
WSE 2.0 at the DC .NET UG

Todd Barr presented on Web Service Architecture and WSE 2.0 at the DC .NET UG tonight. The session was very interesting, especially seeing the new features involving security and policy.

We have just completed the web service phase of a project at my current client.  It involved a challenging problem that was happily solved using an old MSDN article by Aaron Skonnard.

The problem:

Our web service takes in a large, complex data structure which has various business rules regarding the validity of the data. If we begin using our business layer objects to create the corresponding data and child objects, then we run the risk of violating a business rule, which would throw an exception and then leave parent objects lying around in the database. Yuck!

The solution:

We first developed a schema which expressed all the data limitations, but we needed this to fire before we attempted the business layer logic. We could have simply accepted a string of XML as input to our WebMethod and then validated it against the schema, but that seems so archaic in a world of generated web references with rich client proxy objects representing web service input and output. Aaron's article (link above) describes using a SoapExtensionAttribute and SoapExtension to enable schema validation of WebMethod input parameters. This allows us to ensure that the input data meets the schema before even attempting processing by the business layer.
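A minimal sketch of such an extension, added here as an example; it is not code from the original post or from Aaron's article. The names ValidateInputAttribute, ValidateInputExtension and SchemaPath are hypothetical, the extension is assumed to be applied per method as `[WebMethod, ValidateInput(@"<path to .xsd>")]`, and it assumes .NET Framework 4 or later.

```csharp
using System;
using System.IO;
using System.Web.Services.Protocols;
using System.Xml;
using System.Xml.Schema;

[AttributeUsage(AttributeTargets.Method)]
public class ValidateInputAttribute : SoapExtensionAttribute   // hypothetical name
{
    public string SchemaPath;                                   // assumed: physical path of the .xsd
    public ValidateInputAttribute(string schemaPath) { SchemaPath = schemaPath; }
    public override Type ExtensionType { get { return typeof(ValidateInputExtension); } }
    public override int Priority { get; set; }
}

public class ValidateInputExtension : SoapExtension
{
    private XmlSchemaSet schemas;
    private Stream wire, buffer;
    // Called once per attributed WebMethod; ASP.NET caches the returned initializer.
    public override object GetInitializer(LogicalMethodInfo method, SoapExtensionAttribute attr)
    {
        XmlSchemaSet set = new XmlSchemaSet();
        set.Add(null, ((ValidateInputAttribute)attr).SchemaPath);
        set.Compile();
        return set;
    }
    public override object GetInitializer(Type serviceType) { return null; } // config registration not used here
    public override void Initialize(object initializer) { schemas = (XmlSchemaSet)initializer; }

    // Buffer the message so it can be read twice: once here, once by the deserializer.
    public override Stream ChainStream(Stream stream) { wire = stream; return buffer = new MemoryStream(); }
    public override void ProcessMessage(SoapMessage message)
    {
        if (message.Stage == SoapMessageStage.AfterSerialize) { buffer.Position = 0; buffer.CopyTo(wire); }
        if (message.Stage != SoapMessageStage.BeforeDeserialize) return;
        wire.CopyTo(buffer); buffer.Position = 0;
        XmlReaderSettings s = new XmlReaderSettings();
        s.ValidationType = ValidationType.Schema;
        s.Schemas = schemas;
        s.DtdProcessing = DtdProcessing.Prohibit;   // untrusted input: no DTDs
        s.XmlResolver = null;                       // and no external resource fetches
        s.ValidationEventHandler += delegate(object o, ValidationEventArgs e) {
            if (e.Severity == XmlSeverityType.Error) throw new SoapException(e.Message, SoapException.ClientFaultCode);
        };
        using (XmlReader r = XmlReader.Create(buffer, s)) { while (r.Read()) { } }  // rejects before the WebMethod runs
        buffer.Position = 0;                        // rewind for the deserializer
    }
}
```

Elements whose namespace has no schema in the set (the SOAP envelope here) are not reported as errors, so a body sent in an unexpected namespace is not rejected by this check.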

Note that this validation against schema incurs a performance penalty which could be problematic for web services experiencing very heavy load.  There are “XML firewall” hardware appliances that can be used to validate XML web service input against schema in such extreme circumstances.  Mark O'Neill's book Web Service Security mentions such hardware solutions and also gives a good discussion on security best practices for web services.

It appears that policy may be an alternate solution provided by WSE 2.0 for the above problem although I have yet to dabble with it. :-D
