Web Services

Erik Sliman writes "Why are all the IT companies suddenly interested in open standards with web services? An OpenStandards.net article explores the issues surrounding the somewhat vague term."

Well

At least Web Services don't force me to run binaries on my system to do stuff. But I'd rather have local applications running in a well-defined sandbox.

Re:Well

Being a journalist with very little programming experience, I am really disappointed that there are still people out there either dismissing WS out of hand because of 'hype', or desperately trying to work out how it must be bad because of MS/.Net "Instead of arguing about how the world's components will connect, Microsoft is seeking to prove that it can help to produce the best components at the lowest cost. Duh, isn't that what companies *do*?? Like, competition n all that? Web services are kinda good in that they are open and attempt to SOAP was designed by Dave Winer from Userland who is a bit of a legend, and some other company called Developmentor, and they pitched around for support from big co.s, but no-one except Microsoft and IBM were interested. Yes, he did also design XML-RPC afaik. And I think he likes it better. There's a whole lot of stuff there. Dave is weird but deserves credit for this as i'm sure some other people do. Oh yeah, back to Microsoft... yep, they've seen the future and it probably has somethign to do with WS. So they're going hard. As much as I resent them for inflicting most corporate worker drones with inadequate software and making my time as a helpdesk operator a total misery, in this case they are doing something that is kinda good. I hope IBM and other vendors come out with some really cool IDEs though, because the word so far seems to be that kids love VS.Net.

It's Like Most Bandwagons...

[telstar]

Those that lead have the most to gain, and those that follow stand to lose the most if they don't jump on board...
The success or failure of the actual concept is secondary to how soon they joined the party.

Re:It's Like Most Bandwagons...

[cbowland]

Funny you mention that. Below is the text of an email I just received from oreilly. I guess you can't hop up on that wagon fast enough (too bad the stepstool is so bloody expensive).

Planning for Web Services is a new report from O'Reilly Research, written by industry visionary Clay Shirky. This report guides CTOs and CIOs through the inflated claims, competing standards, and amalgam of acronyms to arrive at a realistic appraisal of the business impact of Web Services. Topics include how Web Services can replace EDI, who the major players are and what they really offer, as well as the hurdles to implementing Web Services today. A must-read for anyone developing a Web Services business strategy. $495 Save $100! Just use code # wsrelj when ordering by phone (800-998-9938 or 707-827-7000) or email (order@oreilly.com) and you can get this invaluable report for only $395. Offer expires May 10, 2002

Re:It's Like Most Bandwagons...

[20721]

Yeah, like selling furniture and pet food online? First time mover advantage!!!

Re:It's Like Most Bandwagons...

[interiot]

Microsoft uses this pretty effectively. People will jump on bandwagons without knowing all the details, so Microsoft spreads enough half-truths to encourage people to jump on their bandwagon instead of someone else's. After being on the bandwagon for a while, the users realize that microsoft's many bandwagons have rounded up millions of people and brought them back to the Microsoft ranch, and it's going to cost them extra if they want to get out.

Re:It's Like Most Bandwagons...

[Abnormal+Coward]

this is very true, last company I worked for (I can't name them!) jumped on using NT+SQL+DCOM/COM for there system, which was handling Voice recordings.

Result ?, DCOM is a bast to setup, NT didn't have the TCP/IP throughput that they needed. The SQL queqing system that they used filled up in NO time because they where storing voice data in a SQL database.

If they had done a bit of home work, they could of got a much better system using a combo of NT and *nix systems.

Cobra, (which yes they would of had to pay for) would of done the job much better.

I am sure theres database type products that are geared for storing large amounts of binary data ....

Jumping on the M$ bandwagon and using there technolgy is not always the best thing ... I can see it happening all over again with dot-net, sign.

and I have to try program this stuff!..

Web Services is Hype

[johann909]

Web Services is just more hype. It doesn't offer anything new that couldn't be done with rpc. It just wraps method calls in XML and allows you to register your service in an internet phonebook-like registry. It is going nowhere, and so are you if you waste too much of your time trying to find out how to kludge your it infrastructure with this crap

Re:Web Services is Hype

[stu-pendous]

It depends on what your infrastructure is... I could see how this might be useful in large Wall Street firms that deal with disparate feeds and formats of market data. But I agree... this is not for everyone.

Re:Web Services is Hype

[Ars-Fartsica]

It doesn't offer anything new that couldn't be done with rpc.

No one is claiming that it isn't rpc, but it is an agreed-upon open standard for rpc across public networks using simple transport protocols. No one else is doing this, and CORBA is web services so don't offer that up as a reply.

Re:Web Services is Hype

[johann909]

Does an agreed upon standard for something like RPC warrant all of the hype it is getting? I think NOT! Why not invest industry resources on things that matter and are not auxilliary, like web services and RPC. BTW, CORBA is absolutely not Web Services. It is an interoperability standard between binary modules, so I wouldn't think of offering that up as a reply. See... This is exactly the shit I am sick and tired of: Buzzwords misused and abused by people like yourself and people profiting off others stupidity. Web Services is another fucking VA Linux my friend. It is full of shit, and not going anywhere, unless people force it too, which they seem to be doing.

Becuase of Stupidity of course

[Telastyn]

It's becoming more and more common that the "Internet" is just Internet Explorer to most people. So some smart fellow thinks it'd be a grand idea if services could be served this way, to appease the lowest common denominator. PHB's get ahold of it, and wham! off it goes to the media, and in 2-3 years everyone (hopefully) realises what a bad idea it was.

If you want a unified 'client' for all services, make one, don't kludge everything onto http. Please...

Re:Becuase of Stupidity of course

[smagoun]

OTOH, HTTP is pervasive. So are HTTP clients. It's the "write once, run anywhere" model that Sun's been pushing with Java for so many years. You run the app in one place (on your server), and it's accessible to anyone with a computer and a modem. It even works on PDAs, phones, etc with a minimum of effort. I'll be the first to agree that HTTP isn't the best way of doing things for most apps, but the industry has never been about "best". It's about "good enough" and market penetration.

Designing your own protocol takes time, and implementing it for each OS/hardware combo out there takes even more time. Why bother to do that, when you can leverage a protocol (HTTP) and client software (browsers) that are already everywhere?

From management's point of view, web services are a no-brainer....

Re:Becuase of Stupidity of course

On the other hand, web-ifying everything is an absolute godsend to firewall administrators! I don't have to go and open up every port everytime my idiot users want to use yet-another application. If it works through the web proxy, fine, I'll look the other way as long as you don't bug me. If you need me to open a port in the firewall to get it to work then you better have a damned good reason and a security plan for it to justify it. I know that most whining slashdotters are college kids who think everything should be wide-open, but in the real world that isn't how it works. Default deny everything inbound and outbound should be the norm for anyone even remotely interested in security.

Re:Becuase of Stupidity of course

Designing your own protocol takes time, and implementing it for each OS/hardware combo out there takes even more time. Why bother to do that, when you can leverage a protocol (HTTP) and client software (browsers) that are already everywhere?

As an extra, while people are designing protocols for web standards to be used in the future, they can use HTTP now and prove the concept without forcing administrators to open new ports in their firewalls or learn about the new protocols to monitor the newly-opened ports. Eventually, web services, if they're successful, will move to their own protocols simply because http was not designed with them in mind, but in the short term http is the easiest way to prove that it can be done.

Re:Becuase of Stupidity of course

[Telastyn]

*nod* though what sort of security do you gain if everything you could do on a "wide-open" setup, could be done via port 80?

Think a little.

Re:Becuase of Stupidity of course

[ethereal]

So, you think you know security, but anything that's tunneled through HTTP/HTTPS is OK with you? You really don't understand security.

SOAP et al are a mistaken implementation for exactly that reason, in a typical Microsoft fashion: by running everything over HTTP, we can get things working quickly without wondering whether they are secure. Later on, there will be a ton of SOAP security holes and information leaks, but we won't be able to plug the hole properly since we can't cut off HTTP without strangling our businesses. I love innovation without cogitation.

An absolute godsend to good firewall administrators would be to have specific services on specific ports so that you could easily audit the use of such services separately and have a better handle on what's going in and out of your 'net. You could, for example, inspect SOAP packets for a particular service without having to slow down all traffic through your HTTP proxy. But since you're a lazy bastard, I bet you don't care :)

Re:Becuase of Stupidity of course

How is this insightful? The whole idea of tcp/udp ports was that service multiplexing would be done at the transport level, and things like tcp wrappers, proxies, etc., can be used to ensure service scalability/reliability/security. Now, just because firewall administrators are stupid, everyone has to multiplex at the application level, making everything fragile.

Re:Becuase of Stupidity of course

[goldspider]

"It's becoming more and more common that the "Internet" is just Internet Explorer to most people."

Very true! I wonder if that has anything to do with the fact that the first contact many people had with "The Internet" was Internet Explorer... which was conveniently disguised by that "The Internet" icon in early versions of Windows 9x.

It's no wonder why people use Internet Explorer and The Internet synonymously.

Re:Becuase of Stupidity of course

Well, from my experience, everytime any of my users seem to try to code a server it requires random ports and suddenly they expect me to open up 64000 ports in my firewall because they coded their apps without ANY thought of passing it through a firewall. Well, you know what guys? NO. Take your Netmeeting and shove it up your ass.

Re:Becuase of Stupidity of course

[feldkamp]

Whoa there...

Web services != HTTP Web services

While web services can be used over http, even microsoft is pushing to not use http, merely because http was not designed for this sort of thing.

Re:Becuase of Stupidity of course

from what I understand they are using XML, or a derivative, which is a replacement for HTML, where html is the language, and http is the protocol.

from what I understand they are still piggy-backing the protocol.

Re:Becuase of Stupidity of course

[Cally]

OTOH, HTTP is pervasive. So are HTTP clients. It's the "write once, run anywhere" model that Sun's been pushing with Java for so many years. You run the app in one place (on your server), and it's accessible to anyone with a computer and a modem. It even works on PDAs, phones, etc with a minimum of effort. I'll be the first to agree that HTTP isn't the best way of doing things for most apps, but the industry has never been about "best". It's about "good enough" and market penetration.

You've just described the web as it was (and is, and will be) since 1995 or so. But the web is passe now; even the PHBs have realised that adding an i or e to the start of a brand just doesn't cut it any more. They need new buzzwords! new paradigms! new... bullshit! Fortunately, the world's marketing people have stepped up to the line with a fresh new truckload of ripe, steaming horseshit. Web services? It's client/server. It's nothing new. And the rest of the hype - vague ideas about websites communicating your preferences between themselves - can either be implemented on the client (Mozilla's wallet, form manager etc); is only of use to a Microsoft-like conglomerate that wants to own /everything; and ISN'T GOING TO HAPPEN. Anyone here remember "DNA"? "Digital dashboard?" Remember in 1996, how VRML was going to make the "flat" WWW redundant? And XML, which was going to make all the 30 yeasr old EDI systems obsolete overnight? Pur-lease. Give me a break. Some of us have been working in this industry for more than a couple of years, and you know what? Once you've seen a couple of bullshit marchitecture hype waves come rolling in, then swoosh back down the beach leaving nothing but some rotting seaweed and a couple of old shampoo bottles... it gets real hard to get excited about an amazing new technological breakthrough when there's no new technology (or indeed anything else of substance) there.

Re:Becuase of Stupidity of course

Firstly, your point is ignorant. But I think you now know that. And Microsoft werern't the only ones developing Soap, and most ideas were from XML-RPC so blame the right people.

Most firewall admins are lazy, and they don't like openning new ports. While you're trying to push another port they are wary - and you loose time over a pointless argument that you're better to avoid.

And then your final inference that you won't be able to block SOAP because you won't be able to block ports... well, lets just say you've revealed how much you know there. I run ip-masq on my firewall and it's able to speedily rewrite packets - the machine is a P120. SOAP packets are clearly marked, and it would be of no effort to block them if the need ever rose. Also, firewalls could efficiently block them.

HTTP isn't the web. It's also WebDAV and many other protocols.

Re:Becuase of Stupidity of course

[fanatic]

even microsoft is pushing to not use http, merely because http was not designed for this sort of thing.

No, microsoft is pushing to not use http because http is an open standard, which they can't control and use to lock in users. Microsoft's stand on http, referenced here, was, as usual, stone-bullshit, obvious to anyone with a little technical savvy.

Re:Becuase of Stupidity of course

[ethereal]

I don't have a problem with XML-RPC really - it's good to be able to do things remotely via a standardized protocol. But I think that the latest implementations of that idea are not well-thought-out from a security perspective.

Most firewall admins are lazy, and they don't like openning new ports. While you're trying to push another port they are wary - and you loose time over a pointless argument that you're better to avoid.

It's not a pointless argument at all. The whole point of a firewall administrator's job is to keep track of what's going in and out and the cost/benefit analysis of that traffic. A good firewall administrator doesn't mind opening new ports; he or she minds opening up to new risks. Sometimes (almost always, I would argue) putting a new service on a new and distinctive port makes it less of a risk than commingling it with the rest of your HTTP traffic. Running everything over port 80 makes it easier to get things past a bad firewall admin, but that's not really the point - you should get a better firewall admin in the first place, or else just admit that understanding your security exposure isn't what you're interested in.

I run ip-masq on my firewall and it's able to speedily rewrite packets - the machine is a P120. SOAP packets are clearly marked, and it would be of no effort to block them if the need ever rose. Also, firewalls could efficiently block them.

It's one thing to rewrite packets on your personal firewall. It's another thing when it's the firewall/proxy for a large company, one that's possibly already overloaded, and may or may not even support rewriting depending on what sort of network appliance you've plugged in there.

Which is still missing the point, anyway - we have ports so that services can be more easily distinguished. It's nuts to say that we're now going to run everything over the same port just because we can't be bothered to make those distinctions, and then deal with analyzing and rewriting packets to make up for our failure to distinguish.

Re:Becuase of Stupidity of course

[deKernel]

In the Microsoft world Web Services == HTTP Web Services.
I have been developing a Web Service for about a year now on Windows, and let me tell you, without IIS (if you don't already know, that is a Web server), you are dead. Period. End of story. You are outta here. There is nothing in .NET that will allow you to communicate via HTTP without IIS running.
Microsoft might be squalking about HTTP not being good for Web services (which it is not), but even they don't have a better idea.

Re:Becuase of Stupidity of course

[ahfoo]

But browsers are not OSs.
I've been saying this since I first heard Gates start pushing it. Web services is a concept only someone who is clueless or hoping to keep others clueless about computing fundamentals could love, like Gates.
The argument of leveraging "what's out there" is totally misleading. OSs are already out there. Limiting yourself to a browser is essentially just taking the responsibility off the sysadmins by saying everything has to be squeezed into HTML so they don't have to worry about their security policy, but that's totally naive. In order for web services to be useful, they have to be powerful and you're back to the question of why you didn't just write a brown paper app with FTP, TFTP, SSH or whatever protocol you needed for the networking chores? How does squeezing this existing functionality into HTTP represent an improvement?

How could they not be?

[FurryFeet]

In today's world, connectivity is key. You pick up a phone and expect to be able to call any other phone on earth (granted, it may be expensive or hard, but it is possible), no matter if it's in another country, company, if it's a celular or a satelite phone.
That expectation moves to the Net. If you're going to hire net services, you expect to have a unified system that will allow you to do anything with one interfase, one bill, from anywhere.
Now, I can only see two posibilities for that to happen. One is Microsoft, but fortunately I see a trend where less companies are willing to empower the BMFH (Bastard Monopoly From Hell). The other is open standards.
And yes, this is a Good Thing (TM).

AKA RPC over HTTP

[alext]

In short, this is a simplified XML version of COM, CORBA or EJB, only without the specific requirement of a "component", "object", or "bean", or anything except... well... a "web service".

