Tom Richards .NET Weblog

WSDL modifications for ws-policy

In my quest to understand “advanced“ webservice I have wanted to understand how to tell a client app about my service, beyond the VS.NET basics.  WS-Policy has what I need but I wanted to add something to the wsdl rather than just having a separate policy.xml file that my docs refer to.

I have been trying to figure out how to do this using WSE.  The starting point is this blog by John Bristowe.

http://www.bristowe.com/blog/CommentView.aspx?guid=e61e7164-ce75-4ca2-94e8-1eedc95f7077

I have “stolen” his code, modified it somewhat and have tried to get it to work.  The webservice runs but doesn't call the ServiceDescriptionFormatExtension class

I have the following in my web.config.  I obviously need to start particpating in the dotnet.framework.webservices.enhancements news group.  I'm not getting anywhere by myself.

<system.web>

<webServices>

<serviceDescriptionFormatExtensionTypes>

<add type="WS_Policy.UsingPolicyFormatExtension, WS-Policy,Version=1.1.1.1, Culture=neutral, PublicKeyToken=A08168192A570B44" />

</serviceDescriptionFormatExtensionTypes>

"Advanced" webservices

Like I've mentioned before, I have been trying to get beyond the VS.NET wizard idea of webservices.  I have incorporated some WS-Securiy and have moved on to WS-Trust and others.

Besides all the Understanded ws-policy articles and the standard a good article is:

http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnwebsrv/html/wsoverview.asp

Somehow I hadn't put the idea of  “composability” into my webservice efforts.  Makes more sense.  This is one of the problems in trying to learn this stuff by your self - no one to share ideas with.

WS-Security, WSE and other standards

I had good feedback on my last post regarding WS-Security.  My project is not “real-world” in that it is just academic - my learning project. I wanted to explore WebService life beyond the VS.NET wizard so I'm doing all kinds of things that I wouldn't necessarily do in real life.

Some of the objects of this project are:

• Find something interesting enough that I will pursue it on my own time.
• Go beyond the basic VS.NET wizard generated “RPC“ like webservices
• Learn more WSDL and how to extend it
• Message based webservices using industry standard schemas and wsdl.
• UDDI
• Learn WS-XYZ standards - at the WS-Security, WS-Attachment level
• I would really like to get a handle on “best practices“ - part of standards I hope.
• Interop with Java, other clients and web services.   The WS-I basic profile stuff.
• ... more

I think that I'm doing fairly well. I get stuck on certain things and then make a jump forward.  

Still more on WSE and WS-Security

The wse 2.0 samples have helped tremendously.  The ws-security is beginning to make some sense.  I am still having trouble with some of the samples, especially those involving X509. I think that is user error.  I don't really need to encrypt the messages but I want to know - so I will make the WSE samples work.

I was confused about how the password digest was created.  There was a comment in one of the articles I read about it being the hash of a combination of the password, nonce and creation date. I finally found a spec at http://www.oasis-open.org/committees/wss/documents/WSS-Username-11.pdf

A tool that I've found very useful is SoapScope at http://www.mindreef.com.  I purchased a copy to help me look at messages and it's been worth it.

I have implemented username signing in my DosEquis “learning” project.  I already had an authentication scheme in place using a custom soap header, ala Yasser Shohoud' book.

One thing that I don't understand though is how a person perusing my web service site or wsdl would know about ws-security.  I was looking at the microsoft.com webservice stuff and was wondering the same thing.  If my client app had obtained a reference to a webservice via UDDI how would it know or be able to find out.  More things that I don't understand about “real-world” webservices.

The next big thing is to start working with DIME.  My DosEquis project will be collecting, processing and returning large amounts of data.

I also plan to start using the WS-I tools on my webservices.  I have listened to Yasser Shohoud's web cast http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20030724WEBSVCSYS/manifest.xml and just need to “code“.

More wse and Ws-Security

I moved on to the wse samples (UsernameSigningService) and found the problem described in my last post.  I will go thru the samples before trying any more experiments. 

As I said RTM.

WS-Security and WSE Experiments

Installing the ms webservices sdk got me thinking about ws-security.  I've read a number of articles and tried to read the spec but really needed to code.

So I started with WS-Security Authentication and Digital Signatures with Web Services Enhancements http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/wssecauthwse.asp

I built a simple webservice and test client based on the code in the article.  Didn't work because the service isn't getting a SoapContext, ie

(I wish I knew how to insert code snippets so they would look better)

[WebMethod]

public string HelloWorld()

{

string response = "";

SoapContext reqContext = RequestSoapContext.Current;//wse 2.0

if(reqContext == null)

{

throw new ApplicationException("Non-SOAP request");

}

Always throws.  The client code is just:

Test1.localhost.SvcWse svc = new Test1.localhost.SvcWse();

UsernameToken userTok = new UsernameToken("Username", "Password", PasswordOption.SendHashed);

svc.RequestSoapContext.Security.Tokens.Add(userTok);

svc.Url = "http://trichards/WS-Security_Svc1/Svc.asmx";

Console.WriteLine(svc.HelloWorld());

More RTM is required.  Not asking for help here.  This is just part of the learning process.  Sometimes I just need to play around for a while and then re-read what I thought that I had read.

