RPC, RMI, SOA
Martin Kuba, ÚVT MU
Komunikace v distribuovaných
systémech
● z hlediska synchronnosti
○ synchronní – volající strana zastaví a čeká,
dokud nedostane odpověď
○ asynchronní – volající strana pokračuje v
práci, na příchod odpovědi je upozorněna
● z hlediska zajištění doručení zprávy
○ transientní (pomíjivá)
○ persistentní (vytrvalá)
● webové služby obvykle používají transientní
synchronní komunikaci, ale lze použít všechny
kombinace
RPC - Remote Procedure Calls
● distribuované systémy komunikují zasíláním zpráv
● vhodná abstrakce – RPC - Remote Procedure Calls
● např. DCE RPC, SUN RPC, …
● synchronní volání požadavek-odpověď
○ volaná procedura, parametry předávané hodnotou
○ návratové hodnoty
● IDL – Interface Definition Language
● klient a server stubs
○ volané jako běžné funkce v daném prog. jazyce
○ zajišťují marshalling/serializaci, komunikaci,
unmarshaling/deserializaci
RMI - Remote Method Invocation
● distribuované objektově-orientované systémy potřebují
předávat parametry odkazem
● distribuovaný objekt má stav a metody – interface, a
implementaci
● Remote Method Invocation - např. CORBA, Java RMI,
DCOM
● binární protokoly, Object Request Broker
● Java RMI umí předat objekt – stav i implementaci metod
SOA - Service Oriented Architecture
● RMI funguje jen v systémech pod centrální
správou, neškáluje na Internet-size
○ synchronní komunikace neškáluje
○ tight coupling, verzování a evoluce jsou
obtížné
○ distribuovanost nelze schovat (partial failure)
● SOA – Service Oriented Architecture
○ služby mají definovaný interface
○ interface je popsán zprávami, ne operacemi na
datových typech
○ služby lze nalézt (např. v adresáři)
SOA (2)
● rozdíl mezi OO a SOA
○ přehrávač CD poskytuje službu přehrání CD
○ různá kvalita služby ve walkmanovi nebo HiFi
věži
○ v objektově-orientovaném přístupu by každé
CD bylo dodáno s vlastním přehrávačem, ze
kterého by nešlo vyjmout
● SOA patrně lépe odpovídá způsobu, jímž jsou
organizovány lidské aktivity
Web services
Martin Kuba, ÚVT MU
A web service is a software system
designed to support interoperable
machine-to-machine interaction over a
network.
(W3C, Web Services Glossary)
Glossary
URL - Uniform Resource Locator
HTTP - Hypertext Transfer Protocol
HTML - Hypertext Markup Language
XML - Extensible Markup Language
GUI - Graphical User Interface
CGI - Common Gateway Interface
SSL/TLS - Secure Sockets Layer/Transport Layer Security
REST - Representational State Transfer
JSON - JavaScript Object Notation
AJAX - Asynchronous JavaScript and XML
Brief web services history
1989 - World Wide Web invented
1991 - HTTP 0.9 specified
1992 - Internet at Masaryk University :-)
1993 - first GUI web browser Mosaic
1993 - CGI interface for executing programs
1995 - JavaScript introduced by Netscape
1996 - SSL 3.0
1998 - XML 1.0
1998 - SOAP 1.1 by Microsoft
2003 - SOAP 1.2 by W3C (never used)
2004 - WS-Interoperability Basic Profile
Brief web services history (2)
2000 - REST defined by Roy Fielding
2001 - JSON format invented
2004 - GMail and Google Maps
2004 - Web 2.0 hype, wikis, mash-ups
2005 - AJAX (Asynchronous JavaScript)
2005 - Yahoo! offers JSON web services
2006 - OpenID 2.0
2008 - HTML5 (First Public Working Draft)
2010 - OAuth 1.0
2010 - mobile devices with Android
2012 - OAuth 2.0
Brief web services history (3)
2013 - responsive web design as answer to
mobile devices with differing screen sizes
2006-2013 - cloud computing (Amazon 2006,
Microsoft 2008, Google 2013)
2014 - HTML5 finalised
2014 - OpenID Connect
2015 - HTTP/2
2018 - TLS 1.3
My definition of a web service
web service client communicates with a web
server providing a web resource identified by a
URL, using HTTP protocol (optionally secured
by SSL/TLS) exchanging messages in XML or
JSON formats
this definition covers
● SOAP/WSDL services
● REST APIs
● dynamic web pages using AJAX
SOAP/WSDL web services
● SOAP was Simple Object Access Protocol
● WSDL is Web Service Description Language
● technology for remote procedure calls using
exchange of XML messages
● preferred in the enterprise world
● used in API of the Czech eGovernment’s
"Data Boxes"
● WS-Interoperability Basic Profile needed to
ensure interoperability
○ requires SOAP1.1
● many WS-* extensions
SOAP call
SOAP response
SOAP/WSDL web services (2)
● started as XML-based Remote Method
Invocation protocol
● changed to Remote Procedure Call protocol
(no objects - SOAP is not abbreviation)
● introduced own type system
○ big problems with compatibility
● later replaced by XML Schema type system
● main lesson - remote interfaces should be
defined by messages, not operations
SOAP versus REST
● enterprises prefer complicated stack
○ XML
○ SOAP, WSDL, WS-Interoperability
○ WS-* (WS-Security, WS-Addressing, ...)
