Guideline
Operation names MUST start with a verb, followed by zero or more nouns and/or verbs.
The names MUST indicate the functionality from the viewpoint of the caller, i.e. what the caller expects to be done by the callee.
Operation Names and all other Identifiers MUST use UpperCamelCase.
Explanation
This guideline is common today in all modern programming environments and software platforms (J2EE, .NET). Since WSDL operations have the same intent, which is exemplified by the fact that code generation turns WSDL operations into programming language operations, it makes sense to adopt the same convention.
Some examples:
ReturnIncome(inss): callee, please give me (the caller) the Income data for the person with the given inss
UpdateIncome(inss, changes): callee, I ask you to update your records of person “inss” with these “changes”
SendIncomeUpdate(inss): send me, at some later time, the income update data on person “inss”
ProcessIncomeUpdate(inss, data): here are some income update “data” for person “inss”, please process them
Example
A request-reply operation:
Two related one-way operations. ProcessIncomeUpdate may occur out-of-bound:
Ask service provider, which is a SIF, to send Income Update to INSS
on some Person.
Ask service provider, which is INSS, to update some person's
Income information.
This operation can be the result of some earlier SendIncomeUpdate, or is sent
out-of-bound by SIF.
SOAPAction Guideline
In the WSDL SOAP binding, one MUST use the following pattern to construct the soapAction attribute:
[WSDL targetNamespace]/[port type]/[operation name]
Explanation
While WS-I Basic Profile does not require a soapAction in the SOAP binding, our tests have shown that defining a soapAction provides a better experience across vendors.
When a given SOAP implementation defaults to using the SOAPAction HTTP header for selecting the operation to invoke, then each operation must define a unique soapAction attribute in the SOAP binding.
Example
<wsdl:definitions targetNamespace=”.../schemas/WS/LegalInfo/V3”>
...
<wsdl:operation name="GetLegalInfoByInss">
<soap:operation soapAction=".../schemas/WS/LegalInfo/V3/LegalInfo/GetLegalInfoByInss"/>
...
wsdl:operation>
wsdl:definitions>
Note:
The targetNamespace has been abbreviated.
ApplHeader Guideline
A separate XML element MUST be present as the first child of the DLW wrapper element.
Explanation
The ApplHeader collects information about the message that is independent of the message type and must always be present. It must be an {XML Schema}element with name ApplHeader and type {MetaInfo}ApplHeaderStruct (>= V5) or reference {MetaInfo}ApplHeader (V4). It must be, in DLW parlance, the first parameter of the operation.
See MetaInfo_Vx.xsd for the definition of ApplHeader. Additional information can be found in the interface documentation that accompanies this XML Schema.
Example
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Suspend xmlns="http://www.rsvz-inasti.fgov.be/schemas/WS/Affiliation/V3"
xmlns:aff="http://www.rsvz-inasti.fgov.be/schemas/WS/schema/Affiliation/V3">
<meta:ApplHeader xmlns:meta="http://www.rsvz-inasti.fgov.be/schemas/WS/schema/MetaInfo/V4">
<meta:TimestampSent>2007-11-29T17:16:16.245+01:00meta:TimestampSent>
<meta:Origin>
<meta:Organization>000meta:Organization>
<meta:Application>200meta:Application>
meta:Origin>
<meta:Destination>
<meta:Organization>003meta:Organization>
<meta:Application>SOCIASmeta:Application>
meta:Destination>
<meta:MessageID>000000000009902meta:MessageID>
meta:ApplHeader>
<aff:INSS>83022134803aff:INSS>
<aff:AffiliationNbr>A073331716004aff:AffiliationNbr>
Suspend>
soap:Body>
soap:Envelope>
Error Handling Guideline
In general, a distinction MUST be made between the following conceptual Error Types:
Business Errors indicate violation of some business rule
System Errors are infrastructure related errors
Business errors are identified as part of a business process. The guidelines do not define how these errors are reported to a consumer.
When applicable, the SOAP faults that are defined in Helper_Vx.wsdl MUST be used to report System Errors:
AuthenticationFault
AuthorizationFault
SystemFault
ValidationFault
FluxSyncFault
Depending on the operation type, whether or not a specific fault may appear, MUST adhere to the rules summarized in the table below. ‘Yes’ means the given fault may appear in the result, ‘No’ means the given fault must never appear in the result, ‘n/a’ indicates that there is no reply possible.
