Resteasy Project: JAX-RS Restful Web Services implementation

February 25, 2008

billburke java, jboss, REST, Webservices 12 Comments

I’m pleased to announce the first beta release of the JBoss Resteasy JAX-RS implementation!

After about 4 months of on and off development, I finally have a working version of the new JSR-311, JAX-RS specification. For those of you who don’t know, JSR-311 is a RESTFul Web Services implementation for Java and is slated to be included within Java EE 6. The spec is still a bit of a moving target, but its still pretty useful. Let me know what you think!

Features:

  • JAX-RS implementation (almost full, still have a few minor things here and there)
  • Portable to any app-server/Tomcat that runs on JDK 5 or higher
  • EJB 3.0 and Spring integration
  • Client framework to make writing HTTP clients easy (JAX-RS only define server bindings)

Where can I find out more?

All information, including where to download it, is available on our Resteasy WIKI.

Is JAX-RS (Restful Java) just another IDL?

January 21, 2008

billburke java, JAX-RS, REST, Webservices 3 Comments

I was reading a bit of Steve Vinoski’s blog on how some think REST requires a definition language like WSDL or IDL. He first mentions it within Serendipitous Reuse, and further expands on it in the blogs Lying Through Their Teeth: Easy vs. Simple, IDL vs. Human Documentation and More REST and IDL. If you are a REST fan or detractor these blogs as well as the blogs they link to are a good read and gets you thinking about things.

I’ve been implementing JAX-RS, JSR-311, off and on the past few months. Vinoski’s blogs made me think, is JSR-311 just another definition language? The language being Java + JAX-RS anotations? Maybe I’m dwelling over the obvious here, but let’s do the exercise anyways…

Vinoski paraphrases Ryan Tomayko on what might be the erroneous use of a RESTful definition language:

Among other things, Ryan touches on one of the favorite assertions of the REST detractors, which is that REST can’t be effective without an interface/service/resource definition language. After all, without such a language, how can you generate code, which in turn will ease the development of the distributed system by making it all look like a local system? Not surprisingly, the first comment on Ryan’s blog entry is exactly along these lines.

First of all, I don’t think JAX-RS is trying to make a distributed system look like a local one. Yes, its trying to remove a lot of boilerplate code. Yes, using JAX-RS could turn a POJO into a distributed RESTful resource.

public class BookStore {
    @GET @Path("/books/{id}")
    @ProduceMime("application/json")
    public String getBook(@PathParam("id") int id) {
         ... return a json representation of the Book
    }
}

JAX-RS does have some characteristics of a definition language. From the @GET and @Path annotations, you can determine how the resource is going to be invoked on. But, IMO though, it is more of a mapping language than a definition language. Its mapping a URI and http request/response to the invocation of a Java method. Its not trying to make our distributed system look like a local system.

Now, what about the idea I had of providing a client framework using JAX-RS annotations?

public interface BookStore {
    @GET @Path("/books/{id}")
    @ProduceMime("application/json")
    public String getBook(@PathParam("id") int id);
}

The idea here would be you generate a RESTful client proxy from a JAX-RS annotated interface that you could invoke on without writing http client code. Are we blurring the lines here? Are we hiding too much the fact that our BookStore is a remote distributed service? I’ll leave that up to you to decide…

MVC plumbing sucks

January 9, 2008

billburke REST 3 Comments

I agree with new JBossian, Andy Rubinger. Plumbing sucks. Andy talks about how he hates Struts, et al. and wished he could rip it out for a more lightweight model where the client is Ajax/JavaScript talking directly to EJBs on the server side. Andy is a young guy (still in his 20’s I believe) so he possibly missed all the 3-tiered application development done in the mid-90’s with VB, VC++, and Power Builder. Personally, I miss those days because GUI development was fun and productive.

If Andy likes this idea so much, he should take a look at what Jeff, Nolan, and Ben are doing at Appcelerator. The Appcelerator approach is interesting in that it is very much like Andy wants. They turn HTML/Ajaxey based applications into an event/message based model. What I think is interesting about their approach is:

  • You can mock-up your server interactions directly within your web pages. This allows the client app developers to create a working application that doesn’t require a server to run and that can be developed independently of server side business logic
  • Your server can become stateless. Since AJAX applications can hold state, this means no more HTTP Session replication on the server side and that the server needs less memory.
  • Client architecture is decoupled from the server side architecture (but not completely, I’ll explain later). With JSF, Seam, Spring, or (insert your favorite Java webflow framework here), you’re basically married to Java. This means no experimenting with Ruby, Groovy, Rails, Grails (why you’d want to, I don’t really know 😉 but hey, you have the option). Appcelerator works with Java, Ruby, Python, and even .Net.
  • Things like validation are done on the client by marking up the validation logic directly on HTML elements. Other AJAX frameworks do validation on the server by sending tons of mini messages back and forth. What a silly idea guys. You wonder why you have to do unnecessary rearchitectures like Jetty’s continuations. Anybody who has ever written a distributed application realizes that to scale you must minimize message passing.
  • You don’t write much Javascript. You embed event modeling directly with HTML attributes.