○ persistent connections - queues
○ RPC based
○ complex tools and frameworks
● Internet crowd prefers simplicity
○ JSON
○ web APIs described as HTTP requests to URLs
○ AJAX in browsers
○ transient connections - TCP/IP, HTTP
○ scalable using REST
Web APIs
● well-known APIs
○ Google APIs (Calendar, GMail, Maps, ...)
○ Facebook API
○ Twitter API
○ based on HTTP+JSON+SSL+OAuth
● third party clients
○ web, mobile (Android, iOS, ...), desktop, embedded
● OAuth
○ developer registers an application at API provider
○ user authorises the application to use certain operations
in the API, giving the application a token
○ application uses the token to use the API on behalf of
the user
JSON - JavaScript Object Notation
● simple specs at http://json.org
● implemented parsers for every language
● native in web browsers
The same Google Cal event in XML
AJAX
● Asynchronous JavaScript And XML
● does not need XML, uses JSON often
● based on introduction of XMLHttpRequest
JavaScript object to web browsers around
the year 2006
● asynchronous request to web server
● response processed in JavaScript
● same-origin policy (protocol,host,port)
● Cross-origin resource sharing (CORS)
REST
● Representational State Transfer
● software architecture style for creating
scalable web services
● invented by Roy Fielding, author of HTTP 1.1
● resources identified by URIs
● representations of resources as JSON, XML or
other formats
● uses HTTP methods GET, PUT, DELETE and
POST for manipulating resources
REST (2)
● no IDL (Interface Description Language) so
far
● API described in human natural language
○ e.g. “image can be changed by HTTP PUT request
to /image/{imageID}”
● Richardson Maturity Model
○ level 1 - resources identified by URIs
○ level 2 - use of HTTP methods as verbs
○ level 3 - HATEOAS (Hypertext As The Engine Of
Application State)
○ level 3 introduces discoverability, making a protocol
more self-documenting
HAL - Hypertext Application Language
● one of proposed standards for HATEOAS
(level 3 in Richardson Maturity Model)
● format for JSON messages in REST APIs
○ every object has _links property with links to
operations on the object or to other objects
○ collections are wrapped in _embedded
● supported by Spring HATEOAS Java library
HAL example
Mash ups
● combine data from various sources
● typically a Google map with some geospatial
data
○ ships - http://www.marinetraffic.com/
○ aircrafts - http://www.flightradar24.com/
www.marinetraffic.com
www.flightradar24.com
Federated identity
● many authentication mechanisms were
developed for the web
○ username+password (hard to remember)
○ X509 digital certificate (complicated to get)
○ digest, Kerberos etc. (not much support in browsers)
● users forget passwords to rarely used accounts
● in federated identity, account from one
organisation can be reused at others
● identity providers
○ OpenID - MojeID.cz, anybody
○ SAML - in academia, Microsoft O365, Google Apps
○ OAuth - Google, Facebook, Twitter, ...
○ OpenID Connect - mix of OpenID and OAuth
OpenID versions 1 and 2
● obsolete
● introduced the idea of decentralized
authentication protocol
● users were identified by URLs
● anybody could run an identity provider
● problem of trust
● only large identity providers like Google were
trusted by service providers
SAML
● Security Assertion Markup Language
● introduced in 2001
● provides web browser single sign-on
● SAML document is XML containing user
attributes signed by identity provider
● trust between identity providers and service
providers is established using federations
● a federation publishes lists of trusted IdPs
and SPs complying with federation’s policy
● WAYF -Where Are Your From? service
OAuth
● open standard for authorization, commonly
used as a way for Internet users to authorize
websites or applications to access their
information on other websites but without
giving them the passwords
● can be also used for authentication
● more in separate slides
OpenID Connect
● promoted as third version of OpenID
● authentication layer built on top of OAuth 2.0
● OAuth used for authorization
● standardized UserInfo API
● OpenID used for user data items (email, full
name, etc.)