Friday, April 30, 2010

WebService|Using implicit SOAP headers with JAX-WS web services

Using implicit SOAP headers with JAX-WS web services

StrikeIron offers two authentication methods for its for-pay web services, a "SOAP Header" authentication method and a "Non-SOAP Header" one (you can see examples of both in the WSDL section of their U.S. Census Information web service). The non-SOAP header validation method works normally with JAX-WS WSDL-to-Java tools (such as Metro's wsimport and CXF's wsdl2java) because the username and password information is provided as SOAP body request elements and hence parameters will be provided for them in the JAX-WS generated SEI's methods.

However, the SOAP header authentication method relies on implicit SOAP headers. These refer to SOAP headers for requests and responses that are defined in the WSDL binding section instead of the portType section. This is frequently done when the nature of the SOAP header information is metadata only indirectly related to the request and response; in such cases it would be desirable to keep this information separate from the business data referenced in the portType operation. However, implicit headers create a slight problem OOTB with JAX-WS tools, because per the JSR-224 specification WSDL-to-Java code generators only take parameters declared within the portType section into account when generating the SEI method signatures. As a result, necessary SOAP header parameters for making the SOAP request would not be available.

To illustrate this, let's choose one of the Census Information service's operations, say GetAllProfiles_ForZip. Its portType operation refers to two wsdl:messages, one each for request and response:

<wsdl:operation name="GetAllProfiles_ForZip">
<documentation xmlns="http://schemas.xmlsoap.org/wsdl/">
Returns all census information by zip</documentation>
<wsdl:input message="si:GetAllProfiles_ForZipSoapIn" />

<wsdl:output message="si:GetAllProfiles_ForZipSoapOut" />
</wsdl:operation>

<wsdl:message name="GetAllProfiles_ForZipSoapIn">
<wsdl:part name="parameters" element="si:GetAllProfiles_ForZip" />
</wsdl:message>
<wsdl:message name="GetAllProfiles_ForZipSoapOut">
<wsdl:part name="parameters" element="si:GetAllProfiles_ForZipResponse" />
</wsdl:message>

The elements in the request and response messages contain just the business data elements directly related to the operation. It is only within the binding section where the metadata SOAP header elements are defined:

<wsdl:operation name="GetAllProfiles_ForZip">
<soap:operation soapAction="http://www.strikeiron.com/GetAllProfiles_ForZip"
style="document"/>
<wsdl:input>
<soap:body use="literal"/>
...validation checks omitted...
<soap:header message="si:LicenseInfoMessage" part="LicenseInfo"
use="literal"/>

</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
<soap:header message="si:GetAllProfiles_ForZipResponseInfo"
part="ResponseInfo" use="literal"/>
<soap:header message="si:SubscriptionInfoMessage" part="SubscriptionInfo" use="literal"/>

</wsdl:output>
</wsdl:operation>

Since these binding-defined SOAP header declarations are bypassed during wsimport/wsdl2java code generation, the SEI's generated do not supply parameters to allow the SOAP client to provide the authentication information on requests or receive other metadata information on the response:

public com.strikeiron.CensusProfile getAllProfilesForZip(
@WebParam(name = "zip", targetNamespace = "http://www.strikeiron.com")
java.lang.String zip
);

Possible solutions to this issue:

  • Use special wsimport/wsdl2java option settings to bring in implicit headers. Both CXF's wsdl2java and Metro's wsimport tools offer special flags for bringing in implicit SOAP headers when generating the Java artifacts. This is the easiest and probably most reliable solution.

    For Metro's wsimport, use -XadditionalHeaders at the command line or xadditionalHeaders="true" for the ant task or xAdditionalHeaders for Metro's jaxws-maven-plugin.

    For CXF's wsdl2java (command-line or Ant), use the -exsh true setting shown on the wsdl2java Wiki page or extendedSoapHeaders for the Maven cxf-codegen-plugin.

