In my recent developerWorks series Use SLAs in a Web services context, I talked about securing multiple Web services, firewalling Web services, and mitigating risk for vulnerability, all with an SLA guarantee. I focused on the importance of high availability of service by a producer for the consumers though various performance and standard criteria.
This article starts with a recap on Asynchronous JavaScript + XML (Ajax), gives some vulnerability issues, discusses SLA impacts, and then shows why bandwidth-efficient Ajax applications do not guarantee that risks to vulnerabilities will be mitigated or eliminated. It also covers ways of speeding up your Ajax applications while dodging Web services vulnerabilities.
Ajax enables responsive and interactive Web services by transforming a user's browser experience (for example, a business-to-business transaction) into an XML-based Web services portal (such as a business-to-consumer transaction). Ajax accomplishes this by building an extra layer of processing between the Web page and the server over the HTTP protocol. This layer intercepts requests from the user and in the background, communicates with the server quietly and asynchronously to get the desired content of an HTTP protocol. It is not necessary to have server requests and responses coincide with user actions, such as a request for an update to a database record and a response that the update was successful.
Let's address some concerns about an extra layer of processing. One concern is that because it relies on XML as the content type for requests and response payload, Ajax increases the amount of XML traffic being transmitted. When used in massive quantities, Ajax applications can clog up network traffic. A more important concern, in turn, is that the large amount of traffic exposes Ajax applications to Web services vulnerabilities. When these vulnerabilities are exploited, the system or applications will perform poorly.
Let's take a look at four vulnerability instances:
- Excessive bandwidth
- Corrupted data
- Frequent small HTTP requests
- Memory leaks
XML messages in text format could more than double the amount of bandwidth of binary data. The more bandwidth that is needed to transmit XML messages, the less resource there will be for the system or application to perform other tasks, such as performing complex algorithms to get the desired result. Excessive bandwidth could result in performance degradations caused by system overloads.
Excessive bandwidth could contribute to corrupted data outputs from Ajax applications because there are insufficient resources to produce clean data. This means that Web services portals, of which the Ajax applications are a part, could expose corrupted data to other parts of the portal, resulting in malformed messages and excessive parsing. This vulnerability, if exploited by a threat, could result in a browser crash.
One drawback of Ajax is that it allows you to make many small requests instead of one big post-back. Frequent, small HTTP requests can stress back-end servers, load balancers, and firewalls and result in excessive bandwidth, causing performance to degrade. They can bump up against browser limits or a sluggish network connection, causing network bottlenecks.
In a typical Web application, Web pages are frequently reloaded, wiping out the memory for that page and starting with a clean state. With Ajax, you can avoid page reloads while waiting for the next piece of content to be presented in the Web services portal. With Ajax, you can have a single-page application stay in the browser for days, magnifying any problems with memory or other resource leaks that may occur. Excessive memory leaks -- along with excessive bandwidth and small HTTP requests -- may contribute to corrupted data in the Web portal, increasing the opportunity for the hacker to exploit system vulnerabilities from the Internet.
For all instances, you need to determine how high or low the risks are that a threat agent could take advantage of system and server vulnerabilities and the resulting business impact. High risk necessitates that safeguards be in place to speed up Ajax applications. One safeguard instance is to increase service uptime availability with an SLA guarantee.
No matter how well you can change the codes in an Ajax application to make it more bandwidth efficient, there will be always risks and vulnerabilities you'll need to watch out for and mitigate. Deploying bandwidth-efficient applications does not guarantee that the service levels in an SLA will always stay high, at, or above the specified performance threshold point (for example, 99.9 or 99.999%). Applications become more vulnerable as they go from a browser application to a server portal in an Ajax application over the Internet, particularly the XML part used to build Web services to detect performance problems, such as packet losses.
You need to consider three things to improve service uptime availability. First, to speed up Ajax applications, you should address the means of improving performance other than bandwidth optimization (such as XML content filtering and XML acceleration capabilities). Second, to secure Ajax applications, you should consider Web security standards, such as WS-Security (WSS), Application Vulnerability Description Language (AVDL), and a host of others. Third, you should consider traffic monitoring of these applications as one of the tools for measuring performance.
