
Document: SOA Governance in Action


MANNING
Jos Dirksen
IN ACTION
REST and Web Service architectures
www.it-ebooks.info
SOA Governance in Action
SOA Governance
in Action
REST AND WS-* ARCHITECTURES
JOS DIRKSEN
MANNING
SHELTER ISLAND
For online information and ordering of this and other Manning books, please visit
www.manning.com. The publisher offers discounts on this book when ordered in quantity.
For more information, please contact
Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 261
Shelter Island, NY 11964
Email:
©2013 by Manning Publications Co. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by means electronic, mechanical, photocopying, or otherwise, without prior written
permission of the publisher.
Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in the book, and Manning
Publications was aware of a trademark claim, the designations have been printed in initial caps
or all caps.
Recognizing the importance of preserving what has been written, it is Manning’s policy to have
the books we publish printed on acid-free paper, and we exert our best efforts to that end.
Recognizing also our responsibility to conserve the resources of our planet, Manning books are
printed on paper that is at least 15 percent recycled and processed without elemental chlorine.
Development editor: Scott Meyers
Technical proofreader: Niek Palm
Copyeditor: Linda Recktenwald
Proofreader: Melody Dolab
Typesetter: Marija Tudor
Cover designer: Marija Tudor
Manning Publications Co.
20 Baldwin Road
PO Box 261
Shelter Island, NY 11964
ISBN: 9781617290275
Printed in the United States of America
1 2 3 4 5 6 7 8 9 10 – MAL – 18 17 16 15 14 13 12
To my wife Brigitte, my daughter Sophie, and my parents
brief contents

PART 1 INTRODUCTION
1 Introducing SOA governance
2 Setting up the SOA governance environment
3 Using a case study to understand SOA governance

PART 2 DESIGN-TIME POLICIES
4 Service design and documentation policies
5 Security policies
6 Testing, performance, and the cloud

PART 3 RUNTIME POLICIES
7 Using tools for runtime governance
8 Lifecycle support and discovering resources
9 Integrating SOA governance tools with existing tools and technologies

contents

preface
acknowledgments
about this book
about the cover illustration

PART 1 INTRODUCTION

1 Introducing SOA governance
1.1 What is SOA governance?
    Definition of service-oriented architecture
    Introducing governance
    Defining SOA governance
1.2 How using SOA governance can help
    Keeping track of how services are used
    Keeping uniformity among services
1.3 Common pitfalls when introducing SOA governance
1.4 Requirements of an SOA governance solution
    Creating and maintaining policies
    Applying policies at design time
    Applying policies at runtime
1.5 Getting started with SOA governance
1.6 Getting an overview of the available policies
    Design and documentation policies
    Security policies
    Testing and performance policies
1.7 SOA governance and open source
    Where is open source at the moment?
    Open source tools
1.8 Summary

2 Setting up the SOA governance environment
2.1 Architecture of the SOA governance environment
    Services architecture
2.2 Setting up the Eclipse environment
2.3 Introducing the traffic avoidance example
2.4 Configuring the general services and database
    The data model used in this service
    Setting up the data access layer
    Setting up the logic layer
2.5 Checking out and configuring the REST services
    Overview of the REST layer
    Implementation of the REST layer
    Testing the REST layer
2.6 Checking out and configuring the SOAP services
    Overview of the WS-* layer
    The WSDL-based contract for this service
    Implementation of the WS-* layer
    Testing the WS-* remoting layer
2.7 Setting up the SOA registry
    Running the SOA registry for the first time
    Registering a service manually in the registry
    Accessing the WSO2 Governance Registry
2.8 Setting up the BAM application
    Installing BAM tools and checking out the code from SVN
    Attaching an event sender to the service
    Setting up the widget to visualize the statistics
2.9 Summary

3 Using a case study to understand SOA governance
3.1 Getting to know OpenGov
    The organizational chart of OpenGov
    The stakeholders of OpenGov
3.2 Explaining SOA governance using OpenGov products
    GovForms: permit registration
    GovTraffic: the traffic avoidance system
    GovMobile: registering your complaint using mobile devices
    GovPortal: information about city services
    GovData: OpenGov’s open data portal
3.3 Overview of the available services
3.4 Defining policies for the OpenGov organization
    Service design and documentation policies
    Security policies
    Performance and testing-related policies
3.5 Summary