For those wishing to simplify CORBA or EJB in the privacy of their own homes, the secret is to make the Service an Object. Now you would never have thought of doing that if I hadn't told you, would you? That's why Web Services are different.

Oh well, someone who puts 'simplified' and 'XML' in the same sentence is probably nuts anyway...

Re:AKA RPC over HTTP

[johann909]

"you would have never thought of doing it if I never told you"... crap I will never think of doing it even though you did tell me. Your post really sucks. You don't know what your talking about.

Trendy

[blankmange]

Not only is the "on the bandwagon", but open-source is one of those buzzwords that comes around and sticks in the lexicon of the public. Everyone sees/hears/reads that Microsoft is being sued because, amongst other things, they are not open-source. Open-source must be good then, if the courts are forcing MS to be that. Open-source gets good press; IT companies believe that they would have a favorable image if they offer something that they can point to and say "We use open-source code for that and look how great it is." Also, open-source should be more economical to run/code/acquire than proprietary solutions. I guess the problem with that is, if you are an IT company, why don't you have/use your own solution??

Re:Trendy

Everyone sees/hears/reads that Microsoft is being sued because, amongst other things, they are not open-source.

Huh? No they don't. I'd like to know what popular media outlet you're looking at.

Re:Trendy

Microsoft refuses to release its source code, therefore it is not open-source. Who needs to have this spelled out? I know that this was not covered specifically on the Entertainment Tonight report on the MS case, but this was pretty much everywhere else....

Another resource

[LinuxHam]

Check this out to see what IBM has going on..

Re:Another resource

Not really, it just means he works for IBM. e-business is an IBM phrase, I think.

Re:Another resource

[LinuxHam]

Thanks for your opinion, really. If you were spending OPM (other people's money) at $30 to $100 million at a clip even after the dot bomb, you'd see it in an entirely different light. Until then, well, you're just you.

You caught me in a good mood tonight.

Re:Another resource

Look at me, I'm spending other people's money! Whee, I must be really IN THE KNOW.
And I work for IBM. You know, the vampire company that has collected OPM since the end of the Second World War by being the law firm that specialized in tech and patented OPI (other people's ideas) in vast quantities because we had all the lawyers.
Isn't that cool? Aren't all you slashdotters so impressed by my smooth business schuckster style?
Whatever buddy. IBM is going to hell and I'm gonna have you fuckers doing pushups when you get here.

no big deal

standard web services

pourtoll device is Xtra.

We use web services

At work we've been using web services to make eligibility requests to insurance company databases. The reason it's nice is

1) no connectivity issues, it's just https over the Net, and

2) no data format issues. In .Net at least, you write a web service just like a local procedure. It has parameters which can be arbitrarily complex objects. Hit a button, it exports WSDL. Send that to your partner, who hits another button, now they can call your web service just like they were calling the procedure locally. No muss, no fuss, and any VB programmer can pick it up in a day and start using it.

Re:We use web services

It is this ease of use that Developers and Security Admins need to consider carefully... If you don't look out you are gonna have some rookie VB programer exposing your whole corporate database through a tunneled SOAP connections b/c it so easy that he forgot to put any security checks in or didn't get them auditied... The Security Admins can't do anything about this unless they want to shut off HTTP at the firewall... Wouldn't that make everyone happy.. Sometimes things can be too easy and you need to make sure there are plenty of safeguards in place...

Re:We use web services

[seann]

Your so a microsoft goon... The only proof I need is to hear you say "SQL" and pronounce it "Sequel."
Show your true userid!!!

Re:We use web services

We're a Microsoft shop at work. It pays the bills. I've been using Java at home.

Never got around to getting a userid.

Re:We use web services

True, but you're no more exposed than you are by any other web application. Your vb programmer could write a web service that exposes too much, but he could just as easily write a web page that hits the database and exposes too much. Either way, you don't let a rookie commit code to the external webserver.

Re:We use web services

[Random+Feature]

You can only do this if both you and your partner are using the same message format.

Microsoft .NET defaults to doc/literal message format. No other toolkits support this on the client side. So either you BOTH have to use the default (which is usually the case because VB programmers aren't known for their high IQs or programming ability) or you both have to know enough to change the message format to the more OPEN RPC/encoded message format.

Think about it for a minute - it's easy, so you don't have to think about it. You do whatever Bill thinks is best, which is to use a proprietary message format and force a closed service because no one else but MS clients can get at it.

But then again, maybe that's a good thing. I don't know that I'd trust a Web service written by a VB programmer.

Re:We use web services

[Sir+Robin]

Your[sic] so a microsoft goon... The only proof I need is to hear you say "SQL" and pronounce it "Sequel."

Huh? I have Linux on four different machines, sneer at M$ just like any other good slashdaughter ;) , and I pronounce "SQL" as "sequel". Googling for "sql sequel" shows that lots of people pun on "sql" => "sequel". Why do you have a problem with this?

Re:We use web services

Most people coming out of an IBM background (and that includes Microsoft) say "Sequel".

FYI, an earlier version was actually called SEQUEL

Your edumucation for today.

Re:We use web services

[anjrober]

How do you pronounce SQL then? I did large scale data warehousing/data mining for years, think many terabytes on an SP2, SAS and large Sun boxes, etc. Everyone I worked with said "sequel".

Re:We use web services

[seann]

I'd punch them in the jaw.

"S Q L"

Related recent /. story

[bigmouth_strikes]

Here's a related /. story regarding IBM and Microsoft's suggested security standard for web services.

Everyone wants our "products"

Is usually just marketing hype trying to drum up interest

So a link to openstandards and a link to sourceforge says that every business is interested in their "products" ?

hmmm

how about an independant unbiased review instead of blatent plugging

if this was a report from [insert big corp name here] we would all be crying foul

It's Default

[NickRob]

They want a hip name that makes it sounds like they're actually doing something. They really don't know what it means either. They just want to look good and hi-tech.

Microsoft's business model in a web services world

[jwinterboy]

I don't think Microsoft is as worried about a distributed computing world as the article suggests.

There are transition points along the way to a truly distributed computing world, however, that it has been worried about. In a truly distributed computing environment, every client, every desktop is a server. Who owns the desktop world today? Microsoft. That is the end-game, and Microsoft is well positioned to capitalize on it.

In the interim, however, before all the "standards" and "security" issues are worked out, server-based computing -- Larry Ellison's proclaimed NetPC -- will surface. Unfortunately, for Microsoft, this is where they are weak. Microsoft knows that there are already too many competing server platforms out there. So, it focused instead on making sure that open protocols were adopted so that any server-based products that are developed will always be compatible with its desktop client. To hedge its bets, it also pushed Passport so that even if server-based computing becomes established, it will have a piece of the pie.

When a truly distributed computing world surfaces, unless the open-source community finds a way to penetrate the desktop client, it will be a Microsoft world all over again.

Its a good time to ....

[grid+geek]

Its a recession. During boom times like the mid 90's companies were too busy dealing with sales and expanding like crazy to deal with demand. Now that most of the competition has died down, no one expects them to post record profits etc it gives people the chance to think about where to go next.

The web is all very well but HTTP et al. have some serious limitations and were never designed for most of the current technology. For example a dial up connection has the same bandwidth of a dedicated line in the 1970's so ASDL/Cable modems etc were never considered.

The reason for all the demand now is the scientific community and all the Grid projects around the world, just because there's a recession doesn't stop them and their data requirements make Google look like a small fry (20TB of data for Google vs 600TB for BaBar at SLAC).

The other issue is business - they've all got on the band wagon of internet sales as an extra sales channel so they can grow this, but its not going to be the sudden revenue increase it was initially. Web Services offer the opportunity for companies to increase productivity and efficency which is why the tech companies are investing in it now so when the economy changes and the corporate clients come back they have something new to go on about.

Re:Its a good time to ....

[swb]

Now that most of the competition has died down, no one expects them to post record profits etc it gives people the chance to think about where to go next.

We do that here, except now that its so slow we have the time to think about planning for tomorrow instead of this afternoon there's no goddman money available to make it happen.

It's starting to feel like the Staples shared-pen commercial.

Re:Its a good time to ....

The web is all very well but HTTP et al. have some serious limitations and were never designed for most of the current technology. For example a dial up connection has the same bandwidth of a dedicated line in the 1970's

Umm...http was invented in 1990, for use on an LAN in a physics lab.

That's what happening

[wiredog]

Well, sort of. The PHB's are realizing that web browsers aren't the best way to do web services/web applications and are looking for a better one.

The problem is that everyone has a web browser. Anything that aims to replace it has to get high distribution at low cost. You want all your customers to have whatever client you use. And it has to be based on a standard so that even if the customers client isn't exactly what you have, it's close enough.

And this is in a world where it can be difficult to get IE and Mozilla to play nicely together.

Re:That's what happening

> The PHB's are realizing that web browsers aren't the best way to do web services/web applications and are looking for a better one.

Cough. Since when have PHB's had minds of their own? They are fed, exclusively, by vendor hype.

> The problem is that everyone has a web browser. Anything that aims to replace it...

Well, yea, but web services mean you'd have build a "browser" that is "viewed" by a computer program, not an end-user. IE and Mozilla are end-user interfaces (and "web services" or no, you still have to deal with end-users at some point, I presume).

Web Services = Inherently Insecure

[hndrcks]

Web Services- you take the crackable and exploitable service on port 'X' and advertise it on port 80 or 443. Just as bad, just as exploitable - but now the IT people can't firewall it.

Re:Web Services = Inherently Insecure

[Dasein]

I'm tired of this crap. Let's put the shoe on the other foot. If you were going to accomplish the same task (letting customers access an API publish by your company) how would you do it?

Here are the choices as I see it:

1) Use CORBA. You have to bust a whole in the firewall. I don't know about you, but I would much rather trust an HTTP server than most CORBA Orbs I've seen. Grab the source to one and start poking. Look at the marshalling code in particular. There's also no provision for encryption in the IIOP standards, big problems for any NAT equipment, the list just goes on and on.

2) Use DCOM -- Yech

3) Use a custom protocol. Sorry but most programmers mess up network programming pretty bad not gonna trust this one.

4) Use EDI -- if you are seriously considering this one, get out a baseball bat, bash youself in the head, rinse, lather, repeat until it's all better.

5) Build a private network. This is expensive and troublesome. Using HTTPS with authentication is probably a better solutions.

This crap about web services being inherently insecure is usually based on running web services over port 80 or 443. If you really want to, you can run it over any port you like. HTTP communication endpoints are specified using essentially URLs, so http://www.example.org:8325/myservice. Uses port 8325. Now you can firewall all you want.

Other people think that web servers are getting exploited all the time so you shouldn't use them. IIS aside, most of the popular web servers have become more secure as a result of the attacks. I don't know of a single ORB or custom protocol implementation that's withstood the trypes of attacks that web servers have. So I feel more comfortable putting something out there that's been battle tested.

I think I've covered most of the options. If you have others that you think are better, I'm certainly open to hearing them. Just remember, not letting users have access to the APIs is not an option.

Simply put...

[gUmbi]

Simply put, Web services is SOAP and UDDI. SOAP is like RPC, UDDI is like LDAP. There is nothing really new here.

The reason it is becoming popular is:
A) it uses XML for procedure calls and it has a big-fat standard for type-mapping so it's not tied to a specific language or language-binding.
B) It can piggy-back on HTTP so it works through firewalls.

Web Services may have some issues when network/security administrators figure out people will be using RPC through the firewall.

Jason.

Re:Simply put...

[microTodd]

Web Services may have some issues when network/security administrators figure out people will be using RPC through the firewall I hate this argument. SSL, PKI, servers other than port 80. There are plenty of solutions here.

Slashdotted, posting anonymously

Web Services: the stuff that dreams are made of, or more hype from our
favorite technology gurus?

"You can say this has been a dream of computer
science for many decades. The momentum is there to drive [Web services] to the
same kind of central position that the graphics interface and HTML had across
all the different systems in the past." -- Bill Gates (Source: Informationweek.com,
Feb 11, 2002)