There’s a billion AJAX frameworks out there. I couldn’t find any out there that had all these attributes. (If you know of one, I’d be happy to add and edit this blog). What I didn’t like about their project was:

  • You still have to edit HTML. Not sure how well app-dev lifecycle would work if you used a professional designer app with Appcelerator.
  • I’m not sure how they would handle localization/internationalization.
  • Their widget set is still relatively small
  • Appcelerator’s distributed messaging architecture is Appcelerator specific. Yeah, it works on Ruby, Java, et al. but you still have a coupling between your client and server architectures via Appcelerator’s messaging layer. Which brings me to my next point…

What if you replace EJB invocations in Andy’s utopia and appcelerator messages in Appceleratorland with a REST based approach? Bill Higgins wrote a great article about AJAX + REST awhile back. If this approach goes mainstream, we’re just turning the clocks back to a 3-tiered architecture. I dont’ think that’s a bad thing though!

There is at least one drawback I can thinking of. Hyperlinks. Hyperlinks are just so important in integration and propagation of information. In a pure AJAX+REST approach, you give up on hyperlinking and your app behaves really like a traditional Swing/VB/PB app.  Another thing is that sometimes it does make a lot of sense for the server to render content.  In these situations I still believe we can keep the server stateless and combine it somehow with teh AJAX+REST approach.  Whoever can pick out the valuable pieces of Struts-like apps and combine it with the AJAX+REST approach will truly have something compelling.

Do we need complex restful content negotiation?

November 30, 2007

billburke REST, Webservices 3 Comments

A couple of weeks ago I finally got down to implementing the JSR-311 Restful web services specification I talked about in a previous blog.  In reading the JSR mail list and looking into HTTP content negotiation, a few questions popped up in regards to the programmatic web.

  • Why would a client ever send more than one Accept header?
  • Why would a client or server ever produce or consume wildcard content types?  i.e. “text/*” or even “*/*”?

I know in theory that the idea is that an application can dynamically search for resources, on the web and just invoke on them.  But when does any real application not have complete determinism?  When you’re writing a distributed application, you research the services you are going to interact with.  What exact data formats do they product?  What exact formats do they consume?  Otherwise its nearly impossible to implement your application.  Coding isn’t guess work.  You’re not going to invoke a service and hope it gives you back something you understand and vice-versa.  So please, somebody, give me real live use cases for this type of complex content negotiation.

Client driven business activity

October 15, 2007

billburke REST, transactions, Webservices 3 Comments

In my previous blog, Distributed Compensation with REST and jBPM, I talked about removing complexity from both the distributed protocol and the server by forcing (or enabling, depending on your perspective) the client to handle things like business activity and compensating transactions. I asked the question, where does this leave WS-BA or more importantly, JBoss’s Business Activity Framework? It could easily still be used in a one process, web application. Many web applications are long running transactions that require compensation. But, I still think JBoss’s Business Activity Framework could be useful to help orchestrate distributed services, even restful ones, if we make compensation metadata available to the client so a local-only business activity coordinator could do its work locally. This would give us the decoupling benefit of BA, but would also allow us to keep our remote services stateless (and restful). The idea would be to move the BA annotations from the bean class, to the business interface:

public interface TravelAgent {
	@BACompensatedBy(value="cancel")
        @BAResult("reservationNumber")
        public int book(int room);

        public void cancel(@BAParam("reservationNumber") int reserverationNumber);
}

A client-side smart proxy could hide the interaction with the local activity coordinator. Another idea would be for the business process engine to introspect service references to see if they are annotated with compensation metadata, and interact with the coordinator themselves. A nice side effect of putting the metadata within the interface is that your service becomes self documenting. The user of this service knows exactly what’s going on by looking at the code.

You could combine this annotation-driven approach with the restful client-side framework I suggested in my comments on JSR-311.

public interface TravelAgent {
	@BACompensatedBy(value="cancel")
        @BAResult("$r.getId()")
        @UriTemplate("/hotel/reservations")
        @HttpMethod("POST")
        @Location("/hotel/reservations/$r.id")
        public Reservation book(@QueryParam("room") int room);

        @UriTemplate("/hotel/reservations/{reservationNumber}")
        @HttpMethod("DELETE")
        public void cancel(@BAParam("reservationNumber")  @UriParam("reservationNumber") int reserverationNumber);
}

This could make it fairly easy and metadata driven to have restful services interact with business activity.

