Web services
Martin Kuba, ÚVT MU

A web service is a software system designed to support interoperable machine-to-machine interaction over a network. (W3C, Web Services Glossary)

Glossary
URL - Uniform Resource Locator
HTTP - Hypertext Transfer Protocol
HTML - Hypertext Markup Language
XML - Extensible Markup Language
GUI - Graphical User Interface
CGI - Common Gateway Interface
SSL/TLS - Secure Sockets Layer/Transport Layer Security
REST - Representational State Transfer
JSON - JavaScript Object Notation
AJAX - Asynchronous JavaScript and XML

Brief web services history
1989 - World Wide Web invented
1991 - HTTP 0.9 specified
1992 - Internet at Masaryk University :-)
1993 - first GUI web browser Mosaic
1993 - CGI interface for executing programs
1995 - JavaScript introduced by Netscape
1996 - SSL 3.0
1998 - XML 1.0
1998 - SOAP 1.1 by Microsoft
2003 - SOAP 1.2 by W3C (never used)
2004 - WS-Interoperability Basic Profile

Brief web services history (2)
2000 - REST defined by Roy Fielding
2001 - JSON format invented
2004 - GMail and Google Maps
2004 - Web 2.0 hype, wikis, mash-ups
2005 - AJAX (Asynchronous JavaScript)
2005 - Yahoo!
offers JSON web services
2006 - OpenID 2.0
2008 - HTML5 (First Public Working Draft)
2010 - OAuth 1.0
2010 - mobile devices with Android
2012 - OAuth 2.0

Brief web services history (3)
2013 - responsive web design as answer to mobile devices with differing screen sizes
2006-2013 - cloud computing (Amazon 2006, Microsoft 2008, Google 2013)
2014 - HTML5 finalised
2014 - OpenID Connect
2015 - HTTP/2

My definition of a web service
A web service client communicates with a web server providing a web resource identified by a URL, using the HTTP protocol (optionally secured by SSL/TLS), exchanging messages in XML or JSON formats.
This definition covers
● SOAP/WSDL services
● REST APIs
● dynamic web pages using AJAX

SOAP/WSDL web services
● SOAP was Simple Object Access Protocol
● WSDL is Web Service Description Language
● technology for remote procedure calls using exchange of XML messages
● preferred in the enterprise world
● used in API of the Czech eGovernment’s "Data Boxes"
● WS-Interoperability Basic Profile needed to ensure interoperability
  ○ requires SOAP 1.1
● many WS-* extensions

SOAP call, SOAP response (figures)

SOAP/WSDL web services (2)
● started as XML-based Remote Method Invocation protocol
● changed to Remote Procedure Call protocol (no objects - SOAP is no longer an abbreviation)
● introduced own type system
  ○ big problems with compatibility
● later replaced by XML Schema type system
● main lesson - remote interfaces should be defined by messages, not operations

SOAP versus REST
● enterprises prefer complicated stack
  ○ XML
  ○ SOAP, WSDL, WS-Interoperability
  ○ WS-* (WS-Security, WS-Addressing, ...)
  ○ persistent connections - queues
  ○ RPC based
  ○ complex tools and frameworks
● Internet crowd prefers simplicity
  ○ JSON
  ○ web APIs described as HTTP requests to URLs
  ○ AJAX in browsers
  ○ transient connections - TCP/IP, HTTP
  ○ scalable using REST

Web APIs
● well-known APIs
  ○ Google APIs (Calendar, GMail, Maps, ...)
  ○ Facebook API
  ○ Twitter API
  ○ based on HTTP+JSON+SSL+OAuth
● third party clients
  ○ web, mobile (Android, iOS, ...), desktop, embedded
● OAuth
  ○ developer registers an application at API provider
  ○ user authorises the application to use certain operations in the API, giving the application a token
  ○ application uses the token to use the API on behalf of the user

JSON - JavaScript Object Notation
● simple specs at http://json.org
● implemented parsers for every language
● native in web browsers

The same Google Cal event in XML (figure)

AJAX
● Asynchronous JavaScript And XML
● does not need XML, uses JSON often
● based on introduction of XMLHttpRequest JavaScript object to web browsers around the year 2006
● asynchronous request to web server
● response processed in JavaScript
● same-origin policy (protocol, host, port)
● Cross-origin resource sharing (CORS)

REST
● Representational State Transfer
● software architecture style for creating scalable web services
● invented by Roy Fielding, author of HTTP 1.1
● resources identified by URIs
● representations of resources as JSON, XML or other formats
● uses HTTP methods GET, PUT, DELETE and POST for manipulating resources

REST (2)
● no IDL (Interface Description Language) so far
● API described in human natural language
  ○ e.g.
“image can be changed by HTTP PUT request to /image/{imageID}”
● Richardson Maturity Model
  ○ level 1 - resources identified by URIs
  ○ level 2 - use of HTTP methods as verbs
  ○ level 3 - HATEOAS (Hypertext As The Engine Of Application State)
  ○ level 3 introduces discoverability, making a protocol more self-documenting

HAL - Hypertext Application Language
● one of proposed standards for HATEOAS (level 3 in Richardson Maturity Model)
● format for JSON messages in REST APIs
  ○ every object has _links property with links to operations on the object or to other objects
  ○ collections are wrapped in _embedded
● supported by Spring HATEOAS Java library

HAL example (figure)

Mash ups
● combine data from various sources
● typically a Google map with some geospatial data
  ○ ships - http://www.marinetraffic.com/
  ○ aircraft - http://www.flightradar24.com/
(screenshots of www.marinetraffic.com and www.flightradar24.com)

Federated identity
● many authentication mechanisms were developed for the web
  ○ username+password (hard to remember)
  ○ X509 digital certificate (complicated to get)
  ○ digest, Kerberos etc. (not much support in browsers)
● users forget passwords to rarely used accounts
● in federated identity, account from one organisation can be reused at others
● identity providers
  ○ OpenID - MojeID.cz, anybody
  ○ SAML - in academia, Microsoft O365, Google Apps
  ○ OAuth - Google, Facebook, Twitter, ...
  ○ OpenID Connect - mix of OpenID and OAuth

OpenID versions 1 and 2
● obsolete
● introduced the idea of decentralized authentication protocol
● users were identified by URLs
● anybody could run an identity provider
● problem of trust
● only large identity providers like Google were trusted by service providers

SAML
● Security Assertion Markup Language
● introduced in 2001
● provides web browser single sign-on
● SAML document is XML containing user attributes signed by identity provider
● trust between identity providers and service providers is established using federations
● a federation publishes lists of trusted IdPs and SPs complying with federation’s policy
● WAYF - Where Are You From? service

OAuth
● open standard for authorization, commonly used as a way for Internet users to authorize websites or applications to access their information on other websites but without giving them the passwords
● can also be used for authentication
● more in separate slides

OpenID Connect
● promoted as third version of OpenID
● authentication layer built on top of OAuth 2.0
● OAuth used for authorization
● standardized UserInfo API
● OpenID used for user data items (email, full name, etc.)