    Using this extension changes the operation signature to the following:

    public com.strikeiron.CensusProfile getAllProfilesForZip(
    @WebParam(name = "zip", targetNamespace = "http://www.strikeiron.com")
    java.lang.String zip,
    @WebParam(name = "LicenseInfo", targetNamespace = "http://ws.strikeiron.com", header = true)
    com.strikeiron.ws.LicenseInfo licenseInfo,
    @WebParam(mode = WebParam.Mode.OUT, name = "ResponseInfo", targetNamespace =
    "http://www.strikeiron.com", header = true)
    javax.xml.ws.Holder responseInfo,
    @WebParam(mode = WebParam.Mode.OUT, name = "SubscriptionInfo", targetNamespace =
    "http://ws.strikeiron.com", header = true)
    javax.xml.ws.Holder subscriptionInfo

    );
  • Modify the WSDL prior to calling the WSDL-to-Java tool, or subsequently alter the generated classes to make the SOAP Headers explicit. This forum topic has an example of the former and blog entry of the latter. This seems tricky and cumbersome to do, however, and unless the flag options above are not working properly for a certain WSDL I wouldn't see any benefit of this over the first option.

  • Create a JAX-WS Handler and use SAAJ to add the SOAP Headers. SAAJ is a DOM-like API used for creation and manipulation of SOAP messages. As shown in Ivasena's blog entry, a class implementing the SOAPHandler interface can be used to modify the outgoing SOAP request by adding the SOAP header information. This can be a nicely viable option if you do not wish to encumber each SEI method call with authentication information, and by placing this logic in a handler it can be shared across multiple web service calls that need the same headers added. See my JAX-WS handler tutorial for more information, and also the RPC/encoded article for examples of working with SAAJ. CXF provides interceptors as an additional option for adding SOAP headers.

  • (Metro only) Use the WSBindingProvider class to add the SOAP headers. As shown in the JAX-WS user's guide, Metro provides a WSBindingProvider that is implemented by proxy or dispatch objects. Methods on this interface allow for convenient adding of SOAP headers.

Wednesday, April 28, 2010

Web Service|Tip: Implement implicit and explicit SOAP headers

Tip: Implement implicit and explicit SOAP headers

Tip: Implement implicit and explicit SOAP headers

Learn the differences and how to create your own SOAP headers

Andre Tost, Senior Technical Staff Member, IBM 
Andre Tost works as a Senior Technical Staff Member in the Software Group's Enterprise Integration Solutions organization, where he helps IBM's customers establishing Service-Oriented Architectures. His special focus is on Web services technology. Before his current assignment, he spent ten years in various partner enablement, development and architecture roles in IBM software development, most recently for the WebSphere Business Development group. Originally from Germany, he now lives and works in Rochester, Minnesota. In his spare time, he likes to spend time with his family and play and watch soccer whenever possible.

Summary:  You can define SOAP headers in a WSDL definition using what are commonly called explicit and implicit headers. Learn the difference between these two styles and how these differences might impact you when developing with JAX-RPC.

Date:  15 Feb 2005
Level:  Advanced
Also available in:   Japanese

Activity:  13195 views
Comments:   1 (View or add comments)

1 star2 stars3 stars4 stars5 stars Average rating (based on 28 votes)

The SOAP specification describes that a SOAP envelope can contain an optional header part. This header is meant to carry data that is not part of the payload of the actual message. The WSDL specification defines how to declare SOAP header data as part of a Web services definition. There are two ways to define SOAP headers in a WSDL definition: explicit and implicit headers.

SOAP header styles

One typical use for SOAP headers is to transfer contextual data. For example, if a message includes a digital signature, this signature will most likely be transferred in the SOAP header. Another example is for Web services that support some form of session with a client. Once such a session is established, they require that a specific identifier be sent along with every request. The WS-AtomicTransaction specification (see Resources) also describes a very similar mechanism for running a coordinated sequence of interactions among several Web services.

The WSDL specification provides you with two different ways of specifying the use of SOAP header fields. In explicit headers, you add all of the header information to the portType of the service. It becomes exposed to the client as additional parameters. The advantage of this style is that the client can pass all of the information directly to the service. The downside of this style is that it often clutters the external interface of a service with information that is not related to its business purpose at all.