Improvement #1. Speeding up applications
Let's take a look at the following options for speeding up Ajax applications:
- Specialized hardware accelerators
- Optimized software
- Code redundancy elimination
- XML acceleration capabilities
- Interoperability issues resolution
Specialized hardware accelerators
Hardware accelerators are used to speed up XML traffic. Without the accelerator, encryption, complex graphics, and speech recognition algorithms can tie up applications and associated resources because it must perform complex calculations to get the desired result. The accelerator is generally not for server-side scripting. The alternative is to combine hardware accelerators with optimized software.
Optimized software is used to modify and compress a system so that an application can execute more rapidly or operate with a reduced amount of memory storage and other resources. Optimized software draws less battery power in a portable computer. Reducing size and time of downloads from servers is a two-step process:
- Use ASP.Net or JavaScript technology to analyze Ajax application payloads.
- Develop optimized software based on the payload analysis.
One example of eliminating code redundancy is to reduce the number of Ajax callbacks and the payload for each callback. If there is a complex interaction between callbacks, look for redundant codes and simplify them. Another example is to divide Ajax applications into modules and combine those with similar functions to reduce redundancy.
Depending on the complexity of the application, high overhead costs of processing parsing large files of text-based XML offset the benefits of hardware accelerators and optimized software eliminating code redundancy. Text-based XML Web services applications are large and tend to get bloated and therefore are not bandwidth efficient from a network, processor, and storage performance perspective. When large files are used in massive quantities, these Web services can clog up network traffic, resulting in system overloads.
One of the major hindrances to Web services performance is the network and processing overhead associated with XML. As a result, there has been a push in the industry toward standardizing on a binary encoding scheme for XML, such as the XML-binary Optimized Packaging Specification (XOL) Package. As discussed in Part 7 of my series on working with Web services in enterprise-wide Service-Oriented Architectures (SOAs), I discussed how this package is more effective in the processing of large files in binary than the XML parsers for text-based files.
Interoperability issues resolution
No matter how well Ajax applications are optimized, what hardware accelerators have been used, or how code redundancy has been reduced or eliminated, you need to resolve interoperability issues. For instance, when Ajax applications are transformed into Web services that are outside the control of the organization, you need to ensure that they can interoperate externally with one another with respect to shared semantics and contractual obligations. Semantic misunderstandings (such as proprietary semantics) and contractual loopholes (such as multiplatform differences) contribute to interoperability problems, such as integrating Ajax applications into legacy systems.
Improvement #2. Web services standards
Let's take a look at several OASIS Web services standards for Ajax applications. (OASIS stands for Organization for the Advancement of Structured Information Standards, directed by the International Open Standards Consortium. See Resources for a link to the site.)
- WS-Security Extensions (WS-SX)
- Security Access Markup Language (SAML)
- Service Provisioning Markup Language (SPML)
- Digital Signature Services (DSS)
- Application Vulnerability Description Language (AVDL)
All of these standards are aimed at reducing the risks for vulnerabilities that have increased as a result of Ajax moving from browser applications to server portals over the Internet. They can work more effectively only if the XOL package or other binary XML schema is applied.
This standard delivers a technical foundation for implementing security functions, such as integrity and confidentiality in messages implementing higher-level Ajax Web services applications. Because WSS focuses on a single message exchange, it has been extended as WS-SX to enable trusted SOAP message exchanges involving multiple message exchanges and define security policies that govern the formats and tokens of such messages. Contributing to the development of WS-SX were the Web Services SecureConversation, SecurityPolicy and Trust specifications.
This markup language defines and maintains a standard XML-based framework for creating and exchanging security information between online partners. SAML is being used as a Web single sign-on, an Attribute-based Authorization, and in securing Web services.
This standard provides an XML framework for managing the provisioning and allocation of identity information and system resources within and between organizations. Additionally, the SPML 1.0 specification has been designed to accommodate the use of WSS, XML Digital Signatures, and XML Encryption.
This standard defines an XML interface to process digital signatures for Web services and other applications. DSS plays an important role in the security of electronic commerce and other Web applications by assuring the authenticity of Web data when applications are exchanged and retrieved from storage. The DSS specifications include services for signature creation, signature verification, time-stamping, and a combination of the aforementioned capabilities.
