This paper introduces a single login web service integrator, named WebEntrance. It provides an aggregated web service on top of existing web service systems (as compomemts) with a centralized access control and content customization facility, though each service system may have its own access control facility and provide its own independent service. It implements a flexible and dynamic component bundling mechanism, and can provide personalized service with user selected component sets. WebEntrance provides a convenient way for new components to be plugged in and be played. The owner of the aggregated web service can decide to keep each component's original branding, add more information, filter out certain content, or customize the presentations. WebEntrance also provides a single user registration and authentication interface for all of its user-selectable service components. WebEntrance currently accommodates web service components invoked via HTTP protocol (i.e. under a web server) and service components invoked directly from local or remote APIs. Other component interfaces will be implemented later with consideration of CORBA compliance.

1. Introduction

The mechanism for invoking a service component via local or remote APIs is readily available in current software implementations. For this reason, this paper emphasizes the integration of web service components that can be reached via HTTP protocol. The web service components mentioned in this paper include both static HTML based service systems and web application systems that involve computation logic for dynamic web content generation based on web client requests.

The trend of web service commercialization and personalization usually involves user access control. That means user registration is required to obtain a service, and users need to be authenticated each time to access the services, e.g. by providing the user ID and password. Due to a growing number of web services and with each providing their own authentication facilities, it has been inadvertently inconvenience to the web users. For example, a user’s ID in one system can not be used in another system due to duplication, and the password validation policy (e.g. the lasting time period, character restrictions, etc.) in one system may be different from another. Consequently, a user has to have multiple user IDs and passwords, and must be authenticated many times to access different services. These multiple user IDs and passwords are inconvenient to use and difficult to manage. WebEntrance can solve this problem by providing one common entrance for a user to access all of the web service components. That means a user needs to register and be authenticated only once at the entrance. Then, the WebEntrance takes care of user registration and authentication to the other corresponding web service components. WebEntrance also provides the users with the convenience of finding all of the interested web services in one place thus saving the users exploration time.

In addition, WebEntrance empowers a web aggregation service provider by not only providing single login entrance for users, but also being able to change web service components’ original branding, customize the presentation, filter out certain content, and put in his own advertisements. Contents from different web service components are made accessible to the aggregation service provider via WebEntrance prior to sending them to the end users. This allows the aggregation service provider to customize the content. Through WebEntrance, the aggregation service provider can also provide personalized services. Customers can select what pre-bundled web service component groups they want via initial registration, and they can change their selections any time afterwards. With the use of the WebEntrance's GUI based administration sub-system, an aggregation service provider can add or remove a web service component easily to or from his service site. Also, he can dynamically bundle the service components into different groups, and manage user information and accessibilities to the different groups. Of course, the web service component's update and dynamic bundling will not interrupt customers services.

Two WebEntrance application scenarios are described as follows:

• A new era cool web publication service site: As an aggregated web publication service provider, you can offer all kinds of popular web applications and services that are located elsewhere from your service site, examples include interactive newspapers and magazines, games, interactive novels,etc.. If you are currently a publisher with a web site, WebEntrance can route other interesting web publications to your site, which broadens your content, colors your site, and adds to your attractiveness.
  

• A service site in a company's intranet: In your company, you may want to construct an web service site that aggregates a variety of web services from outside as well as inside your company. Your employees don't need to pay their registration or service fees for the services provided by each web service owner, because you handle them in one place and provide employees with accessing convenience. Also, you can customize and filter the web contents.
  

The WebEntrance adopts object oriented architecture and design. It is based on the object oriented java web servers and is implemented purely in Java language [1] [2], therefore, it is platform independent. Currently, it is implemented on Jeeves [4], and will be ported to other java web servers as well.

2. Architecture

As shown in Figure 2.1, the WebEntrance mainly consists of three sub-systems: a user registration sub-system, a service engine, and an administration sub-system. The User Registration Sub-system coordinates user registration information with the corresponding service components. The Service Engine accepts requests from web browsers and passes them to the corresponding service components, obtains responses from the components and sends them back to the web browsers. Also, it conveys user authentication information to the corresponding components, and provides various service options. The Administration Sub-system is implemented with a GUI, which provides a convenient mechanism for managing users and web service components, as well as for service and web content customization. There is also a Data Manager which maintains a repository for user, service component, user access group, and component bundling information. It also manages a set of persistent objects to accommodate repository accesses from different threads and processes. This data manager and relevant persistent objects are implemented on the top of JDBC[7], therefore can facilitate the plugging in to different database products.

