Java SOA Cookbook by Eben Hewitt

The work a service can do must be described with an external interface. Some architects allow that such an interface can actually be tied to a specific platform, as in the case of a Java interface describing the operations on a remote session EJB. Services can certainly be approached in this manner, and such an approach may be justified within a given business context. Dictating that consumers must use a certain platform, such as Java or .NET, to consume a service can save valuable time and money and drastically simplify your implementation.

Many SOAs operate within a company, behind a firewall, in a known environment that is relatively static. I have talked with architects in such circumstances whose entire SOA is defined on EJB. That’s a very specific platform, and they think they are doing SOA, and they are smart and experienced people.

Their view is that it would introduce unwarranted developer effort, offer more complexity than benefit, and garner unnecessary runtime overhead to use SOAP and its many attendant specifications given their business context. So while many authors are tempted to indicate that a service must be defined in a manner that does not dictate platform, and while that sort of service is the chief topic of this book, my definition does allow for platform-specific implementations.

However, a service is generally created to address a systems integration problem, or at least has an eye toward integration issues. A WSDL is one way to describe functionality in a way that does not dictate implementation. While WSDLs may commonly use SOAP over HTTP, this is not a requirement; other protocols can be used for bindings, and the same abstract WSDL can address a variety of bindings, offering even greater flexibility.

HTTP is perhaps not the ideal transport layer for web-based services, but its simplicity and pervasiveness have made it the default choice. Consequently, there is considerable support for such service implementations.

RESTful web services use XML and native HTTP methods to define their interfaces, and this approach has many proponents who cite the complexity and “bloat” of SOAP-based services. I want to avoid this argument for now, and just indicate that REST sufficiently satisfies the condition of platform independence. It is less clear that it satisfies an emphatic interface that can operate as part of a service contract, however.

Because a service is not merely a piece of functionality, but something describable by a contract that constrains consumers, it is important that a clearly defined interface work within contract automation. Without a clear interface, service reusability opportunities shrink. Without platform independence, possible consumers go down and service components become more tightly coupled.

Of course, nothing is free, and you pay for platform independence with performance and complexity.

The world is filled with very useful programs whose functions can be invoked only from within the same virtual machine or within the same physical machines. These programs simply do not qualify as services. Just as in the real world, your customers have to be able to contact your business to contract for your cleaning or consulting or catering services. If you’re the only one who knows your phone number, or if you don’t have a phone, then there’s no show. If your function is not available remotely, it is simply not a service.

My third criterion for a service is that it generally carries out business functions, and generally does so by operating on business documents. What does this mean? A calculator that adds two numbers together may not be a good candidate for a service because integers are not business objects. They can never be defined in a particular way for your organization.

A “business object” means an instance of an entity in your business domain, such as a Customer, a Product, an Invoice, a Student, or an Application for Employment. You can decide for yourself what these will mean, as they are the entities that differentiate your business from others. Further examination of your add operation must question whether the idea of adding is particular to your business. It is not. Anyone in the world can add all day long, and will do so (presupposing any basic mastery of the task) in a manner identical to everyone else. Moreover, you have no opportunity for innovation in the method in which you add; you cannot conceive of and employ some custom scheme for adding within your operation’s implementation to gain a competitive advantage in the market. Unless you have a very creative accounting department, you don’t decide for yourself what integers and adding mean.

There is certainly a wide array of popular services publicly available that operate on facts. These include determining the distance from one location to another, or performing calculations such as shipping costs based on weight, or finding the location of the nearest store. While a zip code or a weight in ounces may not in themselves appear to be business objects, such services do perform a business operation that is distinguishable from something absolutely generic such as adding two numbers together.

This is just a general guideline. Consider a service that converts currency. There are many such publicly available web services, and a euro is the same for everyone, so these don’t appear to be business objects. But there is always the matter of perspective. At a bank, the idea of currency might be considerably more detailed in its definition than it is at a pet food store, making it a kind of business object to the bank.

