Tuesday, October 21, 2008

Web Services Testing of SAP NetWeaver Application Server, Java EE 5 Edition

Web Services Testing of SAP NetWeaver Application Server, Java EE 5 Edition

Web Services Testing Tools - such as SOAPSonar™ - enable users to easily test web services deployed by SAP NetWeaver Application Server, Java EE 5 Edition.

Introduction

With the introduction of NetWeaver Application Server Java EE 5 Edition, SAP has moved in the right direction by providing a platform for building enterprise-class, scalable, distributed and open standards-based Service Oriented Architecture (SOA). Java EE 5 primary focus has been to transition J2EE to a more developer friendly architecture. One of more exciting parts of Java EE 5 specification is a heavy support for annotations that enable developers to cleanly expose already developed Java code as web services through meta data without modifying code for classes or methods.

SAP NetWeaver Application Sever Java EE 5 Edition is one of the first application servers in the market to achieve Java EE 5 compatibility. With such leadership in adopting standards-based specifications, SAP's perception as a closed, monolithic and conservative behemoth unwilling to share its internal riches (APIs) with the common developers is shattered. The preview release of its new Java EE 5 based Application Server and its first to market strategy in adopting developer friendly specifications shows SAP's desire to appeal to a broader base of developers.

In this article, we share our experience in building a simple HelloWorld web service using NetWeaver and testing its characteristics using a simple web services testing tool - SOAPSonar Enterprise Edition. SOAPSonar™ is a web services testing product that provides comprehensive Web Services Testing across complex, dependent and distributed deployments.

Figure 1: Web Services Testing NetWeaver Java EE 5 Edition using SOAPSonar.

As you build a robust, secure, and interoperable web services-enabled Service Oriented Architecture (SOA) with NetWeaver as a core component, the need for using products like SOAPSonar for establishing quality and repeatability of your web services-based IT assets will become crucial.

Step 1: Download and Install NetWeaver Java EE 5 Edition

Download SAP NetWeaver Application Server, Java EE 5 Edition from the SAP Developer Networks (SDN). Registration is required but is simple and painless. Once you enter the credentials for SDN that were emailed to you as a part of the registration process, you may have to refresh your browser if you are using Firefox. The download is about 650MB and includes the NetWeaver Application Server, MaxDB 7.6 and the NetWeaver Developer Studio. System requirements for installation are as follows:

  1. 512 MB RAM, recommended 1 GB.
  2. Intel Pentium III/1.1GHz or higher.
  3. 2GB Hard disk space.

The downloaded file is in RAR format and can be unpacked using your favorite RAR tool. We used a trial edition of WinRAR 3.61 from RARLabs. Once all the files are unpacked, simply click on the setup executable to start the installation process. Before starting the installation process, it is highly recommended to shut down all applications, firewalls, VNC services, and any service that may be holding on to a port required by NetWeaver.

We struggled with the installer, but running it a couple of times seamed to cure our issue which primarily had to do with the embbed MaxDB database. If you come across any installation issues, use the SDN Web AS Preview Installation Forum - the participants are very helpful and responsive. For a good overview of pre-installation steps, see Oliver Schmidt's Blog entry: Installing and operating the SAP NetWeaver J2EE Preview.

Step 2: Download and Install SOAPSonar

SOAPSonar Enterprise Edition can be downloaded from here. Registration is required since this product is subject to US Export Laws. SOAPSonar can be installed on Windows XP/2K3 platforms. SOAPSonar can easily consume WSDLs generated by NetWeaver and enable SOAP messaging as shown in Figure 1 above.

You can load as many WSDLs in the web services testing tool as you wish and mix-&-match tests across different WSDL operations. All test projects can be saved to your Desktop. SOAPSonar also provides operation chaining so that you can take outputs for an operation and use them as inputs to another operation. Once you develop and deploy the web service as described in Step 3, you will be able to begin SOAP messaging between SOAPSonar and NetWeaver.

Step 3: Develop a simple Web Service using NetWeaver Developer Studio

Developer Studio is installed as a component of the NetWeaver Application Server Java EE 5 Edition install as performed in Step 1 above. Before starting Developer Studio, you can verify that NetWeaver Application server is up and running by going to http://localhost:50000. A Welcome Page will be served if your Application Server is up and running. If the application server is not up, the simplest way to start it up is by using executing Start > Programs > SAP NetWeaver > Application Server JP1 > Start Application Server. You can also use the SAP Management Console for starting and shutting down the Application Server.

We are now ready to start building a simple web services using NetWeaver Developer Studio as follows:

  1. Start Developer studio by going to Start > Programs > SAP NetWeaver > SAP NetWeaver Developer Studio > SAP NetWeaver Developer Studio. Minimize the Welcome Panel.
  2. From the top Menu, select, Windows > Show View > Other. Under the Server Folder, select Servers. This will bring up a Servers panel in the Developer Studio displaying the NetWeaver Server and its Status.
  3. Select File > New > Project > EJB > EJB Project 3.0. This will bring up a New EJB 3.0 Project Panel. Enter HelloWorldEJB for the Project Name. Leave default Workspace location radio button selection. And finally select the Add Project to EAR checkbox and enter HelloWorldEAR as your EAR Project Name. After you click Finish you should see HelloWorldEJB and HelloWorldEAR in the Navigation Panel on the right.
  4. Right click on HelloWorldEJB in the Navigation panel and select New > Other > EJB > EJB Session Bean 3.0. Enter the values on the New EJB Session Bean 3.0 Panel as shown in Figure 2. Note that the HelloWorldBean is Stateless, has no interfaces and is in the com.sap.tutorial.javaee package.

    b

    Figure 2: Creating a New Stateless EJB Session Bean - HelloWorldBean

  1. Right After you hit Finish in Figure 2, you will see the skeleton code in HelloWorldBean.java. You can now type a simple sayHello(String FirstName) method that returns a String as shown in Figure 3 below.

