed flow for this scenario, using the activit= ies defined in Section 2.2, is described below. Each bulleted item represents the activities performed within one layer of the stack required to complete= the flow. The order of activities within a Consumer or Provider is not signific= ant. Each activity has constraints imposed upon it from the Basic Profile.
Figure = 3‑5 Synchronous Request
The Consumer initiates a SOAP request:
The Provider receives the SOAP request:
Figure 3‑6 Synchronous Response
The Provider generates a SOAP response:
The Consumer receives the SOAP response:
The following activities have the referenced constrain= ts in this Usage Scenario.
Errors that occur during SOAP processing are communica= ted with a SOAP Fault message, as per the SOAP 1.1 specification. This scenario supports SOAP Faults through composition, that is, all the constraints described in sections 3.2.3 and 3.3.4.1 apply, plus the additional constraints imposed up= on the following Activities.
The Web service Provider must abide by the following restrictions and guidelines from the Basic Profile:
The Web service Consumer must follow the following restrictions and guidelines from the Basic Profile:
Use of a SOAP header is optional for this scenari=
o.
If it is used, it must follow the constraints for the Write SOAP Header and
Process SOAP Header activities, as defined in Sections 5.7
and 5.8,
respectively.
The WSDL should have at least the following content wi=
thin
its definitions for the Synchronous Request/Response Scenario. Not all sect=
ions
are required, but if present in the WSDL, each should follow the guidelines=
as
presented below. General constraints on the WSDL are described in Section <=
span
style=3D'mso-field-code:" REF _Ref24415586 \\r \\h "'>5.11. Other constraints imposed upon the WSDL by the B=
asic
Profile are listed below.
This WSDL section is not required, and if present, wil= l be dependent upon the specifics of the data model.
Constraints on types are listed in Section 5.12.
Message format will be dependent upon the data model (doc/literal or rpc/literal). At least two messages must be defined: one in= put and one output. Optionally, a fault message may also be defined.
Document message parts are composed from Schema element definitions (see R2204)
<wsdl:message …>
&nb=
sp; =
<wsdl:part
name=3D”..” element=3D”..”>
&nb=
sp; =
<wsdl:part
name=3D”..” element=3D”..”/>
</wsdl:message>
RPC message parts are composed from Schema type declar= ations (see R2203)
<wsdl:message …>
&nb=
sp; =
<wsdl:part
name=3D” “ type=3D”..” />
&nb=
sp; =
<wsdl:part
name=3D” “ type=3D”..”/>
</wsdl:message>
Constraints on messages are listed in Section 5.13.
The request/response transmission primitive must be us= ed. Grammar is:
<wsdl:portType ..>
<wsdl=
:operation
…>
&nb=
sp; =
&nb=
sp; <wsdl:input
…/>
&nb=
sp; =
&nb=
sp; <wsdl:output
…/>
&nb=
sp; =
</wsdl:operation>
</wsdl:portType>
Constraints on portTypes are listed in Section = span>5.14.
The wsdl:bin= ding section must use the SOAP binding extension with HTTP transport. The same operation defined in wsdl:portTyp= e must be used in the binding section.
<wsdl:binding …>
&=
nbsp; <soap:binding
style=3D”rpc|document” transport=3Dhttp://schemas.xmlsoap.org/so=
ap/http>
&nb= sp; <wsdl:input …>
&nb= sp; </wsdl:input&= gt;
&nb= sp; <wsdl:output …>
&nb= sp; </wsdl:output= >
&nb= sp; </soap:binding>
</wsdl:binding>
Constraints on bindings are listed in Section 5.15.
The soap:add= ress element must be specified along with the URL for the endpoint:
<wsdl:port>
&nb= sp; <soap:address location=3D”uri” />
</wsdl:port>
Constraints on port definitions are listed in Sec=
tion
5.16.
Advertisement of Web services patterned after this sce=
nario
adheres to the “Using
WSDL in a UDDI Registry, Version 1.07” Best Practice document.