In all the battles that Microsoft has had, the one that
has been disproportionately ignored by the technology media relative to its effect
on Microsoft's hopes and ambitions would have to be Microsoft vs. The Internet.
J2EE, Linux, open source and countless other fears of The Stronghold have taken
the show, while few have noticed the potential fundamental impact of the Internet
on Microsoft's business strategy. Microsoft loudly acknowledged the Internet around
1994, pointing out what a good thing it was, hoping that they would be able to
come up with a strategy to defend itself before people realized the Internet was
going to give Microsoft its greatest challenge. The distraction appears to have
worked, as few have considered the consequences this quantum leap in technical
progress could have on this industry giant. To technology purists, the Internet
was about open standards, connectivity, interoperability, peer-to-peer, and, inevitably,
distributed computing. While each of these arrows has threatened to chip away
at Microsoft's proprietary closed Windows platform, none has promised to devalue
the individual machine, Microsoft's pinnacle of success, more than distributed
computing. What became clear in the browser wars was that open standards was the
only way to win any war on the Internet. One may be able to truthfully say that
Microsoft has won the browser wars. Yet, what is also true is that the browser
has just enough holes through the open standards to ensure that no one can stop
the flood of new competitive technologies and open standards from leaking through
it. In this respect, open standards won the browser wars, even if we have to live
with a few idiosyncrasies that can make our browsers a bit obnoxious. Distributed
computing is about getting components and systems to interoperate to create something
bigger, independent of the physical machines the parts are hosted on. As each
computer reaches out to connect to another to create something bigger, the individual
machine becomes less noticeable. It becomes just one of thousands, then millions,
then billions of machines in a world of massive information flows to create what
we call the Internet. In order for this to happen, it was clear to all players
we would have to agree on the standards used to integrate all the components and
processes. While Microsoft had a chance of winning browser wars, in part because
the standards, notably HTTP and initial versions of HTML, were already defined,
and the browser is a user interface on, yes, the individual machine, distributed
computing promises to be different. In the new architecture, value will be defined
by the sum of the [distributed] parts. The ability to participate will define
the value of each piece of code. Aware that this phenomenon was inevitable, there
wasn't a single heavyweight in the industry willing to let Microsoft control how
all the world's computers and components were to connect to create this new era.
IBM, Oracle, Sun, HP, and countless others, with plenty of experience working
on projects to erode Microsoft's influence, were determined to doom any efforts
by Microsoft to control the standard protocols. With everyone willing to agree
on open standards, if, for no other reason, to ensure that Microsoft did not have
a chance, even Microsoft had to concede that the standards would have to be open,
and accepted by all major parties. We call the package containing these standards
for inter-process communications across the Internet "web services". They include
XML based protocols such as Simple Object Access Protocol (SOAP), and Web Services
Description Language (WSDL), and Universal Description, Discovery, and Integration
(UDDI). It is true that SOAP's inception started with The Borg, in addition to
IBM and Ariba. Yet, when it was submitted to the World Wide Web Consortium's open
standards process, and upon review we concluded there was nothing in there that
gave Windows a distinct advantage, or Microsoft in general, it quickly gained
acceptance even before being declared an official standard. SOAP is the primary
protocol for implementing web services. This XML based standard permits a consumer
to utilize the services of a web services provider. In short, this is a simplified
XML version of COM, CORBA or EJB, only without the specific requirement of a "component",
"object", or "bean", or anything except... well... a "web service". While all
the other web service standards have their place, SOAP is the only one that is
essential for the consumption of a web service. It is possible to create a simple
service and a simple consumer using nothing but SOAP, leaving out UDDI and other
overhead. What's the difference between web services, and COM, CORBA and EJB?
You are not likely to get a straight answer from the owners of the earlier technologies,
because doing so would be tantamount to admiting that they should have begun by
agreeing on open standards in the first place. The important thing is web services
is different; and the real important thing is that, for the first time in history,
all the IT giants in the industry appear to agree. Now we can finally begin large
scale distributed computing. Let's just start wrapping our COM, CORBA, and EBJ
objects in pretty little web services packaging, and pretend like the last decade
of bickering didn't really happen. UDDI, currently managed by UDDI.org, promises
to increase both the value and rate of growth of web services by enabling a more
structured version of what one can think of as a "web search for web services."
By allowing providers to submit descriptions of their offerings, and allowing
consumers to locate all the various web services available for a particular need,
UDDI promises to increase the benefits for both sides of the equation. Currently,
Microsoft, HP, SAP and IBM all manage UDDI Registries. It is worth noting that
Microsoft originally had something called DISCO that does what UDDI does. However,
when it became clear that UDDI was already popular, Microsoft replaced their proprietary
DISCO with its open standard counterpart. Let's give thanks, once again, that
disco is dead! WSDL does not appear to be an offical open standard, yet, as it
has only been submitted to and accepted by the W3C
as a "note", meaning that no one other than Microsoft, IBM and Ariba appear
to have worked on it. Don't tell every else, though, lest you ruin the web services
celebration. For all intensive purposes, it is being endorsed as a standard for
describing in a highly technical and structured way how a consumer of a web service
can access all of a services' parts, or at least that was my take on all the jargon
I read about ports, end points, bindings, messages, operations and french fries.
OK, maybe it didn't mention french fries; but, by the time you are done reading
it all, the one realization that will come to you is that you are probably ready
to eat again. The W3C has a working group called the XML Protocol (XMLP), which
builds upon SOAP to offer standards for implementing SOAP in many different communications
contexts. In trying to be all things to all people, XMLP is committed to being
independent of both programming model and mode of communications between peers.
It is likely to define at a higher level than the original SOAP submission how
our web applications will talk to each other, creating an XML based foundation
upon which we can build, at a distributed level, traditional development concepts
such as even-driven, state-transition and multi-threading programming models.
Why did Microsoft concede the inevitable so quickly and openly and bluntly, not
only giving in to, but helping to foster the open standards, when they have such
a history of fighting tooth and nail for every inch of Internet space? I suspect
that, like the Internet in the past, an offense with strong marketing can once
again hide the fact that Microsoft faces its greatest threat. With all eyes on
Bill's offensive .NET team, who would notice they were really on the defense?
Instead of openly opposing the enemy, Microsoft has chosen to embrace it, hug
it, love it dearly, for the world to see. How, with all that affection, can the
Internet possibly be a threat to Microsoft? Thus, .NET and the open distributed
computing protocols that enable web services are being sold like a marriage made
in heaven. To be sure, despite the Internet, growing global unity on open standards,
and the promise of distributed computing on a scale never before seen in the age
of computers, all hope is not lost for Microsoft. The theory that Microsoft has
chosen to prove is that the individual machine, and its intangible components
(software objects), will still have value in this new world where interconnectivity
is essential. Instead of arguing about how the world's components will connect,
Microsoft is seeking to prove that it can help to produce the best components
at the lowest cost. This is where .NET enters the picture. This is the new sexy
machinery Microsoft is showing off as the primary contender in the oncoming web
services war. With all its marketing might, Microsoft is betting the house on
this new architecture. After all, the only other option is to become irrelevant
in a world where a computer will no longer be considered "booted up" until it
is connected. Microsoft is not alone on the playing field. It has Sun to contend
with. Of course, Sun isn't just a company, but the representative of every J2EE
vendor and Java user out there. Together, they are a force to be reckoned with.
Heavyweights like IBM, whose annual revenues Microsoft still dreams of approaching,
have made J2EE the center of their applications initiatives. Oracle, BEA, HP and
countless others are pooling their efforts together. And, let's not forget various
open source organizations, from Apache to JBoss, like grass roots operations,
they promise to pluck Microsoft from the hearts of countless individual devotees.
Is Sun late to the web services game, as some have said? To this I say what game?
It is clear there will be a game, but it is not clear that the game has really
gone past the kick off. The reality is, a shift like this can take years to evolve.
Web services are poised to grow far more in 2004 than they will in this year,
the year of their illumination. So far, all we see is a lot of gossip, and very
few real life stories. The vast majority of the enterprises that will use web
services have yet to make a commitment to the specific means of how they will
leverage this new technology. Indeed, most are still pondering how they can benefit
from it. If you compare Sun to Microsoft, one can debate who was first to enter
the web services arena. Yet, if you compare them both to the market they are hoping
to appeal to, they are either early, or just in time. Nobody is late. Is it true
that Sun's roadmap is unclear? This has to be viewed from two perspectives. From
a technical viewpoint, we are primarily talking about the ability to take business
processes, and expose them via open standards protocols over the Internet. Does
Sun have a library for doing this? Yes, it does. You can download it freely today,
and begin anytime you like to create your first web services. Is it better than
.NET? This I cannot answer, since I have yet to use either one. However, the question
I have is whether or not the Java community, with its large base, corporate support
and open source initiatives, can produce a better framework over the next year
or so. This seems more important than who was first, since I suspect a year or
two is a better time frame for when web services is likely to really be revved
up on a large scale. The second perspective the roadmap question has to be considered
with is in the area of business. Web services is about more than just distributed
computing. To a business, it is about creating and consuming new services, or
utilizing old services in an improved way. The question each business must ask
is how can they best leverage this new ability to either create new services for
the market, or consume web services in a way that increases their competitiveness
and improves their bottom line. Can Sun or Microsoft really answer this question
for all the businesses out there? Is there a map that any one company can provide?
The truth is, the hardest road to identify is not the technical path, but the
business opportunities. If there is a delay in this game, it is to give pause
to consider everyone's options. It is the great huddle of corporate decision makers
assessing how the next play can help them win the game. To this, I submit, silence
from Microsoft and Sun will do more good. It is not their job to run everyone's
businesses. To return to our original question, is the whole "web services" thing
hype? Web services is at least a solid beginning to a new era of distributed computing
that is as inevitable as paved roads. If web services is not hype, what remains
to be questioned are the tools and services the hype masters themselves know you
do not have to choose. Will .NET be the answer for everyone? Will Java take the
lead through its community involvement and open source support? Will supply and
demand for web services skyrocket in the next few months? These are things to
be hyped. Will web services and distributed computing change our lives? Now I
hear a ring of truth.

Because...

[Richard_at_work]

Where i work, the only thing that the end user has on their desktop apart from the standard tools for the job, is IE (no, we dont permit anyone to install Mozilla, basically because theres no point and we wont support it). SO the more things we can pump over the standard http protocol to the end user the better. It gives the end user a standard portal to all the services we provide them, and also its easier to apply a template. And we dont have PHBs here, all these decisions are made by the people that have to implement them, and the people that use them.

Re:Because...

[ethereal]

Where i work, the only thing that the end user has on their desktop apart from the standard tools for the job, is IE (no, we dont permit anyone to install Mozilla, basically because theres no point and we wont support it).

If you're not part of the solution...

SO the more things we can pump over the standard http protocol to the end user the better.

...you're part of the problem.

And we dont have PHBs here, all these decisions are made by the people that have to implement them, and the people that use them.

I think you're missing the people that think about the consequences of those decisions - you know, things like "does running a service over port 80 magically make it secure?" and "hmmmm, so if we're going to do everything over port 80, what was the point of our firewall again?".

On the other hand, having no PHBs means that you can theoretically turn on a dime and start improving things almost immediately. Good for you!

Re:Because...

[Richard_at_work]

I think you're missing the people that think about the consequences of those decisions

Hmmm i see your point, but no, we arent missing the people that think about the consequences, since we are also the peoplethat have to deal with network security and such.

- you know, things like "does running a service over port 80 magically make it secure?" and "hmmmm, so if we're going to do everything over port 80, what was the point of our firewall again?

Im more talking about webservices to internal users, our own internal employees and those on VPNs. Yes, you are right, jsut switching the port doesnt magically secure a service, but then are all services on that port goingto be used as a secure transmission method? no. any service that we run, we code in the appropriate level of security. And firewalls can be made to do a lot more than control access in or out of the network based solely on port number or services type :) Since us implementors are exactly those persons who have identified the problem, researched the solution and implemented a version of that solution, and we have direct longterm access to the end users and the results that our applications are having on that end user, then i dont think we are in a tight spot at all.

Re:Because...

[jacobito]

As another poster mentioned, SOAP, XML-RPC, et al are not much different than using HTTP POST to pass messages to a CGI program. In fact, as far as I can tell, that is what they are. The only difference is that with web services, the messages are formatted as XML. So don't we already have a problem?

Maybe there's something crucial that I'm missing; I have not worked extensively with any of this shiny new web services stuff myself.

MOD PARENT UP!!

That's got to be the most informative thing I've read on Slashdot all day.

Re:MOD PARENT UP!!

Thanks. A friend I have who uses Linux (he's very intelligent) told me that often the top half of the page gets "Slashdotted", so it's useful to repaste the top of the page lower down. I want to do my part in the Slashdot community.

Marketing Hype = More $$$

[Lysol]

I'm actually knee deep in the poop of webservices and 2++ things that come to mind on this subject:

1. they're not actually useful. i mean, who's gonna publish their auction webservice or requisition web service for someone else to use? it's nice that u can get order tracking for fedex - i guess that's useful - or stock quotes. but, beyond that, there's no point.

2. companies like bea (esp bea) and ibm need more revenue and hyping web services to sell 'corporate developer' tools is their way to go. bea esp. is learning from m$ with their whole 'all in one visually appealing code completion server starting package' server and gui tool. and this appeals to a large market of 'corporate developers'. by corporate developers, and i'm taking this straight from the horses mouth, i mean developers that are not full blown ejb/c/python, etc... people. basically newbies that can open an ide and connect to a db via some sort of control. definitely not vi or emacs people.

however, if u use their tools (which i do, unfortunately on a daily basis), i don't see how a corp dev. is gonna understand hooking into ejb's and such. it's not as trivial as their canned sales demos make it.

it's really all about the market making more money for itself. "oh, well, any app server's can do ejb, but hey, can yours do web services?" check out xmethods, anything interesting there? hardly.

there might come a day where these services are avail for rent as components and that might be useful the same way components are now, but until then, no use beyond the good ol stock quote or google search. come to think of it, is the google search really useful at all?

Re:Marketing Hype = More $$$

[rylos]

I agree that the hype is heavy for Web Services. However, I do see benefits for using Web Services.

Making Web Services work in a useful way sometimes takes some creativity. Take Google as an example. With the recent release of the Google API, I was able to use PHP and SOAP to access their search results. One of the methods offered through the service is spell checking. By integrating this spell checking with my company's internal search engine, I now have the ability to make search term suggestions to users. This functionality would be very difficult to provide if it had to be created from scratch.

Web Services will NOT work for all things and in all situations, but they WILL work for some things and in some situations. Creativity is the key.

Re:Marketing Hype = More $$$

[mini+me]

I can think of many things I'd love to see exposed via web services (or another RPC type protocol).

What if all the functions of Slashdot were avaliable via SOAP? Then anyone could easily write a Slashdot application that looks more like a news reader, or whatever you want. The value of such a program is debatable, but at least it would be an option. How about weather information, traffic reports, interest rates, currency exchange rates, etc.

Interest rates and exchange rates are an excellent example of how web services could be used. If you are writing a financial application you could then always have up to date rates which would require no human input. Then a web service call could then be made to a bank to make the transaction. All automated from a single program. No human interaction needed.

Web services make perfect sense when someone has information that can be useful to someone else that would otherwise not be avaliable. It allows people to build applications that would not be otherwise possible due to lack of information. It gives computers access to the vast knowledge of the internet instead of just humans.

Of course if no one creates any useful web services then all of this technology will go to waste.

Re:Marketing Hype = More $$$

[cxgd]

What if all the functions of Slashdot were avaliable via SOAP? Then anyone could easily write a Slashdot application that looks more like a news reader, or whatever you want. The value of such a program is debatable, but at least it would be an option. How about weather information, traffic reports, interest rates, currency exchange rates, etc.


Or what if all functions of slashdot were available via CGI . Then anyone could write a slashdot application.....

There's nothing new under the sun.

Re:Marketing Hype = More $$$

[mini+me]

I meant the functions of Slashdot itself on slashdot.org. Sure Slashcode is avaliable, but you only have access to your own data, not Slashdot's.

The only way right now to do what I proposed for a Slashdot application is to parse out all the HTML. This is a tedious task and will break as soon as something in the HTML page changes.

Web services are nothing new, RPC, Corba, it's all been done before. It doesn't have to be done in SOAP, but that seems to be the standard they want to push. But this is the first time I've ever seen remote functions avaliable to the general public and that right there is the value of it.

Re:Marketing Hype = More $$$

[0x0d0a]

This functionality would be very difficult to provide if it had to be created from scratch.

You ever use aspell?

Re:Marketing Hype = More $$$

I agree.

Web services are mostly hype. I've been hearing it, ad nausium, and the only thing I can get out of it is...

1) "XML" is a means for expressing any arbitrary hierarchitical "database". I know this, I've done much XML. I like XML. It has a place.

2) To pass a "database" as a "parameter" in an RPC call means the code that initiates/responds to the call must still understand the data structure, just like they'd have to understand a "CSV" record. For all the hype, you'd think they were writing the freaking application for you.

3) In fact, "Web Services" only write a parser for you. Fine. Now you've exchanged one complex database format for another. Unless, the exchange was trivial in the first place, then what was so hard?

Bottom line? Since XML can exchange any quantity of unique data, you're left with what I call a non-standard standard. If you had a million ways to express an interface yesterday, and you have a million ways today, what's so standard?

And how is this going to "save the world"?

To be honest, if you've used Apache/PHP you know how nice it is to have all that data handed to you all nice and pretty. But, most of the apps, like the Google API, could be specified in any number of more simplistic, record oriented, ways.

My next bugabo is along the lines of a quote in the article, "Your PC isn't booted until it's connected.".

Bah.

And they aren't joking. Things like MS storing your .doc files on their servers are already a matter of disscussion in more than a few Corps.

I don't need 50 points of Corporate service to boot my PC, all that must favorably conspire to permit me to use my machine.

Re:Marketing Hype = More $$$

> How about weather information, traffic reports, interest rates, currency exchange rates, etc.

All available today, and much more, using the basic HTTP/URL standard. I don't want to let out any secrets, or anything, but there is a whole world of "low level" interactions going on out there. Even today. Even without SOAP et. al.

> Interest rates and exchange rates are an excellent example of how web services could be used.

A way less costly than layering a bazillion gratuitous and expensive products onto the problem might be:

http://InerestRates.com?Type=Mortgage

Might be able to get you a response that contains:

2002-04-23
PNC Financial,6.66,3 points
Cittbank,6.74, 0 points

A simple and incomplete example, but the point is nobody says an HTTP request has to be met with an HTML response.

> It allows people to build applications that would not be otherwise possible due to lack of information.

Um, no. The information isn't available because the owners haven't made it available. It is not a technological problem.

Re:Marketing Hype = More $$$

[J.+Random+Software]

SOAP is a design toolkit (like yacc, TCP/IP, and electrical schematic symbols). Since the abstractions are standardized, you can use it to concisely and thoroughly specify a protocol and have some hope of interoperating with the same knuckle-draggers who could never get IIOP to work.

Re:Marketing Hype = More $$$

A big part of my job is to shoe-horn data into systems maintained by those very knuckle-draggers.

I'll tell you, matters of getting them to understand bits on the wire are the very least of my problems.

Best approch to date? Write both sides of the application, the entire application, yourself. Why stop with just the protocol?

Re:Hate school?

no way, jose. just because i hate the way school is going right now doesn't mean i'm going to drop out. we're not all fuckwads like you who give up on stuff...