You probably don’t need an SOA if you don’t have a business of some size, or at least of some length of history. While programmers might enjoy writing a video game for their own personal use, no one builds an SOA out in the garage on Saturday afternoons. If you’re talking about an SOA, you’re talking about a business of some measure. And your SOA will realize its potential ROI (return on investment) if its constituent services operate at the appropriate level of granularity in order to maximize their reuse. Of course, this begs the question what is meant by “appropriate level.” That will depend on the business processes that define your services, and what related processes might be able to reuse them.

I must stress that this guideline is open to a wide variety of interpretations, and is presented as a starting point so that you can make some distinctions. You want to avoid being so vague that you do not have enough to work with. Indeed, there are utility or functional services that operate in the realm of technology alone; these are described in Identifying Service Candidates.

This refers to the idea that you must be able to decorate the service operation in some way in order to provide for functional and non-functional requirements. It is this aspect that elevates the service to something meaningful with an SOA.

If you are using SOAP, a variety of WS-* specifications (such as WS-ReliableMessaging or WS-SecureConversation) add capabilities to your service that do not impact the core business functionality, but make your service adaptable for use within an SOA. The ability to add HTTP headers, for example, is one way of decorating a REST-based service implementation. EJBs make the cut because, while the mechanism is not based on WS-* standards, interceptors do allow for decoration of like functionality.

The point here is that you want to be able to provision your SOA, and by necessity its constituent services, with technical means of governance (which we will discuss later). You want to be able to include policies at runtime that augment how the service can be used. The ability to interact securely, to allow for transactional operations, and, in some cases, to accept monitoring instrumentation are non-functional requirements that bridge the gap between a theoretically pure implementation of your Invoice Processing service and the real world that involves this particular network with these external constraints that must be accounted for. Baking such items into your service can severely curtail or obliterate its possibilities for reuse, especially in federated environments. But the need to deal with them remains; when possible, move such requirements into decorators.

This requirement may guide your choice of platform or implementation. The fact that there are so many non-functional requirements that so often come into play in software components (and the fact that so many of them are recognized by WS-* specifications) is a leading reason why I have chosen to focus on SOAP-based services in this book (and in building a real-world SOA). To have such common requirements dealt with in a standard way within these specs offers a boost to interoperability and maintainability, and allows developers to focus on their business problem.

What else might be true of the operation if it is to qualify as a service? It seems that a service is worth all the trouble to define and create only if it will be reused. A chief aim of SOA is that its components are self-contained and do not represent overlapping functionality. Its components should provide a degree of reusability. That is, they must not be limited to a narrowly defined business context that has little or no relevance elsewhere in the enterprise. It is possible that you will write a service that does not get reused. It is possible that your business will change directions, or that a service is too poorly defined, either too granular or too broad in scope, to ever fit into another use case. Sniffing out such matters is where architects are valuable.

Some architects will add the requirement that a service must be stateless. I agree that in general it is a good idea to ensure that your service operations are stateless, but I would not require it as a defining feature of services. If they must maintain state, they can do so externally through a database or other temporary serialization mechanism. Conversational state is often best avoided if possible, but when it must be maintained within the service composition, it can be handled through a specification such as WS-SecureConversation and WS-Conversation. This is a spec that has been around for a few years now, and is implemented in containers like WebLogic 10gR3.

While this is perhaps overstating the obvious, there is a small lesson here. Simply creating a set of services does not automatically render an architecture. Architecture, while it should guide the creation of services, is a diverse matter separate from the implementation of the services themselves.

In the term “SOA,” “service-oriented” modifies “architecture” as an adjective. That is, an SOA describes a sort of architecture one can undertake. It is not a development mode. You cannot simply annotate an EJB to indicate that it’s a web service and decide that because you now have a web service, you must have the felicitous beginnings of an SOA. If you are not very careful with your approach, you could indeed have the beginnings of a very elaborate, very expensive mess.

One point that must be made is that you cannot simply buy an SOA. You cannot expect a single vendor to hand over an SOA once your CIO writes a check. Building an SOA involves considerable analysis and integration.