Advertising Web services in this way e=
nables
discovery using the inquiry patterns supported by the UDDI Inquiry API set =
(see
http://www.uddi.org/pubs/ProgrammersAPI-V2.04-Published-20020719.pdf). These include the browse pattern, =
the
drill-down pattern and the invocation pattern.
General UDDI Constraints are listed in Section =
span>5.17.
This section identifies the threats most relevant to t= his Usage Scenario as described in Appendix 1 where additional information on B= asic Profile compliant countermeasures may also be found.
Additional constraints may apply if HTTPS is used to implement security. These are Basic Profile requirements: R5000, R5001, R5010. Appendix 1 has additio= nal guidelines on Security.
As of this writing no specific threat has been identif= ied as being singularly relevant to this Usage Scenario.
The Basic Callback scenario facilitates a form of asynchronous message exchange for Web services. This is accomplished through the composition of two synchronous request/response pairs. The messages are related via correlation information that is provided by the Consumer. The Consumer also provides the endpoint information for the callback service location to the Provider. The definition of the callback service is defined by the Provider in the publis= hed Web service description and implemented by the Consumer.
At runtime a Consumer sends the initial SOAP request i= n a request/response sequence to the Provider, which in turn sends back an immediate acknowledgement of receipt. At a later point in time the Provider will initiate the final request/response sequence to the Consumer containing the response data for the initial request sent by the Consumer. The following diagram shows the high-level interactions between a Consumer and a Provider in the Basic Call= back Usage Scenario.
Figure 3‑7 Basic Callback Sequence
High-level flow:
Assumptions:
The Basic Callback scenario is built upon two correlat=
ed
synchronous request/response interactions. Since a Consumer and a Provider =
may
have many outstanding requests, there needs to be a mechanism for each part=
y to
unambiguously identify which callback goes with which initial request. This=
can
be achieved using some business data in the SOAP payload, such as a purchase
order number, that can be used to correlate the callback with the request, =
or
through using some form of message id.
In order to invoke the callback service, the Consumer = must communicate the callback endpoint to the Provider. This can be conveyed at runtime in= the initial SOAP message sent by the Consumer to the Provider, during deploymen= t, or using a discovery mechanism agreed to by both parties.
The Web service description for both the initial and f= inal request/response pairs (i.e., portTypes) may be defined in a single WSDL document. Although it is not a requirement to do so, placing them in the sa= me document will communicate the contract and the expectations on the client m= ore effectively. In loosely coupled situations where two businesses may not wan= t to maintain a single document, the initial and final request/response pairs sh= ould be described in separate WSDL documents.&n= bsp; In either case, portTypes for both the Provider and Consumer Web services shall be defined. The description MAY contain ports for the Provid= er Web services, and DOES NOT contain defined ports for the Consumer Web servi= ces. Since the final service address is not known beforehand, a WSDL port cannot= be defined for the final request/response portType. It is, instead communicate= d by the Consumer as described above.
The detailed flow for this scenario, using the activit= ies defined in Section 2.2, is described below. Each bulleted item represents the activities performed within one layer of the stack required to complete= the flow. The order of activities within a Consumer or Provider is not signific= ant. Each activity has constraints imposed upon it from the Basic Profile.
Figure 3‑8 Basic Callback Consumer Request=
The Consumer initiates a SOAP request:
The Provider receives the initial SOAP request:
Figure 3‑9 Basic Callback Provider Acknowledgemen= t
The Provider generates the acknowledgement (response) message:
The Consumer receives the acknowledgement (response) message:
Figure 3‑10 Basic Callback Provider Response
The Provider initiates a SOAP request:
The Consumer receives the SOAP request:
Figure 3‑11 Basic Callback Consumer Acknowledgemen= t
The Consumer then generates the acknowledgement (respo= nse) message:
The Provider receives the SOAP acknowledgement (respon= se) message:
The following activities have the referenced constrain= ts in this Usage Scenario.
