Pages: pp. 14-18
Web services, in brief, are a framework of software technologies designed to support interoperable machine-to-machine interaction over a network. Companies on different systems can use Web services to exchange information online with business partners, customers, and suppliers.
IDC estimates that worldwide spending on Web services-based software projects will reach $11 billion by 2008, compared to $1.1 billion in 2003. A Gartner survey of 110 companies also indicated that 54 percent are already working on Web services projects this year or have plans to begin soon. Figure 1 shows results from a 2004 Forrester Research survey of about 280 large North American firms. Survey respondents identified a total of 66 Web services that are either in production or in development.
Figure 1 Web services projects. Respondents to a 2004 Forrester Research survey of about 280 North American firms indicated that they have a total of 66 Web services either in production or in development.
"The industry is entering a critical stage in the acceptance and support for higher levels of Web services standards and technologies," said Sandra Rogers, director for Web services software and integration at IDC. "Users and vendors alike must acknowledge and support an environment that allows for phased change, and the ability of vendors to support and help businesses transform multiple generations of Web services will be vital."
Various standards organizations and industry consortia are developing Web services specifications without a unifying authority. Organizations such as the World Wide Web Consortium (W3C), the Organization for the Advancement of Structured Information Standards (OASIS), the Liberty Alliance Project, and the Web Services Interoperability Organization (WS-I) have developed or reviewed numerous standards.
Because of this, noted Joe McKendrick, an analyst with Evans Data, "Developers that we interviewed, who are assumed to be on the cutting edge of Web services deployments, are largely uncertain of what standards they will be supporting over the long run. Most have either never heard of or only know a little about the many specifications coming out of the standards bodies."
In several key areas such as business process automation, security, and reliable messaging, there are competing versions of standards. Some companies, said Girish Juneja, cofounder of Sarvega, a Web services company, have thus been reluctant to spend money on Web services, particularly in advanced technologies, until standards issues are resolved.
"But the adoption of basic standards like XML, SOAP, and WS-Security has accelerated spending, and we'll see more enterprises adopting and deploying B2B Web services as a result of security issues being addressed," Juneja said.
The Web services market is poised for takeoff. An Evans Data survey indicated that one out of every 10 companies is investing in Web services development and integration this year. About 13 percent of the respondents said that a majority of their development funds are going to Web services, and IBM is investing more than $1 billion a year.
"Overall, almost nine out of ten companies say they're putting at least some development funds—even if it's only a couple of thousand dollars—toward Web services," McKendrick said.
"If Web services implementations from different vendors are not fully compatible and interoperable," said Mike Gilpin, an analyst with Forrester, "customers may have to do additional custom development to overcome those issues. This extra work reduces the value of Web services as a universal way to link software applications."
Moreover, noted Philipe Le Hegaret, architecture domain leader for the W3C, using WS does not guarantee standards compliance. An example is the profiling work done at WS-I—few of the specifications in the Basic Profile are the standardized versions.
The W3C created the first round of Web services specifications in 2003. This early work tended to focus on low-level, core functionality such as Simple Object Access Protocol (SOAP) 1.2 and Web Services Description Language (WSDL) 2.0. OASIS has concentrated on higher-level functionality for Web services, such as security, authentication, registries, business process execution, and reliable messaging.
WS-I is a different type of organization. It issues guidelines and tools to help developers build software that complies with existing Web services specifications. These guidelines include:
Established in February 2002 by nine companies—Accenture, BEA, Fujitsu, H-P, IBM, Intel, Microsoft, Oracle, and SAP—WS-I now has more than 130 members worldwide. The organization focuses on documenting which options to use and how to interpret vague specification text. WS-I combines different Web services pieces in an installation-ready package, which it calls profiles.
The organization has made some progress in enlisting vendors to work together to resolve interoperability issues. WS-I's Basic Profile 1.0, issued in April 2004, is now considered the "essential guide to addressing interoperability issues that come up between Web services," noted McKendrick.
Even though WS-I was formed to create interoperability among Web services technologies, according to Astor, the process hasn't eliminated intervendor issues as evidenced by competing specifications in areas such as reliable messaging and others.
"I'd love to get everyone to say there's one set of standards and keep overt agendas at the door, because you don't serve customers that way," said Dave Watson, CTO of Kaiser Permanente, which is active in WS-I. "But the agendas that form these groups don't allow that."
BEA Systems, IBM, and SAP developed the Business Process Execution Language for Web services. They submitted BPEL to OASIS in May 2003. The OASIS Technical Committee is finalizing an approved version of the specification—although no date has been set yet for final approval.
BPEL uses Web services for business process automation. For example, a user booking a travel package online might want an airline ticket, hotel, and rental car—all of which have identical departure and return dates. Web services communicate with multiple providers in parallel to ensure that all criteria and price guidelines are met to complete the transactions. The real benefit is reduced development time and improved business process flexibility.
Another important business process called choreography is also useful for complex automation services. Choreography provides a set of rules that explains how different components can act together, and in what sequence, giving a flexible, systemic view of the process. Using a travel package analogy, choreography allows reservations to recognize that airfare must be booked first and that rental cars and hotels can be booked once travel dates are confirmed.
The W3C's WS-Choreography Working Group, which includes Hewlett-Packard (H-P), Oracle, and Sun Microsystems (but not IBM and Microsoft), is working on the Web Services Choreography Description Language (WS-CDL) 1.0 specification.
According to W3C's Le Hegaret, a key Web services goal is conformance—the integration of applications so they share the same rules of engagement.
"Because a well-defined choreography guarantees conformance across application domains, businesses gain faster time to market," he said. "WS-CDL defines peer-to-peer collaboration between Web service participants."
As Web services start to be deployed across enterprise boundaries and for collaborative e-business and e-transaction scenarios, and especially where significant economic value is riding on the messages (as opposed to casual e-mail, for example), reliability becomes a critical issue. Communication over the Internet (and intranets) is inherently unreliable as current transport protocols, such as HTTP and SMTP, and other message delivery protocols admit conditions that don't offer guaranteed or ordered delivery. Yet Web services messages need to be delivered to the ultimate receiver, even in the presence of a component, system, or network failure.
Reliable messaging thus helps ensure the quality of services between two parties. It guarantees the delivery of a message, eliminates duplicate messages, and guarantees the ordering of a group of messages. A purchase order is a good use case to eliminate duplicate messages while ensuring that the order was received at the other end. A retransmission of the order without any ability to uniquely identify it would generate two purchase orders instead of one.
Guaranteed message ordering ensures that a group of messages will be received by the destination application in the order they have been sent. "This becomes important when a message makes the assumption that a precedent message was indeed received," said Le Hegaret.
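The three guarantees described above (delivery despite loss, duplicate elimination, and ordered delivery within a group) can be sketched as follows. This is an added example, not code from the article or from either specification; the field names `group_id` and `seq` and the purchase order data are assumptions constructed for illustration.

```python
# Added illustration: receiver-side duplicate elimination and ordered delivery.
# Field names (group_id, seq) are assumptions, not WSRM or WS-Reliability elements.
from dataclasses import dataclass, field


@dataclass
class ReliableReceiver:
    delivered: list = field(default_factory=list)   # payloads handed to the application
    next_seq: dict = field(default_factory=dict)    # group_id -> next sequence number expected
    pending: dict = field(default_factory=dict)     # group_id -> {seq: payload} held out of order

    def receive(self, group_id, seq, payload):
        """Accept one message; return the acknowledgement sent back to the sender."""
        expected = self.next_seq.setdefault(group_id, 1)
        held = self.pending.setdefault(group_id, {})
        if seq < expected or seq in held:
            # Retransmission of something already accepted: ack again, deliver nothing.
            return {"ack": seq, "duplicate": True}
        held[seq] = payload
        # Release every message that is now contiguous with what was delivered.
        while self.next_seq[group_id] in held:
            self.delivered.append(held.pop(self.next_seq[group_id]))
            self.next_seq[group_id] += 1
        return {"ack": seq, "duplicate": False}


def send_with_retry(receiver, group_id, seq, payload, lose_acks=0, max_tries=5):
    """Sender side: retransmit until an ack arrives. lose_acks simulates acks
    dropped by the network (the message arrived, but the sender cannot tell)."""
    for attempt in range(1, max_tries + 1):
        ack = receiver.receive(group_id, seq, payload)
        if attempt > lose_acks:
            return attempt, ack
    raise TimeoutError(f"no ack for {group_id}/{seq} after {max_tries} tries")


def reliable_demo():
    rx = ReliableReceiver()
    # Constructed sample: purchase order PO-1001 sent as three messages.
    # The ack for message 1 is lost once, and message 3 overtakes message 2.
    tries, _ = send_with_retry(rx, "PO-1001", 1, "header", lose_acks=1)
    rx.receive("PO-1001", 3, "total")        # arrives early, held back
    held_early = list(rx.delivered)
    rx.receive("PO-1001", 2, "line items")   # fills the gap, releases 2 then 3
    return tries, held_early, rx.delivered


if __name__ == "__main__":
    print(reliable_demo())
```

A receiver exposed to untrusted senders would also bound the `pending` buffer and expire per-group state, since both grow with whatever sequence numbers a sender chooses.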
Two specifications addressing reliable messaging have emerged. WS Reliable Messaging (WSRM), which has not been submitted to a standards body, is backed by IBM, Microsoft, BEA Systems, and their technical partners. WS-Reliability (WSR), supported by Fujitsu, Hitachi, NEC, Oracle, Sonic Software, and Sun, may be approved as an OASIS standard by the end of 2004.
WSRM relies implicitly on the addressing mechanism defined in WS-Addressing, whereas WSR explicitly introduces its own address mechanism. An addressing mechanism provides the capability to direct messages—for example, replies/faults—to specific Web services; in other words, it is equivalent to a message routing mechanism.
According to Eisaku Nishiyama, a Software Division section manager for Hitachi, Ltd., both sides are making an effort to settle the differences.
"We invited the WSRM proponents to join the OASIS Web Services Reliable Messaging Technical Committee and, even after they published WSRM, we have continued to suggest to them that they submit the specification to the committee," Nishiyama said.
"It's just natural in business that there are different approaches to the same problem," noted Andy Astor, vice president of standards strategy for webMethods, a Web services infrastructure company. Astor also serves on the WS-I board. "We're confident that they will converge over time, and that a single consensus standard will emerge that will benefit everyone."
"W3C sees this rift [in messaging] as unfortunate and undesirable," said Le Hegaret.
As Web services become an integral component of the e-business infrastructure, security becomes paramount. Two security initiatives currently are under development.
WS-I. The WS-I issued a revised Security Scenarios document in February laying the groundwork for the scope and requirements of the WS-I Basic Security Profile, a set of nonproprietary Web services specifications. It subsequently released a public version of the working draft in May and is still soliciting feedback. To date, no standards organizations have released security scenarios.
IBM, Microsoft, BEA Systems, RSA Security, and VeriSign have developed WS-Federation, a security specification that replicates some of the features of the Web Services Framework (WSF) and the Security Assertion Markup Language (SAML) 2.0.
To date, WS-Federation has not been officially submitted for formal standardization. WS-Federation describes a standard technology framework for creating and authenticating user identities, then using Web services to share that identity within a company or with customers or business partners. Proponents say the specification would let companies using different security schemes do business securely, which would help facilitate e-commerce transactions, for example, when moving from an employee Web portal offering access to a health maintenance organization to one offering access to retirement account information.
"WS-Federation overlaps with functionality promised in SAML 2.0 and the Liberty Alliance specifications," said Sarvega's Juneja. "The good news here is that both specifications are still evolving based on the demands of the marketplace, so there will be some convergence."
The Liberty Alliance Project is a consortium of more than 150 companies and nonprofit and government organizations from around the globe. Liberty Alliance is committed to developing an open standard for federated network identity that supports all current and emerging network devices. Key members include Sun, HP, Nokia, Intel, General Motors, and Novell.
A variety of companies use the Liberty ID-WSF specification, and some vendors and products have earned the right to display the Liberty Interoperable logo by passing a series of interoperability tests. With the Nokia WAP Gateway, for example, mobile phones can use Liberty Single Sign-On and Authentication by functioning as a Liberty-enabled proxy which provides access to external identity providers. General Motors is incorporating federated identity management and Liberty specifications within MySocrates, the employee intranet. America Online uses Liberty specifications to extend access to AOL's Internet broadcasting service, Radio@AOL, beyond the computer and into any room with a TV or stereo.
Federated identity allows users to link identity information between accounts without centrally storing personal information. Users can control when and how their accounts and attributes are linked and shared between domains and service providers, giving them greater control over their personal data. In practice, this means that users can be authenticated by one company or Web site and be recognized and delivered personal content and services in other locations without having to reauthenticate or sign on with a separate username and password. This provides a framework that helps large corporations interact with business partners and customers without re-entering credentials.
For example, Company A has several inventory and production applications within its portal and wants the employees of Company B to access these applications. Without a federated identity, A must manage the credentials, profiles, and logins of each employee from B. Federated identity allows employees from B to access A's applications without the burden of managing the identities. An employee who no longer works for B will be locked out of A's applications immediately without any identity management from A.
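The Company A / Company B arrangement above can be modelled as a service provider that accepts only assertions vouched for by the partner's identity provider. This is an added example, not code from the article or from the Liberty, SAML, or WS-Federation specifications; the shared HMAC key stands in for the asymmetric signatures real federations use, and the class names, audience string, and 300-second lifetime are assumptions. Under this model, an assertion issued before an employee leaves B stays usable until it expires, so the lifetime bounds how quickly lockout at A takes effect.

```python
# Added illustration: Company A (service provider) trusting Company B (identity provider).
# HMAC over JSON stands in for signed assertions; every name and value here is constructed.
import hashlib
import hmac
import json

FEDERATION_KEY = b"constructed-demo-key"   # trust material agreed between A and B (assumption)
ASSERTION_TTL = 300                        # seconds an assertion stays valid (assumption)


class IdentityProviderB:
    """Company B: owns the employee directory and vouches for its users."""
    def __init__(self):
        self.active = {"alice", "bob"}     # constructed sample directory

    def issue(self, user, audience, now):
        if user not in self.active:
            raise PermissionError(f"{user} is not an active employee of B")
        body = json.dumps({"iss": "company-b", "sub": user, "aud": audience,
                           "exp": now + ASSERTION_TTL}, sort_keys=True).encode()
        tag = hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()
        return body, tag


def service_provider_a_accepts(assertion, now):
    """Company A: validates the assertion and stores no credentials for B's staff."""
    body, tag = assertion
    expected = hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["iss"] != "company-b":
        return False, "untrusted issuer"
    if claims["aud"] != "company-a-portal":
        return False, "wrong audience"
    if now >= claims["exp"]:
        return False, "expired"
    return True, claims["sub"]


def federation_demo():
    idp, t0 = IdentityProviderB(), 1_000_000
    token = idp.issue("bob", "company-a-portal", t0)
    before = service_provider_a_accepts(token, t0 + 10)
    idp.active.discard("bob")                       # Bob leaves Company B
    try:
        idp.issue("bob", "company-a-portal", t0 + 20)
        reissue = "issued"
    except PermissionError:
        reissue = "refused"
    still_valid = service_provider_a_accepts(token, t0 + 20)    # old assertion, inside TTL
    after_ttl = service_provider_a_accepts(token, t0 + ASSERTION_TTL)
    forged = service_provider_a_accepts((token[0].replace(b"bob", b"eve"), token[1]), t0 + 10)
    return before, reissue, still_valid, after_ttl, forged


if __name__ == "__main__":
    print(federation_demo())
```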
Sun and several other companies developed the Liberty Alliance Project's Web services security specification, portions of which were submitted to the OASIS Security Services Technical Committee in connection with work on the OASIS SAML 2.0 Committee draft. According to Patrick Gannon, president and CEO of OASIS, the specification is expected to be submitted to OASIS members for approval as a standard at the end of 2004. Gannon said the committee has also used this material to add features to SAML that provide some interoperability with the Liberty specifications.
"Liberty retains its separate existence as a project and organization, and OASIS members have indicated that they expect SAML to be compatible with multiple methods of identity management, not just Liberty," Gannon said.
A primary goal of Web services is to unlock a new generation of e-commerce applications.
"Web services is about accessing and connecting data and unlocking the value of that data, especially in legacy systems," said Ron Favali, a spokesperson for IBM. "The real value comes in the new ability to mix and match componentized business processes with a componentized IT structure. Trying to solve a specific business issue is much easier if you can isolate the technology needed to address the problem, which Web services enables."
Joe Keller, vice president of marketing for Java Web services at Sun Microsystems, added that Web services "also allow IT organizations to build a new class of software applications that vastly improve their ability to integrate the hodgepodge of software applications and architecture that are found in most enterprises today."
But the uncoordinated Web services standards process has resulted in some companies "predeveloping" a standard and then turning it over to a standards organization. For submitting vendors, notes Evans Data's McKendrick, this is just smart business, as it helps lead to a critical mass of new applications that interoperate with their own applications and tools.
"The downside is that it perpetuates the lock a particular vendor may already have on the market, giving their formerly proprietary approach the blessings of becoming an open one," he said. "Still, there's no better way of promoting a technology solution."
But Keller noted that Sun advocates using recognized standards bodies, where all work is conducted in the open, with equal access to technology.
"IBM and Microsoft believe it is more efficient to develop specifications in a closed process, and then turn it over to a standards body for its blessing. This has resulted in overlapping industry efforts, which Sun is working hard to drive industry convergence on. There is no real evidence that the closed approach results in faster standards," said Keller.
According to an Evans Data survey, developers are almost evenly divided on whether multiple competing standards could hurt Web services deployment efforts. The largest group, 45 percent, says that multiple and competing standards will threaten the survival of Web services. Another 41 percent felt there was no threat. The rest didn't know.
"There are multiple standards competing for each problem space in Web services," noted McKendrick. "Generally, however, for every set of competing standards, there is a clear leader, either by virtue of backing from the dominant players or because there are usable implementations. More damaging than competing specifications are vendor politics, which create much fear, uncertainty, and doubt in the Web services space—a familiar beast to anyone that has been in IT over the past two decades."
But OASIS's Gannon disagrees. "The media often exaggerates the concept of standards wars," Gannon said. "Web services standardization is a huge area with much ongoing work that needs to happen—and is happening. It makes sense for some of this work to take place within W3C alongside related infrastructure specifications, and for other work to take place within OASIS alongside related infrastructure and implementation methods."
Web services have no value if they're not interoperable, and interoperability is based on standards compliance. For the immediate future, noted McKendrick, Web services hold the most promise for boosting IT productivity.
"Web services only show their value when deployed on an enterprise basis. There is still a lack of understanding among non-IT managers about what Web services can accomplish," he said. "IT budgets are still tight, and we have to show corporations how Web services can save money and eventually increase revenues—in a big way. We haven't done this yet."
If more than one standard emerges for the same Web services task, some companies could create adapters—layers of software that transparently translate concepts from one technology into equivalent concepts in another technology, supporting the latter without having to implement it—or simply maintain two sets of products. But Sun's Keller said while this may bridge the difference between how two different specifications implement similar functionality, "It's a Band-Aid solution that will only be used until it becomes clear which specification will gain market traction as the preferred approach. This is not a great solution since it adds performance overhead and additional complexity to a services infrastructure."
"Having two standards to solve a particular problem will complicate the implementation of Web services," said W3C's Le Hegaret. "However, it will not prevent their adoption."
It's safe to predict that many competing Web services efforts will consolidate. Whit Andrews, research director for Gartner, said WS-Reliability and WS Reliable Messaging "are very likely to become a single effort."
Yet Ron Schmelzer, an analyst with ZapThink, said no one wants to give up their product differentiation. "Vendors rarely decide which standards are best," he said. "It's the end users and customers who decide based on a value immediately seen, or a huge company like Wal-Mart or Boeing saying, 'We'll do it this way.' Then it becomes mandated. End of story. There is no right way—with Web services there will continue to be give and take between simplicity and completeness."