
8. Advances in Web Engineering


Presentation Transcript


  1. 8. Advances in Web Engineering
  • SOA
  • Security for e-Commerce
  SWE 444 - Internet & Web Application Development

  2. Introduction to SOA Environments
  by Dennis Smith and Grace Lewis, Software Engineering Institute

  3. What is SOA?
  • Service-oriented architecture is a way of designing systems that enables
    • Cost-efficiency
    • Agility
    • Adaptability
    • Leverage of legacy investments

  4. Services
  • Services are reusable components that represent business tasks.
    • Customer lookup
    • Account lookup
    • Credit card validation
    • Credit check
    • Hotel reservation
    • Interest calculation
  • Services can be
    • Globally distributed across organizations
    • Reconfigured into new business processes

  5. Services and Cost-Efficiency
  Diagram: the CRM Application, the Order Processing Application and the Invoicing Application each carry their own copy of the same functionality (Customer Lookup - 1, Customer Lookup - 2, Customer Lookup - 3).
  • A service with equivalent functionality (Customer Lookup Service) can be implemented and used by all three applications.

  6. Services and Agility
  Diagram: the Order Processing Application and a new Course Management Application draw on the Customer Lookup Service, Credit Check Service, Item Lookup Service, Inventory Check Service and Room Availability Service.
  • The new application can easily use available services.
  • New services can be used by other applications as well.

  7. Services and Adaptability
  Diagram: the Order Processing Application reaches the Customer Lookup Service, Credit Check Service, Item Lookup Service and Inventory Check Service through the SOA Infrastructure.
  • The SOA Infrastructure provides a standard communication mechanism between applications and services.
  • Changes in services have potentially no impact on existing applications that use them.

  8. Services and Legacy Leverage
  Diagram: the Order Processing Application reaches the Customer Lookup Service, Credit Check Service, Item Lookup Service and Inventory Check Service through the SOA Infrastructure; the services in turn invoke the legacy Manufacturing System and Customer Management System.
  • The applications access the services in a standard way.
  • Legacy platform diversity and complexity is transparent to the application.
  • It is the service’s task to invoke the legacy system.

  9. Components of an SOA-Based System
  Diagram: Internal Users run Application X, Application Y and Application Z, which use Service A, Service B, Service C and Service D through the SOA Infrastructure (Development Tools, Security, Discovery); an External System reaches the services over the Internet; the services are implemented as Legacy or New Code and front an Enterprise Information System.

  10. In Summary …
  • SOA is an approach to software development where
    • Services provide reusable functionality with well-defined interfaces.
    • An SOA infrastructure enables discovery, composition and invocation of services.
    • Applications are built using functionality from available services.
  • If managed well, SOA adoption can lead to
    • Cost-efficiency
    • Agility
    • Adaptability
    • Leverage of legacy investments
  • The hard part is the “if managed well”.

  11. An SOA Provides The Complete Architecture For A System
  • SOA is an architectural pattern/style/paradigm and not the architecture of the system itself.
    • An architectural pattern provides guidance that embodies best practices.
    • The concrete elements and their interactions are the architecture of the system.
    • Any number of systems can be developed based on an architectural pattern.
  • An architecture based on SOA inherits both the good and the bad.
  • Corollary: SOA cannot be bought off-the-shelf.
    • System qualities have to be built into the architecture of the system.
    • Decisions have to be made—service design and implementation, technologies, tradeoffs.

  12. Using XML and WSDL Guarantees Interoperability Among Web Services Provided by Multiple Organizations
  • Web Services enable syntactic interoperability
    • XML Schema defines structure and data types
    • WSDL defines the interfaces: operations, parameters and return values
  • Web Services do not guarantee semantic interoperability
    • XML and WSDL do not define the meaning of data
    • WSDL does not define what a service does
  • How to describe the meaning of Web Service inputs and outputs in a formal manner
    • Active research area—unresolved issues
  • Interoperability needs agreement on both syntax and semantics

  13. It Is Easy To Develop Applications Based on Services
  • It is relatively easy to build services to work with a particular infrastructure … but designing a “good” service might not be that easy.
  • From an implementation standpoint
    • Ease depends on tool availability for the SOA infrastructure
    • There is plenty of guidance and excellent tool support to implement, deploy, and manage services for Web Services
    • The most difficult part is composition—data mismatches
  • From a design standpoint
    • Designing a service interface in a way that it can be used easily in many contexts is a much harder task.
    • Not many best practices for designing services
    • Have to anticipate potential users and usage patterns

  14. It is Easy to Compose Services Dynamically at Runtime
  • Current technologies have not advanced to the point that this is possible in production environments.
  • Requires the use of a common ontology by service providers and client applications within a domain
  • Requires the construction of extremely intelligent applications that
    • Construct the right queries for the discovery of services
    • Compose services when there is not a single service that can process the request
    • Provide the right data to invoke a service that was discovered at runtime

  15. Web Services
  • Web services are one mechanism for implementing an SOA-based system.
    • Service interfaces are described using Web Services Description Language (WSDL)
    • Data is transmitted using SOAP over HTTP
    • UDDI is optionally used as the directory service
  • Because it is the most common mechanism, it is often equated to SOA.

  16. Web Service Protocol Stack
  • The highlighted standards are the most commonly used
  • Most Web Service standards are emerging and even competing
  • Security, QoS, Transactions, and Management have to be addressed in all layers

  17. Web Services At Design Time
  • Bob exposes functionality in a system as a service (or creates a specific service) and places a WSDL document in an “accessible place”
  • Alice obtains the WSDL corresponding to Bob’s web service
  • Alice runs the WSDL document through tools that generate all the necessary message construction code (e.g. WSDL2Java)
  • Alice adds code to her application that executes the message construction code to connect to Bob’s web service and any additional code that uses the response obtained from Bob’s web service

  18. Web Services At Run Time
  Diagram: the HTTP Request from the User at Alice’s Application goes to the HTTP Server on Bob’s System, which makes the Call, receives the Return and sends the HTTP Response.
  1. User executes Alice’s application
  2. Application builds a SOAP message and sends it to Bob’s service via HTTP
  3. When Bob’s HTTP server sees a SOAP message it sends it to the SOAP engine
  4. SOAP engine parses the message and constructs the call to Bob’s system
  5. Bob’s system executes the invoked operation
  6. Bob’s system returns operation results
  7. SOAP engine builds response message and returns it via HTTP
  8. Alice’s application interprets response and displays results to the user.
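The run-time exchange above, as an added example that is not from the slides or the SEI authors: Alice's side builds the SOAP 1.1 request (step 2), Bob's SOAP engine parses it, checks it against the service contract before constructing the call (steps 3-7), and Alice's side interprets the response or fault (step 8). The operation name getCustBasicInfo(CustomerId) is taken from the granularity slides later in the deck; the service namespace, the customer-id format and the customer records are assumptions made up for this example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:order-management"                 # hypothetical namespace for Bob's service
NS = {"soap": SOAP_NS, "svc": SVC_NS}
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)

# Constructed sample data standing in for Bob's Order Management System.
CUSTOMERS = {"C1001": {"name": "Ada Lovelace", "tier": "gold"}}

# Steps 4-5: the only operations the SOAP engine may dispatch; anything else is a fault.
OPERATIONS = {"getCustBasicInfo": lambda cid: CUSTOMERS.get(cid)}
CUSTOMER_ID_RE = re.compile(r"C\d{4}")   # assumed id format, checked before the call is built


def build_request(operation, customer_id):
    """Step 2: Alice's application builds the SOAP request message."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    ET.SubElement(op, f"{{{SVC_NS}}}CustomerId").text = customer_id
    return ET.tostring(env, encoding="unicode")


def fault(code, reason):
    """SOAP 1.1 Fault; faultcode and faultstring are unqualified child elements."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    f = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(f, "faultcode").text = f"soap:{code}"
    ET.SubElement(f, "faultstring").text = reason
    return ET.tostring(env, encoding="unicode")


def handle_request(xml_text):
    """Steps 3-7: parse, validate against the contract, invoke Bob's system, build the response."""
    body = ET.fromstring(xml_text).find("soap:Body", NS)
    if body is None or len(body) != 1:
        return fault("Client", "Body must contain exactly one operation")
    op_el = body[0]
    if not op_el.tag.startswith("{"):
        return fault("Client", "Operation must be namespace-qualified")
    ns, _, op_name = op_el.tag[1:].partition("}")
    if ns != SVC_NS or op_name not in OPERATIONS:
        return fault("Client", "Unknown operation")
    cid = op_el.findtext("svc:CustomerId", default="", namespaces=NS)
    if not CUSTOMER_ID_RE.fullmatch(cid):
        return fault("Client", "Malformed CustomerId")
    result = OPERATIONS[op_name](cid)          # step 5: Bob's system executes the operation
    if result is None:
        return fault("Client", "No such customer")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    resp = ET.SubElement(body, f"{{{SVC_NS}}}{op_name}Response")
    for field, value in result.items():
        ET.SubElement(resp, f"{{{SVC_NS}}}{field}").text = value
    return ET.tostring(env, encoding="unicode")


def parse_response(xml_text):
    """Step 8: Alice's application interprets the response, raising on a SOAP Fault."""
    body = ET.fromstring(xml_text).find("soap:Body", NS)
    fault_el = body.find("soap:Fault", NS)
    if fault_el is not None:
        raise RuntimeError(fault_el.findtext("faultstring"))
    return {el.tag.partition("}")[2]: el.text for el in body[0]}
```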

  19. Static vs. Dynamic
  • With today’s technology, discovery and composition of services are done at design time—Static
    • Developer discovers services and obtains addresses
    • Developer writes code to invoke the services located at these addresses
  • There is a great amount of research to enable discovery and composition at runtime—Dynamic
    • Application discovers services and obtains addresses
    • Application contains code to invoke the discovered services and “knows” what information to provide
  • There are a lot of “In-Between” techniques
    • Application discovers services but requires user intervention to select services and provide the required information
    • Portals are configured such that “portlets” correspond to services

  20. In Summary …
  • Web Services are currently the most widely used approach to SOA implementation.
    • Basic infrastructure standards are fairly stable
    • Higher-level standards are still emerging
  • Web Services are not the only approach to SOA implementation.

  21. Components of an SOA-Based System
  • Services
  • Applications
  • SOA Infrastructure

  22. Our Scenario: SOA-Based System Components
  Diagram: Organization 1 runs a CRM Application, an Order Management System, a Financial System and an Order Processing Application on its SOA Infrastructure; across the Internet it reaches the Credit Card Validation System of Organization 2, the FedEx, UPS and DHL Shipping Systems, and the Order Placement Application of the Customer Organization.

  23. Distribution of SOA-Based System Development
  Diagram: a spectrum from Single Organization to Multiple Organizations, with examples including Organizational ESB, “Just-In-Time” Inventory Management, Incorporation of Map Data, Software as a Service and Net-Centric Operations.
  • On the left side of the spectrum all three types of components are developed within the same organization.
  • On the right side of the spectrum each type of component is developed by a different organization.
  • There are many possibilities in between.
  • As you move to the right, the challenges are greater.

  24. Application Developers 1
  • Focus on the discovery, composition and invocation of services, either statically at design time or dynamically at run time

  25. Application Developers 2
  Diagram: the scenario system of slide 22, annotated with the application developer’s tasks.
  The Application Developer needs to create a new application using the SOA approach … as well as if it needs to become a service provider itself
  1. Identify appropriate services (both internal and external) that can be reused
  2. Understand the interfaces in terms of the functionality and QoS provided by them
  3. Create the new system using as many existing services as possible
  4. The application needs to be architected in such a way that it can easily accommodate changes in services interfaces …

  26. Tasks for Application Developers
  • Understand the SOA infrastructure
  • Discover appropriate services to be incorporated into applications
  • Retrieve service description documentation
  • Invoke the identified services in applications
    • Data conversions
    • Error handling
    • Availability handling
  • Test the services for correctness in the context of the application being developed

  27. Service Developers
  • Focus on the description and granularity of services so that applications can easily locate and use them with acceptable Quality of Service (QoS)

  28. Service Developers
  Diagram: the scenario system of slide 22, annotated with the service developer’s tasks.
  1. Identify what existing business functionality can be exposed/reused as services
  2. Analyze service interface, functionality and QoS requirements for new consumer systems
  3. Anticipate requirements for future consumer systems and architect services in a scalable fashion
  4. Design, create and publish services to internal and external organizations

  29. Tasks for Service Developers
  • Understand requirements of potential service users
  • Understand SOA infrastructure
  • Develop code that receives the service request, translates it into calls into new or existing systems, and produces a response
  • Describe and publish the service
  • Develop service initialization code and operational procedures
  • Service-Level Agreements (SLAs) are a topic of current interest among service providers.

  30. Infrastructure Developers
  • Focus on providing a stable infrastructure
    • Standards
    • Common services
    • Development tools
  • NOTE: The Enterprise Service Bus (ESB) is an example of an infrastructure designed to support the SOA paradigm.

  31. Infrastructure Developers 2
  Diagram: the scenario system of slide 22, with the SOA Infrastructure’s common services (Security, Development Tools, Discovery, Service Registry) highlighted.
  • There are common services that are used by all applications
  • Infrastructure developers have to design, create and maintain these common services for both internal and external use (if required)

  32. Tasks for Infrastructure Developers
  • Selection of standards to implement as part of the infrastructure
  • Development of a set of common infrastructure services for discovery, communication, security, etc.
  • Identification and development of binding mechanisms to satisfy the largest set of potential service users
  • Provision of tools for application and service developers
  • Documentation and support for the infrastructure

  33. The Potential Problem
  • If the three types of components are developed within the same organization, the challenges are less.
    • Simpler communication between developers (or might even be the same developers)
  • However, it is becoming increasingly common for these three types of components to be developed independently by separate organizations.
    • Decisions made locally by any one of these development groups can have an effect on the other groups.

  34. Sample Consequences of Decisions: Service Granularity 1
  • The granularity of service interfaces can affect the end-to-end performance of an SoS (system of systems) because services are executed across a network as an exchange of a service request and a service response.
    • If service interfaces are too coarse-grained, clients will receive more data than they need in their response message.
    • If service interfaces are too fine-grained, clients will have to make multiple trips to the service to get all the data they need.

  35. Sample Consequences of Decisions: Service Granularity 2
  Diagram: the Order Management System’s interface, shown in two alternative designs.
  • The Order Management System can expose the business functionality of getting all the customer information in one call:
    [Basic Info, Order History, Pending Orders] getCustomerInfo( CustomerId )
  • Or the service can be more granular and provide three different operations, one for each type of information:
    CustInfo getCustBasicInfo( CustomerId )
    OrderHistory getOrderHistory( CustomerId )
    Order[] getPendingOrders( CustomerId )

  36. Sample Consequences of Decisions: Requirements 1
  • If service developers do not understand the functionality and QoS needs of potential users of services, they might end up developing and deploying services that are never used

  37. In Summary …
  • SOA-based systems are about more than just technology.
  • SOA-based systems development requires
    • Strategic approach to SOA implementation
      • Alignment with business goals
    • SOA governance
      • Policies, coordination and guidance for SOA infrastructure providers, service providers, and application developers
    • Realistic technology evaluation
      • Context-based technology evaluations
    • Change of mindset
      • Different development and implementation approach

  38. Security for e-Commerce

  39. Definition of e-Commerce
  • E-commerce involves digitally enabled commercial transactions between and among organizations and individuals
    • Digitally enabled transactions include all transactions mediated by digital technology
    • Commercial transactions involve the exchange of value across organizational or individual boundaries in return for products or services
  • e-Commerce vs. e-Business
    • E-Commerce: direct financial electronic transaction (e.g., ordering a book on Amazon.com)
    • E-Business: use of the Internet and the Web to better support any current manner of doing business.

  40. Seven Unique Features of e-Commerce
  • Is ubiquitous (available everywhere, all the time)
  • Offers global reach (across cultural/national boundaries)
  • Operates according to universal standards (lowers market entry for merchants and search costs for consumers)
  • Provides information richness (more powerful selling environment)
  • Is interactive (can simulate face-to-face experience, but on global scale)
  • Increases information density (amount and quality of information available to all market participants)
  • Permits personalization/customization

  41. Types of e-Commerce
  • Classified by nature of market relationship
    • Business-to-Consumer (B2C)
    • Business-to-Business (B2B)
    • Consumer-to-Consumer (C2C)
  • Classified by type of technology used
    • Peer-to-Peer (P2P)
    • Mobile commerce (M-commerce)

  42. Advantages
  • Quick
  • Easy
  • Time saver
  • Variety of choices
  • Comparison

  43. Disadvantages
  • Security --- very important
  • Speed of internet access
  • Malfunction of website
  • Physically touching the product
  • Shipping and handling
  • Who to deal with when customer is not satisfied

  44. Dimensions of e-Commerce Security
  • Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
  • Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
  • Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the Internet
  • Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
  • Privacy: ability to control use of information a customer provides about himself or herself to a merchant
  • Availability: ability to ensure that an e-commerce site continues to function as intended

  45. Dimensions of e-Commerce Security

  46. Security Threats in the e-Commerce Environment
  • Three key points of vulnerability:
    • Client
    • Server
    • Communications channel
  • Most common threats:
    • Malicious code
    • Hacking and cybervandalism
    • Credit card fraud/theft
    • Spoofing
    • Denial of service attacks
    • Sniffing
    • Insider jobs

  47. A Typical E-commerce Transaction

  48. Vulnerable Points in an e-Commerce Environment

  49. Technology Solutions
  • Protecting Internet communications (encryption)
  • Securing channels of communication (SSL, S-HTTP, VPNs)
  • Protecting networks (firewalls)
  • Protecting servers and clients

  50. Protecting Internet Communications: Encryption
  • Encryption: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
  • Purpose:
    • Secure stored information
    • Secure information transmission
  • Provides:
    • Message integrity
    • Nonrepudiation
    • Authentication
    • Confidentiality
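Added example, not from the slides: the four properties listed above come from different primitives, and this block shows which ones a shared-key message authentication code (HMAC-SHA256, here standing in for the cheapest building block) does and does not deliver for an order message between a shop and a payment gateway. The scenario, the message format and the key are constructed for the example; the confidentiality and nonrepudiation lines show the gaps that a cipher and a digital signature, respectively, exist to close.

```python
import hashlib
import hmac
import secrets

# Constructed scenario: shop and payment gateway share one secret key.
SHARED_KEY = secrets.token_bytes(32)


def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the receiver can check integrity and origin."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def accept(key: bytes, wire: bytes):
    """Return the message if its tag verifies, else None; verify before parsing."""
    message, sep, tag = wire.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return message


def demo():
    """Map the outcome onto the slide's four properties; every value should be True."""
    order = b"order=4711&amount=19.99&currency=USD"
    wire = protect(SHARED_KEY, order)
    tampered = wire.replace(b"amount=19.99", b"amount=1.99")
    other_key = secrets.token_bytes(32)
    forged = protect(SHARED_KEY, b"order=4711&amount=0.01&currency=USD")
    return {
        # Message integrity and authentication: genuine message accepted,
        # altered message and message under an unknown key rejected.
        "genuine_accepted": accept(SHARED_KEY, wire) == order,
        "tampered_rejected": accept(SHARED_KEY, tampered) is None,
        "wrong_key_rejected": accept(other_key, wire) is None,
        # No confidentiality: the amount is still readable on the wire,
        # so a cipher is needed on top of the MAC.
        "readable_on_wire": b"amount=19.99" in wire,
        # No nonrepudiation: whoever holds the shared key (the gateway
        # included) can produce a valid tag for an order the shop never sent,
        # which is why nonrepudiation needs a signature under a private key.
        "key_holder_can_forge": accept(SHARED_KEY, forged) is not None,
    }
```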