Constraints = for Fault generation and behavior as described in the Synchronous Request / Response Scenario 3.2.3.= 1 also apply to this scenario.
For the Basic Callback scenario, the WSDL must have at= least the following content within its definitions. Not all sections are required, but if present in the WSDL, each should follow the guidelines as presented below. The WSDL defined below is contained within a single document, and describes both the Initial and the Final request/response sequences of the Basic Callback. Constraints imposed upon the WSDL by the Basic Profile are = also listed.
General constraints on the WSDL are described in Secti=
on 5.11. Other constraints imposed upon the WSDL by the B=
asic
Profile are listed below.
Application Data
This section will be dependent upon the specifics of t= he data model and often contains correlation information in addition to application data types.
Message format will be dependent upon the data model (= doc/literal or rpc/literal). The following messages and parts are typically defined for this Usage Scenario:
Below are some general issues concerning differences b= etween Document and RPC style messages. For simplicity all required messages for t= his scenario have been defined as Document style, but this is not a requirement= .
Document messages
Document message parts are composed from Schema element definitions (see R2204)
<wsdl:message …>
&nb= sp; <wsdl:part name=3D”InitialRequest” element=3D”..”>
</wsdl:message>
RPC messages
RPC message parts are composed from Schema type declar= ations (see R2203)
However, parts to be used in SOAP headers or faults MU= ST be defined as elements
<wsdl:message …>
&nb= sp; <wsdl:part name=3D”InitialRequest“ type=3D”..” />
</wsdl:message>
Constraints on messages are listed in Section
The request/response transmission primitive must be us= ed for both the Initial and Final sequences.
<wsdl:portType name=3D"ProviderPortType">= p>
&nb= sp; <wsdl:operation name=3D"…">
&nb= sp; <wsdl:input= 8230;
&nb= sp; </wsdl:input&= gt;
&nb= sp; <wsdl:output&= #8230;
&nb= sp; </wsdl:output= >
&nb= sp; </wsdl:operation>
</wsdl:portType>
<wsdl:portType name=3D"ConsumerPortType">= p>
&nb= sp; <wsdl:operation name=3D"…">
&nb= sp; <wsdl:input= 8230;
&nb= sp; </wsdl:input&= gt;
&nb= sp; <wsdl:output&= #8230;
&nb= sp; </wsdl:input&= gt;
&nb= sp; </wsdl:operation>
</wsdl:portType>
Constraints on portTypes are listed in Section =
span>5.14.
The wsdl:bin= ding section must use the SOAP binding extension with HTTP transport. The same operation defined in wsdl:portTyp= e must be used in the binding section. Two bindings will be defined, one for = the Initial sequence, one for the Final.
<wsdl:binding name=3D"ProviderSoapBinding" type=3D"tns:ProviderPortType">
<soap:binding style=3D"document|rpc" transport=3D"http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name=3D"…">
&nb= sp; <soap:operation/>
&nb= sp; <wsdl:input…
&nb= sp; </wsdl:input>
&nb= sp; <wsdl:output…
&nb= sp; </wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:binding name=3D"ConsumerSoapBinding" type=3D"tns:ConsumerPortType">
<soap:binding style=3D"document|rpc" transport=3D"http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name=3D"submitFinalReq">
&nb= sp; <soap:operation/>
&nb= sp; <wsdl:input…
&nb= sp; </wsdl:input>
&nb= sp; <wsdl:output…
&nb= sp; </wsdl:output>
</wsdl:operation>
</wsdl:binding>
Constraints on bindings are listed in Section 5.15.
Only one port will be defined: that for the Initial Request/Response. The Final sequence has an unspecified port-binding. The <= span style=3D'font-family:"Courier New"'>soap:address element must be spe= cified along with the URL for the endpoint:
<wsdl:port>
&nb= sp; <soap:address location=3D”uri” />
</wsdl:port>
Constraints on port definitions are listed in Sec=
tion
5.16.
