RE: Stateful Web Services

[Anne Thomas Manes]

(sorry, I'm no longer subscribed to the dev list, please forward my mail if
(Byou deem appropriate)
(B
(BMy comment about JAX-RPC refers to the fact that the JCP isn't really in a
(Bposition to define Web services standards. It is defining standard Java
(Bbindings to the Web services standards. (very useful to the Java community,
(Bbut not the same as creation of the basic standards.) The standards are
(Bbeing defined at W3C and OASIS.
(B
(BThe JAX-RPC spec even implies as much when it says
(B> > This version of
(B> > the JAX-RPC specification does not specify (or require) session
(B> > management using SOAP headers given that there is no standard SOAP
(B> > header representation for the session information.
(B
(BI agree with you. Once formal SOAP headers for session management have been
(Bdefined, SOAP implementers should build automatic support for them into
(Btheir products. Users should have a very simple mechanism to request
(Bstateful sessions, and the SOAP platform should just handle it
(Bautomatically. Doing session management via standard SOAP headers will
(Bensure cross-vendor interoperability and support identical functionality
(Bacross any transport protocol.
(B
(BBest regards,
(BAnne
(B
(B> -----Original Message-----
(B> From: Toshiyuki Kimura [mailto:[EMAIL PROTECTED]]
(B> Sent: Thursday, January 16, 2003 3:12 AM
(B> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
(B> Subject: Re: Stateful Web Services
(B>
(B>
(B> Hi Thomas and Anne,
(B>
(B>   Do you mean "Whatever is unjust is not held to be a law
(B> (i.e. the spec)" ?  :-)
(B>
(B>   Usually, the first commited spec is used to having some
(B> problems; for example, The HTTP/1.0 has some issues in
(B> the security, and performance. And the SOAP/1.1 also has
(B> some interoperability problems in the cause of the spec's
(B> indetermination like as the current situation.
(B> Please note that I don't want to deny your thought.
(B>
(B>   Just I want to say is ...
(B>
(B>   This matter should be discussed after separating two
(B> layers. One is user group like as axis-user they just use
(B> the WebService Runtime platform (i.e. AXIS). The other is
(B> developer group like as axis-dev they develop (or optimize)
(B> to their own WebService Runtime.
(B>   Because your opinion seems to be the develper group point
(B> of view. If someone wants to session mechanism, basically he
(B> has to do is just "session.maintain = true".  The cookies,
(B> any SOAP Header fields, or the protocol binding should not
(B> be cared by the user level.  It'll be handled some vendors
(B> (may be in developer gropups) in the near future.
(B>
(B> That's all I'd like to notify.
(B>
(B> Regards,
(B>
(B>     Toshiyuki Kimura <[EMAIL PROTECTED]>
(B>     R&D Headquarters
(B>     NTT DATA Corp.
(B>
(B> -----Original Message-----
(B> From: [EMAIL PROTECTED]
(B> [mailto:[EMAIL PROTECTED]]
(B> Sent: Thursday, January 16, 2003 12:01 AM
(B> To: [EMAIL PROTECTED]
(B> Subject: RE: Stateful Web Services
(B>
(B> I agree with Anne comments for sure. JAX-RPC is even representing only one
(B> specific type of Web Service interface (SOAP/HTTP). When you look at the
(B> different activities around Web Services (SOAP over JMS, WSIF with native
(B> binding to EJB/JCA/JMS/....) you realize quickly that the scope is bigger
(B> than that, and it still needs to mature a little bit before definitive
(B> position on how to handle session (for example) must be done.
(B>
(B> On the religious attitude of stateful sessions being a bad thing, I am not
(B> so convinced, but it is probably a very subjective matter :-)
(B>
(B> -----Original Message-----
(B> From: Anne Thomas Manes [mailto:[EMAIL PROTECTED]]
(B> Sent: Wednesday, January 15, 2003 8:47 AM
(B> To: [EMAIL PROTECTED]
(B> Subject: RE: Stateful Web Services
(B>
(B> I would not view the JAX-RPC 1.0 spec as the definitive source of Web
(B> services standards information. Particularly when it comes to advanced
(B> features such as session management, security, reliability, etc. As Thomas
(B> said, the "right" way to implement stateful sessions is to use
(B> SOAP headers.
(B> That's how Systinet does it. That's how BEA's proposal suggests we do it.
(B> But no one has attempted to standardize it yet. (it's lower on
(B> the priority
(B> list than security and reliability)
(B>
(B> If you dig, you'll find that a number of folks believe that stateful
(B> sessions are a "bad" thing. Quite a few folks even get religious about it.
(B>
(B> Anne
(B> > -----Original Message-----
(B> > From: Toshiyuki Kimura [mailto:[EMAIL PROTECTED]]
(B> > Sent: Wednesday, January 15, 2003 4:35 AM
(B> > To: [EMAIL PROTECTED]
(B> > Subject: Re: Stateful Web Services
(B> >
(B> > Hi Thomas,
(B> >
(B> >   I believe that you refered to the JAX-RPC spec too, however, your
(B> > suggestions below may be had misgivings about misunderstanding with
(B> > the spec.
(B> >
(B> > The spec said as follows:
(B> > .........*.........*.........*.........*.........*.........*.........*
(B> > 13.2 Session Management
(B> >          :
(B> > In the JAX-RPC 1.0 version, the session management mechanisms require
(B> > use of HTTP as the transport in the protocol binding. This version of
(B> > the JAX-RPC specification does not specify (or require) session
(B> > management using SOAP headers given that there is no standard SOAP
(B> > header representation for the session information. SOAP based session
(B> > management may be considered in the future versions of the JAX-RPC
(B> > specification.
(B> >
(B> > A JAX-RPC runtime system is required to use at least one of the
(B> > following mechanisms to manage sessions:
(B> >
(B> >  - Cookie based  ...
