A number of solutions exist for creating Java-based Web services from a variety of different providers. Options range from individual processing engines that plug into existing application servers to large enterprise-class platforms in which Web services is one of many components. Each option provides its own set of challenges and benefits while addressing different types of requirements. For the enterprise, Oracle's Application Server 10g provides a robust option.

The 10g version of the application server from Oracle provides a highly flexible and scalable Java-based Web services capability. The tools provided by the system allow for almost any Java object or PL/SQL function to be exposed as a Web service.

Web Services Support
The Oracle Application Server Web services architecture in 10g provides the infrastructure to expose a variety of objects as Web services, including:

• Stateless Java classes
• Stateful Java classes
• Stateless session EJBs
• Stateless PL/SQL functions or procedures
• Java Message Service (JMS) objects

Figure 1, from the application server's documentation library, identifies the supporting components for each of the above sources. The boxes on the right side of the figure represent individual servlets that handle the documents sent to and from each type of source component. For Web services that are stateful, HTTP session objects manage state between service calls. Both RPC and document-style Web services are supported by this architecture. The key difference between the two styles within the application server is the set of parameters and data types allowed in the implementing class. In the RPC style, Oracle supports instances of basic Java primitives and object types as parameters, along with Element, Document, and DocumentFragment objects from the DOM (XML API). Document-style Web service implementation classes only support instances of the Element object from the DOM (XML API).

Tools for Exposing Services
If you're using Java classes to implement Web services, the development should follow the same sound principles as when developing any other classes that will be hosted in an application server, since there are no physical limitations beyond those described in the previous section. Once the implementation classes are built, the developer must create the configuration file to describe how the service is to be assembled by the application server. This is a basic XML document not unlike a J2EE or Web application deployment descriptor. It contains information about the service itself, including name, description, and path information, as well as the individual services and their implementation classes (or other objects, depending on the implementation type). For the purposes of this article, a simple Document-style Web service was created as a standard Java class to accept an incoming document and store it in a repository.

With the configuration file complete, Oracle Application Server provides a tool called the WebServicesAssembler that reads the file information and generates the appropriate class files and deployment descriptors, and optionally the WSDL file and proxy classes for the service. This is a command-line utility that can easily be incorporated into any Ant script as part of a standardized build process. Inspection of the generated EAR file shows a Web application module with a specialized servlet for handling document-style Web services.

JMS Web services are slightly different because two JMS destinations and possibly an MDB are required, depending on implementation. In this scenario, a SOAP call goes through the following progression:

1. The Web service client sends a SOAP message to an HTTP servlet
2. The Web service listener servlet drops the message to a JMS destination
3. An MDB or alternate JMS client picks up the incoming message and processes the contents
4. The result of the operation is placed on a second JMS destination
5. The Web service listener servlet returns the service result to the Web service client via a SOAP message

The configuration file for JMS Web services also differs in that the connection factories and queues for sending and receiving the SOAP document from the Web services listener servlet are identified instead of the implementation classes

Similar changes are needed when developing Web services that are implemented by PL/SQL objects. In this scenario, the configuration file identifies the username and password of the host database, its JDBC URL, the JNDI name of the connection pool, and the package and procedure to execute.

In addition to the Web services architecture described above, Oracle Application Server 10g provides an alternative method for Web services implementations called OracleAS SOAP. This toolkit is based on the Apache SOAP implementation. It should be noted, however, that the Oracle Application Server documentation recommends that the Oracle Application Server Web services architecture be used to create and deploy new Web services applications.

Oracle UDDI Registry
Cataloging and publishing of available Web services is supported by the UDDI registry provided in Oracle Application Server 10g. This repository includes support for the SOAP API as defined in version 2 of the UDDI specification. Web services may also be published to the UDDI registry at deployment time from the Oracle Application Server Administrative Console.

Securing Web Services in Oracle
Oracle Application Server 10g allows administrators to secure Web services using the following techniques:

• Web services over SSL
• HTTP Basic Authentication
• Authorization via Oracle's implementation of JAAS

When interacting with secure Web services hosted on an Oracle Application Server instance, the client application must have the relevant system properties set. If JAAS is implemented for authorization, the username and password provided by the calling client may be used to retrieve a Principal object from the User Manager to be passed along to any relevant processes.

Conclusion
Oracle Application Server 10g provides a powerful, flexible, and scalable Web services architecture for Java-based systems. The tools provided isolate the developers from the required code to manage the details of processing SOAP requests and allow them to focus on creating business logic. The UDDI server provides the cataloging and directory services to publish available services. Overall, the 10g version of Oracle's Application Server provides a complete and robust solution for delivering Web services in Java.

Company Info
Oracle Corporation
500 Oracle Parkway
Redwood Shores, CA 94065
www.oracle.com
Phone: 1.800.ORACLE1
http://www.oracle.com/technology/products/ias/index.html

At the time of this writing, it was indicated that an upgrade to the Oracle Application Server was forthcoming with support for J2EE 1.4 Web Services, SAAJ 1.2, Apache WSIF, SOAP 1.1/1.2 and WSDL 1.1. Adds support for the WS-Security standard and provide a reliable messaging framework that supports the WS-Reliability standard. This release includes a new management console for managing Web services, a full design time in Oracle JDeveloper and for non-Oracle-IDE environments, a command line tool, and a set of Ant tasks for creating Web services. The new version is now available.

• Figure 1