Applied SOA
Service-Oriented Architecture
and Design Strategies
Mike Rosen
Boris Lublinsky
Kevin T. Smith
Marc J. Balcer

Wiley Publishing, Inc.



Applied SOA: Service-Oriented Architecture and Design Strategies
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256

www.wiley.com
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-22365-9
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy fee
to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978)
646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley
Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or
online at />

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or
warranties with respect to the accuracy or completeness of the contents of this work and specifically
disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No
warranty may be created or extended by sales or promotional materials. The advice and strategies
contained herein may not be suitable for every situation. This work is sold with the understanding
that the publisher is not engaged in rendering legal, accounting, or other professional services. If
professional assistance is required, the services of a competent professional person should be sought.
Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an
organization or Website is referred to in this work as a citation and/or a potential source of further
information does not mean that the author or the publisher endorses the information the organization
or Website may provide or recommendations it may make. Further, readers should be aware that
Internet Websites listed in this work may have changed or disappeared between when this work was
written and when it is read.

For general information on our other products and services or to obtain technical support, please
contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317)
572-3993 or fax (317) 572-4002.
Library of Congress Cataloging-in-Publication Data:
Applied SOA : service-oriented architecture and design strategies / Mike
Rosen . . . [et al.].
p. cm.
Includes index.
ISBN 978-0-470-22365-9 (paper/website)
1. Web services. 2. Software architecture. 3. Computer network
architecture. 4. Information resources management. I. Rosen, Michael,
1956-
TK5105.88813.A69 2008
006.7'8 — dc22
2008015109
Trademarks: Wiley, the Wiley logo, and related trade dress are trademarks or registered trademarks
of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not
be used without written permission. All other trademarks are the property of their respective owners.
Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print
may not be available in electronic books.


About the Authors

Mike Rosen is chief scientist at Wilton Consulting Group, which provides
expert consulting on software architecture, SOA, and enterprise architecture.
He is also director of enterprise architecture for the Cutter Consortium and
editorial director of the SOA Institute. He frequently speaks at industry
symposia and contributes to industry journals.
Boris Lublinsky is lead architect at Navteq, where he is responsible for
SOA and BPM implementations. He is a frequent contributor to technology
magazines and a speaker at industry conferences. Boris is also an SOA news
editor for InfoQ.
Kevin T. Smith is a technical director at ManTech MBI (formerly McDonald
Bradley, Inc.), where he builds highly secure and data-driven SOA solutions
for the U.S. government. He is the author of many SOA technology articles
in industry magazines, such as the SOA/Web Services Journal, and has
coauthored several technology books, including The Semantic Web (Wiley,
2003), Professional Portal Development with Open Source Tools (Wrox, 2004), More
Java Pitfalls (Wiley, 2003), and Essential XUL Programming (Wiley, 2001), in
addition to the books where he has written chapters as a contributing author.
Kevin has led SOA workshops and has presented at numerous industry
conferences, such as the RSA Security Conference, JavaOne, the Semantic
Technology Conference, the Apache Open Source Conference, Net-Centric
Warfare, the Object Management Group, and the Association for Enterprise
Integration.
Marc J. Balcer is the founder of ModelCompilers.com, a provider of
tools and services for realizing the power of model-based development,
and the coauthor of Executable UML: A Foundation for Model-Driven Architecture (Addison-Wesley, 2002). He has over 15 years of experience in
developing, deploying, and managing projects based upon executable models
and model-driven development techniques.
As a party to many enterprise development projects, Marc has witnessed
firsthand how the precision of application and architecture models can make
the difference between spectacular success and miserable failure. He has
applied Executable UML to projects in such diverse areas as medical instrumentation, transportation logistics, telecommunications, and financial services.


Credits

Executive Editor
Robert Elliott
Development Editor
Sydney Jones
Technical Editor
Jim Amsden
Production Editor
Laurel Ibey
Copy Editor
Foxxe Editorial Services
Editorial Manager
Mary Beth Wakefield
Production Manager
Tim Tate

Vice President and Executive Group Publisher
Richard Swadley
Vice President and Executive Publisher
Joseph B. Wikert
Project Coordinator, Cover
Lynsey Stanford
Proofreaders
Nancy Carrasco, Kathryn Duggan
Indexer
Jack Lewis
Cover Image
Paul Cooklin/Jupiterimages Corporation