This is exactly where using implicit headers can help: header information is not part of the portType, and thus does not impact the functional interface of the service. On the other hand, implicit headers are harder to deal with programmatically.

Before diving into more detail on the programming side of things, let's look at how these different styles are defined.


Back to top

SOAP header binding types in WSDL

The easiest way to describe the different styles of SOAP headers is to begin with an example. The following WSDL extract in Listing 1 is taken from a previous article that explained the use of SOAP headers:


Listing 1. SOAP header bindings in WSDL
 <wsdl:definitions targetNamespace="http://soapheader.ibm.com" ...>  <wsdl:types ...>   <schema elementFormDefault="qualified" ...> 	...       <element name="quote_timestamp" type="xsd:dateTime" />   </schema>  </wsdl:types> <wsdl:binding name="StockServiceSoapBinding" type="intf:StockService">       <wsdlsoap:binding style="document" transport=       "http://schemas.xmlsoap.org/soap/http"/>       <wsdl:operation name="getLastSellPrice">          <wsdlsoap:operation soapAction=""/>          <wsdl:input name="getLastSellPriceRequest">             <wsdlsoap:header message="intf:getLastSellPriceRequest" part=             "request_header" use="literal"/>             <wsdlsoap:body parts="parameters" use="literal"/>          </wsdl:input>          <wsdl:output name="getLastSellPriceResponse">             <wsdlsoap:body use="literal"/>          </wsdl:output>       </wsdl:operation>    </wsdl:binding> ... </wsdl:definitions>

You can see that at a particular place within the binding section of the WSDL file an element called <wsdlsoap:header> is used. It is contained in the <wsdl:input> element, which tells you that there is a SOAP header section as part of the request message for an operation. The content of the <wsdlsoap:header> element identifies the message part that is to be transferred in the header.

That's pretty straightforward, but is this an explicit or implicit header? Well, from the extract above, you can't exactly tell. It could be either way. And this is why: the header binding defines that the part named request_header of the message intf:getLastSellPriceRequest goes into the header part of the SOAP envelope. The header style depends on whether this message part is used in the portType of the Web service or not. Let's look at both cases in detail.


Back to top

Explicit headers

You can call a header definition explicit if it is part of the service <portType>. In other words, the message part named request_header must be used somewhere in the portType, as shown in Listing 2:


Listing 2. Explicit SOAP header in WSDL
 <wsdl:message name="getLastSellPriceRequest">       <wsdl:part element="intf:getLastSellPrice" name="parameters"/>       <wsdl:part name="request_header" element="intf:quote_timestamp"/>    </wsdl:message>     <wsdl:message name="getLastSellPriceResponse">       <wsdl:part element="intf:getLastSellPriceResponse" name="parameters"/>    </wsdl:message>     <wsdl:portType name="StockService">       <wsdl:operation name="getLastSellPrice">          <wsdl:input message="intf:getLastSellPriceRequest" name=          "getLastSellPriceRequest"/>          <wsdl:output message="intf:getLastSellPriceResponse" name=          "getLastSellPriceResponse"/>       </wsdl:operation>    </wsdl:portType> 

Note that the message named getLastSellPriceRequest has two parts in it. One part is going into the body part of the SOAP request message, the other one into the header. Listing 3 shows the relevant part of the WSDL file that shows the two parts:


Listing 3. Explicit SOAP header in WSDL - SOAP bindings
 <wsdl:input name="getLastSellPriceRequest">       <wsdlsoap:header message="intf:getLastSellPriceRequest" part=       "request_header" use="literal"/>       <wsdlsoap:body parts="parameters" use="literal"/> </wsdl:input> 

The <portType> element defines the external interface of a Web service. It defines which data is sent as part of a request message. If some of the request data is transferred in the SOAP header part of the request message, you can call this an explicit header. The same holds true for the case where part (or all) of the response message is defined as a header element, respectively.