In Java-to-Java calls, for example a remote or local EJB invocation, you wouldn’t necessarily need an interface-driven approach. The JBoss EJB 3.0 implementation, for instance, allows you to define both client-side and server side interceptors. At deployment time, the EJB container could scan the bean class for BA metadata, create a client interceptor initialized with this meta information, and attach the client interceptor to the proxy that is published to clients.

I think client driven conversations where the client holds all state makes for better written distributed services as they can be written in a more stateless, scalable manner. This doesn’t mean that you’d be able to apply this pattern to all scenarios. That’s why I think it might be interesting to make this approach configurable. The client must drive the compensation, the server must be allowed to participate in resource registration, or even a configuration of the client can decide whether it wants drive the coordination or not are all valid scenarios. Anyways, if you experiment with any of these patterns let me know. It would be cool to hear some real, live user experience instead of just guessing on whether or not this would be a good approach.

JSR 311, JAX-RS: Comment and suggestions

October 1, 2007

billburke JAX-RS, jboss, REST, Webservices 12 Comments

Since I’m so RESTless lately I started thinking about what JBoss could do to help with this effort. We’re involved with JSR-311, which is defining a server-side framework for REST web services, so I decided to contact Heiko Braun, our representative on this specification. I got a copy of the latest draft and dived in. Sometimes the rules of the JCP prevent you from talking about a specification publicly (please correct me if I’m wrong), so I wasn’t sure I could blog about this specification. But, since Brian Leonard has blogged about 311, then I guess I can too.

I don’t want to get into too much detail on 311. Instead please read Brian’s blog and follow the additional links he provides. 311 does seem like it is just standardizing the REST framework Sun has already written. I will though provide example code so that I can reference it later in this blog.

public class Shopping {
   @HttpMethod("GET")
   @UriTemplate("/shopping/orders")
   @ProduceMime("text/xml")
   public String getAllOrders(@QueryParam("expand") boolean expand) {...}

   @HttpMethod("POST")
   @UriTemplate("/shopping/orders")
   @ConsumeMime("text/xml")
   public String buy(Document order) {...}

   @HttpMethod("GET")
   @UriTemplate("/shopping/orders/{id}")
   @ProduceMime("text/xml")
   public String getOrder(@UriParam("id") int orderNum) {...}

   @HttpMethod("DELETE")
   @UriTemplate("/shopping/orders/{id}")
   public void deleteOrder(@UriParam("id") int orderNum) {...}
}

The spec allows you to map http header entries, query parameters, and individual elements within a URI to a method invocation and its parameters and return types. You can also specify what MIME types a method produces and consumes. The spec also provides you with the ability to define factories that can map representations to and from Java objects.

Change suggestions

After reading the specification and browing the Sun REST framework documentation, I have a few suggestions I’d like to make to JSR 311.

Remove magic methods

It seems like @HttpMethod can be placed without a http method identifier on a Java method and the HTTP method type inferred through the Java method name.

@HttpMethod String getOrders()

In this example, HTTP GET would be used because getOrders() begins with the string ‘get’. I never liked the idea of magic method names. They are too fragile and IMO, just bad programming practice. Instead let’s……..

Annotation refactoring of @HttpMethod

Annotation frameworks should be as tiny and concise as possible. Avoid verbosity at all costs. I’d like to see @HttpMethod replace with a more concrete set of http annotations with the additional ability of being able to define a uri template embedded within these applications. So, instead of @javax.ws.rest.HttpMethod (or whatever the package name will be), let’s instead have individual Get, Put, Post, Delete, and Options annotations under the package @javax.ws.rest.httpmethod:

public @interface Get {

   String value() default "";

}

The value() of Get, Post, Delete, etc. would be an optional uri template. So, instead of the verbose:

   @HttpMethod("GET")
   @UriTemplate("/shopping/orders/{id}")
   @ProduceMime("text/xml")
   public String getOrder(@UriParam("id") int orderNum) {...}

We would get:

   @Get("/shopping/orders/{id}")
   @ProduceMime("text/xml")
   public String getOrder(@UriParam("id") int orderNum) {...}

Reduces one line of typing and also, IMO, makes things easier to read.

Allow annotations on an interface instead

RESTful classes should be allowed to declare their REST annotations on the methods of an interface instead of on the class methods. IMO, this is a better way of isolating the published interface of a service. Doing so would also allow the EJB specification to adopt REST and be able to publish remote, local, and restful interfaces to the outside world. Another interesting side affect of this is….

How about a client side framework?

Another interesting side affect of being able to apply REST annotations to an interface is that this interface could be re-used by a client-side framework to generate a proxy that could invoke on REST web services. The client-side programmer could use the same annotations to describe many REST web services that may or may not be using the server-side implementation of 311 or even Java at all! Doesn’t seem like much more effort to define this client-side API.

