
Self-Service::Decomposition application pattern::Runtime patterns

Overview

On this page, two categories of Runtime patterns are described:

The Decomposition runtime patterns illustrate the range of function provided by this pattern. We will look at the following Runtime patterns:

The Decomposition application pattern extends the Router application pattern by decomposing a single, compound request from a client into several simpler requests and intelligently routing them to multiple back-end applications. In this Runtime pattern, the functions of the decomposition tier are performed by an integration server.

Generic runtime patterns

Decomposition application pattern::Integration Server runtime pattern

[Figure: Decomposition application pattern::Integration Server runtime pattern. Nodes: Application Server, Integration Server, Web Server Redirector, Lightweight Directory Access Protocol, User, Domain Name Server, Existing Applications, Directory and Security Services, Public Key Infrastructure, Protocol Firewall, Domain Firewall.]
Design Last Updated: 9-30-2004

In the Decomposition application pattern, the decomposition tier serves as an integration point for delivery channels in the presentation tier, allowing access to individual back-end applications. In the Integration Server runtime pattern (Figure above), the functions of the decomposition tier are performed by an integration server node. The functions of the presentation tier are performed jointly by a Web server redirector node and the application server node. Placing a Web server redirector in the DMZ provides an extra layer of security by putting all application logic behind the firewall. Only a portion of the presentation function is left in the DMZ.

The protocol firewall prevents unauthorized access from the Internet to the demilitarized zone. The role of this node is to allow Internet traffic only on certain ports and to block all other ports. The domain firewall prevents unauthorized access from the demilitarized zone to the internal network. The role of this firewall is to allow only network traffic that originated from the demilitarized zone, and not traffic that originated from the Internet.

A good security design does not permit any business logic or sensitive data in the DMZ. Using a Web server redirector helps to meet that goal. The Web server redirector serves static HTTP pages, while forwarding dynamic servlet and JSP requests to the application server. The presentation logic, therefore, spans both nodes. Together, these two provide the presentation tier, capable of handling multiple, diverse presentation styles. Using a redirector allows you to place the bulk of the business logic behind the protection of both the protocol and domain firewalls.
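The two-firewall arrangement described above can be checked as a flow policy. The following is an added example, not part of the original pattern documentation: it models an inbound flow passing through each firewall between its source and destination zones. The addresses (documentation ranges), the published ports 80/443, and the redirector-to-application-server port 9080 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (RFC 5737 documentation ranges) and ports: assumptions.
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("198.51.100.0/24")
PUBLIC_PORTS = {80, 443}                       # ports published to the Internet
# (source, destination, port) tuples the domain firewall admits from the DMZ.
DMZ_TO_INTERNAL = {("192.0.2.10", "198.51.100.20", 9080)}  # redirector -> app server
ZONES = ["internet", "dmz", "internal"]        # least trusted to most trusted


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def zone(addr):
    """Map an address to the zone it lives in."""
    ip = ip_address(addr)
    if ip in DMZ:
        return "dmz"
    return "internal" if ip in INTERNAL else "internet"


def protocol_firewall(flow):
    """Outer firewall: only published ports, and only toward the DMZ."""
    return zone(flow.dst) == "dmz" and flow.port in PUBLIC_PORTS


def domain_firewall(flow):
    """Inner firewall: only listed flows that originate in the DMZ."""
    return zone(flow.src) == "dmz" and (flow.src, flow.dst, flow.port) in DMZ_TO_INTERNAL


FIREWALLS = [("protocol-firewall", protocol_firewall),
             ("domain-firewall", domain_firewall)]


def evaluate(flow):
    """Walk an inbound flow through every firewall between its two zones."""
    s, d = ZONES.index(zone(flow.src)), ZONES.index(zone(flow.dst))
    if d <= s:
        return "out-of-scope"                  # only inbound flows are modelled
    for name, check in FIREWALLS[s:d]:
        if not check(flow):
            return f"deny:{name}"
    return "allow"


def audit(flows):
    """Return the decision for each flow, keyed by a readable label."""
    return {f"{f.src}->{f.dst}:{f.port}": evaluate(f) for f in flows}


SAMPLE_FLOWS = [                                 # constructed test traffic
    Flow("203.0.113.5", "192.0.2.10", 443),      # browser to redirector
    Flow("203.0.113.5", "192.0.2.10", 22),       # unpublished port
    Flow("192.0.2.10", "198.51.100.20", 9080),   # redirector to application server
    Flow("192.0.2.10", "198.51.100.30", 389),    # DMZ host straight to the directory
    Flow("203.0.113.5", "198.51.100.20", 9080),  # Internet straight to internal
]

if __name__ == "__main__":
    for label, decision in audit(SAMPLE_FLOWS).items():
        print(f"{decision:24} {label}")
```

The last sample flow is refused by the protocol firewall, and `domain_firewall` would refuse it as well because its source is not in the DMZ, which is the layered protection the pattern relies on.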

In addition to presentation logic (for example, JSPs), the application server contains some business logic. This is primarily in the form of the controlling servlets required to access the back-end applications. The application server builds a request based on user input and passes it to the integration server node. The primary business logic resides in the back-end applications.

The integration server examines messages and routes them to the appropriate back-end applications. It can go a step further by taking a single complex message, decomposing it into multiple messages, and routing those messages to the appropriate back-end applications. It is also capable of managing these messages such that it can wait for responses and recompose them into a single response to be sent back to the user. This effectively takes multiple, diverse back-end applications and unifies them into one interface for the user.

The integration server can use a local database as a work-in-progress database to store information required for message decomposition and recomposition.
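The decompose, route, and recompose cycle described above, with an in-memory dictionary standing in for the work-in-progress database, can be sketched as follows. This is an added example, not code from the pattern documentation or any product; the class, the message layout, and the three back-end functions are hypothetical.

```python
import itertools


class IntegrationServer:
    """Toy decomposition tier: split, route, correlate, recompose."""

    def __init__(self, routes):
        self.routes = routes      # logical service name -> back-end callable
        self.wip = {}             # work-in-progress store, keyed by correlation id
        self._ids = itertools.count(1)

    def decompose(self, request):
        """Split one compound request into routable sub-messages."""
        parts = request["parts"]
        unknown = sorted({p["service"] for p in parts} - set(self.routes))
        if unknown:               # refuse the whole request before routing anything
            raise ValueError("no route for: " + ", ".join(unknown))
        cid = f"req-{next(self._ids)}"
        subs = [{"cid": cid, "part": i, "service": p["service"], "body": p["body"]}
                for i, p in enumerate(parts)]
        self.wip[cid] = {"pending": {s["part"] for s in subs}, "replies": {}}
        return cid, subs

    def dispatch(self, sub):
        """Send one sub-message to its back end and record the outcome."""
        try:
            reply = {"ok": True, "data": self.routes[sub["service"]](sub["body"])}
        except Exception as exc:  # a failed back end must not stall recomposition
            reply = {"ok": False, "error": type(exc).__name__}
        return self.on_reply(sub["cid"], sub["part"], sub["service"], reply)

    def on_reply(self, cid, part, service, reply):
        """Correlate a reply; return the single response once all parts are in."""
        state = self.wip.get(cid)
        if state is None or part not in state["pending"]:
            raise LookupError("reply matches no outstanding sub-request")
        state["pending"].discard(part)
        state["replies"][part] = {"service": service, **reply}
        if state["pending"]:
            return None           # still waiting on other back ends
        del self.wip[cid]         # finished: clear the work-in-progress entry
        results = [state["replies"][i] for i in sorted(state["replies"])]
        return {"cid": cid, "complete": all(r["ok"] for r in results),
                "results": results}


# Constructed stand-ins for back-end applications (hypothetical names).
def inventory_app(body):
    return {"sku": body["sku"], "in_stock": 7}

def pricing_app(body):
    return {"sku": body["sku"], "price": "19.99"}

def shipping_app(body):
    raise TimeoutError("back end unavailable")


def demo():
    """Run one compound request whose replies arrive in reverse order."""
    server = IntegrationServer({"inventory": inventory_app,
                                "pricing": pricing_app,
                                "shipping": shipping_app})
    request = {"parts": [{"service": name, "body": {"sku": "A-100"}}
                         for name in ("inventory", "pricing", "shipping")]}
    _, subs = server.decompose(request)
    outcomes = [server.dispatch(sub) for sub in reversed(subs)]
    return outcomes, server.wip
```

Replies that carry an unknown correlation id, or that repeat a part already answered, are rejected rather than merged into a response.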

Access to the application server resources is protected by the application server’s security features, while access to the integration server’s resources is protected by the integration server’s security features. User information that is needed for authentication and authorization by both servers is stored in the directory and security services node behind the domain firewall in the internal network. The information may contain user IDs, passwords, certificates, access groups, and so on.

Integration Server runtime pattern=Variation 1

Variation 1 is the same as Variation 1 in the Router pattern. In this variation, the presentation logic has been split from the application logic and placed on a Web presentation server.


Decomposition application pattern::Integration Server runtime pattern=Variation 1

[Figure: Decomposition::Runtime pattern=Integration Server Variation 1. Nodes: Web Presentation Server, Application Server, Integration Server, Web Server Redirector, Lightweight Directory Access Protocol, User, Domain Name Server, Existing Applications, Directory and Security Services, Public Key Infrastructure, Protocol Firewall, Domain Firewall.]
Design Last Updated: 9-30-2004

The Web presentation server runs JSPs and servlets to provide the presentation logic for the application. The application server runs EJB logic and sends requests to the integration server. Requests are forwarded from the Web presentation server to the application server using IIOP.

Using a Web presentation server further delineates the line between presentation and application logic. It lends itself to scalability by allowing system resources to be spread across multiple machines and, although not shown, can be extended to implement load balancing among application servers.

Process Manager runtime pattern

Decomposition application pattern::Process Manager runtime pattern

[Figure: Decomposition::Process Manager runtime pattern. Nodes: Application Server, Process Manager, Web Server Redirector, Lightweight Directory Access Protocol, User, Domain Name Server, Existing Applications, Directory and Security Services, Public Key Infrastructure, Protocol Firewall, Domain Firewall.]
Design Last Updated: 9-30-2004

The Process Manager runtime pattern (Figure above) is similar to the Integration Server runtime pattern with one significant difference. Where the functions of the decomposition tier in the base pattern are provided using an integration server node, the decomposition functionality in this pattern is provided by business processes executing in a process manager node.

A business process consists of a series of activities choreographed in such a way as to accomplish a specific business task. Input to the business process is provided by the user via a standard interface. The business services invoked from the process are usually provided by back-end legacy applications that have also been exposed using standard interfaces.

In addition to presentation logic (for example, JSPs), the application server contains limited business logic, primarily in the form of the controlling servlets required to access the business processes executing in the process manager node. The application server builds a request based on user input and passes it to the process manager node.

The process manager node provides the execution engine for the business processes. It has the capability of executing activities in serial or parallel mode. It can invoke back-end services synchronously or asynchronously. In the event that human interaction is required by the business process, this node creates a work item and identifies a particular person or a department responsible for executing that task and adds the work item to its worklist. Processes that are interrupted can roll back completed tasks, returning the back-end applications to their original state.

A database is used to provide a persistent data storage and retrieval service in support of the execution of the process flow. It holds the process execution rules and intermediate results from the execution of certain activities within the context of an end-to-end process flow. The implementation of this node may involve several persistent data technologies (such as DBMS and flat file) for the different data types.

The primary business logic resides in the back-end applications. These applications are exposed as enterprise or Web services for access by the process manager node.

SOA profile

Decomposition application pattern::[SOA]Runtime pattern

[Figure: SOA Profile. Nodes: Public Key Infrastructure, Domain Name Server, User, Protocol Firewall, Web Server Redirector, Domain Firewall, Application Server, Directory, Enterprise Service Bus, Existing Applications, Service Registry.]
Design Last Updated: 12-16-2005

The functionality related to handling messages including decomposition/recomposition, routing, transformation, logging, and protocol conversion moves to the ESB.

The ESB approach:

Process Manager Node

This node contains the process flow execution engine. It provides the capability for model-driven business process automation. It also enables tracking by leveraging the process execution rules stored in the associated database.

These processes can span multiple applications and organizational boundaries within an enterprise. The node maintains state and tracks sequencing through the process flow. In doing so, it often leverages the associated repository to store intermediate results. Finally, it is responsible for invoking target applications as necessary through their associated connectors.

Application server node

The application server node provides the infrastructure for application logic and can be part of a Web application server. It is capable of running both presentation and business logic but generally does not serve HTTP requests. When used with a Web server redirector, the application server node can run both presentation and business logic. In other situations, it can be used for business logic only.

Integration Server Node

The purpose of this node is to interface between any front end access channel, such as the web, a call center, or a client/server ("fat client") PC, and whatever back-end application system is needed (including applications from other companies). It will perform the following kinds of services:

  • Convert protocols from the front end to match whatever the back-end systems understand
  • Decompose a single message from the front end (such as a web server) into several back-end messages (or transactions), and then re-compose the replies
  • Navigate from the front end to whatever back-end system needs to be accessed
  • In more complex cases, control the process or unit of work for a number of back-end interactions based on a request from the front end

The intent is to relieve each front end from having to handle the complexity of interfacing with potentially multiple back-end systems, which may be in different companies. The front end (such as the web server) should just need to send a message to the integration server and have it look after the interface.

A second purpose for locating these interface services on the integration server concerns security. There is a firewall between the web server and the integration server, and the web server need have no knowledge of the back-end addresses. Many locations do not want a server located in the DMZ to have direct access to sensitive data and systems. In this case the web server can only send messages to the integration server, nowhere else.

Web Server Redirector Node

In order to separate the Web server from the application server, a so-called Web Server Redirector Node (or just redirector for short) is introduced. The Web server redirector is used in conjunction with a Web server. The Web server serves HTTP pages and the redirector forwards servlet and JSP requests to the application servers. The advantage of using a redirector is that you can move the application server behind the domain firewall into the secure network, where it is more protected than within the DMZ.

LDAP

Lightweight Directory Access Protocol (LDAP) refers to the protocol that is used to communicate between a calling program (running on a node such as a Commerce Server) and a Directory Node. The LDAP-based directory node holds information about such topics as people and/or services.

For example, the directory could be used to store information needed to identify registered shoppers (referred to as authentication). It could also be used to store information about what functions those shoppers are allowed to perform after being identified (referred to as authorization).

User Node

The user node is most frequently a personal computing device (PC) supporting a commercial browser, for example, Netscape Navigator and Internet Explorer. The browser is expected to support SSL and some level of DHTML. Increasingly, designers need to also consider that this node might be a pervasive computing device, such as a Personal Digital Assistant (PDA).

Domain Name Server (DNS) Node

The DNS Node assists in determining the physical network address associated with the symbolic address (URL) of the requested information. The Domain Name Server Node provides the technology platform to provide host to IP address mapping, that is, to allow for the translation of names (referred to as URLs) into IP addresses and vice versa.

Existing Applications and Data Node

Existing applications are run and maintained on nodes, which are installed in the internal network. These applications provide for business logic that uses data maintained in the internal network. The number and topology of these existing application and data nodes is dependent on the particular configuration used by these legacy systems.

Directory and security services node

The directory and security services node supplies information on the location, capabilities, and attributes (including user ID/password pairs and certificates) of resources and users known to this Web application system. This node can supply information for various security services (authentication and authorization) and can also perform the actual security processing, for example, to verify certificates. The authentication in most current designs validates the access to the Web application server part of the Web server, but this node also authenticates for access to the database server.

Database server node

This node's function is to provide persistent data storage and retrieval in support of the user-to-online buying transactional interaction.

Customer related data that is stored is relevant to the specific business interaction, for example, the shopping cart and shipping address information. Some sites are registering users and storing customer profile data such as address, clothing sizes, preferences, and gift wish lists that others can access when buying presents. Most sites today do not store credit card information on this server for security reasons.

Also stored here is the product and catalog information used to dynamically build HTML pages for presentation during the shopping process.

The mode of DB access is perhaps the most important factor determining the performance of this Web application, in all but the simplest cases. The recommended approach is to collapse the DB accesses into a single call or very few calls. This can be achieved by coding and invoking stored procedure calls on the database. Typically many commerce servers share only one database server in a high-volume site, so the technology to implement this node must be able to scale vertically.

Public Key Infrastructure (PKI)

PKI is a system for verifying the authenticity of each party involved in an Internet transaction, protecting against fraud or sabotage, and for nonrepudiation purposes to help consumers and retailers protect themselves against denial of transactions. Trusted third-party organizations called certificate authorities issue digital certificates -- attachments to electronic messages -- that specify key components of the user's identity. During an Internet transaction, signed, encrypted messages are automatically routed to the certificate authority, where the certificates are verified before the transaction can proceed. PKI can be embedded in software applications, or offered as a service or a product. e-business leaders agree that PKIs are critical for transaction security and integrity, and the software industry is moving to adopt open standards for their use.

Protocol Firewall Node

A firewall is a hardware/software system that manages the flow of information between the Internet and an organization's private network. Firewalls can prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets, and can block some virus attacks -- as long as those viruses are coming from the Internet. A firewall can separate two or more parts of a local network to control data exchange between departments. Components of firewalls include filters or screens, each of which controls transmission of certain classes of traffic. Firewalls provide the first line of defense for protecting private information, but comprehensive security systems combine firewalls with encryption and other complementary services, such as content filtering and intrusion detection.

Firewalls control access from a less trusted network to a more trusted network. Traditional implementations of firewall services include:

  • Screening routers (the Protocol Firewall)
  • Application gateways (the Domain Firewall)

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Protocol Firewall is typically implemented as an IP Router.

Domain firewall node

A firewall is a hardware/software system that manages the flow of information between the Internet and an organization's private network. Firewalls can prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets, and can block some virus attacks -- as long as those viruses are coming from the Internet. A firewall can separate two or more parts of a local network to control data exchange between departments. Components of firewalls include filters or screens, each of which controls transmission of certain classes of traffic. Firewalls provide the first line of defense for protecting private information, but comprehensive security systems combine firewalls with encryption and other complementary services, such as content filtering and intrusion detection.

Firewalls control access from a less trusted network to a more trusted network. Traditional implementations of firewall services include:

  • Screening routers (the Protocol Firewall)
  • Application gateways (the Domain Firewall)

A pair of Firewall Nodes provides increasing levels of protection at the expense of increasing computing resource requirements. The Domain Firewall is typically implemented as a dedicated server Node.

Web Presentation Server

The Web presentation server node provides services to enable a unified user interface. It is responsible for all presentation-related activity. In its simplest form, it serves HTML pages and runs servlets and JSPs. For more advanced patterns, it acts as a portal and provides the access integration services (single sign-on, for example). It interacts with the personalization server node to customize the presentation based on the individual user preferences or on the user role. The Web presentation server allows organizations and their users to standardize and configure the presentation of applications and data in the most efficient way, while enabling fine-grained access control.

Directory Node

Directory Services provides an integrated LDAP server that easily integrates with other LDAP servers to provide for the directory needs of an e-business solution.

ESB

The ESB is a key enabler for a SOA as it provides the capability to route and transport service requests from the service requester to the correct service provider. The true value of the ESB concept, however, is to enable the infrastructure for SOA in a way that reflects the needs of today’s enterprise: to provide suitable service levels and manageability, and to operate and integrate in a heterogeneous environment.

Furthermore the ESB needs to be centrally managed and administered and have the ability to be physically distributed.

Service Registry

The role of the Service Registry is to provide details of services that are available to perform business functions identified within a taxonomy. The Service Registry can be implemented as an open-standard UDDI registry. Catalogs, such as a UDDI registry, can achieve one of the primary goals of a Service Registry: to publish the availability of services and encourage their reuse across the development activity of an enterprise.

The vision of Web services defines an open-standard UDDI registry that enables the dynamic discovery and invocation of business services. However, although technologies mature toward that vision, more basic solutions are likely to be implemented in the near term.

This node is also known as a Business Service Directory.