There are two Web service implementations involved in = this Usage Scenario, but only the Initial Web service is advertised in UDDI. The Final Web service is not discoverable because the callback endpoint must be known to and accessible = by the initiator of the Initial request. Communicating the callback endpoint in the initial request accomplis= hes this.
Advertisement of Web services patterned after the Init=
ial
sequence in this scenario adheres to the “Using
WSDL in a UDDI Registry, Version 1.07” Best Practice document.
Because the Final sequence in this scenario occurs bet= ween the two parties that participate in the Initial sequence, no advertisement = or discovery of this sequence is desired or necessary.
Advertising Basic Callback Web service=
s in
this way enables discovery using the inquiry patterns supported by the UDDI
Inquiry API set (see
http://www.uddi.org/pubs/ProgrammersAPI-V2.04-Published-20020719.pdf). These include the browse pattern, =
the
drill-down pattern and the invocation pattern.
General UDDI Constraints are listed in Section =
span>5.17.
This section identifies the threats most relevant to t= his Usage Scenario as described in Appendix 1 where additional information on B= asic Profile compliant countermeasures may also be found.
Additional constraints may apply if HTTPS is used to implement security. These are Basic Profile requirements: R5000, R5001, R50= 10. Appendix 1 has additional guidelines on Security.
As of this writing no specific threat has been identif= ied as being singularly relevant to this Usage Scenario, though Replay is being investigated as a potential candidate.
This section details common Web service threats and su= ggests possible countermeasures that are compliant with the Basic Profile. The countermeasures detailed here are best applied through a risk assessment of your Web service application.
This information presented here is not intended to be = an exhaustive or encyclopedic treatment of the security issues confronting Web services developers. Rather, it is designed to provide an intermediate assessment of security issues that briefly explores the intersection between traditional security issues and their manifestation in the Web services architecture.
= Authentication is a mechanism or a protocol that demonstrates proof of an asserted = identity. Using an authentication mechanism, a Web service can draw conclusions about the send= er of a request or response message, and then act on the message. Many types of authentication mechanisms and protocols have been developed, including pass= word schemes, Secure Sockets Layer (SSL), Kerberos, and public key infrastructur= e. Each mechanism has advantages and limitations. With respect to interoperability, each mechanism introduces a variety of challenges. Web services can usually rely on the software platform to provide interoperable transport authentication. Additionally, Web services may wish to share authentication information across domains to provide single sign-on within a community of cooperating business entities.
Authentication requirements are usually asymmetrical b= etween service requestors and service providers. Therefore, authentication for Web services can be further subdivided as below.
Threat
The threats to a Web service= that does not authenticate users include access to data or resources by unauthor= ized entities, and ‘man-in-the-middle attacks’. In man-in-the-middle attacks, an unauthorized entity intercepts messages between requestor and responder, enabling eavesdropping and data manipulation. In very sophisticated Web services environments, a Web service provider may not be able to authentica= te all parties involved in a transaction, and may therefore be required to delegate trust to other Web services.
Since Web services may rely on directory services to f= ind providers of services (such as UDDI), authentication must be ensured in cer= tain processes such as consulting UDDI registries or downloading WSDL files. If authentication is not required by a directory, a relatively easy attack wou= ld be to falsify a WSDL file, causing reliant Web services to bind to improper ports.
Countermeasure
A Web service SHOULD authenticate the sender of a request. Some specific situations in which Web services should authenticate requests incl= ude those in which underlying state is changed, in which there is a charge for using the service, or where the information returned by the service is privileged.
Authentication of the service requester is the appropriate countermeasure. Client authentication can be performed using agreed upon digital certificates in the client authenticati= on piece of an SSL/TLS exchange. The digital certificates exchanged during the= SSL handshake must chain to a certificate authority agreed upon by both client = and server.
Threat
An attack on a service reque= ster is one that interposes a false or ‘spoofed” service that supplies responses resembling those provided by the expected service. For example, a “man-in-the-middle” might substitute a false response message f= or a genuine response, leading to request/response mismatches.
