Monday, August 12, 2013

REST vs. SOAP

REST vs. SOAP – The Right WebService

                
Web Services are the key point of Integration for different applications belonging to different Platforms, Languages, systems. It wouldn’t be wrong if you call Web-services as the “Rendezvous point of the Business”.
I’ve been using HTTP and SOAP since several years new. REST is rather new. SOAP revolutionized RPC and loose coupling  beyond the restrictions posed by  earlier protocols. However off late I have been giving APIs and interfaces considerable thought and am leaning a lot more towards simple HTTP based APIs with an XML or JSON response format as opposed to SOAP. Let’s try to discuss all the aspects one by one.
Before we start, Let’s do a basic terminology headsup -
  • SOAP refers to Simple Object Access Protocol
  • HTTP based APIs refer to APIs that are exposed as one or more HTTP URIs and typical responses are in XML / JSON. Response schemas are custom per object
  • REST on the other hand adds an element of using standrdized URIs, and also giving importance to the HTTP verb used (ie GET / POST / PUT etc)
  • Although, in last few years we saw growth of large no.  of Web Services, despite that the hype surrounding the SOAP has barely reduced. Internet architects have come up with a surprisingly good argument for pushing SOAP aside: there’s a better method for building Web services in the form of Representational State Transfer (REST).
    REST is more of an old philosophy than a new technology. But a realization that came later in technology. Whereas SOAP looks to jump-start the next phase of Internet development with a host of new specifications, the REST philosophy espouses that the existing principles and protocols of the Web are enough to create robust Web services. This means that developers who understand HTTP and XML can start building Web services right away, without needing any toolkits beyond what they normally use for Internet application development.
    In a RESTful architecture, the key resources are identified — Can be entities, collections, or anything else the designer seems worthy of having its own URI. The standard methods — in this case, the HTTP verbs — are mapped to resource-specific semantics. All resources implement the  same uniform interface. The dimension of content-types, which allows for different representations of resources (e.g. in both XML, HTML, and plain text), as well as the possibility of links to resources in resource representations. Use your imagination — e.g. the GET on /customer/4711 would return a document that contains a link to a specific /order/xyz.
    I am seeing a lot of new web services are implemented using a REST style architecture these days rather than a SOAP one. Lets step back a second and put some light on what REST is.
    What is a REST Web Service
    Representational State Transfer or REST basically means that each unique URL is a representation of some object. You can get the contents of that object using an HTTP GET, to delete it, you then might use a POST, PUT, or DELETE to modify the object (in practice most of the services use a POST for this).
    How Popular is REST?
    All of the major webservices on the Internet now use REST: Twitter, Yahoo’s web services use REST, others include Flickr, del.icio.us, pubsub, bloglines, technorati, and several others. Both eBay and Amazon have web services for both REST and SOAP.
    and  SOAP?
    SOAP is mostly used for Enterprise applications to integrate wide types and no. of applications and another trend is to integrate with legacy systems, etc. On the Internet side of things — Google is consistent in implementing their web services using SOAP, with the exception of Blogger, which uses XML-RPC.
    REST vs SOAP
    The companies that use REST APIs haven’t been around for very long, and their APIs came out this year or last year mostly. So REST is definitely In-Vogue  for creating a web service.  But, lets face it — Use SOAP to wash, and you REST when your tired). The main advantages of REST web services are:
    • Lightweight – not a lot of extra xml markup
    • Human Readable Results
    • Easy to build – no toolkits required
    SOAP also has some advantages:
    • Easy to consume – sometimes
    • Rigid – type checking, adheres to a contract
    • Development tools
    Is SOAP Simple Object access really that  simple ? I guess a misnomer!
    Let’s discuss all the point of comparisons –
    API Flexibility & Simplicity
    The key to the REST methodology is to write Web services using an interface that is already well known and widely used: the URI. For example, exposing a currency converter service, in which a user enters a currency quote symbol to return a real-time target currency price, could be as simple as making a script accessible on a Web server via the following URI: http://www.ExampleCurrencyBrokerage.com/convert?=us-dollar&value=100&target=pound
    Any client or server application with HTTP support could easily call that service with an HTTP GET command. Depending on how the service provider wrote the script, the resulting HTTP response might be as simple as some standard headers and a text string containing the current price for the given ticker symbol. Or, it might be an XML document.
    This interface method has significant benefits over SOAP-based services. Any developer can figure out how to create and modify a URI to access different Web resources. SOAP, on the other hand, requires specific knowledge of a new XML specification, and most developers will need a SOAP toolkit to form requests and parse the results.
    Bandwidth Usage – REST is Lighter
    Another benefit of the RESTful interface is that requests and responses can be short. SOAP requires an XML wrapper around every request and response. Once namespaces and typing are declared, a four- or five-digit stock quote in a SOAP response could require more than 10 times as many bytes as would the same response in REST.
    SOAP proponents argue that strong typing is a necessary feature for distributed applications. In practice, though, both the requesting application and the service know the data types ahead of time; thus, transferring that information in the requests and responses is gratuitous.
    How does one know the data types—and their locations in the response—ahead of time? Like SOAP, REST still needs a corresponding document that outlines input parameters and output data. The good part is that REST is flexible enough that developers could write WSDL files for their services if such a formal declaration was necessary. Otherwise, the declaration could be as simple as a human-readable Web page that says, “Give this service an input of some stock ticker symbol, in the format q=symbol, and it will return the current price of one share of stock as a text string.”