@Location annotation?

One common pattern I’ve seen in the REST articles and books I have read is that when you have a service method that creates a new object or queries for an existing object, and Location header should be sent back to the client containing the URI the resource is locatable. The 311 spec seems to support this by allowing the user to return a spec-define Response class. What if instead, we provided the ability to map a return value to a Location header?

@Post("/shopping/orders")
@Location("/shopping/orders/{$r}")
public int buy(Document order) {...}

The $r would represent the string representation of the returned value of the buy() method. The client would receive an empty response with a Location header pointing to the new resource created by the buy() method. We could get even funkier in the @Location annotation and allow Unified EL expressions.

@Post("/shopping/orders")
@Location("/shopping/orders/{$r.getId()}")
public Order buy(Document order) {...}

This kind of flexibility could allow one object to be used both RESTfully and locally.

Security?

Another thing I see missing is security hooks. For instance, how about an annotation specifiying whether the resource should be accessed over HTTPS or not? How about an annotation that allows you to plug in an authentication mechanism? IMO, 311 shouldn’t be diving into defining security protocols, but should at least think about providing metadata that allows you to plug in your own implementation. Then again, maybe authentication is best left to being implemented in servlet filters. I don’t know…

XML Descriptor?

There are some bigots out there that despise annotations. An XML descriptor should be created that can define this type of metadata. It should follow the style of other EE components so that we can do things like integrating JAX-RS with EJB.

EJB bridge

The 311 specification does talk about how JAX-RS interacts in a servlet environment. I’d also like to see some work done so that EJBs can become restful as well. This will probably require some work around define lifecycle and creating an annotation like @Restful to ping the container that it needs to perform restful bindings. This would also require work with the EJB 3.1 JSR to expose JAX-RS XML descriptors within EJB 3.1. Red hat would be happy to drive this in the EJB 3.1 expert group.

More to come

I’m seriously thinking about implementing 311 with the changes I’ve suggested here and integrating it with our EJB3 implementation. Hopefully I have the time. Maybe somebody in the community would be interested? I’d be happy to help as long as the individual showed initiative and ability to work on their own. I’ll also talk to Heiko more on what he thinks should be massaged in the specification and blog about them here.

Mark’s rebuttal on compensations with REST and JBPM

September 18, 2007

billburke jbpm, REST, transactions, Webservices 3 Comments

I got what I hoped for. Mark Little responded to my previous blog. Cool, now I’ll really start to learn something…. Let me respond to some of his comments:

Bill: “One of my concerns is the complexity of the WS-* layer and how it affects maintainability and evolvability of a distributed system. WS-* requires both the client and server to have the necessary middleware components and libraries installed to work.”

Mark: Yes, but that’s the case for any distributed system: the endpoints have got to be able to understand each other or go through some intermediary that can do the protocol/data translation. The same is true for HTTP though.
Mark’s right, I said something obvious, but I think the layers you have to have in sync are very different in size and complexity. While a REST over HTTP web service only really requires an HTTP client, HTTP web service, and maybe an XML parser, WS-* requires those plus all the WS-* libraries, plus any generated stubs. What I like about REST over HTTP you can actually tell the server what data format you’re sending (content-type) and what format you want back (accept). Maybe there is something equivalent in the WS soup of specifications, but it doesn’t seem like that is what the industry is pushing as its default framework.

Bill: “What I continually like about REST over HTTP is that there is little to no requirement on either the client or server side for additional libraries or generated stubs other than a http client library and a http server.

Mark: So let’s assume we can get everyone to agree to use HTTP (not a big assumption, so I’m happy with this). Then we have to get them to agree to the protocol data, the format, representation, etc. that actually flows between the endpoints. It’s no good someone saying “because we agree on PUT or GET that’s the end of the story.” That’s a bit like saying that because we agree on using letters and envelopes to send mail around the world the recipients will be able to understand what’s being sent!

Its eerie. I gave the same argument to Vinoski over private email months ago, but then I thought about it a bit more. Don’t you have to do the same thing with WS? You still have to agree on the message you are sending. What is the name of the remote method call you are invoking. What are its parameters. What is the data format of its parameters, and so on. What allowed me to break the internal conflict I had was when I came to this realization: What if you think of PUT, GET, POST, DELETE, and OPTIONS as a set of metadata?

@Put void createOrder(Document theOrder);
@Delete void deleteOrder(int orderNum);
@Get Document getOrder();

Maybe I’m crazy, but these HTTP operations are really nothing more than annotations on a method. In using REST over HTTP, yes, you still have to agree on the data format exchange, but you are providing clearly defined, distinct, exact, metadata on the behavior of your endpoint. Behavior that can be generically communicated to mature tools and services that have been around forever that your operations department knows how to operate and fine tune your application with.

