
Getting Started with "Software as a Service"


"Software as a Service" (SaaS) is an increasingly popular model for providing software functionality, as it is economical in terms of both cost and customer hardware resources. The NetBeans team created a Web Services Manager in NetBeans IDE 6.1 in order to support SaaS applications, making it easy for Java developers to access many of the popular SaaS services on the web.

Author's Note: This article is based on work done by Peter Liu of Sun Microsystems.


What is SaaS?

"Software as a Service" refers to a software application delivery model where a software vendor develops a web-native software application and hosts and operates the application for use by its customers over the Internet. Customers do not pay for owning the software itself but rather for using it. They use it through an API accessible over the Web, usually via SOAP or RESTful web services.

What is the NetBeans Web Services Manager?

The NetBeans Web Services Manager is a vastly expanded set of functionality added to the familiar Web Services node in the IDE's Services tab. It supersedes the Palette for RESTful web services, but that is only a subset of the Web Services Manager's functionality. You can drag-and-drop operations into code, view APIs, and view WADL files. The Web Services Manager contains a large number of third-party SaaS services, including Amazon, Delicious, Flickr, Google, and Yahoo.

Web Service Manager Functionality

The Web Services Manager provides the following functionality:

  • Can display both WSDL-based services (StrikeIron, GoogleAdSense) and WADL-based RESTful services (Amazon S3, Flickr, etc).

  • Lets you drag-and-drop (DnD) operations from services into code. The IDE generates all the plumbing code for accessing the service when you drop in the operation.

  • Provides a link to the service's API documentation. Select View API Document in the service node's context menu and the API opens in a browser window.

  • Opens the service's WADL, when one exists. Click View WADL in the service node's context menu and the WADL opens in the IDE's editor. WADL is a simple alternative to WSDL for use with XML/HTTP Web applications. See the java.net WADL project for more information.

  • Supports POJO, servlet, JSP, and RESTful resource code generation. PHP, Ruby, JavaScript and other languages will be supported in the future.

  • Automatically creates URLs for user-created items. For the Amazon S3 Bucket Service, the URL for getBucket is {bucket}, where {bucket} is the name that the user gives the bucket. For example, if the user names the bucket myphotobucket, the generated getBucket URL is Similarly, the URL for getObject is {bucket}{object}, where {object} is the name the user specifies in the code for the object, and is concatenated with the URL for getBucket. To continue with the previous example, if that user names an object mypicture.jpg, the URL for the relevant getObject is

  • Supports the following security mechanisms:

    • API Key

    • HTTP Basic

    • Header Signing

    • User Login

Authentication Mechanisms

API Key (Google, Zillow, Yahoo, etc)
The API key is passed as a query parameter on every API call. The purpose of this scheme is to track and rate-limit usage of the API, not to secure the communication: the key is not a secret in any strong sense, since a query-string parameter is visible in server logs, proxy logs, browser history and Referer headers. This is suitable for services whose data is public to everyone.

From the developer's perspective, this is the simplest scheme to support, since all you need to do is append the key as a query parameter.

HTTP Basic Authentication (Delicious, Twitter)
This scheme allows a web browser or a client program to provide credentials in the form of a user name and password, sent in an Authorization header as the base64 encoding of "username:password". The advantage of this scheme is that it is supported by all browsers and HTTP libraries. The disadvantage is that the password is effectively transmitted in plain text: base64 is an encoding, not encryption, so anyone who can observe the request can recover the credentials. It should only be used over HTTPS.

From the developer's perspective, this is also a very simple scheme to implement. Your application can either prompt the user for the password or use a fixed application account's password for application-based security.
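To make the "plain text" point concrete, here is an added example (not from the article and not the IDE's generated code) that builds a Basic header the way a client does, decodes it the way anyone watching an unencrypted connection can, and checks it on the server side with a constant-time comparison. The user names and passwords are made up for the demonstration.

```python
import base64
import binascii
import hmac


def basic_auth_header(username, password):
    """Build the header value a client sends: 'Basic ' + base64("user:pass")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def eavesdrop(authorization_header):
    """What anyone who can read the request (no TLS) learns from the header.

    base64 is an encoding, not encryption, so the credentials come straight
    back out. Returns (user, password) or None if the header is not Basic.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain a colon, but the password may,
    # so split on the first colon only.
    user, _, password = decoded.partition(":")
    return user, password


def check_basic(authorization_header, credential_store):
    """Server-side check. Returns the user name on success, None on failure.

    credential_store maps user -> password; a real service would store a
    password hash and verify against that instead (constructed data here).
    Comparison is constant-time so timing does not leak how much matched.
    """
    parsed = eavesdrop(authorization_header)
    if parsed is None:
        return None
    user, password = parsed
    expected = credential_store.get(user)
    if expected is None:
        return None
    if hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return user
    return None


if __name__ == "__main__":
    # Constructed credentials for the demo.
    header = basic_auth_header("alice", "s3cret")
    print(header)                     # what goes on the wire
    print(eavesdrop(header))          # what a passive observer recovers
    print(check_basic(header, {"alice": "s3cret"}))
```

Note that the same header an observer decodes is all the server needs to verify the request, which is why Basic credentials captured once are replayable until the password changes.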

Header Signing (Amazon S3)
This scheme uses a pair of credentials: a public access key ID, which identifies the caller, and a secret key, which is never sent on the wire. Here is how it works:

First, the client builds a "string to sign" from the parts of the request that matter: the HTTP method, the Content-MD5 and Content-Type headers, the Date header, any x-amz-* headers, and the resource path. It then computes an HMAC-SHA1 of that string using the secret key, base64-encodes the resulting digest, and sends the access key ID and the signature together in the request's Authorization header (Authorization: AWS AccessKeyId:Signature). The server looks up the secret for that access key ID, recomputes the signature over the same fields and compares. Because the method and resource are signed, a captured header cannot be reused for a different object or operation, and because the Date is signed, the server can reject requests whose timestamp is stale.
This scheme is mainly used for application-to-application security: it authenticates the application that holds the secret key. The application is still responsible for authenticating its own users using other schemes.

From the developer's perspective, this scheme is the most involved to implement. You need to write specialized code that canonicalizes the request and computes the signature exactly as the service expects; a single byte of difference yields an invalid signature.
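The signing step described above, as an added example that is not part of the original article or of the NetBeans-generated code. It implements the legacy S3 REST signing scheme (now called Signature Version 2, since superseded by Signature Version 4) in Python, with both the client's signing and the server's verification, and shows why a captured Authorization header cannot be replayed against another object or with another verb. The access key ID, secret key, bucket and object names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed credentials for this example only (not real AWS keys).
ACCESS_KEY_ID = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = b"exampleSecretKeyDoNotUseInProduction"


def string_to_sign(method, resource, date, content_md5="", content_type="", amz_headers=None):
    """Canonical string for the legacy S3 scheme (Signature Version 2).

    Layout: verb, Content-MD5, Content-Type, Date, canonicalized x-amz-*
    headers (lower-cased, sorted, "name:value\\n"), then the resource path.
    The access key id is deliberately NOT part of this string.
    """
    amz = ""
    for name in sorted((amz_headers or {}).keys(), key=str.lower):
        amz += f"{name.lower()}:{amz_headers[name].strip()}\n"
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{amz}{resource}"


def sign(secret_key, to_sign):
    """HMAC-SHA1 over the canonical string, then base64 of the raw digest."""
    mac = hmac.new(secret_key, to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_headers(method, resource, date=None, **kw):
    """Headers a client sends: Date plus 'Authorization: AWS <id>:<signature>'."""
    date = date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000")
    sig = sign(SECRET_KEY, string_to_sign(method, resource, date, **kw))
    return {"Date": date, "Authorization": f"AWS {ACCESS_KEY_ID}:{sig}"}


def verify(method, resource, headers, secret_lookup, **kw):
    """Server-side check: recompute the signature with the secret that belongs
    to the presented access key id and compare in constant time. Any change to
    the verb, resource, date or signed headers makes the comparison fail."""
    try:
        scheme, rest = headers["Authorization"].split(" ", 1)
        key_id, presented = rest.split(":", 1)
        date = headers["Date"]
    except (KeyError, ValueError):
        return False
    if scheme != "AWS":
        return False
    secret = secret_lookup(key_id)
    if secret is None:
        return False
    expected = sign(secret, string_to_sign(method, resource, date, **kw))
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


def demo():
    """Sign one GET, then try to reuse its header for other requests."""
    # Constructed request: fetch one object from a bucket, with a fixed date.
    date = "Tue, 27 Mar 2007 19:36:42 +0000"
    headers = build_headers("GET", "/myphotobucket/mypicture.jpg", date=date)
    lookup = lambda kid: SECRET_KEY if kid == ACCESS_KEY_ID else None
    ok = verify("GET", "/myphotobucket/mypicture.jpg", headers, lookup)
    # Replaying the same Authorization header against a different object fails.
    forged = verify("GET", "/myphotobucket/private.jpg", headers, lookup)
    # So does changing the verb, e.g. turning the signed GET into a DELETE.
    escalated = verify("DELETE", "/myphotobucket/mypicture.jpg", headers, lookup)
    return ok, forged, escalated


if __name__ == "__main__":
    print(build_headers("GET", "/myphotobucket/mypicture.jpg"))
    print(demo())
```

The secret never leaves the client; what the server needs is only the access key ID (to find the secret on its side) and the signature. The IDE's generated code does this canonicalization for you, which is exactly the "specialized code" the article refers to.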

User Login (Facebook, Flickr)
This scheme requires the application to redirect the user to a login page on the Facebook or Flickr website, so the user's password is entered at the service and never passes through the application. This is how the scheme works for Facebook:
First, the application developer needs to register the application with Facebook to get an API key and a secret key. Every method call to Facebook needs to be signed using the secret key.

During the login process, the application first calls Facebook to request a token using the API key. Next, the user is redirected to a login URL constructed from the API key and the token. This URL takes the user to a login page on Facebook. After the user logs into Facebook and authorizes the application to call Facebook on his or her behalf, Facebook sends a session key and a session secret key back to the application. From then on, all API calls must pass the session key and be signed using the session secret key.

This scheme is the strongest of the four: the application never sees the user's password, and the user can grant and revoke the application's access independently of it. The disadvantage is that it is very complicated to implement and, because a user must interact with the login page, it is not suitable for machine-to-machine communication.
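An added simulation of that exchange, not code from the article, from Facebook or from Flickr: the provider and the application are both stand-ins running in one process, and the signing rule (HMAC-SHA256 over the sorted request parameters) is an assumption chosen for the demonstration, not either service's real algorithm. It walks through the token request, the login URL the user is sent to, the session key and session secret handed back after approval, and shows why a call signed with the wrong secret or made after revocation is rejected.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def sign(secret, params):
    """Demo signing rule (an assumption for this example): HMAC-SHA256 over the
    parameters joined as 'k=v' in sorted key order."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret.encode("utf-8"), canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class Provider:
    """Toy stand-in for the service (Facebook/Flickr side), holding registered
    apps, outstanding login tokens and the sessions users have granted."""

    def __init__(self):
        self.apps = {}       # api_key -> app secret
        self.tokens = {}     # login token -> api_key that requested it
        self.sessions = {}   # session_key -> (api_key, user, session_secret)

    def register_app(self):
        api_key, app_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.apps[api_key] = app_secret
        return api_key, app_secret

    def create_token(self, api_key, sig):
        # Step 1: the app asks for a login token; the call is signed with the app secret.
        if not self._valid(self.apps.get(api_key), {"api_key": api_key, "method": "createToken"}, sig):
            raise PermissionError("bad application signature")
        token = secrets.token_hex(8)
        self.tokens[token] = api_key
        return token

    def login_url(self, api_key, token):
        # Step 2: the app sends the user's browser to this URL (hostname is made up).
        return "https://provider.example/login?" + urlencode({"api_key": api_key, "auth_token": token})

    def user_approves(self, token, user):
        # Step 3: the user logs in at the provider and authorizes the app.
        api_key = self.tokens.pop(token)            # login tokens are single use
        session_key, session_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[session_key] = (api_key, user, session_secret)
        return session_key, session_secret           # handed back to the application

    def api_call(self, params, sig):
        # Step 4: every later call carries session_key and is signed with the session secret.
        sess = self.sessions.get(params.get("session_key"))
        if sess is None or not self._valid(sess[2], params, sig):
            raise PermissionError("invalid or revoked session")
        return f"{params['method']} ok for {sess[1]}"

    def revoke(self, session_key):
        # The user withdraws the grant; the application's session secret becomes useless.
        self.sessions.pop(session_key, None)

    @staticmethod
    def _valid(secret, params, sig):
        return secret is not None and hmac.compare_digest(sign(secret, params), sig)


def run_flow(provider, user="alice"):
    """Application side of the exchange, from registration to revocation."""
    api_key, app_secret = provider.register_app()
    token = provider.create_token(api_key, sign(app_secret, {"api_key": api_key, "method": "createToken"}))
    url = provider.login_url(api_key, token)
    # The user follows `url`, logs in at the provider and approves the application.
    session_key, session_secret = provider.user_approves(token, user)
    params = {"api_key": api_key, "session_key": session_key, "method": "photos.upload"}
    result = provider.api_call(params, sign(session_secret, params))
    # Signing with the app secret instead of the session secret must fail ...
    try:
        provider.api_call(params, sign(app_secret, params))
        wrong_secret_rejected = False
    except PermissionError:
        wrong_secret_rejected = True
    # ... and once the user revokes access the session stops working.
    provider.revoke(session_key)
    try:
        provider.api_call(params, sign(session_secret, params))
        revoked_rejected = False
    except PermissionError:
        revoked_rejected = True
    return result, url.startswith("https://provider.example/login?"), wrong_secret_rejected, revoked_rejected


if __name__ == "__main__":
    print(run_flow(Provider()))
```

The two secrets have different scopes: the application secret proves which application is calling, while the session secret proves that a particular user granted that application access, which is what lets the user revoke one application without affecting others.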


Published at DZone with permission of its author, Jeff Rubinoff.