This article is not standards compliant!!!

[curunir]

Anyone else see the irony in an article about standards that has so many grammatical errors?

Re:This article is not standards compliant!!!

[PigleT]

...the article probably doesn't validate as clean HTML either, when the rest of the world is way on with XHTML1.0 and XSL and stuff, does it?

Re:This article is not standards compliant!!!

Yeah, what's with "all intensive purposes"? It's "all intents and purposes". What a better way to show the world you're an idiot trying to seem smart.

Re:This article is not standards compliant!!!

[daeley]

Ah, but it's "openstandards" which translates to "do it any which way," I believe. :)

Nobody knew what CORBA was for until the web

[mmacdona86]

Not companies routinely make information available to the Internet, and routinely make use of information that other companies provide. Unfortunately, lots of times this is more difficult than necessary since all the information is formatted in pretty web pages for people to see.

Web services just means that you are providing the same data in a format for other companies' programs to use. This is an excellent idea, particularly when you can charge for providing the data.

This was always the idea behind CORBA, but I think people didn't get it because since both ends of the communication were to be programs, it was too abstract. Now that people do these kinds of information exchanges everyday with web servers and browsers, it's much clearer what the point was all along.

Web services takes the CORBA idea and adds the web momentum. You leverage the communication infrastructure built for the web. SOAP is a hell of a lot less efficient than IIOP, though.

Re:Nobody knew what CORBA was for until the web

You leverage the communication infrastructure built for the web.

Right. So you do this by synergizing your paradigm shifts?

Re:Nobody knew what CORBA was for until the web

No, see, what he said actually made sense.

Hardly one button

[Lysol]

xml maps are not easy. while complex types are neat, this is no easy task. xml can be confusing as hell, much more than the objects they wrap.
some stuff does work and yah, it's nice over https, but it's really a technology about 70% hype and the rest maybe some varying degree of usefulness..

Re:Hardly one button

xml maps are not easy. while complex types are neat, this is no easy task. xml can be confusing as hell

The guy who implemented this for us did so before he knew the first thing about XML. It is one button if you're using Studio.NET. I don't know how it is with open-source tools, but if they don't make it this easy, they're behind.

Re:Hardly one button

The .NET tools were created by the largest, most fully-staffed software development house on the planet. MS may not be very good at what they do, but they have *resources*.

The open source tools for "web services"-- not counting the W3C's reference implementations, which were designed as a guide to programmers less than they were to be functional-- meanwhile, were designed by a remote, disorganized group within a community which didn't become interested in web services until VERY recently, and which mostly is still not *that* interested.

Of course the open source tools will be "behind" .NET. :)

Probably the most important thing to understand about the open source community is that it has even more inertia than microsoft. There's so many people and so many differing motives that while "the community" is continually sending out tendrils in every direction, it takes it forever to get it started moving in any serious way in any direction.

The advantage of "the community", of course, is that once you get it moving in a specific direction it's just about impossible to stop..

This is, of course, though, just my opinion, but either way i think it's safe to say that all the open source "web services" projects that will have any serious impact at all have yet to be *begun*..

Re:Hardly one button

[DerOle]

But he's right. In .NET importing a web service is just one button. And if don't like .NET, use the GLUE plugin for JBuilder and again, it's just one button. I simply love web services, cause they makes things so easy and distributable. You don't have to care about the whole Client/Server comunication stuff, just use it.

Re:Hardly one button

And it works across many different languages.

Want to write the backend in C and the front end in Java? No problem. Or even the other way around.

They're not

[Anonymous+Brave+Guy]

Why are all the IT companies suddenly interested in open standards with web services?

They're not. The only people actually interested in "Web Services" are those who make large-scale business apps, those who are in niches where the technology might help, and those who thrive on marketing buzzwords. The remaining 90% or so of the IT world frankly couldn't give a funny line.

CORBA is too heavy & EJB is too RMI/IIOP depen

[sleight]

Before I begin, I want to make clear that I'm an XML skeptic. To me, XML is nothing more than formatted text -- utterly devoid of value until two or more parties agree on a shared vocabulary (in the form of a DTD or Schema).

To be simple, CORBA is too entirely too complex. Until recently, even Orbix's (the lead vendor of the pack) offerings have been extremely "flexible" with their degree of compliance to the CORBA spec; Orbix 2.x had CORBA 1.x and 2.x features side by side without any clear delineation of which feature was compliant with which spec.

EJB is respectable if you're a CORBA or RMI shop.

Now, let's be realistic. HTTP is already there. It works. Sure, it's not stateful but, historically, people have been kluging statefulness in using cookies for years. XML isn't necessarily ideal but, if you want to be programming language indepent then you have to choose some sort of format. Why not formatted plain text? Sure, it's a little wasteful on the bandwidth but it's flexable.

To the above mix, we just add UDDI in place of a JNDI or CosNaming and away you go.

Sounds nice in principle but I have yet to see it in practice. ;)

Mirror

[ttyp0]

http://distributed.foundries.sourceforge.net/

Re:Mirror

[ttyp0]

Posted wrong text, it's actually a mirror of http://www.openstandards.net/viewOSnet3C.jsp?showM oduleName=ARTICLE_webservices

Ummm... hm. Some random thoughts.

[mcc]

This whole thing has me just kind of lost.

The mess of SOAP and RDDI and GESCOM and all these vaguely XML-related, something-to-do-with-port-80 acronyms don't leave me all that impressed; near as i can gather, they're nothing but platforms for people to build platforms on top of, and they won't be of much use until someone takes the foundation of tangled acronyms and builds a common client app that lets you actually use all of these things. I don't take this all this seriously, because knowing the computer industry, i'm pretty sure that by the time "web services" becomes actual services you can use using programs you can download, these services will be using a specific, jury-rigged enough implementation of "web services technology" that you'll be unable to use a given service except with their specific client, and there will be a huge incompatibility rift between MS-based and non-MS-based web services, and basically all of the nice, compatibility-engineering abstractions that the W3C is trying to put together now will be thrown out the window just because the current "web services" standards are so rediculously complicated that no one will be able to come up with an implementation of those standards that really *uses* the full potential of the protocols.

The thing is, though, i really don't care to understand "web services". I understand the following, and i really think it's all i need to know:

I like XML-RPC, because it gives me a really neat, simple way to do simple message passing between programs over the internet, without any more overhead than is absolutely necessary, it's cross-platform and cross-language, it isn't awkward to use in any of the programming languages i've used it in.

XSLT looks really really awesome becuase it's useful and relatively simple, and i really hope we start seeing some tools that can automatically generate some of the XSLT for you, since like all XML tech it's just really verbose.

J2EE looks *interesting*, and all i wish was that it could be interfaced more easily with other languages. I love Jython, but i don't know if i can embrace Java completely until it's possible to let java communicate with arbitrary languages a bit more easily.

Twisted looks neat but i don't think i'll ever use it.

I think CORBA would rock my world if it were a bit simpler, or just if someone would find a way to integrate it with the compiler, or just cut out the complicated crap that surrounds using it. C# (whoo, someone's finally figured out that if you make a bunch of languages with the same features but different syntax and macro between them, people will think it's "language cross-compatibility"..) is not the correct way of doing this.

I think "web services" these days comes down mostly to taking the problems with CORBA (it makes stuff simple! but you have to read a 1500 page book before you can start using it!) and putting <html brackets> around them.

I think this article was very interesting, especially the claim that .NET is just microsoft trying to take existing standards and take credit for them. (Although i found it funny that the article gives MS full credit for SOAP. Wasn't the guy who made XML-RPC on the SOAP creation team?)

I would like to know when someone is going to find the balance between J2EE's "everything is nice and fits together and is simple and you just sit down and start doing object oriented programming, but you're chained to the java vm" and the .NET/'web services' "here's a bunch of complicated, bloated standards that take way more bandwidth than they need and that are so abstract you can use them from any language, but also make so many compromises you really don't want to use them unless you're using C# (or a special version of python written for .NET, or a version of C++ that looks exactly like c#..)

You know, it would be really nice if we had *real*, good, turing complete macro languages built into the popular programming languages. Maybe then we wouldn't have to take the C# route of rewriting the compiler just because you want to make it possible to declare a method a "web service" using a single keyword.

Re:Ummm... hm. Some random thoughts.

"and they won't be of much use until someone takes the foundation of tangled acronyms and builds a common client app that lets you actually use all of these things."

Check out Radio UserLand. - It is what you say.

Integration is less expensive

[estoll]

Everyone is jumping on board because consuming Web Services is less expensive. If everyone jumps on board offering services with an open standard protocol, developers consuming those services won't have to spend as much time learning how to integrate what those services offer. I don't understand why so many people are getting bent out of shape about Web Services. Many of you have spent years working with different protocols, so I can understand your frustration when there is so much hype around Web Services-- you've spent so much time helping distributed computing concepts mature, why can Microsoft come in and throw all my work away? I am curious to know from people who have experience with distributed applications-- what are Web Services lacking? Is there a specific reason that Web Services will ultimately fail? I can fully appreciate your frustrutions if you can forsee everyone jumping on the Web Services ships only to realize it was extremely limited from the beginning and nobody saw its failure from the beginning. However, if Web Services are powerful enough to bring the Internet to the next level, why are they so strongly criticized?

Re:Microsoft's business model in a web services wo

I don't think Microsoft is as worried about a distributed computing world as the article suggests.

There are transition points along the way to a truly distributed computing world, however, that it has been worried about. In a truly distributed computing environment, every client, every desktop is a server. Who owns the desktop world today? Microsoft. That is the end-game, and Microsoft is well positioned to capitalize on it.


Taking a look at MS' research group shows a lot of work in distributed computing anyway, and what we're looking at with distributed computing is more desktop machines, rather than more servers. Sure, the desktops all basically become servers of one service or another, but the machines are still inherently desktop-class systems.

They also moved away from 9x towards NT, where they already have a lot of the remote administration tools and similar things that become important with distributed computing, where a task might need to be delegated on the fly in a particular network if it's priority level changes vs. other tasks (ie to take from a couple of existing distributed clients, we really need to break this encryption now, whereas SETI can wait, so change the tasks on X number of clients accordingly).

Microsoft blames hype for .net woes

[terrymr]

Microsoft is blaming industry hype for the general lack of consumer interest in .net services. Their decision to delay the launch of My Services was apparently because of some kind of consumer backlash against over-hyped web services. read the register article

Re:Microsoft blames hype for .net woes

[sheldon]

My Services has very little to do with .Net or web services. It was simply an implementation using the technology.

Your interpretation would be akin to claiming nobody is interested in using the Web because boo.com failed.

Re:Microsoft blames hype for .net woes

[terrymr]

Not my analogy, Microsoft said it !!!

Nicely understated

[alext]

Web Services may have some issues when network/security administrators figure out people will be using RPC through the firewall.

Mmmm, yes. Especially when they realize that they can't discriminate based on the target Object (there ain't one).

As we all remember from college, most protocols are layered, which allows encrypted bits to be layered inside routing / security bits, but an XML document can't be layered (it can't contain other XML documents).

Re:Nicely understated

actually xml CAN contain xml ie:

this tag is part of an embeded xml

the only trick here is to escape the so your parser won't freak

Re:Nicely understated

[21mhz]

As we all remember from college, most protocols are layered, which allows encrypted bits to be layered inside routing / security bits, but an XML document can't be layered (it can't contain other XML documents).

As all the current college students know, XML Namespaces allow layering or otherwise blending of various XML applications. For example, some solutions can pass XML-RPC or SOAP payloads in Jabber messages, thus building on top of the Jabber message passing, presence and authentication framework.

Re:Nicely understated

[alext]

Mo. Namespaces allow nothing of the sort - an XML Document cannot contain another XML Document, with or without namespaces.

This is why HP came up with the hack of putting SOAP messages in mutipart-MIME wrappers - this was necessary to pass XML Docs as arguments in a SOAP doc. Your Jabber stream is using a similar wrapper - a wrapper which is not XML.

Re:Nicely understated

- an XML Document cannot contain another XML Document,

What about putting one within CDATA ?

Re:Nicely understated

You're trying to tell us that XML documents cannot include other XML documents? If so, you clearly no nothing about XML; if not, forgive my misunderstanding.

Shameless Self-Promotion

[cybermage]

Hey Erik, nice ad:

Organization:
Joshua Branch
Erik Sliman
1449 Larchmont Ave., Dn
Lakewood, OH 44107
US
Phone: 216 228-7361
Email: erik(at)joshuabranch.org

Registrar Name: Register.com
Registrar Whois: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: OPENSTANDARDS.NET

Created on: Fri, Dec 17, 1999
Expires on: Sun, Dec 17, 2006
Record last updated on: Wed, Mar 06, 2002

Administrative Contact:
Joshua Branch
Erik Sliman
1449 Larchmont Ave., Dn
Lakewood, OH 44107
US
Phone: 216 228-7361
Email: erik(at)joshuabranch.org

Technical Contact, Zone Contact:
Register.Com
Domain Registrar
575 8th Avenue - 11th Floor
New York, NY 10018
US
Phone: 902-749-2701
Fax: 902-749-5429
Email: domain-registrar(at)register.com

Domain servers in listed order:

DNS13.REGISTER.COM 209.67.50.208
DNS14.REGISTER.COM 209.67.50.209

Re:Shameless Self-Promotion

[microTodd]

Why do a WHOIS? Erik's name is on the byline.

Re:Shameless Self-Promotion

Other tipoffs:

1. his contact info is the page to contact openstandards.net
2. his name is in the friggin' byline

Re:Shameless Self-Promotion

[cybermage]

Why do a WHOIS? Erik's name is on the byline.

OpenStandards was /.ed at the time. Also, I think there's are degrees of shamelessness. It's one thing to submit a story you've found someplace and think others might like. It's a bit shameless to submit a story about an article you wrote that another site posted. It's the epitamy of shameless to submit a story you wrote that is posted on a site you own.

I posted the whois information so that everyone could see just how little research /. needed to do to know that the submitted story was just an Ad.

Re:Shameless Self-Promotion

[cybermage]

re: Other Tipoffs

OpenStandards was /.ed at the time. Also, I think there's are degrees of shamelessness. It's one thing to submit a story you've found someplace and think others might like. It's a bit shameless to submit a story about an article you wrote that another site posted. It's the epitamy of shameless to submit a story you wrote that is posted on a site you own.

I posted the whois information so that everyone could see just how little research /. needed to do to know that the submitted story was just an Ad.

Web services can be VERY useful

For large business problems, Web services can be VERY useful - I'll give you two real examples

You have a database of every Newswire story for the last month. Inside the company you have at least 3 different apps that want to search these wires, and return what the user asked for.

You put the search engine(s) beind the service, and the apps call the service, which get the results as an XML document. The web site does a little XSLT and goes, the Fat clients do their thing, and go. We were doing this a couple of years ago (XML results) - but now we have a way to make it easier

We also have a limited database of tapes that subscribers can order. We return info on orders, contents and the like via web services. It's a way for our clients to attach to our database with their client apps. Yes, we have a web site, but thisway they can have the data they want, they way they want it

A good way to thing of both of these is something like the Google web service

Web services really do matter

[jamesmartinluther]

While there is a great deal of hype surrounding web services, this group of technologies is going to dominate how the internet is used in the next few years.

It has been an ordeal to get web sites to interact usefully without an end-user clicking on a web page. One big problem is trust. An other is protocol. Sites have so many different ways to get information and to submit information. Worse, site administrators have different ideas about how to make various forms of raw data available to others. Exactly where it is to be found is but one stumbling point, much less how it is structured.

With stuctured data in the form of web services readily available, and clear protocols as to the use of a site's structured data, there will be a lot more interaction between sites and developers of sites.