SOAP Fault
|
RR Reply
|
POW Reply
|
AuthenticationFault
|
Yes
|
Yes
|
AuthorizationFault
|
Yes
|
Yes
|
SystemFault
|
Yes
|
Yes
|
ValidationFault
|
Yes
|
Yes
|
FluxSyncFault
|
Yes
|
No
|
SOAP infrastructure generated fault5
|
Yes
|
Yes
|
In POW, FluxSyncFaults MUST be reported by invoking a HandleFluxSyncFault operation on the service interface provided by the consumer.
SOAP faults defined by the Guidelines have further restrictions:
{soap}faultcode: element MUST contain either {soap}Client or {soap}Server.
{soap}Client: this value MUST only be used for AuthenticationFault, AuthorizationFault, ValidationFault and FluxSyncFault, with the interpretation given by the SOAP 1.1 specification.
{soap}faultstring SHOULD contain a (high-level) human readable description of the fault.
{soap}faultactor SHOULD contain “{MetaInfo}ErrorBaseStruct.Origin.Organization + ‘.’ + {MetaInfo}ErrorBaseStruct.Origin.Application
Explanation
First, System Error and Business Error are concepts that are independent of web services, .NET, JAVA or mainframe development to name a few. All errors can be categorized as such:
A Business Error is a violation of some business rule.
It may be interpreted by the (human or machine) user, and resolved, e.g. by changing input data.
A System Error is purely software-technical, often infrastructure related.
A user is typically informed in a general way, saying that ‘a general system error occurred – please contact your system administrator at phone...”. Users will merely report it to the helpdesk, and technical personnel (system operators, developers…) take action to resolve it.
The table below shows how concrete errors map to these conceptual errors:
Conceptual Error Type
|
Concrete Error Type
|
System Error
|
AuthenticationFault
|
AuthorizationFault
|
SystemFault
|
ValidationFault
|
FluxSyncFault
|
SOAP infrastructure generated fault, not under our control
|
Other infrastructure generated errors: HTTP errors, TCP/IP errors, system crash.
|
Business Error
|
SOAP fault defined in service interface definition
|
|
An ordinary SOAP message (i.e. SOAP response, or separate WSDL operation) communicating a business outcome dat happens to be a business rule violation.
|
Business Errors may be reported as a specific fault – defined in a service interface definition - but they can also be an ordinary one-way message or an ordinary reply in a request-reply message. However, System Errors should never be communicated as an ordinary xml element in a reply or message.
Communicating System Errors in a Request, both in RR or POW, does not make sense. A System Error is always the consequence of sending a message. So it is logical that it only appears in a reply. For a POW however the set of System Errors is very limited, as it can only be a validation error or some error related to the Persistent Store6. And of course, SOAP faults can only be communicated in a reply, as defined in the SOAP and WSDL specifications.
Business Errors are the result of processing a request by business logic, so only in a RR it may appear in the reply. In a POW it cannot appear in a Reply: the reply of a POW is a technical/delivery ack, no business processing has taken place yet.
However, a Business Error can appear in the Request of a POW, typically when an earlier POW was received and processed which resulted in a business rule violation, of which the sender is notified. The figure below illustrates this.
There is one other possible set of SOAP faults, those that are generated by the SOAP infrastructure itself which is out of control of the application developer. Typically they are generated by ESB products, code generated from WSDL’s, or SOAP intermediaries if they exist. These can only exist as a reply, never as a request.
Note that besides SOAP faults there are other System Errors, like HTTP or TCP/IP related errors. These are described in the next guideline.
Handling of System Errors - Idempotence Guideline
System Errors include the following:
TCP/IP errors
HTTP errors
SOAP faults generated by SOAP infrastructure
AuthenticationFault, AuthorizationFault, SystemFault, ValidationFault and FluxSyncFault faults
Senders that detect a System Error, and that want to resend the same message, MUST use the same {MetaInfo}ApplHeader.MessageID, {MetaInfo}ApplHeader.Origin (MetaInfo < V6) and – when applicable - {MetaInfo}ApplHeader.FluxDescriptor.
Receivers MUST implement idempotence via the combination of Origin and MessageID:
If an incoming message has the same MessageID and sender - identified by {MetaInfo}OriginOrganization (MetaInfo < V6) or client certificate (MetaInfo >= V6)- as a previous message, and that message was already processed by business logic, then:
This message MUST NOT be processed again by the business logic.
The original response SHOULD be returned, or a new one MAY be generated giving the same result.
TODO: what happens if a duplicate message is received before the business logic has processed the original request.
TODO: explicictly state how long the receiver MUST be able to return the original response. We do not want to retain all messages indefinitely.
Explanation
This guideline is only for System Errors, and specifically how operations may be re-executed after detection of a System Error. Business Errors imply that the operation has been functionally processed, implying that the system level has functioned correctly.
