Are Web Services Finally Ready to Deliver?

Web services, in brief, are a framework of software technologies designed to support interoperable machine-to-machine interaction over a network. Companies on different systems can use Web services to exchange information online with business partners, customers, and suppliers.

IDC estimates that worldwide spending on Web services-based software projects will reach $11 billion by 2008, compared to $1.1 billion in 2003. A Gartner survey of 110 companies also indicated that 54 percent are already working on Web services projects this year or have plans to begin soon. Figure 1 shows results from a 2004 Forrester Research survey of about 280 large North American firms. Survey respondents identified a total of 66 Web services that are either in production or in development.

"The industry is entering a critical stage in the acceptance and support for higher levels of Web services standards and technologies," said Sandra Rogers, director for Web services Software and Integration at IDC. "Users and vendors alike must acknowledge and support an environment that allows for phased change, and the ability of vendors to support and help businesses transform multiple generations of Web services will be vital."

Various standards organizations and industry consortia are developing Web services specifications without a unifying authority. Organizations such as the Worldwide Web Consortium (W3C), the Organization for the Advancement of Structured Information Standards (OASIS), the Liberty Alliance Project, and the Web Services Interoperability Organization (WS-I) have developed or reviewed numerous standards.

Because of this, noted Joe McKendrick, an analyst with Evans Data, "developers that we interviewed, who are assumed to be on the cutting edge of Web services deployments, are largely uncertain of what standards they will be supporting over the long run. Most have either never heard of or only know a little about the many specifications coming out of the standards bodies."

DUELING STANDARDS PROPOSALS

In several key areas such as business process automation, security, and reliable messaging, there are competing versions of standards. Some companies, said Girish Juneja, cofounder of Sarvega, a Web services company, have thus been reluctant to spend on Web services, particularly in advanced technologies, until standards issues are resolved.

"But the adoption of basic standards like XML, SOAP, and WS-Security has accelerated spending, and we'll see more enterprises adopting and deploying B2B Web services as a result of security issues being addressed," Juneja said.

The Web services market is poised for takeoff. An Evans Data survey indicated that one out of every ten companies is investing in Web services development and integration this year. About 13 percent of the respondents said that a majority of their development funds are going to Web services, and IBM is investing more than $1 billion a year.

Overall, almost nine out of ten companies say they're putting at least some development funds—even if it's only a couple of thousand dollars—toward Web services," McKendrick said. But if Web services providers can't resolve standards conflicts, potential customers may rely on incompatible specifications. Without adequate guidance on standards compliance, said Mike Gilpin, an analyst with Forrester, customers might eschew Web services altogether and rely on custom coding to make different vendors' products work together.

The W3C created the first round of Web services specifications, which tended to focus on low-level, core functionality such as Simple Object Access Protocol (SOAP) and Web Services Description Language (WSDL). OASIS has concentrated on higher-level functionality for Web services, such as security, authentication, registries, business process execution, and reliable messaging. Last year, WS-I issued guidelines to help developers build software that complies with Web services specifications covering basic data exchange and formatting issues.

These include:

SOAP 1.1—a specification authored by DevelopMentor, IBM, Lotus, Microsoft, and UserLand Software—transports a message between two points and can include extra information such as routing and the security mechanisms being used.
WSDL 1.1—authored by Ariba, IBM, and Microsoft—is an XML-based language that provides a description of the message, the protocols used (SOAP 1.1 or HTTP 1.1, for example), and the address of the Web service. WSDL 1.1. is a complementary technology to SOAP since it contains a description of the SOAP messages being exchanged.
The Universal Description, Discovery and Integration (UDDI) specification—originally developed by Ariba, IBM, and Microsoft—enables companies and applications to quickly find Web services over the Internet and allows operational registries to be maintained for different purposes in different contexts. UDDI lists available Web services from different companies, gives their descriptions, and provides instructions for using them.