PART 2 DESIGN-TIME POLICIES

4 Service design and documentation policies
4.1 Complying with the self-documenting service policy
    Documenting a REST-based service
    Documenting a WS-* based service
    Adding documentation to the service repository
4.2 Following existing standards and definitions
    Including an existing XML schema in a WSDL
    Using an existing XML schema in a REST resource
    Using a REST-based search definition
4.3 Creating a reusable service
    Define the correct level of granularity
    Decoupling the transport layer from the logical layer
    Service discovery
    Versioning, documentation, and using standards
4.4 How to version services
    Versioning a WS-* based service
    Versioning a REST service
4.5 Summary

5 Security policies
5.1 Encrypting a communications channel for sensitive data
    Using HTTPS with Jetty
    Using HTTPS and client-side SSL with Jetty
5.2 Validating message integrity and non-repudiation
    Applying WS-Security to SOAP messages
    Using HMAC for message integrity and non-repudiation
5.3 Using a centralized identity system
    Installing the authentication provider
    Configuring the authentication provider
    Creating the authentication façade
    Creating the authentication filter
5.4 Using OAuth to allow other services to access your service
5.5 Reusing existing authorization services
    Configuring the OpenAM entitlement service
    Creating an authorization filter
5.6 Summary

6 Testing, performance, and the cloud
6.1 How to test your service
    Logic layer and data layer testing
    Remoting layer testing
    Integration testing
6.2 Using quality management tools
    Running a maven build for Sonar
6.3 Developing for the cloud
    Different types of cloud services
    Requirements for the cloud provider
    Creating a service that can run in the Amazon cloud
6.4 Summary

PART 3 RUNTIME POLICIES

7 Using tools for runtime governance
7.1 Runtime governance
    Gadget
    Gadget server
    Event producer
    Event service
    Event processor
7.2 Monitor performance and service usage
    Average response time
    Report usage based on service
    Report usage based on location
    Number of requests per time period
7.3 Security and documentation
    Failed authentication and authorization
    Documentation compliance
7.4 Summary

8 Lifecycle support and discovering resources
8.1 Defining the lifecycle of a service
    Standard service lifecycle
    OpenGov service lifecycle
8.2 Creating a custom view for the policy
8.3 Defining the lifecycle of a policy
8.4 Discovery of a service and a policy in the service repository
    Searching the repository from the web application
    Searching the repository from the repository client
8.5 Visualizing the information from the registry
    Creating a gauge that shows the documentation percentage
    Creating a pie chart that shows the lifecycle stages
8.6 Summary

9 Integrating SOA governance tools with existing tools and technologies
9.1 Enterprise integration
    Provisioning a WSDL from the repository
    Provisioning the configuration from the repository
    Sending events from Mule
    Loading the Mule configuration from the repository
    Sending events to Nagios from the Bamos event server
9.2 BPM engine integration
    Monitoring average task execution
    Monitoring which processes are started
9.3 Language integration
    C#
    Ruby
    Python
9.4 What you should remember from this book
9.5 Summary

appendix Installing tools, libraries, and frameworks
index

preface

A few years ago, I wrote a book with a colleague about open source ESBs (Enterprise Service Buses), Open Source ESBs in Action (Manning, 2008). In that book we wrote about using open source tools to integrate applications and expose legacy systems as services. In the years that followed, ESBs were seen as one of the cornerstones of developing Service Oriented Architectures (SOAs). In 2008, when people talked about SOA, especially in the enterprise world, they meant the traditional SOAP-over-HTTP-based services. Everyone was doing this, the big vendors promoted it, and it finally looked like we had a way to create services that could be used by other departments and multiple users.

Over the next couple of years I wrote many services myself and was part of many projects that tried to use SOA concepts to create reusable services. What I noticed was that every company and every department had their own standards, tools, technologies, and a set of principles they used to determine how a service should be written. For one project we created a RESTful service using Scala without writing any documentation; for another project, we meticulously documented each element and operation of a SOAP/HTTP-based service. But the goals for both projects were the same: we wanted to create a service that would have a long life, would be used by many consumers, and was easy to maintain and possibly extend.