Microsoft.com WebServices

I have been on a quest to find “real-world“ examples of significant web services.  I have looked at an played with google and amazon's web service sdks.  Now I have something from MS:

http://msdn.microsoft.com/webservices/building/livewebservices/mscomservices/default.aspx

The SDK seemed to install on my work computer fine but didn't really.  The help doesn't work.

All went well at home though, on both an XP and Win2003 machines, using VS.NET 2003. except that I didn't realize that WSE 1.0 must be installed - I had 2.0.  After that the the examples all worked well and were interesting to play with.  I have downloaded WSE, but hadn't really done anything yet.  I also have looked at a number of WS-Security articles. 

These are things that I “need to know” but haven't found time - we have been releasing a Beta at work.   Need to get back to priorities.

More real world web services ...

In my last entry I mentioned something about using industry standard data type and messages.  Also I mentioned the great article “Web Services are not Distributed Objects” http://weblogs.cs.cornell.edu/AllThingsDistributed/archives/000120.html, Yasser Shohoud's book on Interface based web services,  and some of his other articles  and thought I was on to something regarding the “real world”.  I also have read the “At your service“ articles on Industry Standard WSDL http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservice/html/service02062002.asp At my work, our application makes heavy use of web services. These services are based on VS.NET wizard generated code: you create a service (object?) and add a bunch of methods to it.  Seems kind of RPCish?

I am interested in data acquisition stuff and looked at what the process control industry is doing.  In particular, OPC (http://opcfoundation.org)  I requested and received access to the new XML Data Access spec and retrieved a wsdl document for the xmlda service.  Looking at it I was surprised to find that they are also using a remote object rpc style.  The soap is document/literal, I'm talking about the way a developer looks at the code.  Create a proxy object and call methods on it.  One method (Browse) has 16 arguments, some of them are out types.  I would have thought that a better way would be to create the a Browse query xml message, a browser query response using xml schemas and go from there.  This is the path I was headed down on my “learning“ project anyway. 

Any way I guess the real world is still operating differently than I thought or hoped.  Unfortunately, I'm not a member of OPC and there is no one here that is interested in going beyond what we have done with web services.  I'd love to get into discussions with someone.  Need to get out more I guess.

Real World Web Services

Title stolen from Yasser Shohoud's book “Real World XML Web Services”, which is kinda my bible right now. In particular, Chapter 8: Interface-Based Web Service Development. This chapter has taught be a lot about what web services really are: beyond the VS.NET wizard generated ones that I've done - mostly an RPC style.  Create a server object and basically make it available to the client. 

Creating, or rather, re-using “standard” data definitions and message is very appealing.  My project is an attempt to convert a distributed data acquistion system that I did in Corba to .NET.  The application didn't use industry standard definitions for sensors, data, messages and API's because they really didn't exist or were “emerging”.  One of the standards organization OPC (Ole for Process Control) is coming out with XML based standards.  My plan is to use OPC supplied schemas in their XMLDA spec.  Another standard set is SensorML. 

I integrate these standards into my project and now see how to do it - or at least starting to.  Starting from VS.NET, creating a web service, adding various attributes to the methods and hand editing the wsdl and xsd files is crude but does work. 

I like the idea of designing data and messages first, especially using industry standard schemas.  I also like the idea of being able to validate messages. 

I think that I'm starting to understand what web services are really about - not RPC or distributed objects.  One good article that I found today is http://weblogs.cs.cornell.edu/AllThingsDistributed/archives/000120.html

The last time that I mentioned standards in my blog, I was basically told to forget them and just code.  I know how to code but am trying to learn better ways to do things that I've done. I've got a lot of reasons for working on my project, coding C# is not one of them - I do that all day at a different level.

MCSD ?

I am pretty old for this profession - I laugh (sadly) when I read about others turning 40.  I've been doing that for more years that I want to remember.

I have my DosEquis learning project to force me to learn more .NET that just the VS.NET way and this is working.

I also need to focus on things that the "young" guys aren't interested in.  My previous work has usually been hardware/embedded and embedded mixed with windows servers.

At work, I am the build master, configuration and deployment person.  I have written a lot of tools to support this.  Also I have been the general purpose solver of a lot of technical problems with our product.  Learned a lot and I don't think that there that there was a lot of interest in what I was doing as long as it works.

Anyway, I need to find more ways to stand apart from kids.  Luckily I get interested in most everything.

I have an MCSE, which was useful at a previous company, and am thinking about MCSD, whether it would be useful or not.  Wouldn't or shouldn't hurt.