Most importantly, web services will allow users and sites to become more alike and on more equal ground. This is a powerful change that is already upon us in the form of web sites like slashdot.org and early web services like Napster.

Forgotten the OMG already?

[alext]

What's the difference between web services, and COM, CORBA and EJB? You are not likely to get a straight answer from the owners of the earlier technologies, because doing so would be tantamount to admiting that they should have begun by agreeing on open standards in the first place.

Perhaps that's why the "owners" joined the OMG, and later Sun's JCP? However, one company refused to participate in these efforts - I wonder who? If you can guess, congratulate yourself that you're more qualified than the author to write the next Web Services column!

Oh come on.

Back in the Netscape days "The Internet" meant Netscape for many (stupid) people.
Even now, for many (also stupid) people, "The Internet" is AOL.

Most people don't have any idea how the internet works, hence, when a site is down I still hear about how "The Internet isn't working".

SOAP != HTTP (necessarily)

[oops]

There's a common assumption that SOAP is only transported via HTTP.

From the Apache SOAP faq

The writers of the SOAP 1.1 protocol [http://www.w3.org/TR/SOAP/] note that: 'SOAP can potentially be used in combination with a variety of other protocols; however, the only bindings defined in this document describe how to use SOAP in combination with HTTP and HTTP Extension Framework'.

eg. you can transport SOAP via SMTP.

Re:SOAP != HTTP (necessarily)

Exactly. IBM for example will suggest using WebSphere MQ as a transport for SOAP. Why not?

It WILL happen

[Ars-Fartsica]

The web will at some point be home to more metadata than html. The web at some point will traffic more bots and agents than documents.

Its silly to presume the web will remain only as a document archive with rudimentary data exchange facilities.

This is the first step to really exposing APIs over the network in a truly heterogenous fashion. It will take time, there will be major failures, and there will be a lot of hype, but it will happen.

web services not replacing something

[bigpat]

I think in IBM's mad rush to push web services onto the market, they are neglecting the fact that there is a limited market right now for this sort of thing and they are pushing web services as a way to build all web applications, where it uneccesarily adds another layer of complexity.

Web services is not a way to build applications which are never intended to be accessed by other applications directly.

Re:web services not replacing something

[mini+me]

Web services is not a way to build applications which are never intended to be accessed by other applications directly.

While this is true, if you built your websites on top of web services then the web services could still be availble to all. This would allow your program (ie the program that creates your website on the fly), as well as anyone elses program to access the data. We need to think beyond formatting web pages. A lot of the information out there would be useful to machines. Why not let them have an easy way to obtain the data?

Ostriches

I am going to get modded as flamebait I am sure, but I think that most of the replies here indicate the prevailing attitude coming from IT workers (not "The Management"),

• "Another protocol?"
• "SOAP, don't you use that to wash up? Why would we need that?"
• "I know X (CORBA,COM,JAVA,etc.) Why do I have to worry about Web services?"
• "More Microsoft Hype.. We won't be doing that here"
• "Non-web browsing on port 80?!?! Security risk!!!"
• "I will just use a custom (ie home grown) interface for my apps, that way, if people want to use them, they have to know the protocol!!"

This is what got us into trouble before... By before, I mean before the rest of the world moved to "IE 6" or "MSN Browser" or "AOL". And "The Management" was being wined, dined, and 69ed by the Microsoft Marketing machine (which is ALIVE AND WELL FOLKS!!) being convinced that Micro$oft software and implementations were the only solutions to your computing problems.

The best way to prepare for these things is to KNOW about them, learn them, get your head around how they work, and their implications... by getting our heads out of the sand. That way, when "The Management" asks your opinion (They might, you never know!) you can speak with authority and confidence and be able to fight the good fight.

FYI: SOAP is not transport/port specific

[e2d2]

FYI: SOAP can be used on ports other than just 80 and used by transport protocols other than HTTP/HTTPS such as SMTP, FTP, Jabber, and BEEP:

http://www.pocketsoap.com/specs/smtpbinding/
ht tp://beepcore.org/beepcore/beep-soap.jsp
http://x ml.apache.org/axis/
http://mailman.jabber.org/pip ermail/rpc-jig/2001-O ctober/000016.html

Just a few links but you can search www.google.com and get an idea of what SOAP really entails.

Re:FYI: SOAP is not transport/port specific

[ethereal]

Actually, I'm aware of that, but look at how it is actually being implemented in the field and how it is being evangelized, especially by Microsoft. One of the prime selling points (picked up by many people in this article) is "you don't have to punch new holes in your firewall". As long as that is the popular perception of web services, then the security isn't going to be there.

Re:FYI: SOAP is not transport/port specific

[Twylite]

...and this goes to show just how serious the security issues of SOAP are. SOAP is meant to be a data format which is transport indenendant, and is also intended to activate services.

So, if you want a decent firewall protecting your network, you must now use a stateful firewall which is capable of checking for SOAP messages in every know (and unknown!) SOAP transport ... otherwise some complete arb can RPC to services on your internal network (possibly with the assistance of another complete morons inside the firewall wanting to expose services for reasons that don't serve the company).

Let's review:

• Stage 1: dedicated protocols and ports for all applications; block off the port and you're happy.
• Stage 2: some services start sharing common protocols and ports; you can't block the port anymore, but must rely on filtering provided by the service(s) in question. Security risks increase. Can you say "portmapper"?
• Stage 3: some services start adding arbitrary execution services, like CGI and mail handlers. People without security understanding or expertise can develop these services, and create HUGE security holes. Firewalls must now redirect requests through a filter which can guess at what should be denied, because it looks like an execution request.
• Stage 4: nasty administrators block off port 80 (and others) completely because of the shit you are causing by having executable services which they can't filter out reliably. Clever employee/hacker moves services off the default port, to some other permitted port (http on port 25, for example). Stateful firewalls are added to ensure that the protocol allowed through an open port is the correct one.
• Stage 5: Major corporations band together to fuck the network administrators by creating a standand for executable services which can run over any protocol (more or less), successfully bypassing most stateful firewalls and existing filters. Administrators are powerless to lock down the network because they would have to deny ALL incoming and outgoing connections (you could always be providing a SOAP-over-POP3 service with SMTP for replies). Centralised security goes for a ball of chalk, and every individual computer must be secured to prevent a compromise of network security.
• Stage 6 (the future): Stateful firewalls with protocol plugins deny EVERYTHING except what they explicitly recognise as a SOAP request for an approved method of an approved object. Finally we can, once more, control who is doing what with our networks.
• Stage 7 (the concern): Because SOAP is now a ubiquotous way of communicating, we end up with one encoding for communication. We also only need one protocol, say BEEP, because the original functions of all other transports are defunct. All "firewalling" is concerned with filtering SOAP messages according to their target object and method; so "firewalls" must redirect all communication (in and out) via SOAP proxies. The routing and channel handling built into SOAP and BEEP are used in preference to underlying mechanisms (like TCP/IP), and a network built on RPC on top of heavyweight, redundant protocols emerges.
• Stage 8 (the hope): The network becomes self aware, realises it is butt ugly and (a) commits suicide; or (b) redevelops itself with a binary protocol with the minimum possible overhead.

Maybe this is a good thing. Everyone gets to communicate. Instead of hackers creating their own, limited distribution backdoor protocols, there is now one global standard backdoor protocol - at least the security experts can set their sights on a specific target!

Web Services - Unreliable, Insecure, Slow, Buggy

Web Services provide a method for remote procedure calls over HTTP(S). Since they involve a remote call, they require that the remote server be up. They also require that a Web Services directory server (UDDI) be available. So in the simplest case, a Web Service requires that 3 systems be up simultaneously to function properly. Because of this, calling a Web Service cannot be as reliable as calling a procedure locally.

No standards yet exist for Web Service security. Until such standards are promulgated, Web Services will be used only on intranets, if at all.

Because Web Services require multiple HTTP (request-response)s across the Internet, they are inherently 1000's of times slower than an API call on a local machine. They require more memory and CPU (on both requesting client and on responding server), additional OS context switching, as well as additional network overhead and latency when compared to a local procedure call. While the additional bandwidth and time required to process each Web Service request is music to network hardware vendors' ears, it would mean a drastic increase in Internet traffic.

Because the various implementations of SOAP (Web Service's underlying protocol) differ, clients and server on various vendors' machines will not currently interoperate.

All this pales when one considers the effort involved in getting the IT groups of two cooperating corporations to agree on what a term such as "business partner" means and how it is to be represented in XML and/or a database. While this has nothing to do per se with Web Services, it is unfortunately required before one can begin to define any Web Service.

Today, remote procedure calls are used on the Internet, but not nearly as often as local procedure calls, and certainly not nearly as often as Web Services Proponents would have you believe. A world of Web Services would attempt to distribute processing across the internet, and would fail miserably. Contrary to the premises of the Web Services architecture, the only viable future architectures are those that integrate and centralize processing and that minimize remote procedure calls.

It will be interesting to watch

[e2d2]

I think the service model is an interesting one to take note of and watch over the next few years as the major players roll out their solutions. What I'm most interested in seeing is this technology used to deploy applications across an enterprise. I think this is really where this model can shine in the near future. Currently a lot of enterprises are moving their applications to web and internet based architectures because it can decrease costs of deployment. We all know the Heavy Client vs. Web Client argument and I think there are reasons for using both of them in certain situations. Now imagine corporate users having the ability to subscribe to their enterprises applications as needed. Application management can be consolidated into central locations and the cost of deployment can be decreased significantly. I think what we will need to focus on are tools to enable such deployments and the management of said software in a large, sometimes global, environment. Third party developers can still use the same subscription licensing or develop new licenses for such distribution and the company maintains control of their own information and don't have to rely on 24/7 uptime from an outside service. There are hurdles of course but the technology is here and we heading in that general direction.

I think this is where the first applications in this area will be built and used successfully. The same technology used to deploy applications using web services across enterprises can be used to distribute applications to consumers.

My personal opinion is that service based companies don't exacly have the best track record. I bet chances are pretty good that anyone reading this has had a bad experience at one point with a service provider such as the phone, electric, or cable companies. And also people like the idea of owning something. I myself feel like my whole life is a rental sometimes and it bothers me. It's going to take a lot to push users in this direction and the ones that can execute the best will win. But there is no guarantee it will work. It takes more than just a push or shove to generate a new market, but it can be done.

50% Meat, 50 % Filler

[BroMan]

As it stands now Web services are just the next step in the evolution to a platform-neutral, language-neutral distributed software environment. I see alot of M$ bashing going on, which is somewhat misplaced since some of the biggest backers of web services also happen to be M$'s biggest foes (read - IBM). M$ is however, trying to pull off one of their famous hijacks, with .NET. If they succeed it will be at least partly because of their competitors failure to take the initiative.

Getting back to web services though, they can possibly fill a niche in enterprise computing - and that niche is the ever-present, never fully solved question of how to tie together disparate platforms and software applications in a common enterprise environment. CORBA is the oft-quoted answer, but it is expensive to implement, and hard to get right. Wells Fargo has implemented an interesting solution for distributed programming using something they call Model Driven Architecture.

Looking at getting systems working together from an IT managers perspective, your always looking at the Big Two - time and money. 'How can I get this system working with my current resources in the least amount of time?'. The complement to that is 'How do we maintain and augment this solution once it goes into production without going through birthing pains?'.

The promise that Web Services is making to IT managers is that they will be able to lower their TCO and increase their ROI by cutting down on the number of changes they have to make to existing systems, while at the same time increasing their flexibility in adding new functionality. To others it makes the promise of providing services that can be metered and billed (wasnt that the promise of CORBA, EJB's, insert favorite distributed model here?).

Of course this is all a pipe dream until they solve some big issues, like security. Transaction management is not as important since web services can actually be implemented in any kind of language you want (read - Implement your own damn transactions).

However I think most IT managers will go blue in the face the first time their Fund Transfer web service is hacked because of a weak 56 bit SSL connection ;)

Re:50% Meat, 50 % Filler

Transaction management is not as important

So how were you planning on propagating the transaction context between two different services so that they are able to understand each other?? In other words, how can two separate web services take part in the same transaction?

This is quite important indeed if Web Services are planned for any real application where reliability is required.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[sheldon]

"Sure, it's a little wasteful on the bandwidth but it's flexable. "

The bandwidth issues can be mitigated by compressing the http stream as per the HTTP 1.1 spec.

haha "busted"

haha "busted" i believe is the terminology

shame on his pathetic attempt to get people on the bandwagon or is this just another slashvertisment ?

nicely spotted, props

yeah im Anon cause im not accepting cookies

MS Browser wars

[damien_kane]

What became clear in the browser wars was that open standards was the only way to win any war on the Internet. One may be able to truthfully say that Microsoft has won the browser wars.

Microsoft may have won the browser war with Internet Explorer, but it is not because of open standards.
Any web developer will tell you that javascript et.al., although founded on the same basic functions and routines, is quite different from one browser to another.
Microsoft did not win the browser war through open standards, but by bundling it with Windows.

The fact is, people are too ignorant and lazy to download a completely separate browser, even though it may be (and generally is) more secure than IE. Because of this, the majority of the global online community uses Internet Explorer. The reason this has not changed is because companies realized this. They have thus developed their pages using proprietary MS javascript extensions.

Why build a nuclear car when 99% of gas stations sell gasoline?


"Computer games don't affect kids. If Pac-Man Affected us as children, we would spend all of our time running around in darkened rooms eating magic pills and listening to repetetive electronic music..."

Re:MS Browser wars

[d0st03vsky]

Actually, you've pointed out the problem with pinning hopes on Standards: Even if Browser A and Browser B are both 100% compliant with Standard X, it's a virtual guarantee that they'll still be incompatible.

I believe IE is 100% compliant now for DOM/JavaScript/ECMAscript. It's virtually complete for CSS-1 (I think it misses a few, but I'm not sure on that); It's also the first browser to implement the P3P Privacy standard.

So standards are a good thing, but they've never been intended to be the silver bullet to merge everyone's divergent products into one.

Let the flames begin... :)

Re:MS Browser wars

> Why build a nuclear car when 99% of gas stations sell gasoline?

What the fuck does the other 1% sell?

Re:MS Browser wars

Well... you have a point with IE's popularity, but are barking the wrong tree with Javascript.

The problem is not Javascript per se but DOM (Document Object Model). Don't be embarrassed, most people don't understand the difference. Java/ECMAScript implementations are compatible enough to be practically standard, and features that are not compatible are not usually used, even by people who are mostly aiming at IE (plus most extra features are in NS browsers, not IE... thanks to JS being created at Netscape). But DOM is where things really diverge; DOM is how browser features are exposed to JavaScript. There have been attempts at unifying DOM (with level 1 and 2 specs from W3C), and there is some progress. IE5+ and NS6 do have fair amount of common coverage (plus esp. IE still has backwards compatibility for their previous implementations of features).

Finally, I don't think majority of web sites cater only for IE browsing, at least not web sites that actually sell things. It's easy enough to make reasonably backwards compatible forms based interfaces, and that's what they do. Thus many sites still work with version 3 'major' browsers (IE and NS).

CORBA is NOT that complex

[Def+Mango+Raygun]

Sheesh, why does everybody say CORBA is too complicated, the following few lines of code initialize our (Visibroker) CORBA service:

// Initialize the ORB.
orb = org.omg.CORBA.ORB.init( args, null );

// Initialize the BOA.
// Need to cast boa for java 1.2.x
boa = ((com.inprise.vbroker.orb.ORB)orb).BOA_init();
// Export the newly created object.
boa.obj_is_ready(service);

// Wait for incoming requests
boa.impl_is_ready();

and here's a typical method call;

/**

Operation: ::com::appdesigngroup::appsecurity::IBaseSecurity: : uthenticate.

