[Out-of-date post... this deals with the MS Atlas CTP, which has since been changed drastically and is now MS Ajax Extensions]
In case you missed it, I’ve had a pretty cool conversation with Steve Maine in the comments portion of my Atlas Thoughts post.
Steve, when I last checked, is a Program Manager on the Indigo WCF team. Steve thought he heard me say Web Services are insecure. Something that, honestly, I probably said, but didn’t quite mean. Which in turn ended with a nice little conversation….
Bottom line is that I have a particular view of Web Services and when they should be used. Steve and I are almost in agreement on our approach (almost). I thought that this might make a nice blog post… so here you go…
First you have to understand that I just came from a large Fortune 500 company where use of Web Services was highly discouraged. We also had rules against putting passwords in config files. It seems that no one trusts the admins there (see Jesper’s post here for his take on this). So we custom built a number of frameworks (like authentication/security) because everything wants to read from the config file these days. [I’m glad I have moved on and embraced the config file, BTW.]
There are some valid points in this. One of the things that security training has done to me is to cause me to think about the implications of my design and define what I mean to do. So often times this mindset for me gets globally tagged as “security.”
So when I use Web Services, I mean that I am building a re-usable service that can be consumed by clients all over the network (or Internet!!); it is my intention that others will want to consume this service and use it. Security will not be a part of any other system, but will be linked to the service since it can be consumed by others (it can’t really inherit security from someone else… it has to provide its own). I know this is not necessarily the case for the tools that we have, but it is the way I think of it.
Look back to the first sentence in the last paragraph… if some programmer in some other department wants to use my service, should he force his users to first log in to my web site? Obviously not. But the two could share the same authentication storage, and passwords could be the same for the 2 systems. The point is that the Web Service should have its own mechanisms for authentication/authorization.
When I use a PageMethod (or Ajax Callback), I mean that this particular function is something I’m exporting for remote use with my web application. I will share the same authentication with my web site (which allows me to have a custom mechanism that doesn’t use forms authentication or any other authentication model at all… maybe it’s all tied into a base page class). If a user can access this page they can make the remote call.
Practicals
So let me get a little practical. I just enabled AutoComplete on an Extranet site I’m working on. The AutoComplete callbacks return a list of values from a lookup table (there are multiple tables here). The lookup table is actually filled by users entering values (I’m lazily filling the table using user entry… yep, you can get garbage data that way, but the client wants/needs something like this).
So now I had to ask myself 2 questions:
- Do I want anyone scanning through these tables remotely? Well, I’m not opposed to it… but it’s not really data that I intend anyone/everyone to use. You need to have an account on the site to use it.
- Will this data be useful to anyone else? The short answer is that apart from the site’s context this data is absolutely meaningless. If I showed it to you, you would more than likely have no idea what it is. I would say that neither of the other programmers who worked on the site with me would know what the data is.
Seeing these 2 points (especially the latter), why would I build a service to access the data? Yes, I know that if you know how to talk to the page you can get it to cough up the data, but if the page is secured (and this one is) why would I want to create a full-blown web service for a function on the page?
It seems silly to me. Maybe I’m wrong and I’ll end up eating my words, but this is how I see things.
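To make the "if a user can access this page they can make the remote call" rule concrete for the AutoComplete case, here is an added example (my code, not the post’s, and written against the later ASP.Net Ajax Extensions conventions rather than the Atlas CTP the post used). The page name `Lookups.aspx`, the method `GetCompletionList`, and the in-memory `LookupTable` are assumptions; the sample rows are constructed. The practitioner’s caveat it encodes: a page method is a static method dispatched without running the page lifecycle, so a check in `Page_Load` or a base page class does not guard it. The method has to enforce the site’s authentication itself (or the URL has to be covered by ASP.Net authorization rules), and it should cap how much of the lookup table one call can hand back.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Services;
using System.Web.UI;

// Hypothetical code-behind for Lookups.aspx. The AutoComplete extender on the
// page points at GetCompletionList; the ScriptManager has EnablePageMethods="true".
public partial class Lookups : Page
{
    // Constructed stand-in for the lazily filled lookup table in the post.
    // A real site would query its database here with a parameterized command.
    private static readonly List<string> LookupTable = new List<string>
    {
        "Bracket, left-hand", "Bracket, right-hand", "Gasket 12mm", "Gasket 14mm"
    };

    private const int MaxResults = 10;
    private const int MinPrefixLength = 2;

    // Exported for remote use by this web application only. It is static, so
    // nothing in the page lifecycle (Page_Load, a base page class) runs first;
    // the authentication check lives here instead.
    [WebMethod]
    public static string[] GetCompletionList(string prefixText, int count)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            // Same rule as the page itself: no account on the site, no data.
            throw new HttpException(401, "Authentication required");
        }

        return Filter(prefixText, count);
    }

    // Pure lookup logic, kept separate from the HTTP context so it can be
    // exercised without a request. It refuses very short prefixes (which would
    // return most of the table) and bounds count so a caller cannot walk the
    // whole table by asking for count=100000.
    internal static string[] Filter(string prefixText, int count)
    {
        string prefix = (prefixText ?? string.Empty).Trim();
        if (prefix.Length < MinPrefixLength)
        {
            return new string[0];
        }

        int limit = Math.Max(1, Math.Min(count, MaxResults));
        List<string> matches = new List<string>();
        foreach (string value in LookupTable)
        {
            if (value.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            {
                matches.Add(value);
                if (matches.Count == limit)
                {
                    break;
                }
            }
        }
        return matches.ToArray();
    }
}
```

With forms authentication on the site, the browser sends the same authentication cookie to `Lookups.aspx/GetCompletionList` that it sends to the page, so the `IsAuthenticated` check is the page-method equivalent of "you need to have an account on the site to use it." The prefix and count limits are what keep a logged-in user from treating the callback as a bulk export of the lookup table.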
Now, I’m also not beating up Microsoft over this. They appear to be enabling both functionalities (which is what I want… choice). They are really only giving us a framework that does what other frameworks do (a number of the major Ajax frameworks use Web Services or Web Service-like components for communicating with the page).
Technorati Tags: Atlas, Ajax, ASP.Net