On the teaser page for their book on REST Web Services, Leonard Richardson and Sam Ruby say that:
"To design a website you need to know about HTTP, XHTML, and URIs. To design a web application you need to know about HTTP, XHTML, and URIs.
To design a web service you need to know about XML, SOAP, WSDL, UDDI, WS-Policy, WS-Security, WS-Eventing, WS-Reliability, WS-Coordination, WS-Transaction, WS-Notification, WS-BaseNotification, WS-Topics, WS-Transfer...
What happened there?" http://www.crummy.com/writing/RESTful-Web-Services/
The stated problem is that developers are having to deal with a large number of specifications and standards, and figure out how to cobble together solutions. The solution they propose is to use REST instead (or rather, to use a "Resource Oriented Architecture" and to avoid re-inventing the core protocols of the Web).
This excellent Cisco article alludes to the same problem, that implementations of WS-*, SOAP, WSDL, et al, are right now in application servers in the hands of developers. But they have a different solution: Move it out into the network.
Same problem, different solution.
It is definitely a problem when all the WS-*, XML, and WSDL specifications are foisted on developers. Amongst other things, it presents security and governance problems. It's a security problem because I've seen developers cobble together solutions that put usernames and passwords into a WS-Security header in order to "appease the message-level security gods", but end up with a solution that is less secure than if HTTP-Auth over SSL had been used [because messages can be replayed]. It's a governance problem because the policies for those Web Services are hard-coded ("if (isInGroup("GoldCustomers"))") and are not under the control of any IT Operations staff.
Obviously, as a vendor of XML Gateways, I will also make the case for putting XML policies and processing out into the network, where it is under the control of IT Operations staff, and where the WS-* specifications are implemented in a secure and high-performance way. Foisting them on developers is crazy. Do I think they should all be thrown out in favor of REST? No, because there are some useful WS-Security use cases [see my post on 25 January about WS-Security use cases].
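The replay weakness mentioned above is what the Nonce and Created elements of the WS-Security UsernameToken Profile exist to address, and it only works if the receiver checks both. The following is an added example, not code from this post or from any gateway product: a receiver-side check in Python, where `UsernameTokenVerifier`, `FRESHNESS`, `USERS` and all sample values are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)         # assumed acceptance window
USERS = {"alice": "constructed-secret"}  # constructed credential store

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

class UsernameTokenVerifier:  # hypothetical name
    def __init__(self):
        self._seen = {}  # (username, nonce) -> time after which it can be forgotten

    def verify(self, username, nonce_b64, created, digest_b64, now):
        # Forget nonces whose timestamp can no longer pass the freshness check.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        password = USERS.get(username)
        if password is None:
            return "reject: unknown user"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
        except ValueError:
            return "reject: malformed token"
        if abs(now - ts) > FRESHNESS:
            return "reject: stale timestamp"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected.encode(), digest_b64.encode()):
            return "reject: bad digest"
        if (username, nonce_b64) in self._seen:
            return "reject: replayed nonce"  # same token presented twice
        self._seen[(username, nonce_b64)] = ts + FRESHNESS
        return "accept"

def demo():
    """Present one constructed token three times: fresh, replayed, and late."""
    v = UsernameTokenVerifier()
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    created = "2024-01-01T12:00:00Z"
    nonce_b64 = base64.b64encode(b"constructed-nonce").decode()
    digest = password_digest(b"constructed-nonce", created, USERS["alice"])
    return [v.verify("alice", nonce_b64, created, digest, now + timedelta(seconds=s))
            for s in (0, 30, 600)]

if __name__ == "__main__":
    print(demo())
```

The nonce cache and the timestamp window depend on each other: the window bounds how long a nonce must be remembered, and the cache covers replays inside the window. Neither protects the message body, which still needs transport or message-level integrity.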
4:16:11 PM