Acknowledgments

Well, who to thank for all the help? First, thanks to all the people who supported
me throughout this process. There were many, but a few stand out for special
mention: all my friends and clients who cut me a little slack when I might
have been slightly unresponsive during the final push to finish everything;
my friends in the travel industry who inspired the case study; everyone at
Cutter Consortium for constant encouragement; SOAInstitute for providing a
forum to teach and discuss all things SOA; Robert Elliott at Wiley, who had
the uncanny timing to call me during a lull in my consulting practice and ask if
I wanted to be involved in an SOA book; and Sydney Jones, our project editor,
for putting up with our changes and delays. I hope she wasn’t just being nice
when she said we weren’t the worst group of authors ever. Thanks to Jim
Amsden, a friend and colleague, who also turned out to be the best technical
editor you could imagine; Jeroen van Tyn and Laura O’Brian for the great
Business Use Cases in Chapters 6 and 7 and Appendix A; my good friend Ken
Orr for teaching me about business architecture, processes, and semantics over
the years; my coauthors, for contributing to a collaborative project where we
all learned from each other and everyone’s chapters, and the book, benefited;
and most importantly, to my awesome wife, Tamar Krichevsky, who not only
put up with it all, but who also read every single chapter of the book and
compiled and wrote the fantastic Evaluating SOA Services appendix. Thanks.
— Mike Rosen
I would like to thank Mike for calling me out of the blue and asking whether I
would like to participate in this exciting project. I really enjoyed collaborating
with Mike, Kevin, and Marc. It allowed me to learn more about SOA and
significantly improved the quality of my chapters. Many thanks to the people
whom I used to work with over the years, especially Didier Le Tien, Dmitry
Tyomkin, and Deborah Shaddon, for always challenging me with tough architecture questions and pointing at deficiencies in my solutions; Jay Davidson
and Edward Kuffert for explaining to me the importance of business architecture and the way the insurance industry works; and Jerry Daus, Matt O’Neal,
and Maria Mernandez for helping me to understand how IBM software works
and the best ways to use it. I am also thankful for all of the failed and successful
projects that I worked on, which taught me what is important and what is not,
and why things fail or succeed. Most importantly, to my wonderful wife, Lilia,
for patiently putting up with me spending more time with my computer than
with her. Thanks.
— Boris Lublinsky
I would like to thank my three talented coauthors, Mike, Boris, and Marc — it
has been a pleasure working with you on this exciting and challenging project.
Mike, you did a great job of guiding us in this process, and I would especially
like to thank Boris for his additions to the chapters on Composing Services
(Chapter 8) and SOA Governance (Chapter 12). I would like to thank Vaughn
Bullard for his suggestions on Chapter 12 and Layer7’s Toufic Boubez for his
support of my discussion on dynamic policy adaptation (“Policy Application
Points”) in Chapters 11 and 12. Special thanks to Ken and Myrtle Ruth
Stockman for allowing me to use their nicknames in one of my examples, and
thanks to my “readability editors,” Helen G. Smith and Lois G. Schermerhorn.
I would like to thank my company, ManTech MBI (formerly McDonald
Bradley, Inc.) in Herndon, VA, with special and sincere thanks to those who
encouraged my writing of this book on my own time — specifically, thanks to
Danny Proko, Bill Pulsipher, Waymond Edwards, John Sutton, Gail Rissler,
Mark Day, and Ken Bartee. I would like to give my thanks (and apologies)
to my wonderful wife, Gwen, and my sweet daughters, Isabella and Emma!
Thank you for putting up with me as I went into isolation for countless nights
and weekends while writing this book. I would like to thank Ashland Coffee
and Tea, who once again didn’t kick me out when I camped out there for days
at a time for writing, research, and of course, caffeine.
Thanks to the Washington Redskins, who thoughtfully did not have a
good enough football season that it would distract me from writing on
Sundays. Thanks to other people, places, and things that most likely affected
my writing in a positive way (in no particular order): Gavin Sutcliffe; Eric
Monk; Nick Duan; Sue Lee; Joanie Barr; John Medlock; Kyle Hendrickson;
Tom Diepenbrock; Scooby-Doo; Jeff Phelps; Ruben Wise; Kim Gumabay; Mike
Hoops, the AMC Pacer, Ralph Perko, Kathleen Ferris, Brad Giaccio, Kevin
Moran; Mike Daconta; Leo Obrst; Fox; my community group (Russ and Debi
Garber, Ed and Lori Buchanan, Steve and Ani Tetrault, Ed Hoppe); Kyle
Rice; Thai Gourmet in Kings Charter; the Apostle Paul; Sean, Jen, Garrett, and
Parker Cullinan; Daniel Buckley; Ken Pratt; Adam Dean; Mike Rohan; Carl and
Sharon Smith, Emma when she sleeps past 4:00 a.m., Bill, Farron, Casey, and
Will Smith, New Hanover Church, Grace Community Presbyterian Church,
Mungo, and T3. Finally, all glory, laud, and honor to the one who was, who is,
and who is to come.
— Kevin T. Smith
Many ideas emerge from the everyday work of developing real solutions.
In addition to my coauthors, I would like to acknowledge the contributions,
criticism, and insights from current and former colleagues, including Steve
Dowse of International Asset Systems, and Brian Itow, Gary Marcos, Julio
Roque, and Matt Samsonoff of AZORA Technologies. Most importantly, I
would like to thank my partner, Canares (“Chicho”) Aban, for his dedication
and support during this project.
— Marc J. Balcer