(B> >  - URL rewriting ...
(B> >  - SSL session   ...
(B> >          :
(B> > .........*.........*.........*.........*.........*.........*.........*
(B> >
(B> >   A develper (someone) wants to follow the spec regarding the session
(B> > management (on SOAP over HTTP), he'd better use whichever way what is
(B> > specified in the extract above.  (Excluding, you are talking about the
(B> > future spec of JAX-RPC or the other protocol bindings.)
(B> >
(B> > Regards,
(B> >
(B> >     Toshiyuki Kimura <[EMAIL PROTECTED]>
(B> >     R&D Headquarters
(B> >     NTT DATA Corp.
(B> >
(B> > -----Original Message-----
(B> > From: [EMAIL PROTECTED]
(B> > Sent: Wednesday, January 15, 2003 2:39 PM
(B> > To: [EMAIL PROTECTED]
(B> > Subject: RE: Stateful Web Services
(B> >
(B> > As usual it is always a little bit more complicated than that .....
(B> >
(B> > There is not a lot of "standard" API interface to Web Services. Sun
(B> > has a standard API called JAXRPC which can be used as a standard web
(B> > service client API, where the notion of session is defined, but it is
(B> > left to the person implementing this API to decide how to implement
(B> > the session support.
(B> >
(B> > What is "well" defined in the web services area is the
(B> > protocol/encoding used for exchanging request/response between the
(B> > client and the server. The most used and well known encoding is SOAP
(B> > (encode the response/request in XML a specific way) and the most used
(B> > and well known protocol is HTTP.
(B> >
(B> > So, if you consider a web service using SOAP over HTTP, most of the
(B> > reasonable web service package (server and/or client) supporting such
(B> > web service will also support the handling of HTTP cookies and then
(B> > support session handling.
(B> >
(B> > But everybody is trying to get away from this kind of solution as the
(B> > session rely on a specific transport feature (HTTP cookie in that
(B> > case). What happen if tomorrow you want to have your web service
(B> > available over JMS or SMTP?
(B> >
(B> > The "right" way to do session handling in SOAP Web Services is to use
(B> > SOAP headers. You define your own header and you take care of making
(B> > sure that your client and server are both handling the session through
(B> > this header. Automatic support of SOAP header is getting better and
(B> > better in the current SOAP packages (for example, with Axis as the
(B> > SOAP server and .NET C# as the
(B> > client application, you can have a stateful web service with very little
(B> > extra code compare to your regular client and server
(B> implementation if you
(B> > configure all that properly).
(B> >
(B> > From your web service implementation, if you use a java based SOAP
(B> > server engine, for sure you can connect to an EJB, regular Java Bean
(B> > or JDBC session. After that, according to the SOAP engine you will use
(B> > you will have to write a different amount of code to plug all that
(B> > together and maintain the session. In general, it should be very
(B> > similar (or sometimes even
(B> > easier) to doing the same thing with a regular servlet.
(B> >
(B> > Thomas
(B> > -----Original Message-----
(B> > From: David Peterson [mailto:[EMAIL PROTECTED]]
(B> > Sent: Tuesday, January 14, 2003 9:36 PM
(B> > To: [EMAIL PROTECTED]
(B> > Subject: Re: Stateful Web Services
(B> >
(B> > Anne,
(B> >
(B> > Thanks for the link and info.
(B> >
(B> > Do you know, can I still use an approach such as connecting a web
(B> > service to a EJB, or regular Java Bean, or a JDBC session?
(B> >
(B> > It surprises me that the concept of a stateful web service has not
(B> > been tackled by various web services standards bodies (e.g. OASIS for
(B> > example)!
(B> >
(B> > Regards,
(B> >
(B> > David
(B> >
(B> > Anne Thomas Manes wrote:
(B> >
(B> > >It depends on the SOAP implementation you're using. Most products
(B> > >don't support stateful services. Some do: Systinet WASP, Oracle SOAP,
(B> > >Apache SOAP, maybe a few others. Interoperability is a big issue,
(B> > >though. BEA published a proposed SOAP extension called SOAP
(B> > >Conversation (http://dev2dev.bea.com/techtrack/SOAPConversation.jsp),
(B> > >but I don't think it's getting much traction.
(B> > >
(B> > >Anne
(B> > >
(B> > >>-----Original Message-----
(B> > >>From: David Peterson [mailto:[EMAIL PROTECTED]]
(B> > >>Sent: Tuesday, January 14, 2003 5:25 PM
(B> > >>To: [EMAIL PROTECTED]
(B> > >>Subject: Stateful Web Services
(B> > >>
(B> > >>Hi All,
(B> > >>
(B> > >>I have a bit of a newbie question in relation to web services:
(B> > >>
(B> > >>Do SOAP-based web services support the concept of state and
(B> > >>persistence? That is, can I easily create a web service where state
(B> > >>is preserved between invocations?
(B> > >>
(B> > >>For example, can I create a "bank account" web service, which
(B> > >>supports deposit(), withdrawl() and getBalance() operations, and
(B> > >>have that web service preserve the current account balance between
(B> > >>separate invocations?
(B> > >>
(B> > >>I imagine that I could achieve this with web services by using an
(B> > >>external persistence component, eg an EJB, or a JDBC call to a
(B> > >>database. What I want to know is whether I can preserve state
(B> > >>internally (inside a web service component) by simply declaring an
(B> > >>instance variable appopriately (e.g. "static" - though this might
(B> > >>not be the right approach).
(B> > >>
(B> > >>On the other hand, is my only "stateful web service" option to use
(B> > >>an external persistence layer (JDBC or EJB?)
(B> > >>
(B> > >>Thanks.
(B> > >>
(B> > >>David Peterson
(B>