An announcement from the Web Services Interoperability Organization (WS-I) describes the final release of compliance testing tools for WS-I Basic Profile and outlines plans to tackle Web Services Security.

The WS-I Testing Tools Version 1.0 package approved by the WS-I membership contains the final release of the WS-I testing tools implementation for the Basic Profile V1.0. Prepared as C# and Java implementations, the tools are designed to help developers determine whether their Web services are conformant with Profile Guidelines and may be used to verify a Web service's compliance.

A Service Communication Monitor "captures messages exchanged with Web services, and stores these messages for analysis by the second tool, the Web Service Profile Analyzer. The Analyzer evaluates messages captured by the Monitor, and also validates the description and registration artifacts of the Web service. These artifacts include the WSDL document(s) that describes the Web service, the XML schema files that describe the data types used in the WSDL service definition, and the UDDI registration entries. More than 300 test cases have been written and automated for the Analyzer tool; each test case exercises between 50 and 90 test procedures. The output from the Analyzer is a report that indicates whether or not a Web service meets the interoperability guidelines of the WS-I Basic Profile. The report provides details on the specific deviations and failures, so that users know which requirements of the WS-I Basic Profile were not met."

With the completion of the Basic Profile 1.0 deliverables, WS-I is now turning its attention to the development of interoperability guidelines "to address attachments and Web services security. In December 2003 WS-I published drafts of the Basic Profile 1.1, Simple SOAP Binding Profile 1.0 and the Attachments Profile 1.0 for public review. In addition, the Basic Security Profile Working Group expects to publish a draft of the Basic Security Profile early next quarter. The Basic Security Profile will profile the OASIS WS-Security specification and its associated normatively referenced specifications. In February 2004 WS-I announced the availability of the first Security Scenarios Working Group Draft for public review. This document outlines security risks in building interoperable Web services and countermeasures for these risks."

Testing Tools Version 1.0 Overview

The WS-I tools test Web service implementations using a non-intrusive, black box approach. The tools' focus is on the interaction between a Web service and user applications...

The Monitor is both a message capture and logging tool. The interceptor captures the messages and the logger re-formats them and stores them for later analysis in the message log... The Monitor is implemented with a 'man in the middle' approach so that it can intercept all the SOAP messages between the requestor and the service. The monitor configuration file controls the operation of the monitor and defines the parameters to ensure the SOAP messages are properly routed.

The Analyzer is an analysis tool that verifies the conformance of Web Services artifacts to the Basic Profile. For example, it analyzes the messages sent to and from a Web service, after these have been stored in the message log by the Monitor... The analyzer configuration contains the list of options for this tool. This file may also contain implementation-specific configuration parameters...

The tools can only verify the conformance of Web Service artifacts that are produced during a testing session. Some artifacts belong to the definition of the Web Service (WSDL); some others result from the observable behavior of the Web Service at run-time. It is rather difficult to test all possible behaviors that a Web Service can exhibit, mostly because exercising these behaviors is application-dependent and requires an application-level understanding of the Web Service. For these reasons, the Testing WS-I working group has not attempted to provide certification criteria. Indeed, using certification criteria that are too general or incomplete will not guarantee interoperability for every use case, and therefore a certification stamp would have little meaning. Instead, the tools are intended to observe and verify the messages produced during an interaction, possibly in a real deployment environment (because the tools are nonintrusive). The tools can also be used at development time, to verify that Web Service definitions are profile-conforming. The testing tools are then an indicator of conformance of a Web Service to the Basic Profile, based on the artifacts produced. In turn, this is an indicator of interoperability with other business partners who also have tested as conforming to the Basic Profile."

The testing tools cannot verify all the requirements of the Basic Profile: "A few requirements of the WS-I basic profile cannot be easily tested, and have been left out for V1.0 of the tools. Such requirements fall into one of these categories:

• The profile requirement refers to an external specification document that is too complex to test, for an outcome that has been prioritized as low, given current resources. An example is the requirement on cookies which, when used, must conform to RFC2965.
• The requirement is not possible to test using the current test harness. For example, requirements about the HTTP code value when a request has been redirected.
• The requirement is about interpretative behavior of a Web Service consumer or provider, which exceeds the capability of the test harness, and would require more intrusive technology, or more knowledge of the WS application and semantics.

This is another reason why the tools should be defined more as an indicator of conformance, rather than as certification tools. However, by addressing requirements that concern the run-time interaction between a Web Service and another party, the tools provide a powerful indicator of the ability of this Web Service to interoperate with any external party known to also comply with the Basic Profile..." [excerpted from the User Guide]

From the WS-I Announcement

The Web Services Interoperability Organization ('WS-I') today announced the general availability of its testing tools for the assessment of Web services' interoperability with the WS-I Basic Profile. Final versions of the Web Service Communication Monitor and the Web Service Profile Analyzer are now available on the WS-I website. With C# and Java tools implementations available there is a version for every Web services platform. The news was announced at the WS-I Spring Community Meeting taking place this week in Vancouver.

"We are excited to deliver the final component of the WS-I Basic Profile 1.0 deliverables package to the marketplace," said Tom Glover, president and chairman of WS-I. "The testing tools, along with the recently released Basic Profile 1.0 and Sample Applications 1.0, will help developers ensure that their Web services meet the WS-I interoperability guidelines and will provide customers with the confidence they need to successfully deploy Web services."

While Basic Profile 1.0 compliance is self-validated (i.e. WS-I is not a certifying authority), WS-I recommends the use of the testing tools before making claims of compliance. For more information about the proper language and requirements for all compliance claims, please refer to the WS-I Trademark and Compliance Claim Requirements document at http://www.ws-i.org/docs/20031021_trademark.pdf.

WS-I is an open industry organization committed to promoting consistent and reliable interoperability among Web services across platforms, applications and programming languages. The organization unites a diverse community of Web services companies to provide guidance, recommended practices, and supporting resources for developing interoperable Web services. Since its formation in February 2002, more than 170 companies have joined WS-I.