We limit ourselves to HTTP transport, with request-reply operations or pseudo one-way operations as described earlier in this guideline.
System Errors are not merely SystemFault SOAP faults, but also HTTP or TCP/IP errors and crashes. This is described in detail in the box “System Error Analysis” below. That analysis shows that a sender that receives a System Error is unsure whether the message has actually been functionally processed by the receiver or not.
Therefore the sender must be able to resend the message, and the receiver must be able to handle the same message being received twice or more, so that no inconsistencies are created. This implies a well known property of idempotency: doing the operation or redoing the operation multiple times has the same overall effect7.
Idempotence is not a problem for queries: the state at the receiver is not changed in that case.
For updates, deletes or creations, if the sender receives a System Error he re-sends exactly the same message, including the same MessageID and ApplHeader.Origin (MetaInfo < V6). The receiver uses the MessageID and identity of the sender of the operation to detect and prevent re-execution. Receivers must be able to give the same answer in case of a re-execution.
The figure below illustrates one of the possible error cases, and how it should be handled.
Note that we do not make any assumption on where (in an ESB, or directly in the application) or how you implement this solution.
Example
None.
System Error Analysis
The figure below shows a sender and receiving application, SOAP service endpoints and a HTTP transport. The arrows show the message exchange. The red crosses show possible locations of infrastructure-related errors.
Component
|
Contains...
|
Error examples
|
Send – Service Endpoint
|
Generated code from WSDL or Service Bus
HTTP client software
TCP/IP client software
|
|
HTTP Transport
|
tcp/ip network, routers, gateways, firewalls...
|
Any failure in any network component
|
Recv – Service Endpoint
|
Generated code from WSDL or Service Bus
HTTP server software
TCP/IP server software
| |
Receiver Application
|
Business logic interpreting request.
For request-reply only generates a response (no response for pseudo one-way).
|
Crash
System error
Business error
|
Remember that for pseudo one-way the reply message contains a fixed ‘delivery ack’ message or a fault. Also for request-reply the reply message contains a business result or a fault.
Assuming the errors occur where red crosses appear, the following table describes in detail what the error is, and what the possible consequences are. They are grouped by Request-Reply and Pseudo One Way.
Error in...
|
Processed by Receiver App?
|
Comment
|
Request-Reply
|
1
|
No
|
The sender application immediately detects an error, typically as a SOAP fault or another means determined by the tools used.
The sender MUST redo the operation.
|
2
|
No
|
The sender application immediately detects an error, a TCP/IP error like ‘connection lost’.
The sender MUST redo the operation.
|
3
|
No
|
The sender application immediately detects an error:
Crash, System malfunction: TCP/IP error
General system or software error:: HTTP error, SOAP fault
Validation Error: SOAP fault of type SystemError.
The sender MUST redo the operation.
|
4a
|
Unsure
|
The sender application immediately detects an error.
Crash, System malfunction: TCP/IP error or SOAP fault
General system or software error: HTTP error or SOAP fault
The sender MUST redo the operation.
If the transport between the endpoint at the receiver and the receiver itself is not reliable, and the recSince it is unsure whether the operation has already been processed by business logic, the operation must be resent, using the same MessageID/Origin. The receiver must reject an already processed message, based on this MessageID/Origin.
Note: alternatively the operation itself can be idempotent, by including the old and new values. This is out of scope of this specification, since it involves the applications themselves.
|
5
|
Yes (but not always known to sender)
|
The sender application immediately detects an error:
Crash, System malfunction: TCP/IP error
The sender MUST redo the operation, since request may not be processed.
General system or software error:: HTTP error, SOAP fault
The sender MUST redo the operation, since request may not be processed.
Validation Error in reply: SOAP fault of type SystemError
The sender MUST redo the operation after receiver has fixed the problem.
|
6
|
Yes, but not known to Sender
|
Idem to 2.
|
7
|
Yes
|
The sender application immediately detects an error, typically as a SOAP fault or another means determined by the tools used.
Typically the sender side must correct the problem and redo the operation.
|
Pseudo One-Way
Note that the reply message is either a ‘delivery ack’ or SOAP fault.
Also, there is no processing in the Receiver Application for what error handling is concerned.
|
1
|
No
|
Idem request-reply.
|
2
|
No
|
Idem request-reply.
|
3
|
No
|
Idem request-reply.
|
4b
|
Unsure
|
Problems at this stage are where the Receiver Application cannot be reached by the Receiver Service Endpoint. In this case a SOAP fault with a specific SystemError is returned.
