In my last XML article ("XML for Dummies, Idiots, and People Like Me Who Just Don't Know"), I discussed the fundamentals of XML--semantics, use, validation, and transformation. While I brought up the fact that XML is intended for companies to communicate with other companies, I did not describe that facility in detail.
XML is really not a single technology, but rather a group of technologies. XML has its own standard that defines a method of marking up text to create a transportable document. Additional functionality--such as getting data out of an XML document--is completely separate from the XML standard, but it is still referenced as an XML technology.
In this article, I'll explore additional technologies that relate specifically to system-to-system XML document exchange. I'll also talk about security and then review three standards that comprise the baseline of Web services.
XML Name Space
The XML Name Space protocol allows you to qualify which node a tag belongs to. There are instances in which there may be duplicate tag names that have different meanings. While you and I may be able to read an XML document and distinguish between the two, a computer will have more difficulty, which can create ambiguity.
I'll use the example of a job application. The initial section (which you can consider a node) asks information about you--your name, address, etc. The next node may ask about previous job experience, including details such as company name, supervisor name, address, phone numbers, etc. The final node may ask for references, once again requesting names, addresses, and phone numbers.
In this example, there are several areas where duplicate tag names can exist. Name of the applicant and name of the references, phone numbers, and addresses are all tags that can have identical tag names. While this is easily avoided by creating long tag names such as
XML Name Spaces says that
As more companies use XML for communications with other companies, XML Name Spaces will become more important. The more XML documents there are in existence, the more opportunity there is for tag name duplication. Also, Name Spaces are heavily used in SOAP, Web Services, and XML Schema as a pseudo way of implementing tag inheritance.
XML Schema provides the same functionality as the document type definition (DTD) that I discussed in the previous article. It is a means of describing data in an XML document and thereby providing the method upon which the XML is validated. XML Schema was proposed by the World Wide Web Consortium (W3C) because DTD was part of the original XML specification, but it lacked some of the follow-on technologies that were released.
The first stumbling block that DTD ran into was the lack of support for Name Spaces. This support is increasingly important with wider adoption of XML for company-to-company communications. In addition, DTD had minimal data type support, which applied only to its attributes, not to data contained within tag sets.
Knowing all of these deficiencies, the W3C created XML Schema. While significantly more complex, it compensates for DTD's weaknesses.
Without security, transactions have no integrity. How can you confirm that the transaction came from company A? How do you know that the transaction was not altered after leaving company A? Is company A allowed to perform this type of transaction? Did anyone intercept and see that transaction while it was on its way to your server? These are the goals of a secure system, whether it is XML or another type of system.
XML Security consists of several different technologies, each dealing with different facets of security. New technologies are coming out with different standards and twists, but the following collection represents a full suite of security tools.
On a daily basis, we physically sign many documents. Credit card slips, checks, and purchase orders are all documents that require us to validate that we are who we say we are. Obviously, XML documents can't be signed by a person, but the requirement still exists to validate that transactions you send are being sent by you and that transactions coming from an external entity are indeed from them.
The XML Signature Syntax and Processing standard provides a way to digitally sign documents, and it includes information on how the signature was created. The most important aspect is the encryption algorithm that was used to create the signature. The receiver of the XML document then uses the reverse algorithm to validate that the sender is who they say they are.
An interesting aspect of XML Signatures is that there are means for signing only a part of an XML document and not the whole document. As you will see when I review SOAP, an XML document goes through several steps on its way to an end point. In any one of those steps, the document can be manipulated. Each step includes the ability to sign the elements of the document that were altered, providing full accountability throughout the workflow of a transaction.
This standard provides the markup associated with encrypted elements in an XML document. Similar to XML Signatures, XML Encryption provides the ability to encrypt portions of the XML document. It also provides the data that describes what algorithm was used to perform the encryption of that portion of the document. By encrypting all or some of the XML document, you can prevent entities from seeing data that is not specifically intended for them.
The biggest deficiency of both Signature and Encryption is that they do not perform the encryption or signature generation. They merely define how to mark up the areas that contain the encryption or the signature. Separate technologies outside of the scope of XML are required to develop a public key infrastructure (PKI) that creates, manages, and revokes public and private key sets and to apply these keys in making signatures and encrypted values.
These two technologies are fundamental to a company performing secure transactions, and purchasing the software to sign and encrypt transactions will weigh heavily on IT budgets.
XML Key Management Specification (XKMS)
When utilizing a PKI, the key role to making it all work is management of keys. If any device other than the one using it knows the private key, then the security is compromised. XKMS provides a set of APIs that offload this function to PKI systems. The systems authorize the use of, verify the validity of, and manage key certificates.
This standard consists of two subcomponents. XML Key Registration Service Specification (X-KRSS) handles confirmation of user authenticity. XML Key Information Service Specification (X-KISS) retrieves and validates keys from an online key provider. The intention of these two subprotocols or sets of APIs is to ensure that thin clients such as cell phones and driver information systems perform as little processing as possible. If these functions were not offloaded, then the thin devices would not have the processing required and would not be able to securely use XML.
