Why you cannot describe a Web Service ... or how I bullied an Oracle product manager.

I am embarking on a new pet project at home, to do with Web Services. I won't go into too much detail in this posting as I am sure I'll be going on and on about it in the coming months. Basically though it is to do with generating dynamic proxies for SOAP Web Services and doing this from service descriptions such as WSDL and UDDI.

For this project I would like to be able to support a more fully WS-* stack, including WS-Security, WS-ReliableMessaging and WS-Addressing. The problem I am having can be seen with WS-Security.

There is no where in the WS-Security specification that advises on how you declare this requirement in WSDL documents. Therefore from a WSDL there is no way to know that you need to apply WS-Security.

WSDL is meant to desribe the interfact to the service, the clues in the name, however if the service is any more complex than basic SOAP this is not possible. This seems to me to be a glaring ommision.

The WS-Security Specification states that "Advertisement and exchange of security policy." is a "Non-goal", but surely is cannot be the responsibility of the WSDL group to deal with this.

You may have read my previous post Our WebDAV love affair? where I have a bit of a go at the WebDAV specifications, however there is one place where they have done amazing work which is understanding how to build a stack of specifications. In any of the extending specifications there are clear statements on how these effect the other specifications.

My major concern is that I cannot find any work going on in this, the the WSDL 2.0 Feature element might be something for this, but if the extension specifications continue to see this as something for other people to deal with then who will come up with the vocabulary for this to work.

The second part of the title for this posting is about me bullying an Oracle product manager. On Friday I went to the London Java Special Interest Group meeting where there was a presentation from RSA on Identity and Federation and then one from Oracle on the new WS-Security features in their App Server and JDeveloper 10g.

Part of this was a demo of building a WS-Security enabled SOAP Service in JDeveloper, which I have to admit looked to be an extremely easy process. The simple service was exposed, including building the WSDL, and then WS-Security was added to it.

I asked if the WSDL file had in anyway been changed when adding the WS-Security, and as I expected it hadn't. A couple of other people then commented on this, obviously not have come up against this problem before. Unfortunately someone then asked to see the building of a client stub for that service, which was also a completely painless process.

My bullying then came in the form of pointing out that the client blatently would not work as it had been built from the WSDL which did not advertise the fact that encryption and digital signatures where required. I feel I should publicly appologise to this guy and state that aside from this, which is not the fault of JDeveloper or anyone at Oracle, the demo was really good and their next generation product line does seem to be very good.

As for the problems with WSDL and the WS-* stack, well I guess we are all going to have to wait for this, and perhapse try to get the WS-I to expand their remit to look at this kind of thing.