This is the “service” part of “service-oriented architecture” and I rely here on my definition in Defining a Service. It’s not an SOA if it’s not an architecture, or if that architecture doesn’t use the service as the common unit of measure (just as an object-oriented system uses the object or class as its common unit).

Without services, there is nothing to build on, monitor, or govern, and nothing to execute to provide your business value. But at the other extreme, one can labor long and hard, producing a perfectly lovely set of architectural diagrams with little relation to the real world. If you focus narrowly on cranking out a set of service implementations and forget the architecture—or, more likely, leave it out on purpose while dismissing the “astronaut architects” with their heads in the clouds—you will not only have no SOA, but you’ll have something even worse. You will have spent considerable time and money over-engineering a solution to the wrong problem. There is actually a name for this sort of furious work: the anti-pattern known colloquially as Just a Bunch of Web Services (JaBoWS). In addition, cowboy developers operating without architectural guides can inadvertently cause the business to fall prey to another SOA anti-pattern: Rogue Service, wherein there are services operating on the network that are not part of the known, governed set of services in the catalog. So a bunch of services without architecture or governance does not an SOA make.

In my view, it is debatable whether a “service” that is wholly outside the context of an architecture is actually a service at all. It is in part the contextual role within a supporting architecture that elevates an operation to the level of a service. This status is afforded, but not directly stated, by the last criterion in my definition of a service: it can be decorated with runtime extensions that handle certain technical non-functional requirements.

SOA represents a way of thinking about systems integration. An SOA serves to offer increased or new business functionality or opportunities by connecting multiple systems together. In its most straightforward form, this means that you can do B2B work more quickly.

CORBA, connector architecture, EDI, and point-to-point EAI efforts over decades have all demonstrated the ability to integrate diverse systems. But such efforts can be costly and brittle. They can distract developers and IT departments from addressing their real business problems, as they work for months getting systems to talk. These solutions all define their own formats for message exchange. SOA, in general, reuses XML as a standard means of message format, allowing integration efforts to leap into action more readily.

Some CIOs, in frustration with previous EAI projects and in an honest attempt to address their problems quickly and decisively, have thrown in the towel, called up their favorite vendor, and signed up for their entire stack in an attempt to avoid the integration problem altogether. But this can be a very expensive proposition indeed and it has the drawback of tying your organization to that vendor, locking you into operating on their time tables, and you’ll be able to provide only the functionality they expose.

So while integration happens, SOA attempts to address the pain points of integration efforts.

The idea that SOA facilitates reuse through loose coupling is a key modification of the point that it simply supports enterprise integration efforts. SOA suggests two distinct ideas: it facilitates reuse in the first place, and it does so by creating loosely coupled components.

Early enterprise integration or primitive service provider efforts have not focused quite so specifically on the idea of reuse. But it is now possible, given the new standards and the employment of a generic format such as XML in message exchanges, to realize enterprise services in a sufficiently general way that services can be reused.

This reuse can come in the form of general interoperability. If two software components can interoperate, that in no way means they are loosely coupled. But loosely coupled components have a greater chance of interoperating.

While reuse can be achieved as a side effect of ensuring that your services are loosely coupled, it is not a necessary aim for every service. It is possible that you have certain services that you know have little likelihood of being reused in a composition or within an unforeseen business context. Such services may have been created as pilot projects; or it may have made sense given the circumstances to create some functionality as a service in order to tap into a larger architectural infrastructure to make it more visible, for example, through a service inventory; or to take advantage of centralized schemas; or to quickly gain runtime metrics afforded by SOA monitoring tools.

Reuse is not strictly necessary within any given service. However, an SOA entirely populated by non-reusable components is likely not an SOA at all, but rather a fancy, bloated, over-engineered collection of point-to-point EAI dinosaur bones.

Be careful allowing a service to directly invoke another service (that is, to have itself be the client of that service), as this can strikingly reduce the business contexts available for reusing the service. Sometimes it seems necessary to make one service the client of another service within its implementation. But you are introducing a degree of coupling here that you might not want later. If you find yourself in this situation, consider using an orchestration technology such as BPEL (covered in Chapters 9 and 10).