    Security
    Probably the most interesting aspect of the REST vs. SOAP debate is the security perspective. Although the SOAP camp insists that sending remote procedure calls (RPC) through standard HTTP ports is a good way to ensure Web services support across organizational boundaries. However,  REST followers argue that the practice is a major design flaw that compromises network safety. REST calls also go over HTTP or HTTPS, but with REST the administrator (or firewall) can discern the intent of each message by analyzing the HTTP command used in the request. For example, a GET request can always be considered safe because it can’t, by definition, modify any data. It can only query data.
    A typical SOAP request, on the other hand, will use POST to communicate with a given service. And without looking into the SOAP envelope—a task that is both resource-consuming and not built into most firewalls—there’s no way to know whether that request simply wants to query data or delete entire tables from the database.
    As for authentication and authorization, SOAP places the burden in the hands of the application developer. The REST methodology instead takes into account the fact that Web servers already have support for these tasks. Through the use of industry-standard certificates and a common identity management system, such as an LDAP server, developers can make the network layer do all the heavy lifting.
    This is not only helpful to developers, but it eases the burden on administrators, who can use something as simple as ACL files to manage their Web services the same way they would any other URI.
    REST ain’t Perfect
    To be wise, REST ain’t perfect. It isn’t the best solution for every Web service. Data that needs to be secure should never be sent as parameters in URIs. And large amounts of data, like that in detailed purchase orders (POs), can quickly become cumbersome or even out of bounds within a URI.
    And when It comes to attachments, SOAP is a solid winner. SOAP can transport your all text adn BINaries without a glitch. In such cases, SOAP is indeed a solid solution. But it’s important to try REST first and resort to SOAP only when necessary. This helps keep application development simple and accessible.
    Fortunately, the REST philosophy is catching on with developers of Web services. The latest version of the SOAP specification now allows certain types services to be exposed through URIs (although the response is still a SOAP message). Similarly, users of Microsoft .NET platform can publish services so that they use GET requests. All this signifies a shift in thinking about how best to interface Web services.
    Developers need to understand that sending and receiving a SOAP message isn’t always the best way for applications to communicate. Sometimes a simple REST interface and a plain text response does the trick—and saves time and resources in the process.
    Type Handling
    SOAP provides relatively stronger typing since it has a fixed set of supported data types. It therefore guarantees that a return value will be available directly in the corresponding native type in a particular platform. Incase of HTTP based APIs the return value needs to be de-serialized from XML, and then type-casted. This may not represent much effort, especially for dynamic languages. Infact, even incase of copmlex objects, traversing an object is very similar to traversing an XML tree, so there is no definitive advantage in terms of ease of client-side coding.
    Client-side Complexity (Thinner Clients)
    Making calls to an HTTP API is significantly easier than making calls to a SOAP API. The latter requires a client library, a stub and a learning curve. The former is native to all programming languages and simply involves constructing an HTTP request with appropriate parameters appended to it. Even psychologically the former seems like much less effort.
    Testing and Troubleshooting
    It is also easy to test and troubleshoot an HTTP API since one can construct a call with nothing more than a browser and check the response inside the browser window itself. No troubleshooting tools are required to generate a request / response cycle. In this lies the primary power of HTTP based APIs
    Server-side Complexity
    Most Programming languages make it extremely easy to expose a method using SOAP. The serialization and deserialization is handled by the SOAP Server library. To expose an object’s methods as an HTTP API can be relatively more challenging since it may require serialization of output to XML. Making the API Rest-y involves additional work to map URI paths to specific handlers and to import the meaning of the HTTP request in the scheme of things. Offcourse many frameworks exist to make this task easier. Nevertheless, as of today, it is still easier to expose a set of methods using SOAP than it is to expose them using regular HTTP.
    Caching
    Since HTTP based / Rest-ful APIs can be consumed using simple GET requests, intermediate proxy servers / reverse-proxies can cache their response very easily. On the other hand, SOAP requests use POST and require a complex XML request to be created which makes response-caching difficult
    VERDICT
    In the end I believe SOAP isn’t that simple, it requires greater implementation effort and understanding on the client side while HTTP based or REST based APIs require greater implementation effort on the server side. API adoption can increase considerably if a HTTP based interface is provided. Infact,  an HTTP-based API with XML/JSON responses represents the best of both breeds and is easy to implement on the server as well as easy to consume from a client.
    For consuming web services, its sometimes a toss up between which is easier. For instance Google’s AdWords web service is really hard to consume (in CF anyways), it uses SOAP headers, and a number of other things that make it kind of difficult. On the converse, Amazon’s REST web service can sometimes be tricky to parse because it can be highly nested, and the result schema can vary quite a bit based on what you search for.
    Which ever architecture you choose make sure its easy for developers to access it, and well documented. In the end when you host Web-service for the internet, it’s the client side complexity that matters most in attracting them to use your service. Choose wisely.