Mark: The Web works because the standards/specifications on which it is based were laid down back in the early 1990’s and haven’t really changed. The W3C manages them and everyone agreed to abide by them very early on; there’s strong commercial incentive not to change things. That has nothing to do with REST and everything to do with protocol agreement: same thing has happened with WS-*.

I am officially in my late 30s. I did work through both the short-lived DCE and long-lived CORBA eras that touted the same story of interoperability. Sorry if I am skeptical and worried that the industry will yet again re-invent itself in another 5-10 years.

Mark: Yes, we have interoperability on the WWW (ignoring the differences in HTML syntax and browsers). But we do not have interoperabilty for transactions, reliable messaging, workflow etc.

A wise man once told me if you run into a wall, redefine the problem. To me, that’s what the whole REST exercise is, redefining the problem in distributed computing. The whole underlying point of my previous blog was that maybe you don’t need interoperability for transactions, reliable messaging, and workflow in a distributed environment, if you let the client drive the application. Yes, you need transactions, reliable messaging and workflow at the client. The idioms I described with jBPM use all three of these subsystems, but they do not require a remote protocol definition. As responsible engineers, we should be questioning the need for WS-*. The amount of investment is just too huge for any organization. There’s too much money and time to be lost.

Bill’s next point was around flexibility. He mentions the ordering of compensations can sometimes (often?) be important and that you can’t rely on ordering within WS-BA. Unfortunately that’s not correct, as was pointed out several years ago.
Apologies. I didn’t make this mistake intentionally. The article Mark points out was one of the things I read before writing my previous blog. The talk of scopes was a little confusing there. Seemed more of talk of nested transactions than the control of ordering. But, even so, I still don’t get the need for it. Why the need for BA if it is not going to do things automatically for you? If the line between your business process and your compensation engine is starting to blur, why not have your bpm and compensation engine be the same thing? Cuts out one less piece of infrastructure you have to install and manage.

So just because I decide to use REST and HTTP doesn’t mean I get instant portability and interoperability. Yes, I get interoperability at the low level, but it says nothing about interoperability at the payload. That’s damn hard to achieve, as we’ve seen over the past 7+ years.

Not so sure this is true. If your content type is text/xml, you’ll probably have an XSD associated with it. If you use the design by contract to implement your web services that people like the Spring guys are pushing, you really have the same thing.

Bill: You still have strong decoupling in a bpm driven activity. The difference is that instead of compensation being hidden by the server, it is visible, and in your face, embedded directly in the business process. With jBPM, you can look at the process diagram and know exactly the flow of success and failure conditions of your distributed application. With BA, you would have to dive into the documentation and code to determine how your application functions.”

Mark: Yes, that’s right, but no different to what you’d find with a good WS-BPEL implementation.

See? I knew I’d learn something. But when I said “a bpm engine like jBPM might be a better solution to manage compensations.” I meant any bpm engine. What I really want here is to have the client drive the application and simplify the complexity of the distributed protocol. This is why I said I really liked the idea of using BA with a web application. It would all be local and controllable. After reading up on BPEL compensation handlers, I also like the idea of using them with RESTful web services. Again, put all the responsibility on the client for managing the coordination.  Then we don’t have a dual dependency on an in-sync client and server.

Distributed Compensation with REST and jBPM

September 18, 2007

billburke jbpm, REST, transactions, Webservices 9 Comments

Over the past few months I’ve been leading up to something. Although I was researching and diving into specifics of compensations, jbpm, and REST, I had a much grander purpose in writing these specific blogs:

These blogs were specifically written as a thought exercise in what it would take to write a coordinated distributed application. What pieces would we really need? Where does WS-* fit in? How about REST and BPM? Do we really need a business activity framework? How can we write scalable and maintainable distributed systems? I want to pull together my thoughts on the answers to these questions in this blog entry as well as ask a few more.

Maintainability: REST over WS

One of my concerns is the complexity of the WS-* layer and how it affects maintainability and evolvability of a distributed system. WS-* requires both the client and server to have the necessary middleware components and libraries installed to work. A distributed application usually means that it is an integration project. You are probably integrating with systems you do not control. There is probably a good chance you would not be able to bring down these systems to install or upgrade their middleware architecture. They may be poorly maintained or even not maintained at all. This is where the idea of REST comes in to simplify things and make things more usable over time. Since it has constrained, well defined interfaces over a mature and stable protocol, it has a higher chance of letting your distributed applications evolve as the WWW has evolved.

What I continually like about REST over HTTP is that there is little to no requirement on either the client or server side for additional libraries or generated stubs other than a http client library and a http server. This doesn’t mean that you cannot use a client and/or server side framework to implement your RESTful services or connect to an existing service. You are free to use whatever you want to make yourself productive, but not at the expense of requiring the client or server to have anything installed other than HTTP support.