Back to top

Implicit headers

This case will be simple, right? If the message part that is transferred in the header does not show up anywhere in the <portType> element, you have an implicit header. Listing 4 shows what this might look like:


Listing 4. Implicit SOAP header in WSDL
 <wsdl:message name="getLastSellPriceRequest">       <wsdl:part element="intf:getLastSellPrice" name="parameters"/>    </wsdl:message>        <wsdl:message name="getLastSellPriceResponse">       <wsdl:part element="intf:getLastSellPriceResponse" name="parameters"/>    </wsdl:message>     <wsdl:message name="getLastSellPriceRequestHeader">       <wsdl:part name="request_header" element="intf:quote_timestamp"/>    </wsdl:message>     <wsdl:portType name="StockService">       <wsdl:operation name="getLastSellPrice">          <wsdl:input message="intf:getLastSellPriceRequest" name=          "getLastSellPriceRequest"/>          <wsdl:output message="intf:getLastSellPriceResponse" name=          "getLastSellPriceResponse"/>       </wsdl:operation>    </wsdl:portType> 

The listing shows three messages defined, and only two of them are used in the <portType>. The third one, called getLastSellPriceRequestHeader, is not used at all. Now assume that the SOAP binding looks what Listing 5 shows:


Listing 5. Implicit SOAP header in WSDL - SOAP Bindings
 <wsdl:input name="getLastSellPriceRequest">       <wsdlsoap:header message="intf:getLastSellPriceRequestHeader" part=       "request_header" use="literal"/>       <wsdlsoap:body parts="parameters" use="literal"/> </wsdl:input> 

There might be cases where a SOAP header is sent as part of a message, even though the header is not declared in the WSDL definition at all. You could consider this another form of an implicit header. Generally, however, it is considered a bad style to add parts to a SOAP message that are not contained in its WSDL definition, so I won't cover this case in this paper.

Again, the <wsdlsoap:header> element refers to a message part that is not used in the <portType>. Hence, you have an implicit header.


Back to top

SOAP message represention

Note that the wire format of each type of SOAP header is the same: information is carried in the SOAP header part of the message. In other words, you can't tell when looking at a SOAP message whether it was defined as an implicit or explicit header in the associated WSDL definition. Listing 6 shows the SOAP message for a sample Web service:


Listing 6. SOAP message with header
 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" ...> 	<soapenv:Header> 	     <p677:quote_timestamp xmlns:p677= 	     "http://soapheader.ibm.com">2005-01-03T06:00:00.000Z</p677:quote_timestamp> 	</soapenv:Header> 	<soapenv:Body> 		<p677:getLastSellPrice xmlns:p677="http://soapheader.ibm.com"> 			<p677:ticker>IBM</p677:ticker> 		</p677:getLastSellPrice> 	</soapenv:Body> </soapenv:Envelope> 


Back to top

JAX-RPC mapping of explicit and implicit headers

Now that you have a definition of both styles of headers, what does this mean if you're developing Web services with JAX-RPC? The JAX-RPC specification talks about something called implicit and explicit service context. Even though a service context might or might not be mapped into SOAP header definitions, you can safely assume here that they mean the same thing. The specification then describes how explicit service contexts are mapped into the remote interface of a service, whereas implicit contexts are typically not.

Practically speaking, this means that explicit headers (or service contexts) are relatively easy to handle because they are mapped to the Service Endpoint Interface (SEI) of the Web service. The message part that is transferred in the SOAP header becomes an additional parameter of the SEI. For example, the SEI for the WSDL with the explicit definition above looks like what Listing 7 shows:


Listing 7. Service Endpoint Interface for explicit header type
 public interface StockServiceExplicit_PortType extends java.rmi.Remote {     public com.ibm.soapheader.GetLastSellPriceResponse        getLastSellPrice(com.ibm.soapheader.GetLastSellPrice parameters,            java.util.Calendar request_header)                throws java.rmi.RemoteException; } 

At run-time, the value passed in as the request_header parameter is put into the SOAP header of the request message.

