Web Services and Open Source

Marketing phrases and commercial products dominate the discussion about Web Services. Magazines and portals describe new standards and buzzwords are coined by industry leaders. But, the open source community also has plenty to offer. In fact, a lot of commercial products are based on open source projects.

The purpose of this paper is to show that open source has something to offer when it comes to Web Services. This article is divided into two parts. Part one is about Web Services and open source in general. Part two presents specific open source tools.

Part I

An Open Source Stack

A complete stack for Web Services applications consists of an operating system, a database, an application server, a web server, a Servlet engine and a SOAP engine. Commercial Web Services products often cover several components of the stack. For example, from IBM, you can get everything from an operating system to a SOAP engine. Products like BEA's WebLogic Server cover everything from the application server to the SOAP engine to the business orchestration engine. Open source critics note that you need several different products to build a stack from open source components, then these components have to be integrated. For each component of the stack, you have to choose among several products. For example, Jakarta Tomcat or Jetty could be used as Web Containers. Suppose you decided to use Tomcat, then you have to choose among 47 versions (as of June 2004) available from the Jakarta website, including the archive. Thus, your complete stack could be:

Redhat Linux 8.0
MySQL 4.0
JBoss 3.2.4
Apache 2.0.49
Tomcat 5.0.25
Axis 1.1

It is unlikely that someone else will have a stack with exactly the same programs and version numbers as yours. As a result, there may be some incompatibilities and you would be the only one with this particular configuration. But the situation is not as bad as open source opponents would like us to believe. Because some software versions are more popular than others, there is actually only a small number of versions from which to choose. For production, you should rely on stable and popular versions. Bundles of open source software like the JBoss packages, including versions of an application server and a Web Container, make it easy to choose a working combination. JBoss also offers a whole stack containing a database, an application server, a Web container and a SOAP engine.

Open software is made with open standards in mind and interoperability is an important goal. Many developers work with open source products and report bugs, so interoperability problems are fixed early. In the case of an interoperability problem, the huge developer community can help find and fix the problem.

The Combination of Open Source and Commercial Products

Thanks to open standards, open source and commercial products can be combined in one stack. A typical stack might look like this:

Windows 2000 Server
Oracle database
JBoss application server
Tomcat Web Container
Axis SOAP engine

The user has the choice of using the best product- whether it is open source or payware. Products can even be replaced later if they fail or if a better product becomes available.

Interoperability

Web Services are about interoperability. In theory, all products should be able to communicate with one another. However, the diversity of products and standards impairs interoperability. It is impossible to determine which is more interoperable- commercial or open source Web Services software. Open source tools are often patched to be interoperable, but these patches are usually made after an incompatibility has already been detected. Prior to release, commercial products may be better tested against specifications and guidelines, like WS-I, to become branded.

Ease of Use

Open source projects are like text adventures- the documentation is scattered over several locations. The main documentation is often short and insufficient. Valuable information is buried in the source code and only available to experienced programmers. However, the community around the open source project is an abundant source of help. The archives of the mailing lists are full of information and questions posted are usually answered right away.

Closed source software is often accompanied by excellent documentation and step-by-step tutorials. Unlike open source products, almost all commercial Web Services products have easy-to-use graphical user interfaces and wizards. The learning curve is not very steep and an integrated product could often be mastered in a few days.

Although documentation and support are different for open and closed source, in general, it is not possible to say one is better than the other. Before choosing an open source product, it is a good idea to investigate the documentation, the activity on the mailing list and to see whether there are books about that product.

Part II: Open Source Projects

This section describes Web Services tools in the open source domain. The tools mentioned below do not present an exhaustive list, rather, they comprise a typical selection.

SOAP Engines

A SOAP engine is a server or library that enables communication over the SOAP protocol. There are open source SOAP engines for a lot of different programming languages and platforms. For some languages, only open source engines are available.

Apache Axis

Apache Axis is a SOAP implementation subject to the liberal Apache Software Foundation license. It can be used for the development of clients and servers and also for the development of other SOAP-based tools like Web Services Gateways and Firewalls. Axis supports the Java standards JAX-RPC and SAAJ. Enterprise JavaBeans can be deployed as Web Services. Several commercial and non-commercial products are either based on Axis or use Axis to support Web Services. Examples include Apple's WebObjects, Borland's JBuilder and Macromedia's JRun and Coldfusion.