WS-I, which has more than 170 members worldwide, isn't a standards body but a provider of guidelines and test tools for Web services interoperability. Its focus is on documenting which options to use and how to interpret vague specification text. Established in February 2002 by Microsoft, IBM, BEA Systems, and Intel, WS-I combines different Web services pieces in an installation-ready package, which it calls profiles.

The organization has made some progress in enlisting vendors to work together to resolve interoperability issues. WS-I's Basic Profile 1.0, issued in April 2004, is now considered the "essential guide to addressing interoperability issues that come up between Web services," noted McKendrick.

Even though WS-I was formed to create interoperatibility among Web services technologies, the process hasn't eliminated intervendor issues. For example, Sun Microsystems was originally shut out of the WS-I's founding membership at Microsoft's request. Sun complained, was admitted, and is now on the board.

"I'd love to get everyone to say there's one set of standards and keep overt agendas at the door, because you don't serve customers that way," said Dave Watson, CTO of Kaiser Permanente, which is active in WS-I. "But the agendas that form these groups don't allow that."

Business process automation

A number of companies such as BEA Systems, IBM, and SAP have developed the Business Process Execution Language for Web services. All three companies submitted BPEL to OASIS in May 2003. An OASIS technical committee is finalizing an approved version of the specification—although no date has been set yet for final approval.

BPEL uses Web services for business process automation. For example, a user booking a travel package online might want an airline ticket, hotel, and rental car—all of which have identical departure and return dates. Web services communicate with multiple providers in parallel to ensure that all criteria and price guidelines are met to complete the transactions. The real benefit is reduced development time and improved business process flexibility.

Another important business process called choreography is also useful for complex automation services. Choreography provides a set of rules that explains how different components may act together, and in what sequence, giving a flexible, systemic view of the process. The W3C's WS-Choreography Working Group, which includes Hewlett-Packard (H-P), Oracle, and Sun Microsystems (but not IBM and Microsoft), is working on the Web services Choreography Description Language Version 1.0 specification (WS-CDL).

According to Philippe Le Hegaret, architecture domain leader for the W3C, a key Web services goal is conformance—the integration of applications so they share the same rules of engagement.

"Because a well-defined choreography guarantees conformance across application domains, businesses gain faster time to market," he said. "WS-CDL defines peer-to-peer collaboration between Web service participants."

Reliable messaging

As Web services start to be deployed across enterprise boundaries and for collaborative e-business and e-transaction scenarios, and especially where significant economic value is riding on the messages (as opposed to casual email, for example), reliability becomes a critical issue.

Communications over the Internet (and intranets) is inherently unreliable, noted Le Hegaret, as current transport protocols, such as HTTP and SMTP, and other message delivery protocols admit conditions that don't offer guaranteed or ordered delivery. Yet Web services messages need to be delivered to the ultimate receiver, even in the presence of a component, system, or network failure.

Reliable messaging thus helps ensure the quality of services between two parties. It guarantees the delivery of a message, eliminates duplicate messages, and guarantees the ordering of a group of messages. A purchase order is a good use case to eliminate duplicate messages while ensuring that the order was received at the other end. A retransmission of the order without any ability to uniquely identify it would generate two purchase orders instead of one.

Guaranteed message ordering ensures that a group of messages will be received by the destination application in the order they have been sent. "This becomes important when a message makes the assumption that a precedent message was indeed received," said Le Hegaret.

Two specifications addressing reliable messaging have emerged. WS Reliable Messaging (WSRM), which has not been submitted to a standards body, is backed by IBM, Microsoft, BEA Systems, and their technical partners. WS-Reliability (WSR), supported by Fujitsu, Hitachi, NEC, Oracle, Sonic Software, and Sun Microsystems, may be approved as an OASIS standard by the end of 2004.

WSRM relies implicitly on the addressing mechanism defined in WS-Addressing, whereas WSR explicitly introduces its own address mechanism. An addressing mechanism provides the capability to direct messages—for example, replies/faults—to specific Web services; in other words, it is equivalent to a message routing mechanism.

According to Eisaku Nishiyama, a Software Division section manager for Hitachi, Ltd., both sides are making an effort to settle the differences.