You can probably guess by now what the interface will look like in the implicit header case. There is no reference to the header message part at all! The tooling simply ignores it and generates the SEI shown in Listing 8:


Listing 8. Service Endpoint Interface for implicit header type
 public interface StockServiceImplicit_PortType extends java.rmi.Remote {  public float getLastSellPrice(java.lang.String ticker) throws java.rmi.RemoteException; } 

While I won't go further into this in this paper, it's interesting to note that, in this case, the input and output parameters are not wrapped into a new class as before.

Implicit header handling in Java programming

So how do you deal with a Web service that defines an implicit header in JAX-RPC? The specification does not help you there, because only those elements that are included in the portType are generated into the Service Endpoint Interface.

Beyond that, different JAX-RPC vendors might offer different levels of support. One way of dealing with implicit headers is to use JAX-RPC handlers to manage the content of the header. Handlers have full access to the SOAP message on both the client and server side, including the header. But how can you pass the right content from the client application into the handler? You can use the _setProperty() on the javax.xml.rpc.Stub interface to pass information to the client proxy object. From there, the handler can retrieve it using the javax.xml.rpc.handler.SOAPMessageContext.getProperty() method. The sample that comes with this paper shows you this mechanism (click the code icon at the top or bottom of this paper to download the EAR file).

On the server side, you can also use a JAX-RPC handler to deal with implicit headers. Moreover, you can pass SOAP header information into a service implementation through the javax.xml.rpc.server.ServiceLifecycle interface. I explained how to use this interface in a previous tip in this series. And again, refer to the sample code for a complete example.


Back to top

Summary

There are two different ways to define the use of SOAP header fields in a Web service, namely implicit and explicit headers. The difference between the two is easily detectable in the WSDL definition. While it might seem to be a minor design detail, it has a significant impact on the generated JAX-RPC Java code. Especially in the case of implicit headers, extra code must be written (or generated) to deal with the header information that is not part of the portType.

Tuesday, April 27, 2010

Security|How SSL Server Certificates Work

How SSL Server Certificates Work

SSL certificates take advantage of SSL to work seamlessly between Web sites and visitors' Web browsers. The SSL protocol uses a combination of asymmetric public key encryption and faster symmetric encryption.

The Netscape Navigator and Microsoft Internet Explorer browsers have built-in security mechanisms to prevent users from unwittingly submitting their personal information over insecure channels. If a user tries to submit information to an unsecured site (a site without an SSL server certificate), the browsers will, by default, show a warning.

In contrast, if a user submits credit card or other information to a site with a valid server certificate and an SSL connection, the warning does not appear. The secure connection is seamless, but visitors can be sure that transactions with a site are secured by looking for the following cues:

  • The URL in the browser window displays "https" at the beginning, instead of http.

  • In Netscape Communicator, the padlock in the lower-left corner of the Navigator window will be closed instead of open.

  • In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE window

SSL Strengths: 40-Bit and 128-Bit SSL

SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the session key generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. 128-bit SSL encryption is the world's strongest; according to RSA Labs, it would take a trillion years to crack using today's technology. 128-bit encryption is approximately 3 X 1026 stronger than 40-bit encryption.

Microsoft and Netscape offer two versions of their Web browsers, export and domestic, that enable different levels of encryption depending on the type of SSL server certificate with which the browser is communicating. First, 40-bit SSL server certificates (such as VeriSign's SSL Certificates) enable 40-bit SSL when communicating with export-version Netscape and Microsoft Internet Explorer (IE) browsers (used by most people in the U.S. and worldwide) and 128-bit SSL encryption when communicating with domestic-version Microsoft and Netscape browsers. Second, 128-bit SSL server certificates (such as VeriSign's Global Server IDs) enable 128-bit SSL encryption (the world's strongest) with both domestic and export versions of Microsoft and Netscape browsers.