#pragma prefix "com/appdesigngroup/appsecurity/IBaseSecurity"
st ring authenticate(
in string user,
in string credentials) raises(::com::appdesigngroup::corba::util::UserExc eption, ::com::appdesigngroup::corba::util:: SystemException
);
*/
public java.lang.String authenticate(java.lang.String user, java.lang.String password)
throws com.appdesigngroup.corba.util.UserException, com.appdesigngroup.corba.util.SystemException
{
return authenticate(user, password, enforceExpiration, false);
}

Yes, I know Visibroker has a non-standard registration service, but it has a full-blown naming service if you need it. If you're just calling your own methods, then you can simplify things a lot. And yes, you have to run the IDL compiler, but we just put that in our makefiles (yes we still use make), and it's taken care of automagically. New developers don't have to learn all the gritty details.

I don't see how this is much more complex than RMI or SOAP, but the advanced stuff is there if you need it. And I don't see how parsing an XML tree every time you need to check a data element is speedy or efficient.

stupidest argument ever

[mikemulvaney]

You don't have to run SOAP services on port 80. If you need to protect them with a firewall, then you should probably run them on some other port.

SOAP isn't any different from CGI. I'm posting this message in a web browser, and it is going to port 80. The horror! If slashdot ran a SOAP service, you could write other clients to do the same thing. Instead of posting to 'postcomment.pl?subject=stupidest+argument+ever&co ntent=...' or whatever, it would encode that stuff in XML and send it to a SOAP proxy.

That's all SOAP is. You can just relax about the use of HTTP. I don't understand why people see something like this, and immediately react with hysterics.

-Mike

Re:stupidest argument ever

[jacobito]

SOAP isn't any different from CGI. I'm posting this message in a web browser, and it is going to port 80. The horror!

somebody either mod this up, or tell me why it's wrong, because it makes sense to me.

Whoaa Site Buzzword Alert !!!

looks like Openstandards site is all about buzzwords

Taken from the "about us" page

"dedicated to increasing the synergy of international IT collaboration"

"creating synergy"

"opportunities to foster synergistic cooperation"

"fostering proprietary standards"

"the greater the demand for innovation leveraging it"

maybe he should try plain english, even consumer TV adverts are laughing at this kind of "dotcom" speak

Re:Whoaa Site Buzzword Alert !!!

[fungus]

Haha I first noticed that they have only one original story, and few (between one and four) links to other stories every month.

Then while reading the about page, I really felt sorry for the site owner. He thinks his website is so great, but in fact there is really nothing to brag about.

Still a good laugh, and yet another proof that slashdot story moderators are lobotomized monkeys (or money savvy).

---
34 4c a ff 2e 0b 2a cc f1

Thank you..

[FatSean]

People seem to forget Web Services != SOAP, and SOAP can run on any transport anyway...

Re:Thank you..

Hello?!? You "security" people do know that a Web Service, like any other website, does not have to run stictly off of port 80 right? Just like when you set up a site to run off your cable modem that uses port 8000...

How long can this go on...

[talks_to_birds]

...and how long will the sheep put up with it?

"News for nerds, stuff that matters"

OK.

Now check this out

"Web Services
Revision 2
March 5, 2002"

umm..

In my timezone, it's April 23..

And we're expected to pay for this "news"?

t_t_b

Re:How long can this go on...

[jacobito]

Yeah, but how timing-dependent is any of the information in the article? Also consider that the editors may have been saving this article for a slow day. In any case, I don't find the relative datedness of the article to be terribly troubling.

What's wrong with HTTP?

[Meowharishi]

HTTP and XML have become my favorite way of data communication between client and servers. Its a fine protocol for many different uses. Plus it is a protocol that just about every firewall lets through.

Re:What's wrong with HTTP?

[Telastyn]

Becuase it was made with a simple thing in mind:

Send short request, get slightly longer short response back; end.

If applications actually used this, that'd be great, but in the real world they don't. Almost every application is better served by a persistant connection.

And just because firewalls only let those things through, doesn't mean they should.

Re:What's wrong with HTTP?

Stateless network programming is an art. Just because you can't grock it doesn't mean it isn't valid.

Re:What's wrong with HTTP?

[dwsauder]

HTTP works for simple request/response interactions only. Not every interaction fits into that pattern. For example, you may want to control a interactive voice response (IVR) unit. You ask the IVR to play a prompt, then collect digits entered by the user (on his telephone keypad). If the user is entering a card number, you may allow a couple of minutes before the IVR times out, or before the number is completely entered. Once the IVR has the number, it must get that number back to the requestor. The requestor may also want feedback, say, to get the digits as they are entered. Because of the long timeout allowed, and the need to get feedback, this just doesn't work with HTTP.

As an even more extreme case, consider the situation where you want to start a lengthy computation on a computational server. Your HTTP request starts the action and the HTTP response indicates that the computation has started successfully. However, when the computation finishes, perhaps hours later, HTTP may not work to report the completion event. Constant polling isn't a good idea, either. Sure, HTTP communication could happen the other way. But HTTP traversal through a firewall or NAT is usually asymmetric, so the reverse HTTP connection may not be a possibility.

Re:What's wrong with HTTP?

Transaction programming works, and is in many ways, no almost every way, a better model than "client server" when using the web.

Then, when you have lots of transactions, you could try using persistent connections.

Re:What's wrong with HTTP?

> HTTP works for simple request/response interactions only.

Yes, that is the beauty of them. We call it the Transaction Processing model. Sorry it is not the timeshare model you may be used to, but you can accomplish just about anything in either model. But, TP is about the only way you're going to pull off high volume, mass access, applications.

HTTP/1.1 persistant connections removed the last real problem, all those wasteful and expensive TCP connections when doing a transcation sequence.

> you may want to control a interactive voice response (IVR) unit

I don't know IVR units, but most machine-machine intractions benefit greatly from an orientation towards transaction processing techniques. Your description sure looked alot like a transaction sequence to me.

Why can't an HTTP server take some time before it concludes its response? Minutes? Hours?

> where you want to start a lengthy computation on a computational server
...
> Constant polling isn't a good idea, either.

Maintaining an otherwise dead connection isn't the best idea, either. What happens when your PC crashes, dumps the connection, and the host kills your job with just seconds left to run?

Your HTTP request can start the job and hold the link open until the server responds, with an answer or a "please check back" message. Or, if we don't want to waste connection resources for such a long request, you could offer the submitter a time when the job is likely to be scheduled to run, or complete.

There are many ways to skin the cat.

GLUE

Cool, didn't know about GLUE. But the links I found on Google are busted - where can I get it?

I would think that Java's introspection would make this sort of thing relatively easy to develop, compared to, say, C++.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[mikael]

> EJB is respectable if you're a CORBA or RMI shop.

Mind you, I'm developing a system for distributed learning, and as the back-end I've got EJBs and I expose the interfaces trough SOAP. I think it's sweet to expose the power of EJB with SOAP.

Mikael

SQL

The only proof I need is to hear you say "SQL" and pronounce it "Sequel."

Any C programmer should understand that two syllables are better than three. However, in this case the true pronunciation is "Squeal."

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[brundlefly]

Before I begin, I want to make clear that I'm an XML skeptic. To me, XML is nothing more than formatted text -- utterly devoid of value until two or more parties agree on a shared vocabulary (in the form of a DTD or Schema).

Oh please, give it a rest. XML is a tool, nothing more and nothing less. It just happens to be a tool with a lot of support tools, making it extremely easy to use. It also suffers from the fact that it got hyped even more than Web Services. (There are no fewer than 30 glossy magazines devoted to XML, that's how stupid our thinking on the topic has become.)

Of course it's not the holy grail. But as far as "two or more parties" agreeing on a shared vocabulary, those 2 parties are usually named "client" and "server". Both written by the same entity. Most browsers have an XML parser built in, and those that don't can use a JavaScript parser in under 5k of code. All servers have an XML parser. So the 2 parties you are talking about just happen to be the same 2 parties most commonly associated with Web Services. Namely, the web service provider and the browsing client.

Let me add that Web Services is just a new spin on the old Application Service Provider (ASP) from 1998.

Sad, so sad

Guess it's too much to expect that some people will have the integrity to post a Slashdot story saying "hey, I wrote this article (or there's an article on my site) about [subject] and here's the [link!]. Rather than trying to pass yourself as a third party who happened to find this great and interesting article. Pathetic, truly pathetic.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[TummyX]

To me, XML is nothing more than formatted text -- utterly devoid of value until two or more parties agree on a shared vocabulary (in the form of a DTD or Schema).


The point is it has structure and you don't have you write your own parser. You just have to agree on the semantics of the xml data.

Congratulations

[CoreyG]

Your understanding of XML, "...XML is nothing more than formatted text -- utterly devoid of value until two or more parties agree on a shared vocabulary (in the form of a DTD or Schema" is exactly what XML is defined to be. See? Point #2 is probably the most appropriate here.

Simple answer

Set your firewall to disallow outside access to webservers inside the firewall. Then be careful about who you allow to commit code to external webservers. You should be doing this anyway, because a database-backed webpage can overexpose information just like a database-backed webservice can.

I suppose you still have to worry about people calling external services and handing out secrets, but that seems like a less-likely scenario to me.

Re:Web Services - Unreliable, Insecure, Slow, Bugg

Calling a web service for something that can easily be done in a local function is silly. But what about information that isn't available locally? That is where web services will be useful.

Nice article. Funny even, in parts. but. . .

[Traksius+Egas]

This quote struck me kinda funny:

Distributed computing is about getting components and systems to interoperate to create something bigger, independent of the physical machines the parts are hosted on. As each computer reaches out to connect to another to create something bigger, the individual machine becomes less noticeable. It becomes just one of thousands, then millions, then billions of machines in a world of massive information flows to create what we call . . .

THE BORG? Sorry, but that's the first thing that came to my mind.

Web services solve a business problem

[vanguard]

The problem with CORBA, RMI and EJBs is that deploying them is a problem.

They are each nice is that they enable you to reuse code by tapping into them from a non-local box. For some of those above mentioned technologies, you can use them from different languages. However, they each require a client stub.

When you need to push a client stub around before you can access the system you have a deployment problem. With SOAP, you can consume those services right away without the need for a client stub.

I see solving the deployment problem as SOAP's chief advantage.

Vanguard

PS Now can anybody tell me why Gartner Group thinks that web services will take off inside the enterprise before it does across the web? Why use them internally when I don't have a deployment problem inside of my company?

Firewall admins -- loosen up

[0x0d0a]

Oh, really?

Nothing's more idiotic than administrators who "secure" their systems by allowing nothing but http and mail through. Everyone who wants to do anything remotely starts tunneling it. SSH is a nice, secure way to do most things, but every firewall in the world blocks it. All the files that would have been scped from my machine end up being sent in plain text via mail or http. Total pain in the ass.

Firewalls seem too often to be less about security and more about (a) covering one's ass ("The break in? But we had a firewall up! The vendor must be at fault...we'll switch immediately!") (b) providing job security ("Well, sir, I'd have a hard time training that new H1B to operate this system here...why, the firewall alone has quite a collection of rules of my own devising that are automatically generated..."), and (c) Making the admin's life easier ("Well, looks like there's some security hole out there...I'm sure that no one's been able to drill through our firewall, so I'll just install the appropriate patches on the workstations during our next upgrade process rather than immediately").

Seriously, the job of the network admin is to *let the people who are directly making money for the company make money*. You may not like the sales guy down the hall, he may not be able to set up that firewall or know how to fix a sendmail installation. Fine. But your job is to make his computing experience as easy as possible and let him get his work done. Sure, security is also an issue, but it really seems to me that if you can't be bothered to open a port in your firewall for a user that needs to go in or out, something's wrong. ("..as long as you don't bug me".) Christ. If they *do* hack it up to the point where it can squeeze through a proxy, they've just moved the weakness to http.

I'd almost say that you're a troll, but I'm not quite sure...

Say what?

I only started seriously looking into "web services" yesterday, so I'm a newbie. However, I think I can poke some holes in the poster's arguments.

They also require that a Web Services directory server (UDDI) be available

You don't need a UDDI server to run "web services," whatever they are. Google's SOAP service seems to work just fine without the use of a UDDI server. You don't need a discovery server if you've already discovered the service you want to use.

No standards yet exist for Web Service security

How about SSL, HTTP BASIC-AUTH, XML Signature, Digital Signature for SOAP, SOAP Encryption, XML Key Management Specification... Also in the news recently is a major proposal, WS-Security. Also read the press release about other upcoming proposals. I don't know a lot about many of these specs, because as I said, I've only been looking into this stuff for one day. However, it looks like there is a lot of effort here, so if some of the standards aren't quite here yet, it looks like they will be soon.

Because Web Services require multiple HTTP (request-response)s across the Internet, they are inherently 1000's of times slower than an API call on a local machine.

"Web services" don't require HTTP at all. And, since the obvious point of the whole exercise is to communicate with other systems on a network, pointing out that calls are slower than on a local machine is pointless. You know, web browsing to a machine across the Internet is also inherently 1000's of times slower than browsing on your own machine--yet seems to be popular. There are also techniques like WSIF for invoking web services where the client and the server could be on the same virtual machine, if appropriate.

Because the various implementations of SOAP (Web Service's underlying protocol) differ, clients and server on various vendors' machines will not currently interoperate.

I don't know much about this one either, but it doesn't make sense on the face of it. The whole idea of defining a common wire protocol like SOAP is for interoperability. Maybe it's true, but it seems like anyone who makes such an implementation is doomed to have their implementation sit unused. Of course, if you are Microsoft, you might be able to pull it off...

All this pales when one considers the effort involved in getting the IT groups of two cooperating corporations to agree on what a term such as "business partner" means and how it is to be represented in XML and/or a database.

I suppose this would have to happen in any integration effort of any kind, so it doesn't seem to be a convincing argument against "web services" (unless you are opposed to integration on general principles).

Today, remote procedure calls are used on the Internet, but not nearly as often as local procedure calls, and certainly not nearly as often as Web Services Proponents would have you believe. A world of Web Services would attempt to distribute processing across the internet, and would fail miserably. Contrary to the premises of the Web Services architecture, the only viable future architectures are those that integrate and centralize processing and that minimize remote procedure calls.

It seems like this is the same thing that web servers do today. However, instead of a human user sitting in front of a GUI initiating every request and consuming the data, "web services" let computer programs initiate the requests and consume the data. Why should this be intrinsically doomed to failure when done with "web services" in a computer program, when it seems to work pretty well for the human user of a web browser?

I dunno, just seems like the poster got up on the wrong side of the bed or something. I'm no "web services" zealot, but it seems like there is a lot more potential there than the poster thinks.

Re:Say what?

[Dasein]

Too bad you're an AC. Nice job expecialy for someone who just started looking at web services.

Re:Say what?

You don't need a UDDI server to run "web services," whatever they are. Google's SOAP service [google.com] seems to work just fine without the use of a UDDI server. You don't need a discovery server if you've already discovered the service you want to use.

That's fine if you can guarantee that the SOAP server will always be up. But what if it's down? What if your Web Service provider goes bankrupt? One reason UDDI is proposed is for failover of Web Services, when a Web Service server is down. In that case it might be possible to "discover" another server for the requested Web Service. If you don't use UDDI, then your reliability goes down.

Concerning the security of Web Services: while there is much effort, there are still no standards. Nor are some of the proposed standards guaranteed to be free of tariffs: both IBM and Microsoft have retained the rights to charge for the use of Web Services.

"Web services" don't require HTTP at all.

This is correct: please feel free to use SMTP for your Web Services!-))

But seriously, most discussion of Web Services implementations assume use of HTTP. The main point the author (validly) makes is that Web Services are remote procedure calls made over a network and that such calls are 1000's of times slower, require far more memory, CPU, bandwidth and overhead than a local procedure call on the same machine.