Security Assertion Markup Language (SAML)
SAML is a bidirectional set of XML communications that indicate whether a user has access to perform a certain XML transaction. If you look at the supply chain model, you have suppliers that are in charge of quality, accounts receivable, scheduling of deliveries, and price points. While all these people are in the same company, a quality engineer should not adjust price points and submit invoices, and a sales person should definitely not respond to quality alerts.
SAML provides this type of functionality by communicating back and forth with the external resource to identify a person and to request information about the particular user. SAML could make requests for such information as what department Joe Pink is in; what position he holds (e.g., supervisor or manager); who he reports to; and whether he has proxy authority in his manager's absence. Based upon the information received from the external entity, the system will know whether this person has the authority to perform the transaction.
This technology will only be big if it is highly adopted. If it is, creating users in a supply chain management application will be a thing of the past. SAML will allow you to automatically know who people are, which companies they are from, and what transactions they have authority to.
Platform for Privacy Preferences (P3P)
While not related to over-the-wire XML transaction security, this technology will be very important in the near future. It allows companies to define their security policy through XML. The document will describe how browsing patterns are used and whether the site acquires any personally identifiable information. It stores this information in an XML file so that a browser such as Internet Explorer 6.0 can download it and report back to you if the Web site violates any rules that you--as the user--set up. Watch for this feature to be popular in the near future.
Web Services are to the new decade what bell-bottoms were to the 60s. While serving a different purpose--function versus fashion--Web Services' popularity will be explosive. Or at least that is what many vendors and educational institutions are selling.
The concept is to subscribe to a service provided by an external entity. The service can provide depreciation calculations, EDI transmission, shipping schedules (including calling for new pickups), and anything else you can think of. Web Services use a group of XML technologies for the semantics of the transaction. This includes technologies that help in discovery and description of the transaction and service.
Aside from the security, Name Space, and Schema technologies I discussed earlier, there are three key technologies that enable Web Services. Simple Object Access Protocol (SOAP) is a method for encapsulating a transaction in an XML Document. Web Services Description Language (WSDL) describes to clients how to use a particular Web Service. And Universal Description, Discovery, and Integration (UDDI) allows the location and publishing of Web Services.
Some of you may already be using Web Services and not knowing it. Microsoft Passport is an example of a Web Service. It is a distributed authentication service. As a Web Service, it can be leased out to other companies who want what Microsoft describes as a "common Internet authentication mechanism across participating Web sites." Of course, the service is oriented toward the .NET platform, but it still provides a good example of Web Services and the variety of services they can provide.
In the next sections, I'll go through the details of SOAP, WSDL, and UDDI. Other XML technologies can be linked to create a Web Service, but these are the most common technologies. There are also other technologies that can extend Web Services, but this article would turn into a novel if I reviewed all of them.
SOAP is the syntax used to create XML-based messages. Transactions can contain a series of message exchanges to complete a single unit of work. A hotel reservation portal, for example, would exchange messages with several hotels and a credit card authorization firm before a transaction is complete. SOAP provides the ability to create these messages but not the workflow behind it.
A message is encapsulated in a SOAP envelope, which mimics real life to a certain degree (letters or messages are put in an envelope before they are mailed/processed). A SOAP message can also have many different intermediaries, or steps, along the message's path. Why not combine the credit card authorization and room booking into one message? Send the message to the credit card company (with the hotel information encrypted), and if it is approved, the credit card company then forwards it to the hotel, which is the final step in the transaction. The credit card company in this example is the intermediary.
A SOAP envelope consists of a header and body. The purpose of each is really up to the designer of the XML application. Initial concepts were that the header would contain information such as message origin and routing path/work flow if intermediaries were involved. The body would contain the payload or information for each intermediary in the workflow of the transaction.
The most important aspect of SOAP and actually the worst is the fact that it is a one-way message exchange. SOAP defines sending a message from system A to system Z with the possibility of some B, C, and/or D systems in between. It does not take into account the fact that Z will have to respond to A in a synchronous manner. That is up to you--the programmer, designer, architect, or project manager.
SOAP is really just a piece of paper that defines the one-way message exchange. XML parsers that understand SOAP syntax do not do anything with the instructions except present them to the application using the parser to read the XML. SOAP was never intended to provide a rigid set of guidelines on how to define a transaction and the code that each intermediary should expect to process and then forward the transaction on to the next step. It was designed to be "extensible" like XML and be rigid in terms of how to mark up the document--but not in terms of transaction definition.
The most common transport for SOAP messages is HTTP. Similar to straight XML, SOAP uses an HTTP post to send the text XML document to the next step in the transaction. For more asynchronous transactions or ones that are not dependent on guaranteed delivery and a timed response, SOAP messages can be sent in an email message.
I'm still wrapping my head around SOAP as a viable technology. In my opinion, IT departments would benefit most from SOAP if it would provide more logic and move away from the extensible nature of XML. SOAP really does not provide any groundbreaking functionality that I could not easily do with raw XML. I can create header and body tags in an XML document and call it a transaction. The only real plus that I see is the ability to have multiple steps in a SOAP message. But again, I can define my own method for doing that in an XML document.