The sender MUST retry the operation.
|
5
|
Unsure
|
The Sender Application immediately detects an error:
Crash, System malfunction: TCP/IP error
The sender MUST retry the operation, since request may not be processed
General system or software error: HTTP error, SOAP fault
The sender MUST retry the operation, since request may not be processed
|
6
|
Yes, but not known to Sender
|
Idem request-reply.
|
7
|
Yes
|
Idem request-reply.
|
This shows that multiple types of errors can be detected: TCP/IP errors, HTTP errors, SOAP faults. It also shows that in general a sender cannot know whether a message has been functionally processed or not when receiving a system error.
If the transport between the Receiver Service Endpoint and the Receiver Application is not reliable, then the Receiver Application MUST ensure the operation is idempotent.
Idempotency Choices
For idempotency there are two options:
The operation is made idempotent, e.g. by adding the old and new state in the message.
The receiver uses the MessageID/Origin of the operation to detect and prevent re-execution.
The first solution is visible at the functional application level, so functional analysis is necessary. Also the size of messages is doubled. Therefore the second solution is the one chosen.
| Support for Fluxes Guideline
When a Flux is used it MUST be documented in an Interface document using a Flux Chart.
If an operation (i.e. message) is part of a Flux, a FluxDescriptor element of type FluxDescriptorStruct MUST be provided as first parameter after the ApplHeader by the sending party that starts the flux, and it must be preserved in all further operations that are part of that flux.
[Applies only to web services that use MetaInfo >= V6]
NISSE MUST check that all operations that participate in a Flux are consistent with that Flux.
SIFs MAY check that all operations that participate in a Flux are consistent with that Flux.
Explanation
When a Flux is involved, a FluxDescriptor element must be present. It must be defined and provided by the sending party that initiates the Flux, and must be copied in each subsequent request that is part of that flux.
Fluxes are really explicit protocol descriptions, where it is clearly defined which messages (operations) may follow one another, or in parallel, to achieve a certain goal. All these messages (operations) have their own unique message id but have the same FluxDescriptor.
See MetaInfo_Vx.xsd for the definition of FluxDescriptorType (< V6) and FluxDescriptorStruct (>= V6). Additional information can be found in the interface documentation that accompanies this XML Schema.
Binary content Guideline
Binary data MUST be defined as an element of type xs:base64Binary in XML Schemas.
A web service MUST use MTOM for transferring binary content.
Policy assertions MUST NOT be used to indicate the use of MTOM.
Explanation
Various specifications exist for attaching binary content to SOAP requests, such as SOAP Messages with Attachments, DIME and MTOM.
MTOM is a W3C Recommendation and an interoperable standard supported by all major web service frameworks (JAX-WS, WCF, Axis). Although the SOAP 1.1 Binding for MTOM 1.0 is only a W3C Member Submission, it is equally well supported by vendors.
An advantage of using MTOM – when compared with Base64 - is that binary data can be sent and received without incurring the cost of data encoding. This is accomplished by externalizing data elements that are contained in a message using XOP and carrying them with the message as binary data.
MTOM messages are packaged as multipart/related MIME sequences with the root part being the actual SOAP message. Due to the MIME format, MTOM-encoded messages that are less than 1 KB might still be larger than message that use the Base64 encoding for binary data.
To reduce the overhead encurred by MTOM for small binary data, most web service frameworks allow binary content to be sent inline when the size of a message is below a threshold.
When compared to DIME, a major benefit of MTOM is that the binary data can be protected using WS-Security. Currently, very little vendors actually support this, but at least the MTOM specification allows this.
Web services that need to transfer binary content MUST NOT use policy assertions. There are multiple specifications that define policy assertions for MTOM, and there’s no broad vendor support for either of them. As a result, MTOM must be explicitly enabled in both client –and server implementations when applicable.
Example
The extract below shows an MTOM-encoded HTTP response where the binary content has been XOP optimized in a separate MIME part.
HTTP/1.1 200 OK
Date: Wed, 02 Jun 2010 08:33:16 GMT
Transfer-Encoding: chunked
Content-Type: multipart/related;start="";type="application/xop+xml";boundary="uuid:6a38ae26-b022-40d6-944c-f79d4c7a7df3";start-info="text/xml"
--uuid:6a38ae26-b022-40d6-944c-f79d4c7a7df3
Content-Id:
Content-Type: application/xop+xml;charset=utf-8;type="text/xml"
Content-Transfer-Encoding: binary
5
--uuid:6a38ae26-b022-40d6-944c-f79d4c7a7df3
Content-Id: <95ddae49-0d13-4619-8c05-257bca13204b@example.jaxws.sun.com>
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
--uuid:6a38ae26-b022-40d6-944c-f79d4c7a7df3—
Share with your friends: |