Figure 2.1. The architecture of WebEntrance

A user needs to be registered to get services from WebEntrance. The user registration information is propagated to the user selected web service components or applications by the registration sub-system. Initial groups of service components can be selected during registration. After registration, a user is granted a user ID, a password and a certificate if there is a SSL (Secure Socket Layer) authentication involved in a selected web service component. Then, the user can login to the member service provided by WebEntrance. After user login, the service engine will authenticate the user and provide a personalized home page to the user which includes all service components the user has selected. When the user clicks a component's hyper-link, the request is sent to the service engine. The service engine first compares the user's access to the accessibility requirements possessed by the requested service component. If the user has the correct accessibility, the service engine will get the web content according to the requested URL, and send it back to the user. Also, users may select to post content to the system of a web service component. Optionally, the service engine can also support usage logs and reporting, and an interface to a billing/payment sub-system.

The WebEntrance administration sub-system is implemented in two versions, a server based java application version and a web browser viewable java applets version. The user interface is basically the same in these two versions.

3. User Registration Sub-system

The user registration sub-system allows users to register themselves. Also, it provides to a user with an initial list of selectable service groups. Each group has a list of service components, and each component can reside in multiple groups. Also, a user can access multiple groups. The user registration information is stored in a persistent repository (i.e. a database) via the data manager. This registration information is propagated to the access control systems of user selected service components. Therefore, only one registration is necessary to access all service components that are routed to the WebEntrance. It also enables a single user authentication interface, i.e. a user needs only to login once to access all of the services provided by selected service components. A sample user registration form is shown in Figure 3.1.

3.1. Registration Mechanisms

WebEntrance provides two types of user registration mechanisms, automatic registration and administrator assisted registration via Email. In the automatic registration mechanism, a user fills in a registration form like the one shown in Figure 3.1. Then, the registration form is sent to the registration sub-system via a URL. The registration sub-system parses the users information, and saves it directly to the persistent data repository through the data manager.

If a proofing procedure needs to be performed before a user can be registered, the administrator assisted registration mechanism can be applied. In this registration mechanism, user's registration forms are routed to a system administrator via Email.

3.2. Registration Synchronization

Basically, the registration synchronization between WebEntrance and other web service components is achieved by propagating user registration information in WebEntrance to other user selected service components via the regular registration channel of these components, usually via HTML forms. This means, after a user registered to the WebEntrance, a number of registration forms are dynamically generated which correspond to the web service components that the user has selected. Each registration form is generated from a pre-defined template that is derived from the registration form of the corresponding web service component.

Each time a user updates his/her service component group selection list, his/her registration information will be sent to the newly selected components, and de- registration information will be sent to the components that the user de-selected.

Some web service components may require more specific information than the general registration information that WebEntrance provides. In this case, an additional request form will prompt to a user by WebEntrance after the user selects these specific service components.

4. WebEntrance Service Engine

The architecture of the WebEntrance Service Engine is shown in Figure 4.1. The Service Engine provides a gateway entrance for all of the web service requests. It accepts requests from web browsers, parses the requests and dispatches them to the corresponding service components. Then, it obtains responses from the components, processes the contents, transforms the URLs by redirecting them to the service engine, and sends the processed contents back to the web browsers. A dispatcher and a transformer are involved for URL redirection computing during the service. This enables all web service requests and the fed back contents go through the service engine, more exactly, the web service coordinator in Figure 4.1.

Figure 4.1. The service engine of WebEntrance

The web service coordinator manages the workflow among the different components inside the service engine. The access authenticator checks a user's credentials (e.g. user ID and password) and his/her service request. If the accessibility matches, the access authenticator send a “true” to the web service coordinator, if not match a "false" is sent. Based on the authentication information sent from the access authenticator, the web service coordinator either sends the web client request to the dispatcher, or sends back alert information to the user to inform them of the access violation. A cache manager is implemented to enhance the performance. It caches the persistent data for the web service components and the recently visited users.

For maximum performance, the WebEntrance service engine is implemented using a client/server approach. The web service client is very thin and resides under the HTTP server. It is invoked by requests from web clients. One web service client instance is created by the HTTP server to handle a single user request. The WebEntrance service engine is operated using multiple threads and the threads can run in separate physical machines for scaleability. The connection between a web service client and a WebEntrance service engine instance is established by the connection manager . Both the connection manager and the WebEntrance service engine run continuously. After receiving a request from a web browser, the web service client sends a request to the connection manager to ask for connection to a WebEntrance service engine instance. The connection manager tries to find an available engine instance and make the connection. If no engine instance is available, the connection manager will put the web service client process to sleep. The connection manager knows how many engine instances exist and which ones are available. When an engine instance is available, the connection manager will wake up a sleeping web service client and establish the connection. After the client/server connection is established, the web service client sends the web browser request to the WebEntrance service engine, and the engine returns a data stream to the application client in web browser viewable syntax. Then, the web service client sends this data stream back to the web browser.

