The use of LDAP will be key to identity management efforts, and Turato plans to have all services include calls to an LDAP lookup. But to prevent every service from doing a direct lookup every time it runs, Avis Budget is planning to require the lookup at specific stages in a business process and then propagate that validation to later services.
The risk of this approach is that someone could spoof the validation by simply passing along a “verified” attribute, so Turato expects to implement the validation attribute as a signature that records where and when the verification happened, so that downstream services can confirm the validation occurred at the right stage and in the right process.
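One way to build such a signed validation attribute, as an added illustration rather than Avis Budget’s own implementation: the verification stage issues a small signed assertion naming the subject, the business process, the stage at which the lookup ran, and an issue/expiry time; every later service checks the signature and the process and stage before trusting it. The key, process and stage names below are constructed for the example. An HMAC over a shared key is used so the block runs with the standard library alone; in a real deployment an asymmetric signature (for example Ed25519) is preferable, since downstream services then hold only a public key and cannot mint assertions themselves.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: in practice held by the verification stage (and, with
# HMAC, by the checking services); an asymmetric key pair removes the latter.
VERIFIER_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_assertion(key: bytes, subject: str, process_id: str, stage: str,
                    issued_at: int, ttl_seconds: int = 300) -> str:
    """Run at the designated verification stage after the LDAP lookup succeeds.
    Returns '<payload>.<signature>' binding who was verified, in which process,
    at which stage, and when (with an expiry)."""
    claims = {"sub": subject, "proc": process_id, "stage": stage,
              "iat": issued_at, "exp": issued_at + ttl_seconds}
    # Canonical JSON so signer and verifier hash identical bytes.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def check_assertion(key: bytes, token: str, expected_process: str,
                    expected_stage: str, now: int):
    """Run by every downstream service. Returns (ok, reason)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # Constant-time comparison; a bare "verified" flag has no valid signature.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(payload)
    if claims.get("proc") != expected_process:
        return False, "wrong process"      # verified, but in another business process
    if claims.get("stage") != expected_stage:
        return False, "wrong stage"        # verified, but not at the required stage
    if now >= claims.get("exp", 0):
        return False, "expired"            # verification is stale; re-run the lookup
    return True, "ok"


def tamper_stage(token: str, new_stage: str) -> str:
    """Attacker model: keep the original signature but edit the stage claim."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["stage"] = new_stage
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    token = issue_assertion(VERIFIER_KEY, "alice", "rental-booking", "identity-check", t0)
    print(check_assertion(VERIFIER_KEY, token, "rental-booking", "identity-check", t0 + 10))
    print(check_assertion(VERIFIER_KEY, tamper_stage(token, "payment"), "rental-booking", "payment", t0 + 10))
    print(check_assertion(VERIFIER_KEY, _b64(b'{"verified":true}') + "." + _b64(b"x"),
                          "rental-booking", "identity-check", t0 + 10))
```

Each downstream service states the process and stage it requires, so an assertion issued elsewhere (or later edited to claim a different stage) is rejected; the expiry bounds how long a single lookup may be propagated before the chain must re-verify.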
eBay uses a similar security approach for its customer-facing services, with a security service that other services call when needed. For internal services, eBay follows the enterprise security model, using existing services and applications for each application domain, rather than creating a parallel security service for SOA-based projects, Barrese notes.
Your architectural implementation should also permit security flexibility, ADP’s Bongiorno says. “We’re trying to standardize on a single security model, but we will grant exceptions when the requirements are too heavy,” he says.
Testing and debugging services
Another underappreciated aspect to SOA deployments involves testing and debugging. “In a lot of ways, SOA done properly gives you faster time to market,” ADP’s Bongiorno says. “But you give some of that back in the testing.”
Although the use of stringently defined service interfaces can ease integration testing across pairs of services, the many-to-many nature of service interaction and the variety of hardware and software systems that provision them make testing difficult. “You can’t get your whole enterprise into a QA lab,” says eBay’s Barrese, so you have to scale your test platform as much as the business case warrants.
eBay has built some of its own QA tools for automated regression testing to help test the many execution scenarios inherent to SOA but also uses off-the-shelf tools such as those produced by Mercury Interactive. (ADP also uses automated regression tools from Mercury.) In addition, eBay is evaluating the open source Apache Axis service-testing tools with its BEA and IBM platforms.
Financial transaction processor SunGard requires that test cases for all services be built up front, to ensure that all interactions and requirements are thought-out, says Nils Winkler, technical architect at SunGard. Unit tests are built from these test cases, so they’re available for use in automated regression testing by all service developers whose processes might use the specific service. “You can do the testing with the data you already have,” he says.
A related challenge is version control. As you have more and more services, you have to expect that you’ll have to support multiple versions because you can’t update all your services at once. A registry or repository can maintain version information as part of your services’ standard attributes. This safeguard is important, so other services can adjust their expectations accordingly, Bongiorno says.