"We invited the WSRM proponents to join the OASIS Web services Reliable Messaging Technical Committee and, even after they published WSRM, we have continued to suggest to them that they submit the specification to the committee," Nishiyama said.

"It's just natural in business that there are different approaches to the same problem," noted Andy Astor, vice president of standards strategy for webMethods, a Web services infrastructure company. Astor also serves on the WS-I board. "We're confident that as they converge over time, a consensus will emerge, and we'll have a standard that will benefit everyone."

Security initiatives

As Web services become an integral component of the e-business infrastructure, security becomes paramount. Two security initiatives currently are under development.

WS-I. The WS-I issued a revised Security Scenarios document in February laying the groundwork for the scope and requirements of the WS-I Basic Security Profile, a set of nonproprietary Web services specifications. It subsequently released a public version of the working draft in May and is still soliciting feedback. To date, no standards organizations have released security scenarios.

WS-Federation. IBM, Microsoft, BEA Systems, RSA Security, and VeriSign have developed WS-Federation, a security specification that replicates some of the features of the Web Services Framework (WSF) and the Security Assertion Markup Language (SAML) 2.0.

To date, WS-Federation has not been officially submitted for formal standardization. WS-Federation describes a standard technology framework for creating and authenticating user identities, then using Web services to share that identity within a company or with customers or business partners. Proponents say the specification would let companies using different security schemes do business securely, which would help facilitate e-commerce transactions, for example, when moving from an employee web portal offering access to a health maintenance organization to one offering access to retirement account information.

"WS-Federation overlaps with functionality promised in SAML 2.0 and the Liberty Alliance specifications," said Juneja. "The good news here is that both specifications are still evolving based on the demands of the marketplace, so there will be some convergence."

Liberty Alliance. The Liberty Alliance Project is a consortium of more than 150 companies and nonprofit and government organizations from around the globe. Liberty Alliance is committed to developing an open standard for federated network identity that supports all current and emerging network devices. Key members include Sun, HP, Nokia, Intel, General Motors, and Novell.

A variety of companies use the Liberty ID-WSF specification, and some vendors and products have earned the right to display the Liberty Interoperable logo by passing a series of interoperability tests. With the Nokia WAP Gateway, for example, mobile phones can use Liberty Single Sign-On and Authentication by functioning as a Liberty-enabled proxy and providing access to external identity providers. General Motors is incorporating federal identity management and Liberty specifications within MySocrates, the employee intranet. America Online uses Liberty specifications to extend access to AOL's Internet broadcasting service, Radio@AOL, beyond the computer and into any room with a TV or stereo.

Federated identity allows users to link identity information between accounts without centrally storing personal information. Users can control when and how their accounts and attributes are linked and shared between domains and service providers, giving them greater control over their personal data. In practice, this means that users can be authenticated by one company or Web site and be recognized and delivered personal content and services in other locations without having to reauthenticate or sign on with a separate username and password. This provides a framework that helps large corporations interact with business partners and customers without re-entering credentials.

For example, Company A has several inventory and production applications within its portal and wants the employees of Company B to access these applications. Without a federated identity, A must manage the credentials, profiles, and logins of each employee from B. Federated identity allows employees from B to access A's applications without the burden of managing the identities. An employee who no longer works for B will be locked out of A's applications immediately without any identity management from A.

Sun Microsystems and several other companies developed the Liberty Alliance Project's Web services security specification, portions of which were submitted to the OASIS Security Services Technical Committee in connection with work on OASIS' SAML v2.0 Committee draft.

According to Patrick Gannon, president and CEO of OASIS, the specification is expected to be submitted to OASIS members for approval as a standard at the end of 2004. Gannon said the committee has also used this material to add features to SAML that provide some interoperability with the Liberty specifications.

"Liberty retains its separate existence as a project and organization, and OASIS members have indicated that they expect SAML to be compatible with multiple methods of identity management, not just Liberty," Gannon said.