An instance of the WebEntrance service engine can be added or removed by an administrator based on the user volume of requests. This service scale adjustment operation will not interrupt the services. A similar client/server implementation can be found in both IBM Digital Library Internet Connection [3] and Sun's Java Web Server - Jeeves [4] [5].

4.1. Access Authenticator

There are several different types of user authentication mechanisms, e.g. basic authentication, digest authentication, SSL authentication, HTML form based authentication, etc.. A service component's authentication type is stored in the repository as one of its attributes. After a user is authenticated by the WebEntrance, his/her credential is sent to the requested service component based on the component's authentication type. For example, for a basic or a digest authentication, the user's ID and password obtained from the header of his/her request will be passed to the requested service component; for a SSL authentication, instead of sending a password to the requested service component, a certificate will be sent out; for a HTML form based authentication, an appropriate query string will be sent. For the SSL authentication, a user only needs one certificate for the WebEntrance service engine. The WebEntrance service engine has all certificates to the different web service components that use SSL authentication.

4.2. Web Request Dispatcher

After conducting an authentication, the web service coordinator sends the user request to the web request dispatcher. The dispatcher constructs a URL based on a parameter string passed by the user requested URL and the server map information stored in the repository. Then, the dispatcher sends the constructed URL to a corresponding web service component, gets response content back and sends it to the web service coordinator.

4.3. Web Content Transformer

After the web service coordinator obtained the returned content from the corresponding web service component via dispatcher, it checks through the content and performs the follow operations:

• Converts URLs to point to the WebEntrance service engine.
  
• Filters out certain content according to the pre-defined service requests, e.g. the content owners' original branding.
  
• Adds some generic information to the content according to the pre-defined service request, e.g. the aggregation service owner's branding.
  
• Adds some specific information to the content according to user information. Customizes the presentation of the content basing on the pre-defined service requests.
  

5. Administration Sub-system

The GUI based administration sub-system provides system administrators with a convenient tool for the management of end users and web service components, as well as for the web aggregation service customizations. It is implemented in two versions, java application that is based on the WebEntrance server, and java applets that can be accessed from any java enabled web browser. Its major functions are:

• User information view: It provides views of a selected user's profile, the web service component groups that the user has access to, and a complete list of web service components which are accessible by the user. A user can be selected by user ID, by user name, or by group.
  

• User update: It provides an interface for administrators to add and to remove a user, to update a user's profile and access group information, and to change a user's password.
  

• Web service component information view: It provides information views for a selected component. That includes the component's name, its unique ID in the system, the service it provides, the server it is located in, its invocation URL, the authentication type it uses, the groups it belongs to, etc.
  

• Web service component update: It provides an interface for administrators to add and remove a selected web service component, to update a component's information, and to assign or de-assign the component to some groups. A component can be assigned to multiple groups.
  

• Group information view: The web service components are bundled into groups. For a selected group, this view shows which web service components are inside the group, and which users have accessibilities to the components in this group.
  

• Group update: Administrators can add or remove a group, can change a group's name, can re-bundle a group by adding or removing the web service components in this group, and can add or remove users from a selected group.
  

• Server information view: It shows which web service components are in each server, and which port a component is using. The server information is used for web request dispatching and web content transformation.
  

• Server update: A server can be added or be removed. Also, the server information can be updated.
  

• Service selection and specification: It provides a selection list for various aggregation service customization. It provides an interface for content filter specification, for adding additional content, and for content presentation customization.
  

6. Conclusion

We have described a web service integration system in this paper, the WebEntrance. It is to provide an aggregated web service by bringing other web service systems, we call them the web service components, into the service site. Although each web service component may have its own user registration and authentication facilities, the integrated service system performs user information and credential coordination activities and provides a single registration and login capability to its users. The aggregated web service provides convenience to users by providing all their interested services in one place, and accessing all the services by a single login. For a web service provider, the aggregation of web service components from other web sites can broaden his content, enrich his portfolio, and add attractiveness to his web site.

The system is implemented purely in java with java servlets [4] [5] [6] under a HTTP server, JDBC for repository or database access, and java applets for the administration sub-system.

The project will continue to add new features, e.g. an advertisement system, usage logs and reporting, billing/payment sub-system, etc..

Acknowledgments

This work was supported by the Telecommunications and Media Solutions Unit of IBM. I would like to thank my colleague Khalid Asad for his contribution to the conceptual architecture and implementation tools during his initial involvement to this project. I would like to thank Denny Zhang, Chris Demas and others for their implementation work. Also, I would like to thank Paul Grandin, Chris Demas, and Andrea Macaluso for proof reading of this paper. I especially would like to thank Frank Stein, my manager, for giving me the opportunity to lead this project.

References