INFO: SSL Server Certificates Steps

The process begins by establishing an SSL "handshake"—allowing the server to authenticate itself to the browser user, and then permitting the server and browser to cooperate in the creation of the symmetric keys used for encryption, decryption, and tamper detection:

  1. A customer contacts a site and accesses a secured URL—a page secured by an SSL certificate (indicated by a URL that begins with "https:" instead of just "http:" or by a message from the browser). This might typically be an online order form collecting private information from the customer, such as address, phone number, and credit card number or other payment information.

  2. The customer's browser automatically sends the server the browser's SSL version number, cipher settings, randomly generated data, and other information the server needs to communicate with the client using SSL.

  3. The server responds, automatically sending the customer's browser the site's digital certificate, along with the server's SSL version number, cipher settings, and so on.

  4. The customer's browser examines the information contained in the server's certificate, and verifies that:

    1. The server certificate is valid and has a valid date.

    2. The CA that issued the server has been signed by a trusted CA whose certificate is built into the browser.

    3. The issuing CA's public key, built into the browser, validates the issuer's digital signature.

    4. The domain name specified by the server certificate matches the server's actual domain name.

    If the server cannot be authenticated, the user is warned that an encrypted, authenticated connection cannot be established.

  5. If the server can be successfully authenticated, the customer's Web browser generates a unique "session key" to encrypt all communications with the site using asymmetric encryption.

  6. The user's browser encrypts the session key itself with the site's public key so that only the site can read the session key, and sends it to the server.

  7. The server decrypts the session key using its own private key.

  8. The browser sends a message to the server informing it that future messages from the client will be encrypted with the session key.

  9. The server then sends a message to the client informing it that future messages from the server will be encrypted with the session key.

  10. An SSL-secured session is now established. SSL then uses symmetric encryption (which is much faster than asymmetric PKI encryption) to encrypt and decrypt messages within the SSL-secured "pipeline."

  11. After the session is complete, the session key is eliminated.

It all takes only seconds and requires no action by the user

In order to fully enable 128-bit encryption with a Global Server ID, it's important to generate the right kind of private key during the process of obtaining an SSL certificate. An important step in the process is generating a Certificate Signing Request (CSR) within the Web server software. In generating a CSR, Web server administrators should be careful to select a 1024-bit private key, which enables the Global Server ID to establish 128-bit SSL encryption, rather than a 512-bit private key, which enables only 40-bit encryption.

Netscape users can follow these steps to see what level of encryption is protecting their transactions:

  • Go to the secure Web page you want to check.

  • Click the Security button in Navigator's toolbar. The Security Info dialog box indicates whether the Web site uses encryption.

  • If it does, click the Open Page Info button to display more information about the site's security features, including the type of encryption used.

You can also check to see which level of SSL is activated on your Web server by following these steps:

  • Using a 128-bit client, such as the domestic version of Netscape Navigator, click Options/Security Preferences.

  • Under the Enable SSL options, click Configure for both SSL 2 and SSL 3. Make sure acceptance for the 40- and 56-bit encryption ciphers are turned off.

  • Try to access the site. If it using less than 128 bit security, then you will receive an error in your browser window: "Netscape and this server cannot communicate securely because they have no common encryption methods"

IE users can find out a Web site's encryption level by following these steps:

  • Go to the Web site you want to check.

  • Right-click on the Web site's page and select Properties.

  • Click the Certificates button.

  • In the Fields box, select Encryption type. The Details box shows you the level of encryption, 40-bit or 128-bit. (See the following section for more information about SSL encryption levels.)

E-businesses may choose to simplify the process of certificate checking for site visitors by describing the security measures they have implemented in a Security and Privacy statement on their sites. For example, sites that use VeriSign SSL Certificates can also post the Secure Site Seal on their home page, security statement page, and purchase pages. The Seal is a widely recognized symbol of trust that enables site visitors to check certificates in real time from VeriSign with one click.

SGC and 128-Bit Step-Up

To ensure that strong, 128-bit encryption protects e-commerce transactions for all users, businesses should install 128-bit IDs, such as VeriSign's Global Server IDs, on their servers. However, the export browsers that permit only 40-bit encryption with 40-bit SSL server certificates will allow strong, 128-bit encryption when interacting with 128-bit server certificates because these certificates are equipped with a special extension that enables Server Gated Cryptography (SGC) for Microsoft browsers and "International Step-Up" for Netscape browsers.