The goal of the AVDL is to define a language for describing information that can be used to protect such an application. This information may include -- but is not limited to -- vulnerability information as well as known legitimate usage information. In Part 7 of my series on using SLAs in a Web services context, I went beyond the AVDL by addressing the issues of interruption thresholds for a Web service that, for example, has not completed the task of responding to a request for vulnerability information over HTTP.
If the time gap is large between a request and a response to the request, interruption thresholds can reach the level at which they can cause an adverse impact on the SLA guarantee for uptime availability. To reduce the chances of this adverse impact, the article discussed mitigating the risk of exposing Web services vulnerabilities in a heterogeneous Service-Oriented Architecture (SOA). The impacts of interruption thresholds can be further reduced with the XOL package. This does not imply that the reduction will result in achieving an SLA guarantee.
Improvement #3. Traffic monitoring
Active traffic monitoring is one tool to measure performance of the network traffic of Ajax applications continuously. It can simulate network data and IP services and collect network performance information on Ajax applications in real time. This collection includes data on response time, bandwidth amount, one-way latency, jitter, packet loss, and server response time.
Performance can be monitored for different classes of traffic (such as high, medium, and low priority) over the same connection. By putting the data into a real-time log, you can see where and when excessive packet losses and jitters occur, why slow responses happen, and how changing the priority of applications can improve traffic performance.
You'll need a team of developers, testers, system administrators, and potential users to speed up Ajax applications while dodging Web services vulnerabilities. To eliminate redundancy and memory leaks and reduce the amount of bandwidth and the number of small HTTP requests, you must plan ahead on creating, testing, and deploying Ajax performance improvement projects. Resolving these issues makes your job of speeding up Ajax applications easier.
Learn
- Explore the
OASIS Consortium.
- The
Work
with Web services in enterprise-wide SOA
series by Judith M. Myerson offers information on how to work with Web services in enterprise-wide SOAs.
- Judith M. Myerson's series,
Use SLAs in a Web services context,
has details on service-level agreements.
- Want more information on Ajax tools? Read about them
in "Survey
of Ajax tools and techniques" (Gal Shachor, Yoav Rubin, Shmulik London, Shmuel Kallner, developerWorks, July 2007).
- Read Judith M. Myerson's
The Complete Book of Middleware,
which focuses on the essential principles and priorities of system design and emphasizes the new requirements brought forward by the rise of e-commerce and distributed integrated systems.
- Get the business insight and the technical know-how to ensure successful systems integration by reading
Enterprise Systems Integration, Second Edition.
- Bring your organization into the future with
RFID
in the Supply Chain,
which explains business processes, operational and implementation problems, risks, vulnerabilities, and security and privacy.
- Go into the nuts and bolts of developing a service-level agreement in this IBM Redbook for Domino administrators.
- Visit the technology bookstore for books on these and other technical topics.
- Want more on Web services? The developerWorks SOA and Web services zone hosts hundreds of informative articles and introductory, intermediate, and advanced tutorials on how to develop Web services applications.
- Check out the Ajax Resource Center, your one-stop shop for information on the Ajax programming model, including articles and tutorials, discussion forums, blogs, wikis, events, and news. If it's happening, it's covered here.
Get products and technologies
- See how IBM®
Rational® ClearQuest and IBM Rational Functional Tester Plus can help when developing Ajax and other applications. These tools from IBM help increase your productivity by reducing testing time and the costs of test labs in your enterprise.
-
IBM trial products for
download: Build your next development project with IBM trial software,
available for download directly from developerWorks.
Discuss
- Participate in the discussion forum.
-
developerWorks blogs: Get involved in
the developerWorks community.
Comments (Undergoing maintenance)
Table of contents
Next steps from IBM
Create rich Internet applications using WebSphere Portal Express Web 2.0 technologies.
- Try: WebSphere Portal Express
- Article: Get started using Ajax and WebSphere Portal Express
- Tutorial: Quickly build a an Ajax-enabled WebSphere Portal Express Web application
- Demo: Architecture, design, and construction using the IBM Rational Software Delivery Platform: AJAX
- Webcast: Rational software process automation: Real value delivered, real customer stories
- Buy: WebSphere Portal Express
My developerWorks community
Tags
Use the slider bar to see more or fewer tags.
Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).
My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).
Popular article tags |
My article tagsSkip to tags list
Popular article tags |
My article tags