Also, it can be difficult without service-level agreement (SLA) monitoring software and metrics in place to keep track of how much traffic a service is receiving from where. If your service crosses business domains, it becomes particularly important to consider that it could see sudden, unexpected explosions in traffic due to compositions external to your current subject. Another problem with direct invocation is that it adds complexity to your topography without allowing visibility through tools. There are tools by the big SOA suite vendors that show dependencies across the service-related resources stored in your enterprise repository, but they can be very expensive.

The architectural solution to this problem is that when you want to have one service directly invoke another, consider whether you can create an orchestration (or process service, as defined in Identifying Different Kinds of Services) instead. As a service wraps a system or subsystem, an orchestration wraps a set of services that together make a flow. But the orchestration is itself exposed as a service, so it looks just like any other service to the client.

An SOA will mean something different to different organizations, and I encourage you to consider your specific definition and decide what elements to emphasize within your own business context and its attendant constraints.

A top-down approach starts from a high-level business view. Using this approach, you examine a road map laid out by the business that sets established business goals for a given time frame. You then evaluate the goals for potential service creation. This is not a process that simply maps a list of prioritized business projects directly to services. It requires instead that you use existing architectural documents and business process modeling techniques to determine what in your enterprise would make the most sense if written as a service.

The architects, CTO, CIO, or other responsible party in your organization should have an IT roadmap that is based directly on a business roadmap. That roadmap may exist at various levels of granularity or span a variety of timelines or departments within IT. But such documents can serve as the basis for identifying hot topics that can be examined as candidates for service creation. The roadmap itself, if it exists, will be too high level for service design. But once items on the roadmap are approved for work, start with identifying the business processes that are involved. Mapping the business processes required by a project will often point to an external system that you might be able to integrate via services, and will frequently point to internal systems that can be wrapped as services.

Businesses that are relatively young, have few disparate systems, or are generally very forward thinking might benefit most from this approach. It is easier for businesses to champion SOA efforts in such a scenario, as they get new products delivered that have been on their wish list.

A bottom-up approach starts from the view of a legacy technology. It takes existing functionality and wraps it in a service in order to achieve more general business goals such as increased agility, interoperability, or eased integration. This can sometimes be termed “service enablement”: the basic functionality exists already, but you make it available as a first-class citizen within a service-oriented architecture.

This approach starts by identifying “pain points” within the enterprise that could be usefully addressed as a service. This is a common approach if you have had no architects doing forward planning work with your systems integration, and find yourself with an “accidental architecture” of rampant, undocumented, proprietary, or generally ugly point-to-point communications. If this is the case, you must approach such an effort with caution, taking care to understand the processes that are already using this tightly coupled functionality.

The business realizes value with this approach by freeing up previously complicated intersections of technology for greater agility and flexibility going forward. This can translate directly into shorter time to market.

This approach may work best for companies that have been in business for decades, have lots of legacy systems, use a wide range of disparate platforms (possibly as the result of many mergers or acquisitions), or have many existing point-to-point connections. But beware of simply taking the existing interfaces of these legacy systems and then making a web service out of them. A bad interface that runs with SOAP over HTTP is still a bad interface. Designing the interfaces so that they will be usable going forward often means that you have to do some overhaul within current state business models (that you might have defined using a top-down approach for something else).

A bottom-up approach rarely works. IT can end up being the driver, which you don’t want. The business needs to be aware of SOA and assist in the governance and the definition of processes. The interfaces of the future are not likely to be found in legacy code. Legacy code can be wrapped with new interfaces. And this usually means that you start not at the top or the bottom, but in the middle, according to the requirements of your business processes. You can then find ways to reuse existing systems with a new facing appropriate for the process.

Document the service candidates you elicit with an enterprise view. Do this as an iterative process, using a standard format, in order to visualize your service-enabled enterprise. This documentation must ultimately be composable into a larger enterprise service catalog.