One thing I know is that developers and architects want to create good services, but what is almost always missing is a solid set of rules and standards to follow when developing a service. In our projects we often create a set of coding standards that are enforced through an IDE plugin, as well as some coding guidelines and dos and don’ts. While that assures the quality of the code, it isn’t enough to create an easy-to-use service. For this you also need a set of rules, a set of principles that determines how your client interacts with your service. In other words, it is good to have a set of policies that help you define the contract of your service.

And what happens after a service is in production? I know from experience that measuring who is using a service and garnering insight into the business processes using your service can give you valuable information. This information can help you determine where to focus your development, where to add resources, and much more.

What I needed was a form of SOA governance. I wanted a set of policies we could use while creating the service (design-time governance) and a way to measure how our services were being used (runtime governance). Most books on SOA governance focus on the process, which is also very important, but they often lack practical examples. This book tries to provide you both with a set of guidelines for and practical examples of how to apply SOA governance.

I hope this book will show you that getting started with SOA governance isn’t that hard and that it provides many advantages—and that there are plenty of open source tools that can help you take the first steps.

acknowledgments

Writing a book is a long and difficult effort. I couldn’t have done this without the support and hard work of many others. There are many people I’d like to thank:

Michael Stephens at Manning who helped me with the initial proposal. Without his help this book wouldn’t have seen the light of day.

My technical proofreader, Niek Palm, who worked tirelessly during the holiday period to meticulously work through the examples and the content. I appreciate that he always spoke his mind, and didn’t always agree with me or with what I’d written.

My copyeditor Linda Recktenwald for her hard work translating my non-native written English to readable text. You wouldn’t believe how many times she corrected my errors.

Katie Tennant and Melody Dolab for proofreading the book and making my work easier by ensuring that everything was consistent.

All the other people at Manning who helped me get this book published. Thanks for believing in this book and helping me all along the way.

I’d also like to thank my development editors who guided me through the many stages of the book: Scott Meyers, Jeff Bleiel, and Dean DeChambeau.

Thanks to the following reviewers who read the manuscript at various stages of development. Your valuable and sometimes critical comments made this a better book: Alberto Lagna, Andy Verberne, Barry Polley, David Dossot, Hemant Bedekar, Jason Coates, Javier Carro, Jeroen Benckhuijsen, Padmavathy Ramesh, Roy Prins, Sander Rossel, Senaka L. Fernando, Tijs Rademakers, and Tray Scates.

Thanks to the guys at WSO2 for creating such great 100% open source products.

Special thanks to Edwin Damen and Jac Speelman at JPoint (my employer), for giving me the time to finish the last couple of chapters, instead of sending me out to clients.

A final thank-you to my wife who, once again, had to endure many long days and evenings without me while I sat at my laptop. And I couldn’t have done this without my daughter who always succeeds in cheering me up when I’m down.

about this book

Welcome to SOA Governance in Action. The main goal of this book is to introduce you to SOA governance and provide you with a set of guidelines and policies you can use to get started introducing SOA governance to your organization.

The book is divided into three parts. In the first part you’ll be introduced to the theory behind SOA governance and you’ll set up an environment that you can experiment with. In the second and third parts of the book, we look at and discuss various concepts you can use to start governing your SOA.

Audience

This book is intended for software developers and architects who want to better understand SOA governance and use it to create great services.

The focus of this book is on the practical side of SOA governance. It shows you how to apply the principles of SOA governance to your own services and organization. There are many great books published that also cover SOA governance, but none that focus on the practical side of things.

Even though this book has many examples using Java, XML, and JSON, you don’t have to be an expert in these technologies to benefit from this book. If you’ve got a basic understanding of programming, you’ll be able to read the examples and implement them using the technology of your choice.

Experience with SOA, or with governance, is helpful but isn’t required for this book.

Roadmap

This book is divided into three parts:

In the first part of the book, you’ll get an introduction to SOA concepts and governance tools, as well as the environment and policies that we’re going to discuss.

In the second part, we look at the policies you can use during the development phase.

In the last part of the book, we focus on how to work with SOA governance when your services are deployed and running.

The first part consists of the following chapters:

Chapter 1 starts with an introduction to SOA Governance. It includes a simple explanation of SOA and an explanation of governance. In this chapter you’ll see why SOA Governance is important and what problems SOA governance solves. This chapter also describes how open source tools can help you get started with SOA governance.

Chapter 2 shows you how to set up a complete SOA governance environment where you can experiment with the examples from this book. This chapter also includes an example of the basic architecture that we’ll use throughout this book for REST and WS-*-based services.