    Read more: http://geeknizer.com/rest-vs-soap-using-http-choosing-the-right-webservice-protocol/#ixzz2bonGxKmU

    application pool identity

    http://www.cnblogs.com/yjmyzz/archive/2009/10/26/1590033.html

    IIS7.5中神秘的ApplicationPoolIdentity

    IIS7.5中(仅win7,win2008 SP2,win2008 R2支持),应用程序池的运行帐号,除了指定为LocalService,LocalSystem,NetWorkService这三种基本类型外,还新增了一种ApplicationPoolIdentify 



    win7的官方帮助上是这么说的:

    ApplicationPoolIdentity – 默认情况下,选择“应用程序池标识”帐户。启动应用程序池时动态创建“应用程序池标识”帐户,因此,此帐户对于您的应用程序来说是最安全的。
    也就是说"ApplicationPoolIdentity"帐号是系统动态创建的“虚拟”帐号(说它是虚拟的,是因为在用户管理里看不到该用户或用户组,在命令行下输入net user也无法显示,但该帐号又是确实存在的) 
    如何验证该帐号确实是存在的的?打开任务管理器,观察一下:


    w3wp.exe即iis进程,上图中高亮部分表明该iis进程正在以帐号luckty运行(注意这里的luckty即为上图中的应用程序池名称)

    好了,搞清楚这个有什么用?
    先来做一个测试,比如我们在iis里新建一个站点,主目录设置为c:\2\,应用程序池就指定刚才图中的luckty
    假如我们在该站点的default.aspx.cs里写入这样一行代码 :
    File.AppendAllText("C:\\TestDir\\1.txt",DateTime.Now.ToString());
    前提是c盘必须先建一个目录TestDir,同时除Administrator,System保留完全控制权外,其它帐号的权限都删除掉
    运行后,会提示异常: 对路径“C:\TestDir\1.txt”的访问被拒绝。
    原因很明显:该站点运行时是以应用程序池(luckty)对应的虚拟帐号运行的,而这个虚拟帐号不具备c:\TestDir的访问权限
    这种情况在web服务器(iis6)安全配置中很常见,比如我们把图片上传目录,常常放在主目录之外,同时以虚拟目录形式挂于站点之下,另外在IIS6中不指定该目录任何执行权限 ,这样即使有人非法上传了asp/aspx木马上去,也无法运行搞不成破坏!

    言归正传,要想让那一行测试代码正常运行,解决办法很简单,把虚拟帐号的权限加入文件夹安全权限中即可,但是问题来了:这个虚拟帐号我们是不可见的,如果你直接添加名为luckty的用户到文件夹安全帐号里,根本通不过(提示找不到luckty用户),说明这个虚拟帐号名称并不是"luckty"


    关键:手动输入 IIS AppPool\luckty (即IIS AppPool\应用程序池名),再确定,这回ok了.
    当然除了用"IIS AppPool\应用程序池名"外,windows内部还有一个特殊的用户组Authenticated Users,把这个组加入TestDir的安全权限帐号里也可以,不过个人觉得没有"IIS AppPool\应用程序池名"来得精确.

    结束语:
    IIS7.5的虚拟帐号设计确实很棒,想想传统IIS6的时候,为了把同一服务器上的各站点权限分开(以防止木马捣乱),不得不创建一堆iuser_XXX,iwam_XXX帐号并指定密码,再一个个站点分配过去,累死人!而虚拟帐号设计则让这类管理轻松多了,也不用担心密码过于简单或过期问题。So,还在等什么,赶紧升级到win7/win2008 R2吧!