Figure 3: HelloWorldBean Java file with a simple sayHello method.

  1. Now that we have a simple HelloWorldBean ready, NetWeaver can easily convert it into a web services. Right click on the HelloWorldBean.java file highlighted in Figure 2. Select Web Services > Create Web service. The Web Service panel displayed in Figure 3 will appear. Move the left hand slider to change the state to Develop service. Hit Next and ensure that sayHello method is selected for availability at the endpoint. Once you hit Finish, you will see @WebService(...) and @WebMethods(...) annotations injected in the HelloWorldBean.java file. Viola! Your web services are developed and ready for deployment.

Figure 4: NetWeaver DeveloperStudio Panel for Web Services enabling HelloWorldBean.

  1. The last task is to deploy the web service. Go to the Servers panel that shows available NetWeaver Application Servers. Task 2 above shows how we enable the Servers panel view. Right click on the selected server, select Add and Remove Projects and move HelloWorldEAR from Available projects to Configured projects.

At this point, the HelloWorldBean is deployed and available for any Web Services client by consuming the service WSDL available at the following endpoint:

http://hostname:50000/HelloWorldBeanService/HelloWorldBean?wsdl

We will now proceed to comprehensively test this web service by loading it into SOAPSonar.

Step 4: Load and Test Web Service

As shown in Figure 5, the WSDL loaded is loaded into SOAPSonar and the single operation is automatically parsed and displayed in the navigation panel. The user can then select the operation and populate the input field values for arg0 and hit the arrow key in the Request panel to submit the SOAP request. The response from NetWeaver Application Server is presented in the lower panel and appends Hello Mr. to the input value. Also notice that NetWeaver adds tags with a timestamp in the SOAP Header.

Figure 5: SOAPSonar Web Services Testing Platform for testing NetWeaver web services.

With SOAPSonar, one can test a published web service across four areas of testing: Functional Regression, Performance, Interoperability, and Vulnerability Assessment.

Functional Regression Testing ensures that the web service operations function as advertised over time and that if the underlying code has changed in NetWeaver than such changes are identified and addressed. In our simple web services, the operation sayHello() behaved as expected and return a string value. SOAPSonar provides the ability to set base-line tests for sayHello() and schedule regression test to ensure that all desired pass/fail test conditions are met.

Performance Testing ensures that the web service operations perform as expected once latency and scalability characteristics are identified. Since the NetWeaver Application Server is a trial version, we did not expect it to perform under any significant load. After 10 concurrent connections, we started to see transfer errors indicating that the trial version is restricted for non commercial use and limited traffic. Even with 10 concurrent virtual clients, NetWeaver Application Server performed respectably well with greater than 170 Transactions per Second (TPS) with average of 47 ms response time.

Disclaimer: Our intention in sharing this information is not to provide real life production performance benchmarks of NetWeaver Application Server. Our intent is to share methods and techniques available to you in testing target servers using SOAPSonar as a comprehensive web services testing tool. Your performance mileage may vary based on a variety of factors such as network topology, host hardware and optimization effort!

Interoperability Evaluation ensures that the published web service operations interoperate across various platforms. The WSDL endpoint published by NetWeaver Application Server, Java EE 5 Edition is readily consumed by SOAPSonar a .Net-based web services client. SOAPSonar provides additional WS-I Basic Profile 1.1 design-time and run-time test to check for interoperability issues. The design-time interoperability tests passed with flying colors with No Failed Assertions Detected. This means that the WSDL generated by NetWeaver can be readily consumed by any WS-I Basic Profile compliant client regardless of application platform such as .NET, Java or LAMP.

SOAPSonar also provides the ability to execute stringent run-time test by sending auto generate edge case tests. The mutated tests are generated to check whether the endpoint is indeed honoring WS-I Basic Profiles even though the WSDL itself is WS-I compliant. SOAPSonar detected a number of violations where NetWeaver Application Server was accepting non-compliant SOAP requested generated by SOAPSonar.

Vulnerability Assessment ensures that the web service published operations are tested for edge cases and are not vulnerable to information leaks, Denial of Service, or other web services attacks. With such assessments, vulnerabilities introduced by poor application coding practices, such as lack of exception handling are quickly determined and remediation actions can be taken. The simple HelloWorldBean described in this article is poorly coded and lacks exception handling try-catch type constructs. This resulted in a overall Risk Score of 26 with a few Medium Severity issues identified because of stack traces-based information leaks in the response messages.

Conclusions

Developing web services in NetWeaver DeveloperStudio is straight forward and intuitive. The biggest challenge that we faced was overcoming installation hurdles - SDN Forums came to the rescue. The WSDL generated by NetWeaver was interoperable with .NET-based SOAPSonar and we were sending SOAP messages between SOAPSonar and NetWeaver Application Sever seamlessly.

The overall Functional, Performance, Interoperability and Vulnerability profiles for our HelloWorld web service were positive with the not-so-stellar run time interoperability results being the only surprise. We recommend that SAP tighten up its SOAP handling stack in NetWeaver to actively enforce WS-I Basic Profile 1.1 compliance. Also, we expect that edge case or boundary-breaking "Mutant" SOAP messages should be handled elegantly to prevent information probing or inadvertent information leak holes left behind by sloppy developers.

We think SAP NetWeaver Application Server, Java EE 5 Edition is a step in the right direction and provides competitive web services functionality for sophisticated SOA deployments. Give it a try.

No comments:

Archive