NEXT-GENERATION APPLICATIONS

A primary goal of Web services is to unlock a new generation of e-commerce applications.

"Web services is about accessing and connecting data and unlocking the value of that data, especially in legacy systems," said Ron Favali, a spokesperson for IBM. "The real value comes in the new ability to mix and match componentized business processes with a componentized IT structure. Trying to solve a specific business issue is much easier if you can isolate the technology needed to address the business issue, which Web services enables."

Joe Keller, vice president of marketing for Java Web services at Sun Microsystems, added that Web services "also allow IT organizations to build a new class of software applications that vastly improve their ability to integrate the hodgepodge of software applications and architecture that are found in most enterprises today."

But the uncoordinated Web services standards process has resulted in some companies "predeveloping" a standard and then turning it over to a standards organization. For submitting vendors, notes McKendrick, this is just smart business, as it helps lead to a critical mass of new applications that interoperate with their own applications and tools.

"The downside is that it perpetuates the lock a particular vendor may already have on the market, giving their formerly proprietary approach the blessings of becoming an open one," he said. "Still, there's no better way of promoting a technology solution."

But Keller noted that Sun advocates using recognized standards bodies, where all work is conducted in the open, with equal access to technology.

"IBM and Microsoft believe it is more efficient to develop specifications in a closed process, and then turn it over to a standards body for its blessing. This has resulted in overlapping industry efforts, which Sun is working hard to drive industry convergence on. There is no real evidence that the closed approach results in faster standards," said Keller.

WHAT'S NEXT FOR WEB SERVICES?

"There are multiple standards competing for each problem space in Web services," noted Evans Data's McKendrick. "Generally, however, for every set of competing standards, there is a clear leader, either by virtue of backing from the dominant players or because there are usable implementations. More damaging than competing specifications are vendor politics, which creates much fear, uncertainty, and doubt in the Web services space—a familiar beast to anyone that has been in IT over the past two decades."

But OASIS's Gannon disagrees. "The media often exaggerates the concept of standards wars," Gannon said. "Web services standardization is a huge area with much ongoing work that needs to happen—and is happening. It makes sense for some of this work to take place within W3C alongside related infrastructure specifications, and for other work to take place within OASIS alongside related infrastructure and implementation methods."

Web services have no value if they're not interoperable, and interoperability is based on standards compliance. For the immediate future, noted McKendrick, Web services hold the most promise for boosting IT productivity.

"Web services only show their value when deployed on an enterprise basis. There is still a lack of understanding among non-IT managers about what Web services can accomplish," he said. "IT budgets are still tight, and we have to show corporations how Web services can save money and eventually increase revenues—in a big way. We haven't done this yet."

If more than one standard emerges for the same Web-services task, some companies could create adapters—layers of software that transparently translate concepts from one technology into equivalent concepts in another technology, supporting the latter without having to implement it—or simply maintain two sets of products. But Sun's Keller said while this may bridge the difference between how two different specifications implement similar functionality, "it's a Band-Aid solution that will only be used until it becomes clear which specification will gain market traction as the preferred approach. This is not a great solution since it adds performance overhead and additional complexity to a services infrastructure."

"Having two standards to solve a particular problem will complicate the implementation of Web services," said W3C's Le Hegaret. "However, it will not prevent their adoption. "It's safe to predict that many competing Web services efforts will consolidate."

Whit Andrews, research director for Gartner, said WS-Reliability and WS Reliable Messaging "are very likely to become a single effort."

Yet Ron Schmelzer, an analyst with ZapThink, said no one wants to give up their product differentiation. "Vendors rarely decide which standards are best," he said. "It's the end users and customers who decide based on a value immediately seen, or a huge company like Wal-Mart or Boeing saying, 'we'll do it this way.' Then it becomes mandated. End of story. There is no right way—with Web services there will continue to be give and take between simplicity and completeness."

Neal Leavitt is president of Fallbrook, CA-based Leavitt Communications, an international marketing communications company. He writes frequently on Internet and high technology topics. Contact him at neal@leavcom.com.

Return to: Articles Index