The extension enables 128-bit encryption with export-version browsers by prompting two "handshakes" when a user's browser accesses a page protected by a Global Server ID. When an export-version Netscape or Microsoft browser connects to the Web server, the browser initiates a connection with only a 40-bit cipher. When the server certificate is transferred, the browser verifies the certificate against its built-in list of approved CAs. Here, it recognizes that the server certificate includes the SGC or International Step-Up extension, and then immediately renegotiates the SSL parameters for the connection to initiate an SSL session with a 128-bit cipher. In subsequent connections, the browser immediately uses the 128-bit cipher for full-strength encryption.

Wednesday, April 7, 2010

WebService|Soap Fight: RPC vs Document


Soap Fight: RPC vs. Document

By Charles Skinner

Bixby Consulting Inc.

http://www.eherenow.com

 

The line has been drawn and both camps are playing for keeps.  This is sure to be a good fight with one winner becoming the VHS of our time and other suffering the fate of BETAMAX.  Who it will be?  Let's have a little ring side analysis.

 

Most people are lead to believe that there are only two implementations, Document or RPC.  As in everything, there are more choices that need to be made.  In reality, the choices are between what combo of Style and Use to implement: RPC/ENCODING. RPC/LITERAL and DOCUMENT/LITERAL.  When people refer to RPC this usually indicates style: RPC and use: ENCODE. On the other hand Document usually refers to style: Document and use: Literal.

The fighters have STYLE:

 

  • RPC Style
    • The RPC style specifies that the <soap:body> contains an element with the name of the Web method being invoked. This element in turn contains an entry for each parameter and the return value of this method.

 

  • Document Style
    • The message parts appear directly under the <soap:body> element. There are no SOAP formatting rules for what the <soap:body> contains.  The server application is responsible for mapping the server objects (parameters, method calls, and so forth) and the values of the XML documents.

What they are USEing:

  • Encoding
    • Each message part references an abstract type using the type attribute instead of a schema. Applications using SOAP encoding are focused on remote procedure calls and will likely use the RPC message style.
  • Literal

o         Each part references a concrete schema definition using either the element or type attribute; in other words, data is serialized according to a given schema.

 

Contender 1: RPC/Encoded

 

In RPC style Web Services, the complete method is specified in the WSDL file and in the SOAP body.  This includes the sent parameters and the return values. So, you have a rather tight coupling with this style.  The Encoded- USE indicates that the SOAP message will contain the encoded type information such as xsi:type="xsd:int", xsi:type="xsd:string", xsi:type="xsd:double".

Strengths:

·        The definition of the WSDL file formatted in a well-known remote-procedure-call style.

·        The operation name appears in the message, so that the receiver has an easy time dispatching the message to its implementation.

·        If you are using data graphs or polymorphism in your service, this is the only possible style that can be used for the types described in this article.

·        Most early Java implementations only use this method.

Weaknesses:

  • The SOAP message includes the type encoding information such as xsi:type="xsd:int", xsi:type="xsd:string", xsi:type="xsd:double", which is an overhead.
  • You will not be able to validate using a schema because the type information is I stored in the message not a schema.  This will make validation more difficult.
  • Any changes to the interface would break the contract between the service and the client since there is a tight coupling between service provider and client.
  • Is not supported by the WSI conformance standard.

