Question

We are creating a WCF infrastructure to allow other systems in the organization to consume our business logic. Some of this logic has to do with user authentication, so securing the services is of high concern. The transport layer is secured by certificates. I am more concerned with securing the business layer.

One of our clients calls these services in a certain sequence, in order to support a business process. What I would like to do is put in place some mechanism to verify that the sequence is indeed kept. The sequence can be disrupted by developer errors on the consuming side or by attackers trying to compromise the system. I do not want to put the logic of the process inside the services themselves, since this will couple them to this specific client`s process. I would like to put the logic for coordinating the different services in a separate layer, which will be client specific (or maybe something more generic to support any process?)

Can someone point me to specific patterns or resources which discuss this issue? I have been searching Google for half a day, and I can`t seem to find any resource discussing this specific issue.

Was it helpful?

Solution

Most web services should be designed to be called independently, since there's no guarantee what order the caller will compose them.

That having been said, one way to encourage them to be called in order is to use a design akin to a Fluent Interface, in which Service A returns an object that is an input parameter to Service B.

[DataContract]
public class ServiceAResult
{ 
  // ...
}

[DataContract]
public class ServiceBResult
{ 
  // ...
}

[ServiceContract]
public interface IServiceA {
   [OperationContract]
   public ServiceAResult OperationA() {
     // ...
   }
}   

[ServiceContract]
public interface IServiceB {
   [OperationContract]
   public ServiceBResult OperationB(ServiceAResult input) {
     // ...
   }
}

Here, the easiest way to create a ServiceAResult to pass to ServiceB.OperationB is to call ServiceA.OperationA.

OTHER TIPS

I recommend you separate your concerns.

Have a web service whose operations are called in order to perform your business processes.

Have a second service which orchestrates your business processes and which calls the operations of the first service in the required order.

Do not make it the responsibility of the first service to ensure that the second service calls things in the correct order. The responsibility of the order of calls should belong to a different service.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top