Flexibility: BPM vs. WS-Business Activity

Earlier this year Mark Little introduced me to the idea of compensating transactions and a framework that could manage such an application. My first thought was that this stuff was interesting, but my intuition was telling me that compensations were something that might have to be modeled rather than managed. That compensations were more of a business process than something that could be coordinated automatically. My feeling is that compensation could easily become too complex for a transaction manager to handle generically. That if you modified a transaction manager to handle these more complex scenarios it would quickly start to look like a bpm framework.

Take an abort event for example. The coordinator in a compensating framework like WS-Business Activity has to make decisions on what order to perform a compensatory action on the resources participating in the activity. A default LIFO ordering seems very appropriate on the surface, but it falls apart in even the simplest of examples. For instance, let’s revisit the example I gave in my previous blog of the ordering of a computer at an online retailer. The business process might look like this:

  1. Bill credit card
  2. Pull parts from inventory
  3. Assemble computer
  4. Install software
  5. QA
  6. Ship

Let’s say the customer canceled the order after it had reached the QA state, #5. Having the customer wait for a LIFO compensation to receive refund on their credit card is just not acceptable. They will not want to wait for installed software to be wiped, the computer disassembled and parts sent back to inventory before they receive their refund. Therefore a 1-4-3-2 ordering of compensations might be more appropriate. Let’s expand this scenario even further. What if the customer paid in cash? The cash refund process might take just as long as disassembling the computer would. Maybe it would make more sense to do the refund in parallel with the other compensations? So, state #1 could be done in parallel with 4, 3, and 2, but, 4-3-2 still has ordering dependencies. You can’t disassemble the computer before you’ve wiped the hardrive. You can’t send parts back to inventory before you’ve disassembled the computer. So, you see, in even the simplest of business activities, you can have variable and complex compensation ordering. This is why I think a bpm engine like jBPM might be a better solution to manage compensations.

When I had discussed this with Mark, he made a good point that you are just replacing one coordinator(BA) with another (jBPM). You still need a coordination engine. Although he is semantically correct, I think the solutions are very different. With BA you have something generic and decoupled from the business process. In a distributed system, it is also a defined contract that both the client and server must obey. Which brings me to my favorite quote in the O’Reilly RESTful Web Services book:

The client should be in charge of managing its own path through the application

While WS-BA puts the onus on both the client and server to have WS libraries that are of the same version and can interact with one another. This all works beautifully in controlled environments. You have a very nice decoupling between compensations and business logic in both client and server side code. But…. What happens when BA versions are out of sync, there’s interoperability problems, or even worse, one or more of the services you have to coordinate does not support WS-BA? With jBPM, success and failure paths are a part of the business process. There isn’t necessarily a contract between the client and server as the client is responsible for knowing how to compensate and to perform the compensation. You still have strong decoupling in a bpm driven activity. The difference is that instead of compensation being hidden by the server, it is visible, and in your face, embedded directly in the business process. With jBPM, you can look at the process diagram and know exactly the flow of success and failure conditions of your distributed application. With BA, you would have to dive into the documentation and code to determine how your application functions.

In his blog in late August, Heuristics, one-phase commit and compensations, Mark Little talks about his early compensation framework and its interaction with heuristics:

In both of these problem scenarios what typically happens is that someone (e.g., a system administrator) has to get to grips with the inconsistent data and figure out what was going on in the rest of the application in order to try to impose consistency. One of the important reasons this can’t really happen automatically (at the TM level) is because it required semantic information about the application, that simply isn’t available to the transaction system. They compensate manually.

Until then. What we were proposing was allowing developers to register compensation transactions with the coordinator that would be triggered upon certain events, such as heuristic outcomes or one-phase errors. And to do it opaquely as far as the application developer was concerned. Because these compensations are part of the transaction, they’d get logged so that they would be available during recovery. Plus, a developer could also define whether presumed abort, presumed commit or presumed nothing were the best approaches for the individual transaction to use (it has an affect on recovery and failure scenarios).

Reading this fed more fuel to my idea that compensations really belonged as part of a process model. Transactions that have heuristic outcomes many times require human intervention as well as action by the framework itself. Yes, there’s a lot a transaction manager could do to make it easier to record business activities, but you’re still going to have interact with a real person to resolve many issues. jBPM is great at modeling work that requires a human.

But what about reliability?

