From Developer to Production, Promoting your WebServices
Gerard Davison : Senior Principal Software Engineer
JDeveloper WebServices
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
Presentation Agenda


•   Introduction

•   Policies
•   Publishing Services
•   Consuming Services
•   Conclusion



Introduction
Introduction
P is for promotion



• Make it easy to simplify deployments
• Focus on JAX-WS but a lot is applicable to JAX-RPC
  in WebLogic


           Dev        Test          Production
Introduction
E is for endpoints



• Need to use different instances of a web service in
  different contexts
   – Versioning a different problem
• Mock services for development
• “Real” services for production
   – Can alter real data
   – Can cost money per-transaction
Introduction
S is for security



• Web Service Security is like pick’n’mix
   – Likely to cause indigestion
   – Hard to move to a different shop once you’ve started.
• Can be hard to set up a dev / test / production env
• Less productive
• Policies are the key to making this easier
Introduction
Development

[Diagram labels: Client, Loan Approver, Credit Rating, Mock Rating]
Introduction
Testing

[Diagram labels: Client, Loan Approver, Credit Rating, Mock Rating, Secured]
Introduction
Production

[Diagram labels: Client, Loan Approver, Credit Rating, Mock Rating, Secured]



Policies Primer
Policies
WS-Policy



• A description of how to communicate
  – Stuff that happens to the message after you have sent it
• A meta pointer for other WS-* standards
• Cover a range of technologies
  –   WS-Addressing
  –   WS-Security
  –   WS-ReliableMessaging
  –   WS-TX
Policies
WS-Policy - Some namespaces



• wsp:
  – http://schemas.xmlsoap.org/ws/2004/09/policy
• wsu:
  – http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
• sp:
  – http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Policies
WS-Policy - Normal Form

<wsp:Policy>
 <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken
             sp:IncludeToken="http://docs.oasis-open.org/…">
             <wsp:Policy>
               <sp:WssUsernameToken10/>
             </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>
Policies
WS-Policy - Compact


<wsp:Policy>
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
        sp:IncludeToken="http://docs.oasis-open.org/…">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
Policies
WS-Policy - ID


<wsp:Policy name="UserNameToken" wsu:Id="SP1" >
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken
        sp:IncludeToken="http://docs.oasis-open.org/…">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
Policies
WS-Policy - Referenced From a WSDL




<wsdl:portType name="CreditRating"
  wsp:PolicyURIs="#SP1" >
  <wsdl:operation>…</wsdl:operation>
</wsdl:portType>
Policies
WS-Policy - Where does it get referenced


   Service Policy Subject          Service



   Endpoint Policy Subject         Port / Binding / PortType



   Operation Policy Subject        Binding.Operation /
                                   PortType.Operation

   Message Policy Subject          Input / Output / Fault /
                                   Message
Policies
WS-Policy



• Important for both publishing and consuming
• Can be named
• Can be managed at deploy time



Publishing Services
Publishing
Weblogic policies



• For JAX-WS only security policy at the moment
   – Use @Addressing for WS-Addressing policy
• For JAX-RPC also reliable messaging
• @Policies(@Policy(uri="policy:…."))
• weblogic-webservices-policy.xml in WEB-INF / META-INF
Publishing
Centralized configuration



• KeyStores, etc… are configured at the server level
• Allow you to assert rather than configure
• Different configuration at each level:
   – Dev - no security
   – QA - security using internal certificates
   – Deploy - security using “gold” certificates
Publishing
Annotation to “standard” policies




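import javax.jws.WebService;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

// The class only names the policy; keystores etc. are configured on the server
@WebService
@Policies(@Policy(uri="policy:SomePolicy.xml"))
public class Hello
{
   public String sayHello(String name)
   {
      return name;
   }
}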
Publishing
Deployment descriptor




<webservice-policy-ref …>
  <port-policy>HelloPort</port-policy>
  <ws-policy>
    <uri>policy:SomePolicy.xml</uri>
    <direction>both</direction>
  </ws-policy>
</webservice-policy-ref>
Publishing
Deployment Plan



•   JSR - 88
•   Weblogic xml file not standard
•   Also can override individual files
•   The key to dealing with promotion
•   No tooling in JDeveloper yet



Publishing Demo
Publishing
Summary



• A mix of deployment and environmental artifacts
• Security declaratively added at class level
• But the configuration done at domain level



Consuming Services
Consuming
Endpoints



• Abstract WSDL defines the service
• Concrete WSDL tells you where to find it.
• You often want to change location
  – Promotion
  – Or Multiple deployments in different environments
• But you want a static interface to program against
Consuming
Changing the endpoint




public void doSomething(…)
{
   CreditRating_Service crs = …
   CreditRating cr = crs.getCreditRatingPort();

   // Override the address taken from the WSDL for this port instance
   ((BindingProvider)cr).getRequestContext()
      .put(
        BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
        "http://…………");
}
Consuming
WSDLS



• WSDLs also contain policies
• Won’t be read if you just change the endpoint
• Can create a new service object
  – Expensive
• Better to use injection in EE case
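
The two points above (policies are attached to the WSDL through wsp:PolicyURIs, and they are not re-read when only the endpoint address is changed) can be checked before a promotion. The following is an added example, not code from the original deck: it compares the policy assertions attached in the WSDL a client was built from with those in the target environment's WSDL. The class name and both WSDL fragments are constructed for illustration; it resolves only same-document "#id" references against wsu:Id and needs Java 15+ for text blocks.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Added illustration (hypothetical class, constructed WSDL fragments).
public class PolicyDriftCheck {
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    static final String WSU =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A WSDL fetched from another environment is untrusted input: refuse DTDs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Maps each policy subject (e.g. "portType CreditRating") to its attached assertions. */
    static Map<String, Set<String>> effectivePolicies(String wsdl) throws Exception {
        Document doc = parse(wsdl);
        // Index every wsp:Policy that carries a wsu:Id so "#SP1" can be resolved.
        Map<String, Element> byId = new HashMap<>();
        NodeList policies = doc.getElementsByTagNameNS(WSP, "Policy");
        for (int i = 0; i < policies.getLength(); i++) {
            Element p = (Element) policies.item(i);
            String id = p.getAttributeNS(WSU, "Id");
            if (!id.isEmpty()) byId.put(id, p);
        }
        Map<String, Set<String>> result = new TreeMap<>();
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element subject = (Element) all.item(i);
            String uris = subject.getAttributeNS(WSP, "PolicyURIs");
            if (uris.isEmpty()) continue;
            Set<String> assertions = new TreeSet<>();
            for (String ref : uris.trim().split("\\s+")) {
                Element policy = ref.startsWith("#") ? byId.get(ref.substring(1)) : null;
                if (policy == null) assertions.add("UNRESOLVED " + ref); // dangling reference
                else collectAssertions(policy, assertions);
            }
            result.put(subject.getLocalName() + " " + subject.getAttribute("name"), assertions);
        }
        return result;
    }

    /** Collects every non-wsp element under a policy, i.e. the assertions themselves. */
    static void collectAssertions(Element policy, Set<String> out) {
        NodeList nodes = policy.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            if (!WSP.equals(e.getNamespaceURI()))
                out.add("{" + e.getNamespaceURI() + "}" + e.getLocalName());
        }
    }

    /** One finding per subject whose assertions differ between the two WSDLs. */
    static List<String> drift(String builtFrom, String target) throws Exception {
        Map<String, Set<String>> had = effectivePolicies(builtFrom);
        Map<String, Set<String>> needs = effectivePolicies(target);
        Set<String> subjects = new TreeSet<>(had.keySet());
        subjects.addAll(needs.keySet());
        List<String> findings = new ArrayList<>();
        for (String s : subjects) {
            Set<String> a = had.getOrDefault(s, Collections.emptySet());
            Set<String> b = needs.getOrDefault(s, Collections.emptySet());
            if (!a.equals(b))
                findings.add(s + ": client built with " + a + ", target attaches " + b);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed dev WSDL fragment: no policy attached (the "Dev - no security" case).
        String dev = """
            <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
              <wsdl:portType name="CreditRating"/>
            </wsdl:definitions>""";
        // Constructed production WSDL fragment: UsernameToken policy attached to the portType.
        String prod = """
            <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
              <wsp:Policy wsu:Id="SP1">
                <sp:SupportingTokens><wsp:Policy>
                  <sp:UsernameToken><wsp:Policy><sp:WssUsernameToken10/></wsp:Policy></sp:UsernameToken>
                </wsp:Policy></sp:SupportingTokens>
              </wsp:Policy>
              <wsdl:portType name="CreditRating" wsp:PolicyURIs="#SP1"/>
            </wsdl:definitions>""";
        // A non-empty result means an endpoint-only switch would skip policy the target expects.
        drift(dev, prod).forEach(System.out::println);
    }
}
```

A non-empty drift list is the signal to build a new service object from the target WSDL, or to use injection, rather than only overriding the endpoint address.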
Consuming
Injection and indirection


@WebServiceRef(name = "CreditRatingService")
CreditRating creditRatingPort;


<service-ref>
 <service-ref-name>CreditRatingService</service-ref-name>
 <service-interface>
   com.somecreditrating.xmlns.rating.CreditRating_Service</service-interface>
</service-ref>



Consuming Demo
Consuming
Security Tokens



• Simple .properties file in this example
• Should be using a Keystore
   – JCEKS rather than default JKS to store SecretKey instances
   – Still need to hard code a password but less open to brute
     force searching
• Possibly query WebLogic stores for environmental
  configuration
   – I’m still learning the stack
Consuming
Security Tokens : Storing

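 import java.security.KeyStore;
 import java.security.KeyStore.PasswordProtection;
 import java.security.KeyStore.SecretKeyEntry;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;

 KeyStore ks = KeyStore.getInstance("JCEKS");
 ks.load(null, keyStorePassword);   // null stream creates an empty keystore
 PasswordProtection keyStorePP = new
   PasswordProtection(keyStorePassword);

 // Wrap the service password (char[]) as a SecretKey so the keystore can hold it
 SecretKeyFactory factory =
   SecretKeyFactory.getInstance("PBE");
 SecretKey generatedSecret =
    factory.generateSecret(new PBEKeySpec(
      password));

 ks.setEntry(key, new SecretKeyEntry(
    generatedSecret), keyStorePP);

 ks.store(…, keyStorePassword);     // write the keystore to an OutputStream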
Consuming
Security Tokens : Retrieving

 KeyStore ks = KeyStore.getInstance("JCEKS");
 ks.load(…, keyStorePassword);
 PasswordProtection keyStorePP = new
   PasswordProtection(keyStorePassword);

 SecretKeyFactory factory =
   SecretKeyFactory.getInstance("PBE");

 // Read the entry back and unwrap the SecretKey into the original char[]
 SecretKeyEntry ske =
   (SecretKeyEntry)ks.getEntry(key, keyStorePP);
 PBEKeySpec keySpec = (PBEKeySpec)factory.getKeySpec(
     ske.getSecretKey(),
     PBEKeySpec.class);

 char[] password = keySpec.getPassword();
Consuming
Alternatives : Catalog file


@WebServiceRef(type = CreditRating_Service.class)
CreditRating creditRatingPort;


In WEB-INF or META-INF java-ws-catalog.xml

<catalog
   xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog"
   prefer="system">
    <system systemId="CreditRating.wsdl"
      uri="ExternalCreditRating.wsdl"/>
</catalog>
Consuming
Alternatives : UDDI



• Lookup service by UUID
   – UDDI 2.0 repository built in to weblogic
   – Just edit uddi.properties to enable
• BPEL has support for this directly
• For JAX-WS write your own code to lookup WSDL
• Some BPEL services do WSDL indirection
   – Only changes on the BPEL server
Consuming
Alternatives: DI, Spring


@AuthenticatedService("CreditRatingService")
CreditRating creditRatingPort;

// or

<bean id="CreditRatingService">

   …

</bean>
Consuming
Alternatives: Aspects

@WebServiceRef(type = CreditRating_Service.class)
@InjectionPoint(key = "Name")
CreditRating creditRatingPort;
//
public aspect InjectionProvider
{
   // Matches assignment to any field carrying both annotations;
   // args() binds the value being assigned, i.e. the injected port
   pointcut injectionPoint(Object port) :
      set(@WebServiceRef @InjectionPoint * *)
      && args(port);

    after(Object port) : injectionPoint(port) {
       BindingProvider bp = (BindingProvider) port;
       …
    }
}



Conclusion
Conclusion


• Understand and use policies

• Design from the start with promotion in mind
  – EE
  – DI
  – Home grown


• Managing security tokens is finicky
  – Store passwords in wallet or keystore
For More Information




• JDeveloper
  – http://www.oracle.com/technology/products/jdev/index.html
• Weblogic
  – http://www.oracle.com/technology/products/weblogic/index.html


• Your speaker
  – gerard.davison@oracle.com
     • http://kingsfleet.blogspot.com/
The preceding is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
From Developer to Production, Promoting your Webservices

More Related Content

Similar to From Developer to Production, Promoting your Webservices

Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-on
Matt Raible
 
Sustainable Agile Development
Sustainable Agile DevelopmentSustainable Agile Development
Sustainable Agile Development
Gabriele Lana
 
Moving applications to the cloud
Moving applications to the cloudMoving applications to the cloud
Moving applications to the cloud
Sergejus Barinovas
 
Engineering Velocity @indeed eng presented on Sept 24 2014 at Beyond Agile
Engineering Velocity @indeed eng presented on Sept 24 2014 at Beyond AgileEngineering Velocity @indeed eng presented on Sept 24 2014 at Beyond Agile
Engineering Velocity @indeed eng presented on Sept 24 2014 at Beyond Agile
KenAtIndeed
 
SQL Server 2008 Migration
SQL Server 2008 MigrationSQL Server 2008 Migration
SQL Server 2008 Migration
Mark Ginnebaugh
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
ConSanFrancisco123
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Atlassian
 
SEASR Installation
SEASR InstallationSEASR Installation
SEASR Installation
Loretta Auvil
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!
Taylor Lovett
 
Seminar - JBoss Migration
Seminar - JBoss MigrationSeminar - JBoss Migration
Seminar - JBoss Migration
Xebia IT Architects
 
Wicket Deliver Your Webapp On Time
Wicket Deliver Your Webapp On TimeWicket Deliver Your Webapp On Time
Wicket Deliver Your Webapp On Time
Will Hoover
 
Soroka Resume 2016 Rev.2
Soroka Resume 2016 Rev.2Soroka Resume 2016 Rev.2
Soroka Resume 2016 Rev.2
Andrew Soroka
 
Smart Client Development
Smart Client DevelopmentSmart Client Development
Smart Client Development
Tamir Khason
 
Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with KeptnJenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
Andreas Grabner
 
Asp.Net Mvc Dev Days09
Asp.Net Mvc Dev Days09Asp.Net Mvc Dev Days09
Asp.Net Mvc Dev Days09
Bruno Matos Tavares
 
Use Layered Model-Based Requirements to Achieve Continuous Testing
Use Layered Model-Based Requirements to Achieve Continuous TestingUse Layered Model-Based Requirements to Achieve Continuous Testing
Use Layered Model-Based Requirements to Achieve Continuous Testing
TechWell
 
Using Puppet - Real World Configuration Management
Using Puppet - Real World Configuration ManagementUsing Puppet - Real World Configuration Management
Using Puppet - Real World Configuration Management
James Turnbull
 
Cloud design pattern using azure
Cloud design pattern using azureCloud design pattern using azure
Cloud design pattern using azure
Karthikeyan VK
 

Similar to From Developer to Production, Promoting your Webservices (20)

Apache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-onApache Roller, Acegi Security and Single Sign-on
Apache Roller, Acegi Security and Single Sign-on
 
Sustainable Agile Development
Sustainable Agile DevelopmentSustainable Agile Development
Sustainable Agile Development
 
Moving applications to the cloud
Moving applications to the cloudMoving applications to the cloud
Moving applications to the cloud
 
Engineering Velocity @indeed eng presented on Sept 24 2014 at Beyond Agile
Engineering Velocity @indeed eng presented on Sept 24 2014 at Beyond AgileEngineering Velocity @indeed eng presented on Sept 24 2014 at Beyond Agile
Engineering Velocity @indeed eng presented on Sept 24 2014 at Beyond Agile
 
SQL Server 2008 Migration
SQL Server 2008 MigrationSQL Server 2008 Migration
SQL Server 2008 Migration
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
 
SEASR Installation
SEASR InstallationSEASR Installation
SEASR Installation
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!
 
Seminar - JBoss Migration
Seminar - JBoss MigrationSeminar - JBoss Migration
Seminar - JBoss Migration
 
Wicket Deliver Your Webapp On Time
Wicket Deliver Your Webapp On TimeWicket Deliver Your Webapp On Time
Wicket Deliver Your Webapp On Time
 
Soroka Resume 2016 Rev.2
Soroka Resume 2016 Rev.2Soroka Resume 2016 Rev.2
Soroka Resume 2016 Rev.2
 
Smart Client Development
Smart Client DevelopmentSmart Client Development
Smart Client Development
 
Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with KeptnJenkins Online Meetup - Automated SLI based Build Validation with Keptn
Jenkins Online Meetup - Automated SLI based Build Validation with Keptn
 
Asp.Net Mvc Dev Days09
Asp.Net Mvc Dev Days09Asp.Net Mvc Dev Days09
Asp.Net Mvc Dev Days09
 
Use Layered Model-Based Requirements to Achieve Continuous Testing
Use Layered Model-Based Requirements to Achieve Continuous TestingUse Layered Model-Based Requirements to Achieve Continuous Testing
Use Layered Model-Based Requirements to Achieve Continuous Testing
 
Using Puppet - Real World Configuration Management
Using Puppet - Real World Configuration ManagementUsing Puppet - Real World Configuration Management
Using Puppet - Real World Configuration Management
 
Cloud design pattern using azure
Cloud design pattern using azureCloud design pattern using azure
Cloud design pattern using azure
 

Recently uploaded

What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Ukraine
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
Sunil Jagani
 

Recently uploaded (20)

What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxAI in the Workplace Reskilling, Upskilling, and Future Work.pptx
AI in the Workplace Reskilling, Upskilling, and Future Work.pptx
 

From Developer to Production, Promoting your Webservices

  • 1.
  • 2. <Insert Picture Here> From Developer to Production, Promoting your WebServices Gerard Davison : Senior Principal Software Engineer JDeveloper WebServices
  • 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 4. Presentation Agenda • Introduction <Insert Picture Here> • Policies • Publishing Services • Consuming Services • Conclusion
  • 6. Introduction P is for promotion • Make it easy to simplify deployments • Focus on JAX-WS but a lot is applicable to JAX-RPC in WebLogic Dev Test Production
  • 7. Introduction E is for endpoints • Need to use different instances of a web service in different contexts – Versioning a different problem • Mock services for development • “Real” services for production – Can alter real data – Can cost money per-transaction
  • 8. Introduction S is for security • Web Service Security is like pick’n’mix – Likely to cause indigestion – Hard to move to a different shop once you’re started. • Can hard to set up a dev / test / production env • Less productive • Policies are the key to making this easier
  • 9. Introduction Development Mock Rating Loan Credit Client Rating Approver
  • 10. Introduction Testing Mock Rating Secured Loan Credit Client Rating Approver
  • 11. Introduction Production Mock Rating Secured Loan Credit Client Rating Approver
  • 13. Policies WS-Policy • A description of how to communicate – Stuff that happens to the message after you have sent it • A meta pointer for other WS-* standards • Cover a range of technologies – WS-Addressing – WS-Security – WS-ReliableMessaging – WS-TX
  • 14. Policies WS-Policy - Some namespaces • wsp: – http://schemas.xmlsoap.org/ws/2004/09/policy • wsu: – http://docs.oasis-open.org/wss/2004/01/oasis- 200401-wss-wssecurity-utility-1.0.xsd • sp: – http://schemas.xmlsoap.org/ws/2005/07/securit ypolicy
  • 15. Policies WS-Policy - Normal Form <wsp:Policy> <wsp:ExactlyOne> <wsp:All> <sp:SupportingTokens> <wsp:Policy> <sp:UsernameToken sp:IncludeToken=quot;http://docs.oasis- open.org/…quot;> <wsp:Policy> <sp:WssUsernameToken10/> </wsp:Policy> </sp:UsernameToken> </wsp:Policy> </sp:SupportingTokens> </wsp:All> </wsp:ExactlyOne> </wsp:Policy>
  • 16. Policies WS-Policy - Compact <wsp:Policy> <sp:SupportingTokens> <wsp:Policy> <sp:UsernameToken sp:IncludeToken=quot;http://docs.oasis- open.org/…quot;> <wsp:Policy> <sp:WssUsernameToken10/> </wsp:Policy> </sp:UsernameToken> </wsp:Policy> </sp:SupportingTokens> </wsp:Policy>
  • 17. Policies WS-Policy - ID <wsp:Policy name=“UserNameToken” wsu:id=“SP1” > <sp:SupportingTokens> <wsp:Policy> <sp:UsernameToken sp:IncludeToken=quot;http://docs.oasis- open.org/…quot;> <wsp:Policy> <sp:WssUsernameToken10/> </wsp:Policy> </sp:UsernameToken> </wsp:Policy> </sp:SupportingTokens> </wsp:Policy>
  • 18. Policies WS-Policy - Referenced From a WSDL <wsdl:portType name=”CreditRatingquot; wsp:PolicyURIs=quot;#SP1quot; > <wsdl:operation>…</wsdl:operation> </wsdl:binding>
  • 19. Policies: WS-Policy - Where does it get referenced
      • Service Policy Subject: Service
      • Endpoint Policy Subject: Port / Binding / PortType
      • Operation Policy Subject: Binding.Operation / PortType.Operation
      • Message Policy Subject: Input / Output / Fault / Message
  • 20. Policies: WS-Policy
      • Important for both publishing and consuming
      • Can be named
      • Can be managed at deploy time
  • 22. Publishing: WebLogic policies
      • For JAX-WS, only security policy at the moment
          – Use @Addressing for WS-Addressing policy
      • For JAX-RPC, also reliable messaging
      • @Policies(@Policy(uri="policy:…."))
      • weblogic-webservices-policy.xml in WEB-INF / META-INF
  • 23. Publishing: Centralized configuration
      • KeyStores, etc. are configured at the server level
      • Allows you to assert rather than configure
      • Different configuration at each level:
          – Dev - no security
          – QA - security using internal certificates
          – Deploy - security using “gold” certificates
  • 24. Publishing: Annotation to “standard” policies
        import javax.jws.WebService;
        import weblogic.jws.Policies;
        import weblogic.jws.Policy;

        // The policy is asserted on the class; it is not configured here.
        @WebService
        @Policies(@Policy(uri = "policy:SomePolicy.xml"))
        public class Hello {
            public String sayHello(String name) {
                return name;
            }
        }
  • 25. Publishing: Deployment descriptor
        <webservice-policy-ref …>
          <port-policy>HelloPort</port-policy>
          <ws-policy>
            <uri>policy:SomePolicy.xml</uri>
            <direction>both</direction>
          </ws-policy>
        </webservice-policy-ref>
  • 26. Publishing: Deployment Plan
      • JSR-88
      • WebLogic XML file, not standard
      • Can also override individual files
      • The key to dealing with promotion
      • No tooling in JDeveloper yet
  • 28. Publishing: Summary
      • A mix of deployment and environmental artifacts
      • Security declaratively added at class level
      • But the configuration is done at domain level
  • 30. Consuming: Endpoints
      • Abstract WSDL defines the service
      • Concrete WSDL tells you where to find it
      • You often want to change location
          – Promotion
          – Or multiple deployments in different environments
      • But you want a static interface to program against
  • 31. Consuming: Changing the endpoint
        public void doSomething(…) {
            CreditRating_Service crs = …;
            CreditRating cr = crs.getCreditRatingPort();
            // Point the existing port at another endpoint address.
            ((BindingProvider) cr).getRequestContext().put(
                BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                "http://…………");
        }
  • 32. Consuming: WSDLs
      • WSDLs also contain policies
      • Won’t be read if you just change the endpoint
      • Can create a new service object
          – Expensive
      • Better to use injection in EE case
  • 33. Consuming: Injection and indirection
        @WebServiceRef(name = "CreditRatingService")
        CreditRating creditRatingPort;

        <service-ref>
          <service-ref-name>CreditRatingService</service-ref-name>
          <service-interface>com.somecreditrating.xmlns.rating.CreditRating_Service</service-interface>
        </service-ref>
  • 35. Consuming: Security Tokens
      • Simple .properties file in this example
      • Should be using a Keystore
          – JCEKS rather than default JKS to store SecretKey instances
          – Still need to hard code a password but less open to brute force searching
      • Possibly query WebLogic stores for environmental configuration
          – I’m still learning the stack
  • 36. Consuming: Security Tokens : Storing
        import java.security.KeyStore;
        import java.security.KeyStore.PasswordProtection;
        import java.security.KeyStore.SecretKeyEntry;
        import javax.crypto.SecretKey;
        import javax.crypto.SecretKeyFactory;
        import javax.crypto.spec.PBEKeySpec;

        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, keyStorePassword);   // null stream: start from an empty keystore
        PasswordProtection keyStorePP = new PasswordProtection(keyStorePassword);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
        SecretKey generatedSecret = factory.generateSecret(new PBEKeySpec(password));
        ks.setEntry(key, new SecretKeyEntry(generatedSecret), keyStorePP);
        ks.store(…, keyStorePassword);
  • 37. Consuming: Security Tokens : Retrieving
        // Same imports as the storing slide.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(…, keyStorePassword);
        PasswordProtection keyStorePP = new PasswordProtection(keyStorePassword);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
        SecretKeyEntry ske = (SecretKeyEntry) ks.getEntry(key, keyStorePP);
        PBEKeySpec keySpec = (PBEKeySpec) factory.getKeySpec(
            ske.getSecretKey(), PBEKeySpec.class);
        char[] password = keySpec.getPassword();
  • 38. Consuming: Alternatives : Catalog file
        // value names the generated Service class; the field type is the port interface
        @WebServiceRef(value = CreditRating_Service.class)
        CreditRating creditRatingPort;

      In WEB-INF or META-INF, jax-ws-catalog.xml:

        <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" prefer="system">
          <system systemId="CreditRating.wsdl" uri="ExternalCreditRating.wsdl"/>
        </catalog>
  • 39. Consuming: Alternatives : UDDI
      • Lookup service by UUID
          – UDDI 2.0 repository built in to WebLogic
          – Just edit uddi.properties to enable
      • BPEL has support for this directly
      • For JAX-WS, write your own code to look up the WSDL
      • Some BPEL services do WSDL indirection
          – Only changes on the BPEL server
  • 40. Consuming: Alternatives: DI, Spring
        @AuthenticatedService("CreditRatingService")
        CreditRating creditRatingPort;

        // or

        <bean id="CreditRatingService"> … </bean>
  • 41. Consuming: Alternatives: Aspects
        @WebServiceRef(value = CreditRating_Service.class)
        @InjectionPoint(key = "Name")
        CreditRating creditRatingPort;

        public aspect InjectionProvider {
            // Matches assignment to any field carrying both annotations;
            // args() exposes the value being assigned, i.e. the injected port.
            pointcut injectionPoint(Object port) :
                set(@WebServiceRef @InjectionPoint * *) && args(port);

            after(Object port) : injectionPoint(port) {
                BindingProvider bp = (BindingProvider) port;
                …
            }
        }
  • 43. Conclusion
      • Understand and use policies
      • Design from the start with promotion in mind
          – EE
          – DI
          – Home grown
      • Managing security tokens is finicky
          – Store passwords in wallet or keystore
  • 44. For More Information
      • JDeveloper
          – http://www.oracle.com/technology/products/jdev/index.html
      • WebLogic
          – http://www.oracle.com/technology/products/weblogic/index.html
      • Your speaker
          – gerard.davison@oracle.com
      • http://kingsfleet.blogspot.com/
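Slides 31 and 32 note that overriding the endpoint address does not re-read the policies in the target's WSDL. The check below is an added example, not code from the presentation: it lists the policy attachments (wsp:PolicyURIs and wsp:PolicyReference) in two WSDLs and reports those the promoted service declares that the development one lacks. The class name PolicyDrift, the method attachedPolicies and both inline WSDL fragments are constructed for illustration, and only attachment references are compared, not policy contents.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class PolicyDrift {
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";

    /** Returns "element name -> policy URI" for every policy attachment in the WSDL. */
    static Set<String> attachedPolicies(String wsdl) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // WSDLs come from other parties: refuse DTDs so parsing cannot load external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList all = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(wsdl.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagNameNS("*", "*");
        Set<String> found = new TreeSet<>();
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            // Attribute form, as on slide 18: wsp:PolicyURIs="#SP1 #SP2"
            for (String u : e.getAttributeNS(WSP, "PolicyURIs").trim().split("\\s+")) {
                if (!u.isEmpty()) found.add(e.getLocalName() + " " + e.getAttribute("name") + " -> " + u);
            }
            // Element form: <wsp:PolicyReference URI="#SP1"/> nested in the policy subject
            if (WSP.equals(e.getNamespaceURI()) && "PolicyReference".equals(e.getLocalName())
                    && e.getParentNode() instanceof Element) {
                Element p = (Element) e.getParentNode();
                found.add(p.getLocalName() + " " + p.getAttribute("name") + " -> " + e.getAttribute("URI"));
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        String head = "<wsdl:definitions xmlns:wsdl='http://schemas.xmlsoap.org/wsdl/' xmlns:wsp='" + WSP + "'>";
        // Constructed samples: the mock used in development and the secured production service.
        String dev = head + "<wsdl:portType name='CreditRating'/></wsdl:definitions>";
        String prod = head + "<wsdl:portType name='CreditRating' wsp:PolicyURIs='#SP1'/></wsdl:definitions>";
        Set<String> missing = new TreeSet<>(attachedPolicies(prod));
        missing.removeAll(attachedPolicies(dev));
        // Anything left is declared by the target but unknown to a port built from the dev WSDL.
        System.out.println(missing.isEmpty() ? "policies match"
                : "re-create the port from the target WSDL; missing: " + missing);
    }
}
```

A non-empty result means changing only ENDPOINT_ADDRESS_PROPERTY is not enough; the port has to be built or injected from the target WSDL so that its policies are applied.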