EAI Guy.net

Enterprise Application Integration and SOA 2.0

Category Archives: SOA 2.0

Securing ServicePulse

We are using NServiceBus and the awesome new suite of monitoring tools, and go-live is just around the corner. We are hosting our audit and error queues on a dedicated audit server, as recommended, along with ServiceControl and ServicePulse. How do we configure authorization for the ServicePulse website to allow a select group of IT Ops users to access the site without opening up access to the whole company?

Self-Hosted Default

By default, ServicePulse runs as a self-hosted web server with no option to add authentication or authorization:

[Screenshot: ServicePulseHosted]

Hosting ServicePulse in IIS

However, ServicePulse also has a feature for extracting website files to a folder, like this:

C:\Program Files (x86)\Particular Software\ServicePulse>ServicePulse.Host.exe --extract --serviceControlUrl="http://localhost:33333/api" --outPath="C:\temp\SpWeb"

This enables you to create your own IIS website with a few clicks:

[Screenshot: IIS-CreateWebsite]

And now you have an IIS-hosted ServicePulse website to which you can add Windows auth or another authentication and authorization mechanism:

[Screenshot: ServicePulseHostedByIIS]
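The IIS setup described above, scripted end to end as an added example (this is not code from the original post or from Particular Software): it creates the site from the extracted folder, turns off anonymous access, turns on Windows authentication, and allows only one AD group. The folder C:\temp\SpWeb follows the extract command above; the site name, port 8080 and the group CONTOSO\ITOps are placeholders, and a Windows Server host is assumed.

```powershell
# Added example, not from the original post: put the extracted ServicePulse files
# behind IIS with Windows authentication and allow only one AD group to reach them.
# Assumptions (placeholders): files extracted to C:\temp\SpWeb as in the post,
# site name "ServicePulse", port 8080, and the IT Ops group CONTOSO\ITOps.
# Run from an elevated PowerShell prompt on the (Windows Server) audit server.

$siteName     = 'ServicePulse'
$sitePath     = 'C:\temp\SpWeb'
$sitePort     = 8080
$allowedGroup = 'CONTOSO\ITOps'

# Windows authentication plus URL authorization. The URL Authorization module is
# the one that also guards static files, which is all the ServicePulse site is.
Install-WindowsFeature Web-Windows-Auth, Web-Url-Auth | Out-Null
Import-Module WebAdministration

if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $sitePath -Port $sitePort | Out-Null
}

# Authentication sections are locked at server level by default, so set them in
# applicationHost.config under a <location> for this site rather than in web.config.
$authn = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authn/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authn/windowsAuthentication" -Name enabled -Value $true

# Authorization: drop the inherited "allow all users" rule, then allow the group only.
$authz = 'system.webServer/security/authorization'
$site  = "IIS:\Sites\$siteName"
Remove-WebConfigurationProperty -PSPath $site -Filter $authz -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $site -Filter $authz -Name '.' `
    -Value @{ accessType = 'Allow'; roles = $allowedGroup }

# Show the effective rules for the site: only the Allow entry for the group should remain.
Get-WebConfiguration -PSPath $site -Filter "$authz/*" |
    Select-Object accessType, users, roles

# Verify: a request without credentials must be refused with 401.
try { Invoke-WebRequest "http://localhost:$sitePort/" -ErrorAction Stop | Out-Null }
catch { "Anonymous request: HTTP $($_.Exception.Response.StatusCode.value__)" }
```

This gates only the ServicePulse files: the dashboard is a browser-side app that still calls the ServiceControl REST API directly, and as the next section notes that API has no user-level authorization of its own.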

So What About ServiceInsight?

Unfortunately, Particular Software does not yet provide a means for enabling user-level authorization on the ServiceControl REST API, so the options for accessing ServiceInsight are:

  1. Leave the SC REST API as only accessible on the server (default behavior), which requires users to remote into the server to use ServiceInsight
  2. Set a custom host name for the SC REST API and expose it to everyone on the network

Neither of these options feels very satisfying to me. Please add any thoughts and suggestions here: https://github.com/Particular/ServiceControl/issues/400

Summary

If you are setting up a new NServiceBus installation or are upgrading to the Particular Platform from an older version of NServiceBus, I hope this post helps you secure your ServicePulse dashboard.

Are you publishing IMyObjectUpdated messages?

If you find yourself publishing a message called IMyObjectUpdated, you are likely violating service boundaries.

Why? Because publishing a message every time your object changes is a sure sign that your other services are saving representations of your object. In other words, you have duplicated data between services, and to stay in sync, you have to publish DTO-style messages every time your object changes. Data duplication indicates that your services are not fulfilling their role of being fully responsible for the business capability they implement.

Instead of publishing an IEmployeeUpdated message containing every field on the Employee entity, you should be publishing events like IEmployeeCreated, IEmployeeFired, and IEmployeePromoted. Each of these event messages should only contain the employee id and one or two other fields.

Pay close attention to how much data is contained in messages that get shared between services. If your services are publishing messages with more data than IDs and dates, then it is high time to re-evaluate your service design.

Distributed-Design Yahoo Group

Here is a link to the Yahoo group for alumni of Udi’s course. Peruse this group for practical SOA discussion material:

http://tech.groups.yahoo.com/group/AdvancedDistributedSystemsDesign/

SOA – What is a Service?

Webservices often come to mind when we hear Service-Oriented Architecture: webservices implementing interfaces connecting a web tier, an application tier, and a data tier, or some variation. In the SOA world, the concept of a service is an entirely different animal.

An SOA “system” is composed of multiple autonomous “services” that communicate asynchronously. Each service has UI logic, business logic, and some means of storing data. Yes, you heard that right – services do not share a common data store; they are each responsible for their own data. Udi Dahan defines a service as “the technical authority for a specific business capability”, and specifies that “all data and business rules reside within the service” (Advanced Distributed Systems Design course slides).

Asynchronous communication in SOA consists of services publishing events to which other services subscribe. If it appears that service A needs to synchronously access service B’s data as part of its business logic, then the service boundaries should be re-evaluated. It is probable that A and B are either managing the same business capability and should be combined, or that we technologists have synchronously chained steps of a business process into a transaction, and we need to split up the steps and re-evaluate the role of time in the business process.

Attributes of a service

  • Business-centric
  • Technical authority for a business capability
  • Stores all data needed for the business capability it owns
  • Communicates asynchronously with other services
  • Contains UI logic, business logic, and a datastore

Examples of services

System: Online book-sales website
Possible service breakdown:

  • Sales
  • Marketing
  • Customer Care

System: Hotel reservation system
Possible service breakdown:

  • Billing
  • Guest Services
  • Marketing
  • IT/Infrastructure

Summary

Disclaimer: I do not claim to be an expert in the subject of SOA, so these are just thoughts based on my experiences with building my first SOA system over the past year plus some theory assimilated from attending Udi Dahan’s Advanced Distributed Systems Design course.

More to come if I have time!