Great, so we’re going to use something like jBPM as both our coordination and compensation engine and REST to expose our services on the network. Can we trust these things to provide us with the reliability and consistency that we expect out of something like WS and WS-BA? If you’re modelling compensations in jBPM, you’re gonna need the ability to reliably perform these compensations. Luckily, I’ve already answered how you can guarantee execution and failure handling in jBPM. But what about REST, what does it add? If you have truly written RESTful services, you have a lot of reliability and consistency built into your application. HTTP GET, PUT, and DELETE are supposed to be idempotent, meaning that it doesn’t matter how many times you’ve invoked them, the result is the same. While jBPM can guarantee you execution and failure handling, it can’t guarantee that these events won’t be duplicated. Since your RESTful services should be idempotent, you won’t have to worry about it! (I know, easier said then done.)

Where does that leave WS-BA?

I did discuss my ideas a bit with Mark. One of his comments that struck home was “Imagine if you had to explicitly tell all of your XA resource managers to prepare and commit?” I’ll admit that in a WS-BA world, writing a client that integrates a bunch of distributed services into one business activity would be uber simple and clean. The work being done with the JBoss Business Activity Framework simplifies the server side greatly as well. A compensation framework like JBoss Business Activity, might work really really well in the controlled environment of a web application. Until I actually write one of these applications or talk to a bunch of users and customers that have used WS-BA to model their integration project, I will remain skeptical. I just hope that I can get the feedback I need to further formulate my thoughts on this subject. Your thoughts and experiences??????

REST vs. SOAP: Ops vs. Dev?

August 22, 2007

billburke REST, Webservices 5 Comments

I’ve been reading a lot about REST, REST vs. SOAP, and security lately and came across this email thread post about how SOAP is so unsecure:

REST is not a security panacea. There is no silver bullet. All we can do is evaluate each layer’s *contribution* to security. SOAP’s is negative.It detracts from the security of the protocols that it runs on top of. If that were not the case then you would not be defensive about the idea that SOAP is designed to bypass firewalls.

I think I agree. SOAP does detract from the security of the protocols it runs on top of. Its trying to tunnel through port 80 and sneak past operations aversions to things like CORBA traffic. But is this such a bad thing? As far as this particular aspect of the SOAP vs. REST debate goes, what is the real underlying issue here? What I think it is is a matter of control. Ops doesn’t want CORBA/SOAP like requests because they can’t control what’s going back and forth over the wire. Control of the application has passed from operations to engineering.

From a developer point of view, we usually hate operations. You know the people I’m talking about. The control-freak paranoid dweebs that take at least a day to respond to any of our requests? They are the ones enforcing 10 character passwords that must be both alpha numeric, contain punctuation, upper and lower case, and that change once a month. They are the ones we have to sit in 3 hour meetings on whether to upgrade a certain library. It is like pulling teeth to get an operations guy to do anything beyond what they are trained to do. They are change resistant. They usually end up being blockers to our productivity. So its only natural that us developers would want to tunnel over HTTP to bypass these clowns. We have problems to solve, deadlines to meet, management breathing down our backs. They are the bureaucracy. Nobody is gonna come down on them when we can’t meet our deadlines.

On the flip side, operations is used to handling security issues. They have pre-existing tools and experience to deal with securing HTTP resources. Plus, managing the security aspect of an application is a tedious task. As developers, don’t we want ops handling this? Also, do we really want to waste the time training these idiots to a new technology? I guess it really depends how tech savvy and un-unionlike your ops guys are.

Side note:

Man, seems like I’m falling more and more into the REST camp. Its simpler. I want it to succeed. I’ve always disliked WS-*. But really, its probably because I’ve been focusing on pro-REST propaganda lately. I need to read some pro-SOAP articles.

RESTless, RESTFul, or RESTlike?

August 20, 2007

billburke REST, Webservices 8 Comments

A couple of weeks ago I ran into my old mentor from my Iona days, Steve Vinoski. I was in shock. The guy I looked up to (and still do) for years, the guy who used to have sideburns the size of Elvis’s turned all “queer” on me. How could the guy who taught me everything I know about distributed systems go all RESTful on me? Telling me basically that he’s hooked and will never go back. I had read a little bit about REST earlier and was a little skeptical, but now I really had to take a closer second look.

Its funny, REST seems to be a bit like learning AOP. With AOP, one or two sentences just doesn’t articulate exactly what it is, or how you are supposed to use it. REST seems very similar in this regard. I’m almost getting it, but am still a bit fuzzy on how to do certain things. Since REST is more of an architectural style rather than a concrete API, I guess my slowness and confusion is a little justified. Or maybe its because RESTful articles and blogs seem to spend so much time trashing SOAP and saying how wa-wa-wa, “the Web is proof of why REST is so great”, in other words, “REST is great because of REST”, and very little time on actual examples is why it takes so much reading to get to the heart of it. I don’t know…. Maybe its all my CORBA baggage? All my Java EE baggage? Anyways, I don’t want to go into yet another, what is REST blog. If you want information on the definition of REST, the REST Wiki is a better source, found this link too. No, what I want to do is go through my own thought process to see if the REST way of things is the golden path. To do that I want to walk through some of the basic cornerstones of REST.