Countermeasure
Authentication of the servic= e is the appropriate countermeasure. An SSL/TLS connection can provide server authentication and is typically sufficient protection from Web service prov= ider spoofing for point-to-point transactions.
Authorization is the process of determining the capabi= lities granted to an entity by a service provider or another trusted entity. While authentication determines wh= ich entities can access a Web service, authorization determines which features = of that Web service can be accessed by the authenticated entity. In some cases even authenticated entities must be restricted to a subset of functions pro= vided by a Web service.
Threat
Unauthorized access to computational resources or protected data.
Countermeasure
Apply authorization mechanisms. Web services requests are fulfilled based on the authorization assigned to a particular requestor by = the service provider. A Web service m= ay need to communicate its authorization requirements through a policy.
A simple Web service may hav= e one authorization level: i.e., I will execute process X for any user authentica= ted using a recognized token. However, more sophisticated mechanisms may be required for Web services designed to service a range of consumers.
Threat
A compromise of privileged information through unauthorized access. In a messaging environment (as opp= osed to a session environment) it is important to evaluate the message protection characteristics of a Web service, because a Web service may not know the ultimate destination or the full route of the data being sent. Intermediari= es may be traversed and if the data is unprotected, might read the confidential contents of a message, or they might be able to deduce confidential informa= tion by the mere fact that a particular message (or a message of a certain type,= or messages in a certain frequency) was sent.
Countermeasure
Encryption is the primary de= fense against a breach of confidentiality. How encryption is applied can vary wid= ely. The SSL/TLS protocol encrypts messages for the duration of the session. . However, at each end-point, the message will be fully decrypted. An excepti= on to this situation is SSL Proxy tunneling. In which a client proxy opens a connection to a secure server, copying data in both directions without intervening in the secure transaction.
There are ways to address the problem of end-to-end co= nfidentiality while remaining compliant, though out of scope, of the Basic Profile. As an example, XML Encryption can be used to selectively encrypt elements or the entire message. There are many configurations, but one is to have the SOAP implementation encrypt the message payload, while leaving other information "in the clear" in the SOAP header.
Threat
Loss of data integrity is the unauthorized modification of a request or response. The threat to Web servi= ces is the malicious alteration or the accidental corruption of data.
Countermeasure
Messages sent using SSL/TLS have guaranteed data integ= rity for the duration of the exchange.
Another technique compliant, yet out of scope, with the Basic Profile is the use of digital signatures and message digests to provi= de proof of data integrity using XML Digital Signature. These can be applied to complete XML messages, or to portions of XML documents according to the XML Digital Signature specification.
Threat
A basic attack on a Web serv= ice is an attempt to re-use a once valid message. Certain elements of a Web services message, such as a security token, can also be reused as part of a different message to give the impression of a valid request or response.
Countermeasure
Replay attacks can be addres= sed by using message timestamps and caching, and through the use of universally un= ique identifiers on all messages.
One of the best countermeasu= res for any of the above security issues is a robust auditing/logging mechanism. In= combination with authentication mechanisms, auditing and logging mechanisms can provide chains of evidence that permit runtime infractions of trust policies to be remedied by the offline trust infrastructure of business agreements and contractual law.
Like any networked application, Web services are expos= ed to standard network security vulnerabilities such as:
This section provides a mapping of constraints listed = in the Basic Profile to each of the flow activities identified in Section 2 and wi= thin each scenario. In carrying out each activity, the listed constraints should= be consulted in the Basic Profile to check for compliance with the details of = the constraint.
The following constraints apply to both HTTP and HTTPS= .
The following constraints apply to both HTTP and HTTPS= .
SOAPAction
Header: R1119
[1] WS-I Basic Profile vers= ion 1.0 from www.ws-i.org.
&= nbsp; &nbs= p; &= nbsp; &nbs= p; &= nbsp; &nbs= p; &= nbsp; &nbs= p; &= nbsp; &nbs= p; &= nbsp; WS-I Usage Scenarios= span>