Be careful of attempting to model your entire business up-front. Circumstances are likely to change before you complete such an effort. It is reasonable to take a more modular approach here, working with a single business domain, system set, or problem, and model that using an iterative approach. Eventually your models will meet at domain or functional borders.

The reference architecture can help ensure the success of your architectural efforts in a variety of ways:

Your SOA reference architecture can be a deliverable, a living set of resources that can be used for a variety of purposes, and not simply some documentation that accompanies your code. As a deliverable in its own right, it works well when implemented within a website that is easy to update, such as a wiki. Members of the SOA team or governance board or the architects involved at your organization can create a site that they populate with architectural models, standards and conventions documents, and resources for evangelizing and education, and that can perhaps serve as a gateway to runtime tools.

As a suggestion, the items outlined in the following sections might be useful within a reference architecture.

While some of the items indicated here may seem excessive, remember that the purpose of the reference architecture is manifold: it serves to instruct newcomers on the way that you want web services done in your organization; it helps experienced developers find and use web services that your organization has written or endorsed; and it helps the governance board or Center of Excellence make decisions regarding service candidates and future architectural directions.

SOA is in many ways about aligning IT with the business so that eventually there is a blurring of lines between the two. How this emerges will be very dependent on your organization and its culture. But SOA requires considerable support. It represents a new way of thinking about systems, and there are many APIs to learn. While there are free and open source tools to use as application servers, enterprise service buses, business process execution and more, many organizations will make expensive software purchases. That process can require lots of time and input from the business. The investment that the business must make in education of the team and evangelizing to the larger IT group means real time and money that initially are not spent getting something new. It is frequently viewed as a sunk cost in infrastructure that the business hopes will pay off in the long run.

For these reasons, it is important to win the business over; otherwise, the investment upon which an SOA team is dependent could dry up. The way to win the business over is to show them the money. Choose a project that will have some immediate return so that the business can remain supportive. Illustrate clearly that the real return on SOA is realized over the course of several years, as IT may be more responsive and ready to quickly address changing business needs.

The project should have limited scope. It should represent functionality that is somewhat isolated from systems that are not well known. But you will get the most out of your pilot project if it does span multiple systems. It cannot be merely a proof of concept about web services, but must be a full-blown, real-world project. Otherwise, you run the risk of underestimating scalability requirements and overall complexity.

Introducing SOA can lead to a lot of new APIs for developers, new application servers, new languages, and new infrastructure. It represents a new way of thinking about development. Thinking in services is different from thinking in objects. Making a switch from functional or procedural programming to object-oriented programming can take time, and represents a dramatic change for developers. I have seen Java classes in excess of 15,000 lines of code, with a single method 700 or 800 lines long. Just because you’re writing in Java and a program compiles and runs doesn’t mean it’s object-oriented, and doesn’t magically make it good. Do not underestimate the difference that services can represent for OO developers too. You need to take the time to educate everyone on the team (though not necessarily at the same time). That takes development time away. If the project has a very large scope, it might never be completed when you have so many external considerations.

You want to be able to isolate unknowns so that you can more easily identify problems during the development and quality assurance phases of the project. Be careful of choosing a product that uses brand-new products. The team will already have a number of mysteries to deal with when working with new infrastructure and APIs. Isolate your changes so that the SOA enablement work can be a leading focus. Consultants can help here.

Consider the target consumers for your initial service. You mitigate your risk by choosing something that is internal to your business, rather than customer-facing. This gives you time to build out a little infrastructure before the external world gets involved, introducing new and unanticipated issues. Internally consumed services will help you focus on implementing your first services properly, and shield you, for a time, from more advanced and complex issues such as federated security. Internal services may also represent an opportunity to gauge traffic with greater confidence.