Use of URIs

One of the cornerstones of REST is to have resource location modeled as a URI. This seems like a no brainer. When we modeled our EJB 3.0 container on top of JBoss Remoting, which is URL based, our design became much simpler and things like request failover were much easier to write. Yeah, yeah, not every EJB has its own URI, but moving to URI based endpoints made implementation easier. So +1 for REST here. Its interesting though. How many times do we run into issues in Java EE land because it does not define unified addressing of its services? Its been a big roadblock in writing portable frameworks. WS-* has to have a whole spec on the subject, funny eh?

Uniform Interface

RESTful articles make a good analogy between SQL and the RESTFul architecture. I won’t paraphrase, but instead, directly quote:

It is nevertheless imperative to question our basic assumptions. Consider a similar debate taking place in the 1960s. A radical researcher within IBM states that it is incredibly inefficient for each application to determine for itself how to store, index and search its data. He proposes the concept of a “generalized database”. Clearly this “database” would not be as optimized for a particular problem domain as a specialized data store. But then imagine the interoperability benefits if many applications could access the same data in a uniform fashion. Then, later, another IBM researcher makes an even more ridiculous claim. He states that the vast majority of the structured information in the world can be manipulated with only four operations: SELECT/INSERT/UPDATE/DELETE. Ludicrous! What about AddCustomerRecord, DeleteCustomerRecord, InsertCustomerRecord, UpdateCustomerRecord?

The idea is, that in a RESTful architecture, everything is modeled in terms of resources accessed through a URI, and only 4 CRUD HTTP operations of GET, POST, PUT, and DELETE. From my perspective it is very counter-intuitive to express object interfaces in terms of 4 methods. Doesn’t make much sense as an object designer of local models, but for distributed systems, it does make a lot of sense I think. The CORBA in me balked at this idea, but then I thought about it a little more. How many of us had interoperability problems between different vendors or even different versions? Not only that, but in WS-* land most of the time you need to generate and compile stubs so that you can actually invoke on a web service. With REST, all you need is a HTTP client library. With WS-* you need the HTTP client library plus all the other junk. While HTTP is a mature, well-known, agreed-upon protocol, WS-* is such a moving target.

The question is, with the uniform interface of GET, PUT, POST, and DELETE, aren’t we just pushing the complexity to the content type? To the data that is being transferred and received? I had this very same argument with Vinoski. After thinking about it for awhile, i’ll say, that SOAP has the exact same problem. With SOAP, you still have to define and agree upon the API. The REST approach seems simpler because the protocol is set and simple, it doesn’t have the baggage of SOAP which is a protocol tunneled over another protocol (HTTP).

With the uniform interface approach, it does seem like it would be a lot easier to model security roles. It would just be assigning CRUD permissions really instead of assigning individual permissions to each method like you do in Java EE land. Caching is obvious because GET should mean the operation is idempotent. I don’t know…uniform interface and protocol seems pretty compelling.
Content-type

Don’t have a lot to say here other than, doesn’t XML schema sort of make SOAP obsolete?

Statelessness

I remember one of the students in the JBoss advanced training a few years ago talking about holding the state of a SFSB in the client proxy and transferring it to the server with every request. This would make sessions really failure proof and make the server fully scalable. An interesting idea. I was thinking that this could be done with Seam conversations as well, i’ll get into that in another blog in a few weeks or so. This idea of the client maintaining conversational state and passing it to the server is compelling, at least in theory. My last blog I talked the JBoss Business Activity service. What if the client was the coordinator for business activities and managed all compensations? The idea focuses around a quote I read in O’Reilly’s RESTful Web Services book:

The client should be in charge of managing its own path through the application

I’d like to dive into this more in future blogs on both Seam and BA. But all these ideas sound pretty RESTlike to me, at least in terms of statelessness.

That’s all for now

Well, I pretty much asked more questions than I answered here. Probably didn’t enlighten you, dear reader, at all about REST. Maybe confused you a little more? Or maybe I just showed how much I am confused? 🙂 Like AOP, I think I have to actually implement something RESTful before I actually understand if it is the right approach. Right now I’ll say my leaning are neither RESTless nor RESTFul, but rather RESTlike. Who knows, I’ll probably end up getting angry at both approaches(SOAP and REST) and design my own BURKEful way of doing things. Such a burkeful architecture would definately only work on JBoss though 😉 Let’s see what happens….

P.S.

It is fate. A day after I wrote this blog (I write a few days or weeks before I publish), this TSS article came out. I’m also taking a look at O’Reilly’s Restful Web Services book. I’ll let you know sometime how it goes.

Newer Entries