Imagine paying for a service and not knowing how to use it. You pay $100 for 20 CDs, but no information is provided on how to query available selections, order your preferences, and stipulate delivery locations for certain selections because you would like to send them as gifts. This is what WSDL deals with.
Consider a Web Service as an object. In order to use this object, you have to know the methods that manipulate the object. In most cases, you will require one or more parameters with each method. So how do you know what the objects are, what their methods are, and what parameters are required to correctly call the methods?
WSDL provides the XML syntax for object, method, and variable definition. As with everything in XML, it is a tree structure that may say object PurchaseOrder has multiple methods, one of which is Submit, which accepts the parameters OrderDate (Date), PartNumber(Char(50)), Quantity(Int), etc. It would run down all methods for object PurchaseOrder and, as part of the definition of the methods, would include all of the parameters and their data types (Date, Char(50), Int, etc).
When I first looked at this, I had an argument with a programmer friend of mine who uses XML heavily. At this point, my frustration with XML was at a high point as I kept finding out that XML does absolutely nothing. While it defines a great deal, it provides nothing in the way of functionality. So what is the purpose of WSDL?
At the end of our debate, we came to the conclusion that programmatically, it would be too difficult for an application to connect to a Web service, get the WSDL content, and then intelligently know how to deal with the objects and methods provided based upon the data in its own back office operations. For this to actually work, the application would require some artificial intelligence to understand what an ambiguous GetCurrentManufacturingStatusOnForecastData object does.
A more practical approach to WSDL is the following scenario. Your purchasing department tells you that your company has a new supplier and that purchase orders can be submitted online. The manual from the supplier provides a Universal Resource Indicator (URI) for its Web Service for accepting purchase orders. As an administrator in your MRP, you go into the application and stipulate that purchase orders for this new company be sent through a Web Service and you provide the URI.
The application then goes and pulls the WSDL and provides a graphical representation of the objects available. You select the PurchaseOrder object. It then expands to provide a series of methods available for the PurchaseOrder object. One of these is SubmitPurchaseOrder, which you double-click on. The parameters required for this method are provided and you "map" data from your system that will populate the parameters when new purchase orders are approved.
Once this is complete, any new purchase orders will be automatically sent to the new supplier via its Web Service. Taking this a step further, you could (if provided by your application vendor) set up a routine check that looks for changes in the WSDL indicating different parameters, objects, or methods. If a change is found, you--as the administrator--are emailed with the changes and can update your system as needed.
I may have saved the best for last. UDDI is what everyone is calling the Yellow Pages of the Internet. It's a central repository of business information that is populated and searchable via XML SOAP messages.
Basically, you publish your business information (location, business type, services, products, etc.) to the UDDI repository. You also publish your Web services so that companies that find you in the UDDI know how to do e-business with you. You would publish to UDDI that you sell red rubber balls. You would also publish that you have an order system object and an online payment object. Companies searching UDDI for suppliers would then know how easy or hard it would be to integrate you as an e-business partner.
If you wish to search against UDDI, you can go to Microsoft's or IBM's UDDI sites. They both allow you to search against current UDDI registrants, as well as publish your own information. You'll notice that there are several business classification systems that you can search against. Some examples are WAND, NAICS, UNSPSC, and GEO. What these do is allow you to limit your search to a particular business in a particular area that performs a particular function.
Some companies that are new to XML or are venturing there on their own may find generating SOAP messages a little too complex but still want to be registered in UDDI. For this, Microsoft provides a free Software Development Kit (SDK) that generates the SOAP messages for you. Go to the Microsoft Web site and in their Downloads section, search for UDDI SDK.
Similar to WSDL, I think that you will not find applications that go to UDDI for you and search for suppliers or business partners. You can't judge a partner by their web site, or their UDDI information. Applications will instead provide an interface for you to search against, and then do additional research from there. If you find that the company you found is viable as a partner, then the application will process that remaining UDDI and WSDL information so that online commerce can automatically occur.
UDDI is actually a more tangible technology than the others that I have reviewed here. I believe that its popularity will pick up, but nothing is lost if you wait until tomorrow to register.
Skeptic Attitude Quelled
So if you review what's presented in this article, you'll find that there is really no tangible technology, aside from UDDI. It is all just standards to follow that are very open to how you implement them, and they really only deal with how you mark up XML documents. While it's great to know how to mark up an XML document that contains a digital signature, you still have to provide a means for producing the signature.
But then again, isn't that the point? What if you already have the facility for creating digital signatures? Why should you incorporate a new process for something that you already have a facility for? With XML and its bombardment of individual standards, you can use your digital signature process and wrap some XML text around the digital signature. And if you don't have digital signature software, you aren't pigeonholed into what the XML community thinks is the best solution. You know, maybe XML and the security and Web service standards discussed here actually make sense. What do you think?
MC Press Online