Questions from SOA Patterns Webcast
As I mentioned, I gave a webcast (thanks to Ron for the original material) today on patterns and anti-patterns in SOA, as part of the .NET Unwrapped series for financial services. Frankly, there was really nothing in the webcast that was financial services-specific, because this stuff generally applies across many domains. The same basic material was delivered as a webcast by Ron Jacobs, John Evdemon, Alex Weinert (from the Indigo team) and Ted Neward a few months ago, in a talk show format.
I promised the participants that I'd post all of their content-related questions here, and work to answer them. Here are the questions without answers. I'll start answering (and you should too!) as soon as possible.
Here's the deck.
Rob Asked: Doesn't the loosey goosey [anti-] pattern open you up for SQL injection attacks?
Definitely - I was probably a little quick in my treatment of security on this one. This anti-pattern is a clear violation of the explicit boundaries and autonomy tenets. You're exposing all sorts of implementation details of the service.
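The contrast, as an added example that is not taken from the webcast or its deck: it assumes the anti-pattern takes the form of an operation that accepts a caller-supplied query fragment, and sets it beside a contract-bound operation. The table, sample rows and function names are constructed for illustration; the message name FindCustomerByCountryRequest is borrowed from a later question in this post.

```python
import re
import sqlite3
from dataclasses import dataclass


def make_db():
    """Constructed sample data: an in-memory customer table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (name TEXT, country TEXT, credit_limit INT)")
    db.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                   [("Ann", "US", 5000), ("Bo", "DE", 9000), ("Cy", "US", 100)])
    return db


# Anti-pattern (assumed shape): the caller supplies a WHERE fragment, so the
# table layout leaks through the boundary and caller text is executed as SQL.
# A fragment such as "country = 'US' OR 1=1" returns every row.
def loose_query(db, where_clause):
    return db.execute("SELECT name FROM customer WHERE " + where_clause).fetchall()


# Explicit contract: one business operation, one schematized message.
@dataclass(frozen=True)
class FindCustomerByCountryRequest:
    country: str

    def validate(self):
        # Schema-style constraint (assumed): a two-letter upper-case code only.
        if not re.fullmatch(r"[A-Z]{2}", self.country):
            raise ValueError("country must be a two-letter code")


def find_customer_by_country(db, request):
    request.validate()
    # The value is bound as a parameter and is never parsed as SQL.
    rows = db.execute("SELECT name FROM customer WHERE country = ? ORDER BY name",
                      (request.country,)).fetchall()
    return [name for (name,) in rows]
```

The contract-bound version narrows the boundary twice: the message schema rejects anything that is not a country code, and the parameter binding keeps whatever does pass out of the SQL text.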
Shuchi Mittal Asked: So Is the recommendation to have Service Interfaces represent Business Functions?
I think this question was in the context of the CRUD anti-pattern. Generally, services will represent some coherent, atomic, business-relevant operation. The term "service interface" generally refers to an implementation detail that is used to separate the service-specific implementation from infrastructural (e.g. messaging- or security-related) functionality. The service interface manages the contract, and the service implementation does the business operation.
Jm-luca Asked: The response of a function must be clear, but the parameter for that function could be an array or an object?
Let's use "service" instead of "function". Recall the fundamental principle that services only consume and produce messages according to contract and governed by policy. So everything into and out of a service should be considered a schematized message. Note that the programming model (functions, parameters, returns) is distinct from the messaging model, but you need to think about the schema and contract explicitly, rather than as a derivative of the code. When you look at Indigo (David Chappell article), you'll see that the syntax of the service model expresses the contract explicitly, but it does it in the code via attributes.
hw Asked: What type is FindCustomerByCountryRequest? Dataset?
DataSets aren't very interoperable; that is, there's no DataSet in the XSD type system. So we generally want to avoid their use in service definitions (which would happen automatically if you're specifying messages via schema first). FindCustomerByCountryRequest is a message defined by an explicit schema, then generated into a data transfer object via xsd.exe or XSDObjectGen.
hw Changes Question To: Is this code available for review later?
The code is not currently available. However, this work is being turned into a series of whitepapers plus code examples, which should be available soon. Watch my blog for a link.
Ed Asked: Most important difference between WSDL as a boundary contract and, say, IDL?
(Applies to CORBA and COM IDL.) IMO, the key aspects are: 1. breadth of adoption: WSDL has become much more widely adopted than any (either) IDL; 2. there's an inherent "objectness" to IDLs, frequently causing unnecessary exposure of details of the implementation; 3. WSDL inherently expresses stateless interactions, where IDL can, used naively, lead you into a stateful object realm (which may be what you want, but isn't very service-oriented). As the articles below discuss, you can certainly build loosely-coupled, service-oriented systems using IDL as your contract language; however, there are some hurdles that web services (including WSDL) attempt to overcome. But, as we know, there are lots of ways to make mistakes with web services.
In the vision of SOA,
See "Why WSDL Is Not Yet Another Object IDL", the response from Steve Vinoski and the re-response from Savas Parastatidis.
Juma Asked: Is it bad to send SOAP Exceptions (SOAP faults) in a web service?
Nope. You're contract-bound, so tenet-compliant.
Shuchi Mittal Asked: Shouldn't the cache be updated when the request is received and you start processing it, in case the same request were to arrive while you are working on the first request?
This question is related to the Idempotent Message pattern. Very good point. Presumably yes, you'd want to handle that case by marking the cache when processing begins on the first request. Then there are options - you could fail the second request and perhaps indicate that it was a duplicate and the first was going to return. Or you could hold the second request and have it return when the first request produces a result. You'll need to be very careful with failure scenarios here, in case the first request failed silently somewhere deep in your business layer.
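One way to implement the "mark the cache when processing begins, hold the duplicate" option, as an added sketch that is not code from the webcast. The class name, the message-id key and the timeout value are assumptions; the timeout covers the case where the first request hangs or fails silently.

```python
import threading


class IdempotentReceiver:
    """Deduplicates requests by message id; duplicates wait for the first result."""

    def __init__(self, handler, wait_timeout=5.0):
        self._handler = handler
        self._timeout = wait_timeout
        self._lock = threading.Lock()
        self._entries = {}  # message_id -> {"done": Event, "result", "error"}

    def handle(self, message_id, payload):
        with self._lock:
            entry = self._entries.get(message_id)
            first = entry is None
            if first:
                # Mark the cache when processing begins, not when it ends.
                entry = {"done": threading.Event(), "result": None, "error": None}
                self._entries[message_id] = entry
        if not first:
            # Duplicate: hold it until the first request produces a result.
            if not entry["done"].wait(self._timeout):
                raise TimeoutError("original request did not complete")
            if entry["error"] is not None:
                raise RuntimeError("original request failed") from entry["error"]
            return entry["result"]
        try:
            entry["result"] = self._handler(payload)
            return entry["result"]
        except Exception as exc:
            entry["error"] = exc
            with self._lock:
                # Drop the marker so a later retry is processed, not blocked.
                self._entries.pop(message_id, None)
            raise
        finally:
            entry["done"].set()  # always release waiters, even on failure
```

Duplicates that arrive while the first request is running see either its result, its failure, or a timeout; none of them runs the business operation a second time.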
Sven Asked: Why should ASMX be used? WSE allows the use of service interfaces without using ASMX pages. I write my own service interfaces that inherit from SoapService. Why is ASMX better?
ASMX is better aligned with Microsoft's strategy going forward (i.e. Indigo). The WSE hosting model, outside IIS, will require more migration effort to get to Indigo than the traditional ASMX model. Also, IIS provides a robust host, whereas with WSE, you'll have to build that yourself. If you use WSE capabilities as extensions to the ASMX model and you avoid fiddling with the WSE pipeline, you should be in good shape for Indigo.
Ricky Asked: Re the CRUDy anti-pattern, RU saying that CRUD should be wrappered in some business process context? that U shouldn't just build "data access layer" services?
Basically, yes. Raw data access services probably don't deliver a lot of value, and likely don't produce a lot of service ROI. However, "entity services" that represent business entities (loans, policies, customers, claims) and business-oriented operations on those entities, make a great deal of sense, and are generally highly reusable across an enterprise.
pk Asked: I'm involved in writing a SOA. The requirement is to expose services available in-process, remoting and web services. Is there a pattern that will work well with that scenario?
Pre-Indigo, the best guidance we have is encapsulated in the Enterprise Development Reference Architecture (formerly Shadowfax). See http://channel9.msdn.com/wiki/default.aspx/Channel9.EDRAWiki. Indigo will allow this precise model very seamlessly.
muthu Asked: Do you have examples of application blocks/starter kits that handle security/transaction/etc. that we can use as a starting block?
On security, the examples that ship with WSE give you the basics on doing message signing, encryption, etc. Also see EDRA, linked to above.
redonisc Asked: Can you describe the benefits of using custom messaging instead of using DataSets in methods in a web service? Better performance???
Generally, interoperability is the key force guiding you away from DataSets and to schematized messages (and the DTO pattern). Performance will also benefit, because serializing a DataSet can be inherently expensive, and a serialized DataSet contains some "extra" stuff (e.g. the DiffGram). The tradeoff I often hear is that DataSets bind very nicely to e.g. ASP.NET (WebForms) controls. To bind a custom DTO, you have to do more work, but it is possible.
Jm-luca Changes Question To: The response of a function must be clear, but the parameter for that function could be an array or an object? Could you say that SOA is the new way to develop web applications, or is it just a new view of what we were doing?
I answered the first question above: messages in, messages out.
The second part: SOA is a set of principles to help us build systems out of autonomous services, resulting in benefits of rapid integration, loose coupling and improved predictability and control. It's not just about web applications.