This may be obvious; consider whether the functionality really satisfies the criteria highlighted in Defining a Service. Be careful to not have external forces choose a pilot for you if the proposed project wouldn’t actually make a good service. This happens—SOA teams get formed, and then the boss insists that the pilot must be whatever the next thing on the project list is, regardless of whether it is actually a useful service candidate. Writing services initially adds considerable complexity and expense to a project in the hopes that the benefits will outweigh such costs in the long run. If the service will never be reused or never be invoked from another platform, you might not have a very good service candidate on your hands, which means you might not realize much ROI.

Make sure that the service you choose will give you an opportunity to explore the full development life cycle. If you plan on utilizing a “start from schema” approach, for example, you want to address this head-on in your pilot, as it precipitates work surrounding the custodianship of the schemas, modifies the build process, and so forth.

It might be an overarching SOA goal of your organization to move your work in an architecturally neutral direction. This can be the case in companies with decades of legacy data tied to a specific platform. Finding a data service that wraps some central entity representations can help reduce ETL (Extract, Transform, Load) or data movement operations.

If you have subject matter experts for the given problem domain available, you can mitigate considerable risk. Introducing new systems, new software, new processes, and new problem domains at the same time that you introduce services and SOA creates a dangerous concoction. If you are working with vendors or consultants, make sure they have a background in the vertical business area you’re addressing (financial, retail, etc.).

While it is important to realize business value early in establishing an SOA, be careful not to bite off too much in the initial stages. SOA pilot projects often lose track of their deadlines, miss certain requirements, or fail altogether. Choose a project that won’t undermine your business if it takes some extra work to get it up and running as a service.

This makes service enablement of existing pain points an attractive pilot project. There is already a process or functionality in place to fall back on should it prove necessary. Obviously I am not recommending that you plan to fail, but things happen, and it’s smart to be realistic about it up-front.

Do some research on architectural frameworks, methodologies, and design patterns, and select some that will support you best given your environment.

Once you have completed the initial pilot, the second project, which should probably be considered a pilot extension, becomes very important. The chief goal of the pilot is to establish a foundation for SOA, understand the technical implications, and create something of value using new constraints and new strategies.

The second project provides a key opportunity to build out some of the organizational and cross-cutting concerns that SOA precipitates, such as governance (see Establishing Governance). The second pilot will, for this reason, need to have a similarly limited business scope as the initial pilot. Don’t leap into rewriting your payment infrastructure with your second SOA project. You need time to learn the behavioral patterns of your new tools and time for the education and daily reality of running the production services environment to set in.

You can also use the second project to build on your initial architecture. You may add functional or meta services, such as a rules service or security service. You may introduce BAM tools at this stage, or deepen your work with WS-Policy or security concerns in general. You might clarify and refine how you will handle service versioning, which may not have been a central focus of the pilot. You might take advantage of some more robust features of orchestration than you may not have had time or need to explore initially.

These things should have been laid out in your SOA roadmap. The roadmap will change, but keep it updated, and remember that SOA is a long-term investment. Plan big, but start small.

Organizations that attempt SOA without governance in place can fall victim to a variety of ailments, including total failure of the SOA initiative. There are a few common, avoidable pitfalls.

You can’t govern what you don’t know about. So, to ensure that all of your service-related code and documents are visible, implement a central repository that has the documents of record for each version of each service. This will help track these important documents during design and runtime.

This is a reality. Beware of developers and architects who seek to advance their careers at the cost of populating your SOA with frivolous functionality or over-engineered solutions. You can recognize these types by their endlessly new answers to problems that have already been solved.

Governance can handle this problem by making all service-related development efforts transparent, and by managing solution implementations.

One bunny is pleasant to find in your yard. Two bunnies are even better, chasing each other hither and yon. Fifty bunnies is a problem. Just because something is good doesn’t mean that more is necessarily better. The cake you’re baking might need half a teaspoon of salt; add a tablespoon and it’s ruined.

Once you get good at services, it will be tempting to make lots of them. Review your landscape. Not everything should be a service. Allow services to proliferate in your organization in the manner of multiplying bunnies, and expect performance, maintenance, and management problems. Remember the old saw, “just because you can, doesn’t mean you should.”