RPC, RMI, SOA
Martin Kuba, ÚVT MU

Communication in distributed systems
● by synchronicity
  ○ synchronous – the calling side stops and waits until it receives a response
  ○ asynchronous – the calling side continues its work and is notified when the response arrives
● by delivery guarantee
  ○ transient
  ○ persistent
● web services usually use transient synchronous communication, but all combinations can be used

RPC - Remote Procedure Calls
● distributed systems communicate by sending messages
● a suitable abstraction – RPC - Remote Procedure Calls
● e.g. DCE RPC, SUN RPC, …
● synchronous request-response call
  ○ called procedure, parameters passed by value
  ○ return values
● IDL – Interface Definition Language
● client and server stubs
  ○ called like ordinary functions in the given programming language
  ○ take care of marshalling/serialization, communication, unmarshalling/deserialization

RMI - Remote Method Invocation
● distributed object-oriented systems need to pass parameters by reference
● a distributed object has state, methods (its interface) and an implementation
● Remote Method Invocation - e.g. CORBA, Java RMI, DCOM
● binary protocols, Object Request Broker
● Java RMI can pass an object – both its state and the implementation of its methods

SOA - Service Oriented Architecture
● RMI works only in systems under central administration; it does not scale to Internet size
  ○ synchronous communication does not scale
  ○ tight coupling - versioning and evolution are difficult
  ○ distribution cannot be hidden (partial failure)
● SOA – Service Oriented Architecture
  ○ services have a defined interface
  ○ the interface is described by messages, not by operations on data types
  ○ services can be discovered (e.g. in a directory)

SOA (2)
● difference between OO and SOA
  ○ a CD player provides the service of playing a CD
  ○ different quality of service in a walkman or in a HiFi tower
  ○ in the object-oriented approach, every CD would be delivered with its own player, from which it could not be removed
● SOA probably corresponds better to the way human activities are organised
● loose coupling - independent evolution of clients and services operated by different organisations

Web services
Martin Kuba, ÚVT MU
PA160 lecture, spring 2020

A web service is a software system designed to support interoperable machine-to-machine interaction over a network. (W3C, Web Services Glossary)

Glossary
URL - Uniform Resource Locator
HTTP - Hypertext Transfer Protocol
HTML - Hypertext Markup Language
XML - Extensible Markup Language
GUI - Graphical User Interface
CGI - Common Gateway Interface
SSL/TLS - Secure Sockets Layer/Transport Layer Security
REST - Representational State Transfer
JSON - JavaScript Object Notation
AJAX - Asynchronous JavaScript and XML

Brief web services history
1989 - World Wide Web invented
1991 - HTTP 0.9 specified
1992 - Internet at Masaryk University :-)
1993 - first GUI web browser Mosaic
1993 - CGI interface for executing programs
1995 - JavaScript introduced by Netscape
1996 - SSL 3.0
1998 - XML 1.0
1998 - SOAP 1.1 by Microsoft
2003 - SOAP 1.2 by W3C (never used)
2004 - WS-Interoperability Basic Profile

Brief web services history (2)
2000 - REST defined by Roy Fielding
2001 - JSON format invented
2004 - GMail and Google Maps
2004 - Web 2.0, wikis, mash-ups
2005 - AJAX (Asynchronous JavaScript)
2005 - Yahoo! offers JSON web services
2006 - OpenID 2.0
2008 - HTML5 (First Public Working Draft)
2010 - OAuth 1.0
2010 - mobile devices with Android
2012 - OAuth 2.0

Brief web services history (3)
2013 - responsive web design as an answer to mobile devices with differing screen sizes
2006-2013 - cloud computing (Amazon 2006, Microsoft 2008, Google 2013)
2014 - HTML5 finalised
2014 - OpenID Connect
2015 - HTTP/2, JSON Web Tokens
2016 - OpenAPI (Swagger)
2018 - TLS 1.3

My definition of a web service
A web service client communicates with a web server providing a web resource identified by a URL, using the HTTP protocol (optionally secured by TLS), exchanging messages in XML or JSON formats.
This definition covers
● SOAP/WSDL services
● REST APIs
● dynamic web pages using AJAX

SOAP/WSDL web services
● SOAP was Simple Object Access Protocol
● WSDL is Web Service Description Language
● technology for remote procedure calls using an exchange of XML messages
● preferred in the enterprise world
● used in the API of the Czech eGovernment's "Data Boxes"
● WS-Interoperability Basic Profile needed to ensure interoperability
  ○ requires SOAP 1.1
● many WS-* extensions

SOAP call

SOAP response

SOAP/WSDL web services (2)
● started as an XML-based Remote Method Invocation protocol
● changed to a Remote Procedure Call protocol (no objects - SOAP is not an abbreviation any more)
● introduced its own type system
  ○ big problems with compatibility
● later replaced by the XML Schema type system
● main lesson - remote interfaces should be defined by messages, not operations

SOAP versus REST
● enterprises prefer a complicated stack
  ○ XML
  ○ SOAP, WSDL, WS-Interoperability
  ○ WS-* (WS-Security, WS-Addressing, ...)
  ○ persistent connections - queues
  ○ RPC based
  ○ complex tools and frameworks, need an IT department
● the Internet crowd prefers simplicity
  ○ JSON
  ○ web APIs described as HTTP requests to URLs
  ○ AJAX in browsers
  ○ transient connections - TCP/IP, HTTP
  ○ scalable using REST

Web APIs
● well-known APIs
  ○ Google APIs (Calendar, GMail, Maps, ...)
  ○ Facebook API
  ○ Twitter API
  ○ based on HTTP+TLS+JSON+OAuth
● third party clients
  ○ web, mobile (Android, iOS, ...), desktop, embedded
● OAuth
  ○ the developer registers an application at the API provider
  ○ the user authorises the application to use certain operations in the API, giving the application a token
  ○ the application uses the token to use the API on behalf of the user

JSON - JavaScript Object Notation
● simple specs at http://json.org
● parsers implemented for every language
● native in web browsers

The same Google Cal event in XML

AJAX
● Asynchronous JavaScript And XML
● (Ajax was a Greek mythological hero)
● AJAX does not need XML, it mostly uses JSON
● enabled by the introduction of the XMLHttpRequest JavaScript object to web browsers around the year 2006
● asynchronous request to the web server
● response processed in JavaScript
● same-origin policy (protocol, host, port)
● Cross-origin resource sharing (CORS)

REST
● Representational State Transfer
● software architecture style for creating scalable web services
● invented by Roy Fielding, author of HTTP 1.1
● resources identified by URIs
● representations of resources as JSON, XML or other formats
● uses the HTTP methods GET, PUT, DELETE and POST for manipulating resources

REST API Descriptions
● API described in human natural language
  ○ e.g. "image can be changed by HTTP PUT request to /image/{imageID} with the image in request body"
● WSDL 2.0 defined in 2007, but never used
● OpenAPI since 2016
  ○ machine-processable description of REST interfaces
  ○ a form of IDL (Interface Description Language)
  ○ written in the YAML language, which is a more human-readable superset of JSON

OpenAPI
● "machine-readable interface files for describing, producing, consuming, and visualizing RESTful web services"
● developed since 2010 as Swagger, renamed to OpenAPI in 2016
● version 3.0.0 released in 2017
● latest version 3.0.2 released in 2018
● API description in the file openapi.yml
● the tool OpenAPI Generator can generate clients in about 40 programming languages

Java client library generated by OpenAPI Generator

Python client library generated by OpenAPI Generator

Mash ups
● combine data from various sources
● typically a Google map with some geospatial data
  ○ ships - http://www.marinetraffic.com/
  ○ aircraft - http://www.flightradar24.com/

Federated identity
● many authentication mechanisms were developed for the web
  ○ username+password (hard to remember)
  ○ X509 digital certificate (complicated to get)
  ○ digest, Kerberos etc. (not much support in browsers)
● users forget passwords to rarely used accounts
● in federated identity, an account from one organisation can be reused at others
● protocols and identity providers:
  ○ OpenID - MojeID.cz, anybody (obsolete)
  ○ SAML - in academia, Microsoft O365, Google Apps
  ○ OAuth - Google, Facebook, Twitter, ...
  ○ OpenID Connect - mix of OpenID and OAuth

OpenID versions 1 and 2
● obsolete
● introduced the idea of a decentralized authentication protocol
● users were identified by URLs
● anybody could run an identity provider
● problem of trust
● only large identity providers like Google were trusted by service providers

SAML
● Security Assertion Markup Language
● introduced in 2001
● provides web browser single sign-on
● a SAML document is XML containing user attributes signed by an identity provider
● trust between identity providers (IdP) and service providers (SP) is established using federations
● a federation publishes a list of trusted IdPs and SPs complying with the federation's policy
● WAYF - Where Are You From? service

OAuth
● open standard for authorization, commonly used as a way for Internet users to authorize websites or applications to access their information on other websites, but without giving them the passwords
● can also be used for authentication
● more in separate slides

OpenID Connect
● promoted as the third version of OpenID
● authentication layer built on top of OAuth 2.0
● OAuth used for authorization
● standardized UserInfo API
● OpenID used for user data items (email, full name, etc.)

JWT - JSON Web Tokens
● RFC 7515 - JSON Web Signature
  ○ ..
  ○ all 3 parts are base64-encoded, safe for URLs
  ○ is JSON metadata identifying the signing key
● RFC 7519 - JSON Web Tokens
  ○ JWS with JSON payload

JSON Web Token example
https://jwt.io/
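The RPC slides describe client and server stubs that are called like ordinary functions but actually marshal the call into a message, send it, and unmarshal the reply. The following toy RPC is an added example written for this page; it is not code from the lecture. It assumes JSON as the wire format and an in-memory function call as the transport (standing in for a socket), and its procedure names and sample data are constructed. It also shows the two consequences the slides mention: parameters are passed by value (the caller's list is not modified), and a server stub has to treat a malformed message as a bad request rather than crash.

```python
"""Toy RPC with client and server stubs (added example, not from the lecture).
Wire format: JSON.  Transport: a direct function call standing in for a socket."""
import json
from typing import Any, Callable, Dict, List

# --- server side -----------------------------------------------------------
# The exported procedures.  In a real system their signatures would be declared
# in an IDL file and the stubs generated from it.
def add(a: int, b: int) -> int:
    return a + b

def append_item(items: List[str], item: str) -> List[str]:
    items.append(item)      # mutates only the server's unmarshalled copy (pass by value)
    return items

PROCEDURES: Dict[str, Callable[..., Any]] = {"add": add, "append_item": append_item}

def server_stub(request_bytes: bytes) -> bytes:
    """Unmarshal the request, dispatch to the named procedure, marshal the reply."""
    try:
        request = json.loads(request_bytes.decode("utf-8"))
        name = request["procedure"]
        if name not in PROCEDURES:
            reply = {"error": f"unknown procedure {name!r}"}
        else:
            reply = {"result": PROCEDURES[name](*request["params"])}
    except (ValueError, KeyError, TypeError) as exc:
        # A malformed or mistyped message must not take the server down.
        reply = {"error": f"bad request: {exc}"}
    return json.dumps(reply).encode("utf-8")

# --- client side -----------------------------------------------------------
class RpcError(Exception):
    """Raised in the caller when the server reports an error."""

class ClientStub:
    """Looks like a local object; every attribute access becomes a remote call."""
    def __init__(self, transport: Callable[[bytes], bytes]):
        self._transport = transport

    def __getattr__(self, name: str) -> Callable[..., Any]:
        def call(*params: Any) -> Any:
            msg = json.dumps({"procedure": name, "params": list(params)})
            reply = json.loads(self._transport(msg.encode("utf-8")))
            if "error" in reply:
                raise RpcError(reply["error"])
            return reply["result"]
        return call

def demo():
    """Constructed usage: returns (sum, caller's list, server's returned list)."""
    remote = ClientStub(transport=server_stub)
    total = remote.add(2, 3)
    local_list = ["a"]
    returned = remote.append_item(local_list, "b")   # local_list stays ["a"]
    return total, local_list, returned

if __name__ == "__main__":
    print(demo())
```

The point to notice is the `local_list` result: because the stub serialised the list into the message, the server appended to its own copy and the caller's object is untouched, which is exactly why RMI-style systems need pass-by-reference for distributed objects.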
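The AJAX slide names the same-origin policy (protocol, host, port) and CORS as the mechanism that relaxes it. The following is an added example, not code from the lecture: it computes an origin the way a browser does and applies the CORS response-header rules that decide whether script on one page may read a response from another origin. The URLs and header sets are constructed; the rules themselves (exact origin match or `*`, and no `*` when credentials are sent) are those of the CORS specification.

```python
"""Same-origin and CORS response checks (added example, not from the lecture)."""
from typing import Mapping, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url: str) -> Tuple[str, str, int]:
    """An origin is the triple (scheme, host, port); a missing port means the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, host, port

def same_origin(url_a: str, url_b: str) -> bool:
    return origin_of(url_a) == origin_of(url_b)

def serialize_origin(url: str) -> str:
    """The form a browser puts in the Origin request header (no path, no default port)."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def cors_allows(page_url: str, api_url: str, response_headers: Mapping[str, str],
                with_credentials: bool = False) -> bool:
    """May script running on page_url read the response it fetched from api_url?
    Same origin: always.  Cross origin: the server must echo the page's origin (or '*')
    in Access-Control-Allow-Origin; when cookies/credentials are sent, '*' is rejected
    and Access-Control-Allow-Credentials must be exactly 'true'."""
    if same_origin(page_url, api_url):
        return True
    headers = {k.lower(): v for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False
    if with_credentials:
        if allow_origin == "*":
            return False
        if headers.get("access-control-allow-credentials", "").lower() != "true":
            return False
    return allow_origin == "*" or allow_origin == serialize_origin(page_url)

if __name__ == "__main__":
    # Constructed sample: page at app.example.com calling an API at api.example.com.
    print(cors_allows("https://app.example.com/index.html", "https://api.example.com/v1/items",
                      {"Access-Control-Allow-Origin": "https://app.example.com"}))
```

On the server side the same rules read as a checklist: reflect only origins from an allow-list (never the request's Origin header blindly) and never combine `*` with credentials, since a browser will refuse that combination and a misconfigured server that reflects arbitrary origins with credentials exposes the user's session to any site.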
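The JWT slide lists the three base64url-encoded parts of a JWS (RFC 7515) and the JSON metadata that identifies the signing key, and RFC 7519 as a JWS whose payload is JSON claims. The following is an added example written for this page, not code from the lecture or from jwt.io: it builds and verifies an HS256 compact serialization with only the standard library. The key table `KEYS`, the key id `k1`, the secret and the claims are constructed sample values; in RFC 7515 the first part is the JOSE header, whose `alg` and `kid` members are what the verifier uses to pick the key. The verifier fixes the algorithm itself and checks the token's `alg` against it, which is the check that rejects `alg: none` and similar substitutions, and it compares signatures in constant time.

```python
"""HS256 JWS/JWT sign and verify with the standard library (added example, not from the lecture)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed sample key table keyed by 'kid'; real keys come from a secret store.
KEYS: Dict[str, bytes] = {"k1": b"constructed-demo-secret-do-not-reuse"}

def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7515 section 2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _compact_json(obj: Dict[str, Any]) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def sign_jwt(claims: Dict[str, Any], kid: str) -> str:
    """Return header.payload.signature for the given claims, signed with KEYS[kid]."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims))
    sig = hmac.new(KEYS[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

class InvalidToken(Exception):
    """Raised for any token that must not be trusted; the message says why."""

def verify_jwt(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims if the token has three parts, a known 'kid', alg HS256,
    a valid signature and is not past 'exp'; raise InvalidToken otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("header is not valid base64url JSON")
    if not isinstance(header, dict):
        raise InvalidToken("header is not a JSON object")
    # The verifier decides the algorithm; the token does not get a vote.
    if header.get("alg") != "HS256":
        raise InvalidToken("unsupported alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise InvalidToken("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        provided = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("signature is not valid base64url")
    if not hmac.compare_digest(expected, provided):      # constant-time comparison
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("payload is not valid base64url JSON")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise InvalidToken("expired")
    return claims

if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "exp": int(time.time()) + 600}, "k1")
    print(token)               # paste into https://jwt.io/ to see the three decoded parts
    print(verify_jwt(token))
```

Because the payload is only base64url-encoded, not encrypted, anyone holding the token can read the claims; the signature protects integrity and origin, so nothing secret belongs in a JWT, and a JWT carried as an OAuth bearer token should be treated as carefully as a password while it is valid.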