Contents at a Glance

Part One Understanding SOA
Chapter 1 Realizing the Promise of SOA
Chapter 2 SOA — Architecture Fundamentals
Chapter 3 Getting Started with SOA

Part Two Designing SOA
Chapter 4 Starting with the Business
Chapter 5 Service Context and Common Semantics
Chapter 6 Designing Service Interfaces
Chapter 7 Designing Service Implementations
Chapter 8 Composing Services
Chapter 9 Using Services to Build Enterprise Solutions
Chapter 10 Designing and Using Integration in SOA Solutions
Chapter 11 SOA Security
Chapter 12 SOA Governance

Part Three Case Studies
Chapter 13 Case Study — Travel Insurance
Chapter 14 Case Study — Service-Based Integration in Insurance

Appendix A Business Use Cases
Appendix B Evaluating SOA Services
Appendix C Additional Reading
Index


Contents

Acknowledgments
Introduction

Part One Understanding SOA

Chapter 1 Realizing the Promise of SOA
  Once Upon a Time . . .
  Learning from History
  What Went Wrong?
  What Went Right?
  What Can You Learn?
  The Promise of SOA
  The Challenges of SOA
  Reuse
  Efficiency in Development
  Integration of Applications and Data
  Agility, Flexibility, and Alignment
  Meeting the Challenge
  Reference Architecture
  Common Semantics
  Governance
  Business Process Modeling
  Design-Time Service Discovery
  Model-Based Development
  Best Practices in SOA Analysis and Design
  Summary

Chapter 2 SOA — Architecture Fundamentals
  What Is Architecture?
  Architectural Styles
  Architectural Principles and Practices
  What Is Service-Oriented Architecture?
  1. Defining a Service
  2. Defining How Services Are Built and Used
  3. Integrating Packaged and Legacy Systems into the Service Environment
  4. Combining Services into Enterprise Processes
  5. Specifying the Technology Infrastructure
  Specifying the Technology Infrastructure
  Specifying the Application Infrastructure Required to Support Services
  6. Defining Common Semantics and Data
  7. Aligning Services with the Business
  8. Determining How to Use the Architecture
  Determining the Development Environment, Frameworks, Infrastructure, and Tools
  Defining Metrics for Measuring Success
  Business-Driven SOA
  SOA and Other Architectures
  Enterprise Architecture
  Software Architecture
  EA, 4+1, and Services
  What Is a Service?
  A Word about Information Architecture
  Service Characteristics
  Service Granularity
  Service Dimensions
  Loose Coupling Is King
  Location Transparency
  Interface and Implementation
  Data
  Versioning
  Interoperability and Platform Independence
  Usage, Assumptions, and Knowledge
  Common Service Patterns
  Service Types and Purpose
  SOA Reference Architecture
  Summary

Chapter 3 Getting Started with SOA
  Overview of SOA Implementation Methodology
  SOA Reference Architecture
  Minimum Architecture
  9-Month Checkpoint
  18-Month Checkpoint
  Long Term
  Business Architecture
  Business Processes
  Information Design
  Service Identification
  Service Specification
  Service Expectations
  Interaction Model
  Service Constraints
  Service Location
  Services Realization
  Buying Services
  Outsourcing Services
  Building Services
  Summary of Service Identification and Realization Concerns
  Service Life Cycle
  The Service Design Process
  Top-Down Approaches
  Enterprise System Analysis
  Business Process Model
  Bottom-Up Approaches
  Utility Services
  Service Enabling
  Middle-Out: The Best of Both
  Process Summary
  Activities
  Artifacts
  Repositories
  Governance
  Process Phases
  Architectural Context
  Business
  Design
  Implementation
  Test
  Practical steps
  Summary