However, instead of a human user sitting in front of a GUI initiating every request and consuming the data, "web services" let computer programs initiate the requests and consume the data. Why should this be intrinsically doomed to failure when done with "web services" in a computer program, when it seems to work pretty well for the human user of a web browser?

Perhaps because the Web Services Architecture is not nearly as intelligent (and possibly not as patient!) as a human sitting in front of a browser? In fact, there is little intelligence in the architecture at all.

Rather than attempting to distribute intelligence into the network where it can fail due to servers down, or lost connections, or data transmission errors, it would be simpler to centralize it on an "intelligent agent" that functions much as a human in front of a browser. But even that simpler approach, which has been investigated much more thoroughly than Web Services, has shown only limited applicability.

I dunno, just seems like the poster got up on the wrong side of...

The discussion?-)

Re:Say what?

both IBM and Microsoft have retained the rights to charge for the use of Web Services.

Yikes! He's right! See

• IBM, Microsoft patents pose dangers and
  
• IBM drops Internet patent bombshell
  

From the first article:

IBM and Microsoft have been quietly busy behind the scenes for the last two years building a toll booth that could position the two companies to collect royalties on most if not all Internet traffic.
...The documents indicate that the two companies are currently maintaining their rights to pursue a reasonable and non-discriminatory (RAND)licensing framework as opposed to a royalty-free-based framework. The RAND framework is widely acknowledged as the one that keeps a vendor's options open in terms of being able to charge content developers and Internet users a royalty for usage of relevant intellectual property.

... but are just a small step, not giant leap

With stuctured data in the form of web services readily available, and clear protocols as to the use of a site's structured data

Hopefully this will happen at some point, but do note that neither XML nor SOAP directly fix any of that. They provide "lexical" level, tokenization, but no semantics. And DTD/Schema don't provide that either, "just" grammar. On top of that, end systems _STILL_ need to come up with actual protocol. New XML-based languages are developed all the time to (supposedly) fill the gap, but low-level XML-derivatives don't (IMO) really make the task all that much easier.

I'm just saying that web services is just a beginning, not anywhere near the goal. Just like XML itself is literally nothing, meta-language that makes it slightly easier to create actual markup languages.

Re:... but are just a small step, not giant leap

[jamesmartinluther]

I agree with you that XML and SOAP are merely forms of grammar in the bigger scheme of things. They are just layers in something which is still "under construction" (I can still see that animated .gif construction dude...shudder).

Check out this recent W3C submission by HP called WSCL: http://www.w3.org/TR/wscl10/.

The XML Schema spec improved upon DTD in a big way (mainly by "xmlizing" the description and adding input and output data types). But it was not nearly enough. WSCL extends this API-describing capability by describing the entire architecture of an interactive web service.

Once services out there make use of WSCL things will get somewhat more interesting. Now I'm sounding like Linus in the pumpkin patch again...

- James

not just buzzwords

[maxmg]

I'm currently working for a medium-sized systems integrator and we are making use of web services where appropriate. You are right in saying that the technoloogy is mainly targeted at business apps, but certainly not only large-scale ones.
The latest development tools and middleware packages (which is, unfortunately, what I have to deal with day-to-day) offer easy support for communication based on web services.

This apporach cuts the time needed to integrate disparate systems so we can get on with coding the actual business logic and ultimately deliver a better tested, more feature-rich product in less time, which is all our customers care about.

Just my 2c.

Poisoned technology again

[Alex+Belits]

"Web services standards" are robbing network programming from its greatest advantages -- possibility of asynchronous processing, data transparency and flexibility in the data models. Programmers don't neet SOAP or RPC of any kind, they need data encapsulation standard, and one that is not tied to poisoned technology such as XML, Unicode ot Java (yes, those are "open standards", but they are stuffed with idiosyncrasy of their developers and therefore promote all kinds of ideas, in my opinion, stupid ones, over other ideas that are superior for a lot of applications, yet excluded and made impossible to implement over narrow-minded standards).

Imagine a standard that only allows to address the service by sending HTTP-like request, yet then the connection transforms into a asynchronous bidirectional one, with possibility to stream data in both directions -- with ot without synchronization. Imagine "document" that is just like XML, but without all the Unicode crap (data is transparent -- if one wants to use unicode, mark it as unicode, and make software aware of it, otherwise just don't), without end of document, so data can be streamed endlessly and become available as the tags/fields are parsed.

This would be far superior for any imaginable purpose to all those little "standards" that Microsoft and Sun originate, and W3C ruberstamps by dozens, that would be a truly useful tool that will improve network programming. However I don't believe any software company will now work on it -- no idiosyncrasy in the standard means no advantage, monetary or political, to its originator over everyone else. Only truly free software/opensource/open standards project would be able to accomplish this. I am just afraid that people won't realize this until it will be too late.

Re:Poisoned technology again

[Dasein]

I can't tell if I'm feeding a troll or not, but here goes:

"Web services standards" are robbing network programming from its greatest advantages -- possibility of asynchronous processing, data transparency and flexibility in the data models.

XML is transparent. It's text. Granted it's unicode text. If you don't like it, use UTF-8 and play like unicode doesn't exist. Just don't expect anybody to sympathize if you're system breaks when a Japanese company tries to use it. Unicode isn't a big deal to use, really. Trust me.

Programmers don't neet SOAP or RPC of any kind, they need data encapsulation standard, and one that is not tied to poisoned technology such as XML, Unicode ot Java (yes, those are "open standards"

Okay, what's the difference between SOAP and a "data encapsulation standard". You do realize that SOAP isn't just RPC. You can use any XML encoding you like inside the data payload not just RPC encoding.

, but they are stuffed with idiosyncrasy of their developers and therefore promote all kinds of ideas, in my opinion, stupid ones, over other ideas that are superior for a lot of applications, yet excluded and made impossible to implement over narrow-minded standards).

Care for an example?

Imagine a standard that only allows to address the service by sending HTTP-like request

I can. It's called HTTP.

yet then the connection transforms into a asynchronous bidirectional one, with possibility to stream data in both directions -- with ot without synchronization.

Granted this is difficult to do. Streaming data one direction at a time over http is easy. Streaming it both directions is not. Can you cite an application where you'd want to stream in both directions at the same time? In my experience, most applications need to request something then receive back a response.

Imagine "document" that is just like XML, but without all the Unicode crap (data is transparent -- if one wants to use unicode, mark it as unicode, and make software aware of it, otherwise just don't),

I consider unicode transparent. I have editors that work just fine with Unicode. Emacs on Unix and wordpad on Windows. If you don't want your document to have non-ascii characters in them, mark them as UTF-8 and just write them out as ASCII. Not hard. You will have problems with people trying to send you text that contains non-ASCII characters but you have that problem with ASCII. Do it like this: <?xml version="1.0" encoding="UTF-8"?>

without end of document, so data can be streamed endlessly and become available as the tags/fields are parsed.

You can do this with XML and SOAP. There absolutely no reason that you have to wait for the entire document to get at the data. If you're using an implementation that loads everything into a DOM before you get a whack at it, find another implementation. It's not a protocol problem. This would be far superior for any imaginable purpose to all those little "standards" that Microsoft and Sun originate, and W3C ruberstamps by dozens, that would be a truly useful tool that will improve network programming. This only time when it would be superior is when you wanted to stream data in both directions at the same time. You forgot IBM, MIT, Canon, HP, IONA, and Akamai. All have contributed to the SOAP standardization efforts.

However I don't believe any software company will now work on it -- no idiosyncrasy in the standard means no advantage, monetary or political, to its originator over everyone else.

That may be true. It's hard to get someone interrested in a protocol that isn't part of an existing standard.

Only truly free software/opensource/open standards project would be able to accomplish this. I am just afraid that people won't realize this until it will be too late.

YOU have realized it! Now it's time to make it happen. If you truely have something better, post a link to it as a reply to this message. It's great advertisement for your project and could bring you lot of new like-minded developers.

I'm dubious about your claims. That's just because I happen to like SOAP. It can be a little daunting to understand all the technologies involved in using SOAP but no more so than CORBA, DCE-RPC, SUN RPC, SMB or any other network protocol. I'd love to see you step up and actually post a link to a technical document that explains what you're talking about.

Re:Poisoned technology again

[Alex+Belits]

XML is transparent. It's text. Granted it's unicode text. If you don't like it, use UTF-8 and play like unicode doesn't exist.

That works only with ASCII -- texts in other languages give horrendous parsing errors if processed as UTF-8, so I would have to convert it to Unicode. The problem is, most of applications aren't going to expose enough information to actually make the conversion, text may be in some charset, and charset is known on the upper level while communication happens on the lower one. And, of course, some data is just binary.

Just don't expect anybody to sympathize if you're system breaks when a Japanese company tries to use it.

That's the problem -- I want to follow standards, not invent creative ways to break them to avoid ideas they are poisoned with.

Unicode isn't a big deal to use, really. Trust me.

I am Russian. I know EVERYTHING about this "not a big deal" bullshit.

Okay, what's the difference between SOAP and a "data encapsulation standard". You do realize that SOAP isn't just RPC. You can use any XML encoding you like inside the data payload not just RPC encoding.

Data encapsulation does not assume that data is being sent to something in chunks, and then the sender expect the response or even completion. It just defines that if I want to send an array of integers, I format them in certain way. But if I want to send endless stream of structures that each contain, say, date, variable-length array of integers and three strings (what would be perfectly reasonable for, say, telemetry system on some device -- it will continue working even if it's absolutely sure that no one listening anymore), I should be able to do it without thinking that variable-length array of integers may happen to be megabytes long, and have to fit in memory for formatting or parsing.

Care for an example?

Unicode, SGML-isms in XML and RPC-ish processing.

Imagine a standard that only allows to address the service by sending HTTP-like request

I can. It's called HTTP.

No, it isn't. I have implemented HTTP, and one of possible [ab]uses of my server allows to use HTTP connection for bidirectional communication after it's established. It was a blatant violation of HTTP spec, and therefore I had to write a library that specifically disallows this if only its normal API is used.

yet then the connection transforms into a asynchronous bidirectional one, with possibility to stream data in both directions -- with ot without synchronization.

Granted this is difficult to do. Streaming data one direction at a time over http is easy. Streaming it both directions is not.

Both things are easy, it's just one doesn't violate the standard, and another one does. People would gain more from extending the standard for bidirectional connections than from all "standards" crap that came from Microsoft and Sun since invention of HTTP.

Can you cite an application where you'd want to stream in both directions at the same time?

Remote console over HTTP-ish proxy. X session over HTTP-ish proxy. SSH session over a HTTP-ish proxy. Typical bidirectional protocols, and they would greatly benefit from URLs as possible destinations if firewalls will interpret those URLs as proxying requests, handle authentication (in the case of X, where authentication information must be passed), etc. Access to various equipment's semi-real-time reporting and control. TV-like access to semi-time-dependent broadcast -- user infrequently sends control commands, while huge amount of streamed data is being sent to him when it's being produced by sources that he have defined in his last control request that may remain active for many days/terabytes.

In my experience, most applications need to request something then receive back a response.

Then all applications you have seen, are "embarrassingly RPC-able" (an equivalent to "embarrassingly parallelizable").

I consider unicode transparent. I have editors that work just fine with Unicode. Emacs on Unix and wordpad on Windows. If you don't want your document to have non-ascii characters in them, mark them as UTF-8 and just write them out as ASCII. Not hard. You will have problems with people trying to send you text that contains non-ASCII characters but you have that problem with ASCII. Do it like this: <xml version="1.0" encoding="UTF-8"?>

_I_ am the person who will most likely send something that is not ASCII. I don't want to be forced into a kludge that excludes even my native language from being usable, so the only alternatives I have is to slavishly follow Unicode requirement, or declare that I would rather break the standard, remove encoding from the header and consider the protocol byte-value-transparent, just like HTTP always was until some assholes started promoting their "esperanto for computers". The second alternative is looking better and better with every new "standard" issued.

You can do this with XML and SOAP. There absolutely no reason that you have to wait for the entire document to get at the data. If you're using an implementation that loads everything into a DOM before you get a whack at it, find another implementation. It's not a protocol problem.

1. The standard is specifically made in the assumption that things are "called" when the data is arrived. Streaming never "calls" anything, it may be processed in part by calling a lot of things as data is becoming available, and structure of the stream may never have an end. Is an XML document with a list that is never closed, compliant with the standard? And with infinite length?

2. There are no implementations that do that. And the requirement to "verify" XML before it's used make this impossible (BTW, what a moronic idea, to verify the format -- verify what, that sender doesn't have bugs so horrendous, they violate the standard? there is more probability that data contains complete bullshit rather than that sender formatted it wrong), but even if it's not verified, XML is made specifically to make writing compliant libraries extremely difficult, in the hope that no one would ever try to do that and will just use the implementations made by Sun and Microsoft (or expat, if they are feeling suicidal).

However I don't believe any software company will now work on it -- no idiosyncrasy in the standard means no advantage, monetary or political, to its originator over everyone else.

That may be true. It's hard to get someone interrested in a protocol that isn't part of an existing standard.

Unless you are Sun or Microsoft.

Only truly free software/opensource/open standards project would be able to accomplish this. I am just afraid that people won't realize this until it will be too late.

YOU have realized it! Now it's time to make it happen. If you truely have something better, post a link to it as a reply to this message. It's great advertisement for your project and could bring you lot of new like-minded developers.

I will have to do that anyway -- my current project is cluster management, and I will have to design and implement a shitload of control/monitoring-related functionality. And no, SNMP isn't even close for being usable for that purpose, it's like umm... what would be a good example?.. oh, found, "ip over pigeons" for video streaming.

I'm dubious about your claims. That's just because I happen to like SOAP. It can be a little daunting to understand all the technologies involved in using SOAP but no more so than CORBA, DCE-RPC, SUN RPC, SMB or any other network protocol.

Understanding is easy, agreeing isn't. All protocols that you have mentioned are heavily poisoned -- why don't you use something else as an example. Say, SSL. It's just as complex, has very few working implementations, yet completely poison-free, it's made to serve its purpose, not to promote someone's way of doing things over all competing ones. Or HTTP, a protocol that is un-poisoned in 1.0, and slightly poisoned in 1.1. Or MIME. Or C language (ok, it's simpler than most of things, but its use is more complex), or C++ without the "standard" libraries. Those things are complex enough, yet they are made for goals other than excluding competing minds. And then look at all the garbage that ITU (more widely known by its former name CCITT)produced -- the purest poison that one can find in the "noosphere" -- standards all tied to each other, with complex, mind-bending and cumbersome 30-50 years old pieces pulled out of their graves to make implementations impossible, so only masochists will try to reimplement those and discover that existing implementations are buggy and incompatible with standards. Then try to honestly answer, where on the scale between those things XML and SOAP are.

I'd love to see you step up and actually post a link to a technical document that explains what you're talking about. ----- I am. Both as a profession and a hobby.

I will do that if/when I will decide to make standard base for my control/monitoring applications. If I will get nearly as much shit from "standards makers" as when I tried to prevent mandatory-Unicode-fication of FTP (yes, there was a draft about that, I have no idea if it ever made into RFC, but in either case no one ever tried to implement that), I would be content with keeping the protocol "published-proprietary", a standard specific for the product. But what I am certainly not going to do is to use SOAP or other XML-RPC-isms as an internal protocol.

Re:Poisoned technology again

Dude.. if you want asynchronous, bidirectional communications, just use sockets like you do now. Nothing very hard about that is there?

Soap is two things; a messaging system and a data representation method. It isn't a terribly efficient one of either, but it's effective at both. (You could, however, if for some wierd reason you wanted to, *use* a soap data representation to send a data object over an ordianary socket; the data encapsulisation and messaging mechanism are seperable.)