Chapter 3 presents a scenario that we’ll use throughout the book—a fictional company that provides a number of applications and services to its customers. This company faces a number of problems that we’ll use as input to define a set of policies. In later chapters you’ll see how to use various open source tools to comply with these policies.

The second part contains the following chapters:

Chapter 4 looks at the policies related to service design and documentation. This chapter will show how you can make your services self-documenting and how to correctly version your services.

Chapter 5 stresses the importance of taking security into account during the design phase of a project. This chapter explains how tools can help you implement security-related policies such as centralizing authentication and authorization.

Chapter 6 discusses how testing and SOA Governance work together. You’ll see how you can test all the layers from a service using different tools and technologies. You’ll also see how you can create a service that can easily run in the cloud. For this last example, we’ll use Amazon as the cloud provider.

The last part consists of the following chapters:

Chapter 7 shows how you can use the Bamos runtime governance environment to monitor your services in real time. It provides a number of examples on how you can visualize key metrics of your service landscape.

Chapter 8 looks at how a service and a policy both have a lifecycle. You’ll be introduced to a standard lifecycle you can use for services and for policies. This chapter also shows how the WSO2 registry can help you keep track of all the services and policies used in your organization or department.

Chapter 9 discusses how you can integrate the tools and technologies shown in this book with your existing components and services. It includes examples to get you started in a number of languages and also shows you how to integrate with ESBs and BPM engines.

The appendix contains installation instructions for the tools used throughout the book. If you work through chapter 2, you’ll see references to the appendix on how to install specific components.

Code conventions and downloads

All the code in the examples used in this book is presented in a monospaced font like this. This code, except for the code in chapter 9, is written in Java. Even though Java is used for the code samples, all the concepts that are explained also apply to other languages. For longer lines of code, a wrapping character may be used to keep the code technically correct while conforming to the limitations of a printed page.

Annotations accompany many of the code listings and numbered cueballs are used if longer explanations are needed. Longer listings of code examples appear under clear listing headers; shorter listings appear between lines of text.

The source code for all of the examples in the book is available for download from the publisher’s website at www.manning.com/SOAGovernanceinAction. You can also download the latest sources from the Google code project. How to get the latest code is explained in the appendix.

Software and hardware requirements

The examples in this book use various tools and libraries. Each chapter explains which specific tool is used to implement a policy or show a concept. The appendix explains all the tools that you will need and how to install them. The easiest way to play around and experiment with the examples in this book is by configuring an Eclipse installation. The appendix also explains how to install and configure Eclipse to work with the examples from this book.

Author Online

Purchase of SOA Governance in Action includes free access to a private web forum run by Manning Publications where you can make comments about the book, ask technical questions, and receive help from the author and from other users. To access the forum and subscribe to it, point your web browser to www.manning.com/SOAGovernanceinAction. This page provides information on how to get on the forum once you’re registered, what kind of help is available, and the rules of conduct on the forum.

Manning’s commitment to our readers is to provide a venue where a meaningful dialog between individual readers and between readers and the author can take place. It’s not a commitment to any specific amount of participation on the part of the author, whose contribution to the AO remains voluntary (and unpaid). We suggest you try asking the author some challenging questions lest his interest stray!

The Author Online forum and the archives of previous discussions will be accessible from the publisher’s website as long as the book is in print.

about the cover illustration

The figure on the cover of SOA Governance in Action is captioned “A Fisherman.” The illustration is taken from a 19th-century edition of Sylvain Maréchal’s four-volume compendium of regional dress customs published in France. Each illustration is finely drawn and colored by hand. The rich variety of Maréchal’s collection reminds us vividly of how culturally apart the world’s towns and regions were just 200 years ago. Isolated from each other, people spoke different dialects and languages. On the streets or in the countryside, it was easy to identify where they lived and what their trade or station in life was just by their dress.

Dress codes have changed since then and the diversity by region, so rich at the time, has faded away. It is now hard to tell apart the inhabitants of different continents, let alone different towns or regions. Perhaps we have traded cultural diversity for a more varied personal life—certainly for a more varied and fast-paced technological life.

At a time when it is hard to tell one computer book from another, Manning celebrates the inventiveness and initiative of the computer business with book covers based on the rich diversity of regional life of two centuries ago, brought back to life by Maréchal’s pictures.