Part Two Designing SOA

Chapter 4 Starting with the Business
  Business Architecture
  Enterprise Business Architecture
  Project Business Architecture
  Value Chain
  Business Context
  Understanding the Business Motivation Model
  Ends
  Vision
  Desired Results
  Means
  Mission
  Course of Action
  Directives
  Influencers
  Alignment and Traceability
  Business Process Management and Modeling
  Basic Business Process Model Components
  Executable Models
  Business Process Models in an SOA World
  How to Create Business Process Models
  Use Cases
  Use Cases and Business Process Models
  One Use Case, Multiple Scenarios
  Step Reuse
  Documents
  Conditional Business Process Models
  Conditional Flows
  Conditional Operation Outputs
  Recap: Processes and Services
  Organizing Services
  Domains
  Types of Domains
  The Service Inventory
  Summary

Chapter 5 Service Context and Common Semantics
  The Importance of Semantics in SOA
  Core Information Modeling
  Objects and Attributes
  Classes, Attributes, and Instances
  Attributes and Instances
  Associations
  Association Multiplicities
  Finding Classes
  Defining Types
  Simple Types
  Numeric Types
  Symbolic Types
  Enumeration Types
  Composite Types
  Implementing Types
  Beyond the Basics
  Identifiers and Uniqueness Constraints
  Identifier and Identity
  Contrived Identifiers
  Multiple Population Identifiers
  Subpopulation Identifiers
  Specializations
  Derived Attributes
  Value Constraints
  Structuring Information Models
  Documents
  Defining Documents
  Adapting the Information Model
  Multiple Documents
  Documents and XML
  XML Schema
  Types in Schemas
  Document Variations in Schemas
  Designing for Change
  XML Patterns
  Derivation Using Abstract Classes
  Derivation by Extension
  Derivation by Restriction
  Disallowing Derivations
  Russian Doll
  Salami Slice
  Venetian Blind
  Best Practices for the SOA Architect
  Using Abstraction to Avoid “SOA Stovepipes”
  Reuse Standards to Avoid Reinventing the Wheel
  Develop Information Models Based on Use Cases
  With Change, Crawl, Walk, Then Run
  Summary

Chapter 6 Designing Service Interfaces
  Services Revisited
  Service Characteristics
  Granularity
  Scope
  Visibility
  Interaction Styles
  Parameter Passing
  Document Passing
  Data Passing
  Request/Reply
  Events
  Mixed Style
  Design Guidelines
  Isolating Responsibilities
  Understanding Overall Context
  Identifying Granularity
  Stateless Interfaces
  Exceptions
  Designing Documents
  Interface Design Illustrated
  Overview of Models and Diagrams
  ACME Insurance Example
  Conceptual Architecture
  Problem Space Model
  Use Case Diagrams
  Actors
  Initial Scenario Diagrams
  Purchase Insurance Scenario
  Enterprise Service Context and Inventory
  Detailed Scenario Diagrams
  Information Model
  Service Specification
  Solution Model
  Service Model
  Service Definition Diagrams
  Operations Procedures
  More Information Model
  Document Model
  Summary

Chapter 7 Designing Service Implementations
  Basic Service Architecture
  Layer Responsibilities
  Using Activity Diagrams for Modeling Operational Logic
  Implementation Components
  Implementing the Interface Layer
  Document Receipt
  Syntactic Validation
  Transformations
  Implementing the Business Layer
  Semantic Input Validation
  Performing the Business Logic of the Operation
  Computing and Returning Results
  Implementing the Resource Layer
  Implementation Design Illustrated
  Business Layer
  Create Quote Operation (Quoting Service — Request Quote Scenario)
  Price for Quote Operation (Automobile LOB Pricing)
  Summary