As far as the messaging system goes, though, it's a messaging system. not a full communications package; a simple messaging system. if your problem isn't well suited to simple mmessage passing, then you shouldn't use SOAP message passing. Use something else.

web services aren't "robbing" you of anything; they're a least common denominator appropriate for *some* things. If you need something more than what they can handle, just don't use them. Or use them in tandem with something more complex.

If you are forseeing a future in which you are forced to interface with other machines over SOAP to perform tasks which SOAP is totally unsuited for, and you have to bend over backwards to get "compatibility" with these machines-- well, that may well happen. Stupid people probably will use SOAP for totally inappropriate purposes. If you ever have to deal with that situation, I'm sorry.

However, that isn't SOAP's fault; it will be the fault of the people who decided to implement the inappropriate protocol over SOAP, and they are the ones you should take the problem up with (once it arises).

Stupid people can design bad protocols *now*. Stupid people do design bad protocols *now*. SOAP isn't going to design bad protocols for them; it just offers a often-inappropriate alternative.

SOAP could be better; what you suggest (a bidirectional whatever) would be really neat. But i doubt it would get as popular as SOAP, becuase it's more complicated. SOAP is popular *because* it's simple.

I suggest you try BXXP. I am not sure, but it sounds like it is EXACTLY what you want. It has failed to catch on where SOAP has caught on because it is more complicated. If i am incorrect in this i apologize.

By the way, you still have not attempted to explain in any way why you dislike unicode. you also have not attempted to offer any *alternatives* to unicode. Honestly, tell us, i am curious.

Re:Poisoned technology again

[Alex+Belits]

As far as the messaging system goes, though, it's a messaging system. not a full communications package; a simple messaging system. if your problem isn't well suited to simple mmessage passing, then you shouldn't use SOAP message passing. Use something else.

I would have no problem with this statement if SOAP was designed to support some specific subset of tasks, or could be dubsivided to standards that define access to methods, data formats, etc. But the problem is, the standard is "everything or nothing" -- either one has to subscribe to all pieces of ideology that it's stuffed with, or not use it at all. And it is presented as a solution to everything -- including problems that it has nothing to do with, and can be applied to only through ugly and inefficient kludge. If standard was separated from the very beginning into data formatting, object model(s), text/non-text handling, it would be useful for everyone -- if not one part than another. But no, "standardizers" want to push the whole thing down people's throats, or declare implementations "nonstandard". This is selfish and unproductive.

If you need something more than what they can handle, just don't use them. Or use them in tandem with something more complex.

SOAP, being "everything or nothing" kind of standard can't be used in tandem with ANYTHING other than SOAP itself. It requires complete compliance and loyalty to the design on all levels. It dictates the basic protocol model, so the only way to use anything else "with" it is to support basically two distinct protocols with different data models. But if another protocol is more flexible, why would anyone use SOAP? Anything SOAP can do, can be done better by a subset of data-formatting protocol using SOAP-ish semantics over it.

web services aren't "robbing" you of anything; they're a least common denominator appropriate for *some* things.

They are certainly not the least common denominator of anything. They are arbitrarily chosen to promote certain way of using network, that, if used by someone, disallows the programmer to improve performance and design over implementations that are promoted by originators of the "standard" thus automatically making the crap made by Sun and Microsoft the best of the breed -- because everyone who will dare to improve either flexibility or performance hits the wall of what is allowed by the "standard". And beyond the "standard" there is nothing but uncharted space -- every attempt to create data formatting standard is turned into "why reinvent something, we have SOAP".

SOAP could be better; what you suggest (a bidirectional whatever) would be really neat. But i doubt it would get as popular as SOAP, becuase it's more complicated. SOAP is popular *because* it's simple.

SOAP is NOT simple, it's merely implemented, shrink-wrapped and promoted in glossy magazines as the only game in town. In fact bidirectional asynchronous transfer is easier to implement, it's just SOAP creators specifically excluded it to make the standard that promotes their narrow-minded ideas by excluding everything else -- and then they will claim that since SOAP exists and supported by "major players" while everything else is at most being developed, then SOAP should be used for everything, despite all its limitations. Software industry is only starting to recover from similar game played with Windows and their "simple" and "wonderful" Win32 API.

I suggest you try BXXP [mundi.net]. I am not sure, but it sounds like it is EXACTLY what you want. It has failed to catch on where SOAP has caught on because it is more complicated. If i am incorrect in this i apologize.

I have looked at RFC, and it has absolutely nothing to do with what I am talking about. I disagree with semantics of the messages and internal format restrictions, not their encapsulation in HTTP or TCP.

By the way, you still have not attempted to explain in any way why you dislike unicode.

I use a non-iso8859-1 language in my everyday life, therefore I don't have to explain everyone why I am qualified to decide if Unicode is good or bad. Full explanation would take many pages, and I have posted it multiple times into Unicode-related discussions, only to find out that others have no idea what I am talking about because they are happily using "Unicode" in the form of ASCII or slightly mangled iso8859-1 with their languages while I am forced into using my language in a completely screwed up way because it's not in first 256 bytes of Unicode. So here I would keep the short answer -- because I am Russian, therefore automatically qualified to make judgment about "encoding for foreigners", and I have shitload of trouble handling Russian texts with it, as opposed to any other representation of text.

you also have not attempted to offer any *alternatives* to unicode. Honestly, tell us, i am curious.

Declare byte-value transparency of protocol and remove mandatory encoding in header. If somene really needs to pass a multi-language document over XML, allow "charset" attribute everywhere where "lang" is allowed, and in the absence of charset declaration never attempt to do any language-sependent text processing. If "charset" is "UTF-8", unicode lovers will get their object of worship without forcing everyone else to do the same. Most of data that travels across the network is not designed to be directly viewed by humans, so if the creators of software do not think, charsets should be labeled for display at the time of data transfer, there should be no requirement for doing the labeling or converstion at the protocol layer. XML is created with the assumption that the primary purpose of any kind of data is to be directly displayed in a pretty-looking page, and this is what was used to justify mandatory Unicode. The problem is, declaring charset for a tag or substring is just as easy for displaying, however when the program just exchanges raw data it helps a lot if there are no arbitrary requirements for its format -- even if metadata about charset exists somewhere it may not be present, or known, when the data is being transferred, and this design decision must be respected.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[dwsauder]

SOAP is supported by Microsoft and IBM, Sun, BEA, and so on. That observation alone seems to suggest that SOAP will go much further than either DCOM or CORBA.

A few years back, I used to wonder what the world of distributed computing would be like if Microsoft decided to support CORBA. Maybe with SOAP, we will get a chance to find out.

BTW, I think Microsoft has no choice but to play along with open standards in web services. If they were to choose otherwise to push their own proprietary web services "standards", their proprietary standards would probably be adopted no more than DCOM.

You're all missing something, ironically

Many of you have been commenting on SOAP, and its integral relationship with Web Services.

What none of you (that I see) has mentioned is... drum role...

MICROSOFT INVENT SOAP

Therefore, it must be crap. Right? Let's boycott SOAP. Quick!

a succinct definition:

[jnana]

"A Web service is an interface that describes a collection of operations that are network-accessible through standardized XML messaging."

If you want to know what web services are -- and why they will be extremely important for e-businesses (especially B2B) and are not "just RPC" -- see the following paper, from which the quote above was lifted: http://www-4.ibm.com/software/solutions/webservice s/pdf/WSCA.pdf

Absolutely wrong

[jnana]

Have you heard of parameter entities:

<?xml version='1.0' ?>
<!DOCTYPE foo SYSTEM "foo.dtd" [
<!ENTITY MyInclude SYSTEM "MyInclude.xml">
]>

This will include the file "MyInclude.xml" whenever the following entity appears: &MyInclude;

Re:Absolutely wrong

[__past__]

Not that this would be legal in a SOAP message...

Re:Absolutely wrong

[jnana]

Right, but the OP said "XML Document cannot contain another XML Document, with or without namespaces", which is wrong.

no-brainer, sounds like IT at work.

[twitter]

Designing your own protocol takes time, and implementing it for each OS/hardware combo out there takes even more time. Why bother to do that, when you can leverage a protocol (HTTP) and client software (browsers) that are already everywhere?

So, sticking propriatory formats like .DOC and what not on the web is a good idea? Give me a break. This junk only works on M$ platforms and not very well there.

We use this trash at work and it sucks. It's all tied in with M$'s bloated, ever changing formats and "standards". Email has gotten so thick from people mailing power point presentations, and word docs that the poorly perfoming servers are crapping out. Oh yeah, all that goofey mail carries a bandwith cost. Sigh, when a few kilobytes of text will do, it get's sent as a word doc. This might be because the default and only allowed mail client defaults to word as an editor, and plain text gets all screwed up at the recieving end. Really, the software forces you that way. Oh, and the asp bullshit? It's kind of like an evil VB crossed with Access used to put blinky things on people's pages and prevent anything but an M$ encumbered computer from looking at it. The slob in the next cube is forced to deal with it, on his two huge monitors that attempt to make up for a lack of virtual desktops. It's the best M$ scripting ever! "Objects" and tabs and buttons, oh my! It does not always work and when it does, it does not work well. A typical use is to hand you a Word DOC though OLE and a link while pretening to be a "web page". The OLE is quirky enough that Word fails to work correctly, if Word has a correct mode of operation. Other uses I've seen are inferior tables that blink and hand you a couple of forms that may or may not collect information and send you a word DOC. So there you have it. Poor perfomance, high cost, incompatibility and formats that won't work in two years. What else can you want from a "service"?

The person who recomended that junk is going to be fired. It's one thing to get suckered for a few insignificant desktop machines that replaced typewriters and secrataries. I can even forgive the poor joker who thought that M$ file sharing might be useful, and the other poor fool who bought copies of front page. After all that, the rework, the broken formats, the masses of equipment that got obsoleted in four years, the broken prommises and costs that exceeded mainframes by wide margins then doubled, there is no forgiveness. Further folly is willful ignorance.

Now that's a story everyone knows, or will know if they work for a M$ "partner". So ends the rant.

Re:no-brainer, sounds like IT at work.

[Tony-A]

Hehe, that's what will kill proprietary formats like Microsoft Word's DOC. Unless it's readable on Microsoft's Internet Explorer, Opera, Netscape, Galeon, Konquerer, a few varieties of PDA, or any of a few dozen no-name brand browsers yet to be, it's going the way of the Dodo.
If I can't read what I've written now five years from now, essentially regardless of what I am using five years from now, it's almost suicidal not to be looking for some format that's useable and that I can read five years from now.

Re:no-brainer, sounds like IT at work.

So, sticking propriatory formats like .DOC and what not on the web is a good idea?

That is both offtopic and a troll. .doc files and other such formats have very little to do with "web services".

that's nice

[twitter]

Just a few links but you can search www.google.com and get an idea of what SOAP really entails.

So what does M$ $oap entail? I seem to remember reading about how their junk was going to do stupid stuff like let others arbitrairily run executables on your machine. With the current poor state of M$ user/permission set up, this is like making an email client that automatically runs attachments. Woops, there they go again.

U REALLY ARE A SPUPID FUCKEN TROLL AINT YOU

that is all.

Sums it up.

Clearly, you are an "old school" Computer professional. You know, one that knows a computer can actually function, learned that reading is fundimental, that most of what needs done can be done simply, etc.

I'm with you.

But, Microsoft has created an army of dis-educated clones that don't know any better. In many ways, so has Sun, HP, and IBM, too. All the better to make a buck. If a system doesn't depend on 50 buzz technologies, they just can't get it up.

The trouble is, there are just too many zombies to fight.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[Malcontent]

Parsing the XML is not the problem I can parse a comma delimeted file with a while loop and an explode. The problem with XML is that people abuse the hell out of it. People send you XML which changes with each invocation for example. Besides there is no real validation in XML so you have to code all the validation anyway. XML does not save code, it does not save bandwith. It's just a buzzword.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[Malcontent]

I don't think I'll hold my breath to see how compatible MS SOAP is with everybody elses. There are already subtle differences between the MS soap and apache soap. Also the ms parser does an ebrace and extend by executing script in the XML (which just sounds like a recipe for disaster to me).

Stupid question

[Tony-A]

Would you actually be safer blocking web and email and leaving everything else open?

Re:Stupid question

[ethereal]

You'd be safer if you understood the risks and benefits of the network services you make available to the outside world. You can't just say "ports 25 and 80 OK, other ports bad" and have that be security. Insofar as SOAP tries to pretend that you don't have to understand security and at the same time makes more things available over port 80 than it was originally intended for, it is a security liability.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[Twylite]

I'm in agreement on your synopsis of XML. I have an article [my ISP] on why XML doesn't meet its stated goals and, in general, sucks. But its too long to post here.

The problems with HTTP as a transport are: 1. it is heavy; 2. it isn't stateful (as you point out); and 3. its INTENDED as a security backdoor. SOAP stemmed from work on XML-RPC, and both explicitly point out that the use of HTTP gave them an easy way to circumvent firewalls.

Heavy? Yes. There are several overhead fields on requests, and typically even more on responses (since server's don't tend to be terse just because you're asking for a web service). 20 'int's encoded as strings have an insignificant overhead compared to one or two lines of HTTP header information. And we won't even get into SOAP packets...

Compression (of which some have glibly spoken) is not an acceptable solution. Accepting or responding to a compressed SOAP message involves a series of filters or parsers: http, gzip, xml, soap, field encoding. The processing overhead is tremendous - even on an otherwise idle system with a Gb ethernet, SOAP cannot get near the performance of traditional (binary encoded) RPC mechanisms (on slower networks). Not to mention that you STILL have the HTTP header overhead, because those are not compressed.

The first question people should probably be asking is: Why not ASN.1 ? Its also standard, it has a ridiculously longer history than XML, and is in widespread use. It is a terse and efficient binary encoding. And that's its perceived downfall: somewhere, someone decided (with little technical knowhow or forethrough, I might add) that human-readable protocols were a good idea for data communication between machines.

Why are companies jumping on the bandwagon? Because either they stand to make a lot of money out of developing new technology, or the stand to make money out of selling new technology, or out of converting customer applications to use or support new technology, or they are customers who have their suppliers (and internal MSCD intelligencia) telling them how wonderful and great and cool and really important it is that they break their fully working existing systems and reimplement them with a new protocol. Just because.

Firewalls

[alftheo]

It seems to me that the whole point of using HTTP instead of any other protocol, is that organizations are blocking off access to all ports but port 80. The point of this is that you cannot do (much) harm using only a webserver on the other end.
Now, using SOAP, you can tunnel any service through HTTP, and bypass all that security. In effect, all the available ports get compressed into one.

How long before the network admins realize this and start filtering that access?

The Answer to your Question.

""Why are all the IT companies suddenly interested in open standards with web services?"

The fog has started to clear and they can see the
Cage Billg is building for everybody.

Re:CORBA is too heavy & EJB is too RMI/IIOP de

[kevinank]

I've argued that for significant uses you don't even have to agree on the semantics of the data. The producer and consumer of the data can each form seperate semantic meaning for the same data as long as the meanings they form are useful to them.

You for example might produce a document that includes a field 'OrderID' which identifies the order number assoicated with the data in your database. Looking at the data I might have no use or interest in 'OrderID', but still be able to draw out (for example) the name of the customer without any prior agreement as to the meaning of the fields you provided.

The distinction becomes significant when you consider the number and types of communications that can exist. If each one must be standardized or agreed to in advance of use, then XML becomes a much weaker tool for data interchange. Instead someone looking at the data can make an educated guess about the uses that they would like to make of the data you provide, and even if those meanings don't overlap with your meanings, just so long as they get utility from their interpretation the result is still useful.