Spheon JSOAP

JSOAP is a small and fast SOAP implementation for Java created by Florian Müller. The tool offers custom serializers, limited WSDL support and a graphical WSDL wizard.

gSOAP

gSOAP is a toolkit for the use and development of Web Services in C and C++. Thus, functionality in native libraries and legacy systems can be exposed as Web Services. gSOAP is compliant with the WS-I Basic Profile 1.0a and warns about potential interoperability issues during compile time. The toolkit uses streaming XML parsing techniques and is, therefore, very fast. Even on slow hardware, I experienced roundtrip times below three milliseconds- there is almost no difference compared to CORBA. The footprint of Web Services clients and servers using gSOAP can be quite small (less than 150 KBytes). gSOAP can be integrated into Apache HTTPD and Microsoft IIS Web servers. Or, the included standalone server can be used. To secure connections, gSOAP can communicate over HTTPS and support for WS-Security is in the works.

Security Solutions

In pre-SOAP times, messages were exchanged using complicated protocols and obscure messages. Encryption and signatures were not always necessary because it was hard to decipher, or even modify, a message. SOAP messages are XML documents that can be opened in an ordinary text editor. Compared to CORBA messages, which use the IIOP-protocol, SOAP messages are much easier for humans to comprehend. Additionally, SOAP messages can be modified using simple tools. SOAP messages are an invitation for hackers, especially when the messages travel across the Internet. Consequently, SOAP communication demands more security measures than other protocols.

It might seem odd to depend on an open source security solution at first. However, security leaks are detected and fixed more rapidly if the source code of a product is freely available. Linux is a popular example.

WSS4J

Apache is developing an OASIS Web Services Security (WS-Security) implementation as a subproject of its Web Services Functionality Extension (WSFX). WSS4J is a library that uses Apache Axis and Apache XML-Security projects.

openSAML

SAML is an OASIS standard that enables single sign-on for Web Services. It defines the format of XML messages containing authentication, attribute and authorization data. openSAML is comprised of a set of Java and C++ libraries which enable the parsing, creation and transport of SAML messages. Internet2 members have built openSAML as part of their work on the Shibboleth federation solution.

SourceID

Ping Identity Corporation offers its Federation Gateway software under a limited open source license. SourceID enables identity federation, single sign-on and cross-boundary security. Version 1.0 supports the SAML 1.0 and Liberty 1.1 standards. The next version 2.0 will support SAML 1.1, Liberty 2.0, OASIS Web Services Security, WS-Trust and WS-Federation. Implementations for Java and .NET are available. SourceID can be executed on Apache Tomcat, BEA WebLogic, IBM WebSphere and JBoss.

Apache XML Security

XML security is an Apache project aimed at providing an implementation for the W3C standards XML encryption and XML signature. An XML security library is already available and XML encryption is in beta status. Support for XML Key Management is planned.

Tools

Web Services are based on XML thus Web Services software has to process XML. XML messages have to be parsed and documents have to be transformed. The basic tools for parsing and transforming are XML parsers like Xerces and XSLT processors like Xalan. Much of this XML infrastructure consists of open source projects and many commercial vendors use this infrastructure to build their software.

jUDDI

jUDDI is Apache's implementation of the Universal Description, Discovery and Integration (UDDI) specification. It needs a relational database with JDBC support and a Servlet 2.3 conforming Web Container. jUDDI can be easily integrated with existing authentication systems.

Cladonia Exchanger XML Browser

The Exchanger XML Browser is a visualizer for XML documents. XML Elements can be associated with a "service" that renders the element using an interactive graphic. A SOAP envelope can be rendered as an envelope image. Clicking on the image will invoke the corresponding Web Service.

Apache Web Services FX

The Web Services Functionality Extensions consist of several subprojects which implement WS-* specifications. The Addressing subproject deals with WS-Addressing; Sandesha addresses WS-ReliableMessaging and the above-mentioned WSS4J is an implementation of Web Services Security aka WS-Security.

Summary

The software developer benefits from the choice of commercial and open source products. Open source projects for Web Services offer similar advantages and disadvantages as other open source projects. In the past, open source projects for Web Services have received less recognition than they deserved, but promising projects for Web Services security could change this.