Chapter 8 Composing Services
  Understanding Service Composition
  Separation into Service Layers
  Orchestration and Choreography
  The Relationship between BPM and Composition
  Architectural Models in Service Composition
  Hierarchical and Conversational Composition
  Conductor-Based and Peer-to-Peer Composition
  Service Composition Implementation
  Programmatic Composition
  Service Component Architecture Composition
  Event-Based Composition
  Orchestration Engine–Based Composition
  Centralized and Decentralized Orchestration Approaches
  Service Composition and Business Rules
  Service Composition and Transactions
  Incorporating Human Activities into Service Composition
  Orchestration with BPEL
  Composition Example — Case Study
  The Problem
  High-Level Design Decisions
  Process Modeling
  Dos and Don’ts in Service Composition
  Avoid Static, Programmatic Orchestration
  Use a Layered Service Approach
  When Using BPEL, Use Abstract Processes
  Summary

Chapter 9 Using Services to Build Enterprise Solutions
  Enterprise Solutions versus Applications
  Service-Based Enterprise Solutions
  Layered SOA Architecture and Multitiered Application Architecture
  Locating Services
  Example: Implementing Service Access for Policy Issuance
  Versioning: Dealing with Service Changes
  Version Deployment and Access Approaches
  Example: Coping with Changes in Policy Issuance Solutions
  Architecting Security for Service-Based Solutions
  Using a Security Gateway
  Using an Interceptor in Security Implementations
  Example: Architecting Security for Policy Issuance Solutions
  Exception Handling and Logging in Enterprise Solutions
  Monitoring and Managing Enterprise Solutions
  Business Activity Monitoring
  Technical Monitoring and Management of SOA Solutions
  Enterprise Service Bus-Unified Infrastructure for Enterprise Solutions
  Defining ESB
  ESB Architecture
  Stand-alone ESB
  ESB as a Service Container
  ESB as a Framework
  Choosing an ESB
  Summary

Chapter 10 Designing and Using Integration in SOA Solutions
  Challenges of Integration in SOA
  Characteristics of Islands of Data
  Characteristics of Islands of Automation
  Characteristics of Islands of Security
  Integration in SOA Defined
  Integration Services
  Integration Access Implementations
  Using Messaging Infrastructure to Implement Integration Access
  Using a Message Broker to Implement Integration
  Using Existing Web Services to Implement Integration
  Using JCA/J2C Adapters to Implement Integration
  Using Web Service Wrappers to Implement Integration
  Using Direct Database Access to Implement Integration
  Using an Enterprise Service Bus to Implement Integration
  Special Considerations for Implementing of Integration
  Data Mapping in Integration
  Security Support for Integration
  Transactional Support in Integration
  Versioning Integration
  Dealing with Large Messages
  Data Virtualization and Enterprise Data Bus
  Summary

Chapter 11 SOA Security
  SOA Security Goals and Fundamentals
  Authentication
  Authorization and Access Control
  Two Types of Access Control — DAC and MAC
  Federated Identity and Cross-Enterprise Access
  Confidentiality
  Integrity
  Non-Repudiation
  Web Service Security Standards and Specifications
  WS-Security SOAP Messaging
  WS-Trust
  WS-Federation
  WS-SecureConversation
  WS-SecurityPolicy and the WS-Policy Framework
  SAML
  XACML
  XML Signature
  XML Encryption
  SOA Security Blueprints
  Separation of Security into Components and Services
  Authentication and Identity Blueprints
  Identity Propagation for SSO Solutions
  Point-to-Point Authentication
  Access Control Blueprints
  Controlling Access to Data, Not Just Services
  Access Control Policy Enforcement Approaches
  Auditing and Troubleshooting
  Flexibility with Dynamic WS-SecurityPolicy Adaptation
  Complete Architecture Analysis
  Applying Concepts from This Chapter — A Simple Case Study
  Establishing Enterprise Security Services
  Defining Identity Propagation and Access Control
  The Security Game Plan for the SOA Architect
  Plan from the Beginning, Focusing on Requirements
  Crawl and Walk before Running
  Use Accepted Standards (in a Standard Way)
  Understand the Details of the Standards
  Understand the Impact of Security on Performance
  Try to Keep It Simple
  Summary

Chapter 12 SOA Governance
  SOA Management and Governance Defined
  The Case for SOA Governance
  The Reality of Change in Real-World Deployments
  The Need for an Enterprise Big Picture
  The Need for Explicit Run-Time Service Policies
  The Need to Separate Policy Logic from Business Logic
  SOA Governance and the Service Life Cycle
  Design-Time Governance
  The Service Identification Process
  The Service Design and Specification Process
  The Service Implementation Process