 

Sample Soap Message

========================Request Sample ===========================
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://eherenow.com/RPC" xmlns:types="http://eherenow.com/RPC/encodedTypes" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <q1:GetUserName xmlns:q1="http://www.eherenow.com">
      <Where xsi:type="xsd:string">string</Where>
    </q1:GetUserName>
  </soap:Body>
</soap:Envelope>
 
========================Response Sample ===========================
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:tns="http://eherenow.com/RPC" xmlns:types="http://eherenow.com/RPC/encodedTypes" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <q2:GetUserNameResponse xmlns:q2="http://www.eherenow.com">
      <GetUserNameResult href="#id1" />
    </q2:GetUserNameResponse>
    <types:UserName id="id1" xsi:type="types:UserName">
      <Name xsi:type="xsd:string">string</Name>
      <Domain xsi:type="xsd:string">string</Domain>
    </types:UserName>
  </soap:Body>
</soap:Envelope>

 

Contender 2: RPC/Literal Style

The style will remain RPC but the WSDL will now have the 'use' setting changed from 'encoded' to 'literal' in the soap:body.  Which means the data is serialized according to the given schema.

 

Strengths:

 

  • The WSDL is still about as straightforward as with the RPC/Encoded style
  • The operation name still appears in the SOAP message
  • Higher throughput performance since the type encoding is removed from the message.

 

Weaknesses:

·        Any changes to the interface would break the contract between the service and the client because there is a tight coupling between the service provider and the client.

  • The schema describing an RPC/Literal message is not sufficient to validate that message.
  • Is not supported by the WSI conformance standard.

Contender 3: Document/Literal

In Document style Web Services, the client sends standard XML document to the server.  The server application is responsible for mapping the server objects (parameters, method calls, and so forth) and the values in XML documents. The protocol places no constraint on how the document needs to be structured.

 

As described before the 'use' setting is set to 'literal' in the soap:body.  Which means the data is serialized according to the given schema.

 

Strengths:

 

  • No type encoding information in the SOAP message. (Smaller footprint)
  • You can always validate the message with a XML Schema.  Since everything within the SOAP body is defined in the schema.
  • The rules are less rigid and many enhancements and changes can be made to the XML schema without breaking the interface.

 

Weaknesses:

 

  • The operation name in the SOAP message is lost. Without the name, dispatching can be difficult.

 

Sample Soap Message

========================Request Sample ===========================
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Where xmlns="http://www.eherenow.com">string</Where>
  </soap:Body>
</soap:Envelope>
 
========================Response Sample ==========================
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUserNameResult xmlns="http://www.eherenow.com">
      <Name>string</Name>
      <Domain>string</Domain>
    </GetUserNameResult>
  </soap:Body>
</soap:Envelope>

 

Contender 4: Document/Literal MICROSOFT PROPOSAL

How many Microsoft programmers does it take to change a light bulb . . . NONE – they will make darkness a standard. 

 

I thought I should mention this new contender because when an elephant walks the ground moves.  Microsoft suggested this style to fix the "drawbacks" from the standard Document/Literal style.  It is exactly the same as Contender 3 except for one difference; the message is wrapped by an element that describes the method name.

 

Even though there is no specification in the WSDL 1.1 standard for this style, many current SOAP toolkits support it.

 

Strengths:

 

  • Contains all the strengths of Document/Literal style.
  • The method name appears in the SOAP message.

 

Weaknesses:

 

  • If you have overloaded operations in your Web Service, you cannot use this style because WSDL requires an element to have the same name as the operation.

 

Sample Soap Message

=========================Request Sample =======================
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUserName xmlns="http://www.eherenow.com">
      <Where>string</Where>
    </GetUserName>
  </soap:Body>
</soap:Envelope>
======================= Response Sample ========================
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetUserNameResponse xmlns="http://www.eherenow.com">
      <GetUserNameResult>
        <Name>string</Name>
        <Domain>string</Domain>
      </GetUserNameResult>
    </GetUserNameResponse>
  </soap:Body>
</soap:Envelope>

 

Conclusion

Well sport fans, we have sized up the contenders for you and it appears that in a toe to toe match document style usually wins.  In fact, the WS-I Basic profile 1.1 discourages the use of RPC/Encoded approach and motivates Document/Literal and RPC/Literal as the only allowed style/use combination. Rumor has it that RPC/Literal would go away with a future version of the WSI profile.  So it appears, unless you are interfacing to a legacy RPC style, Document/Literal will be a sure bet every time. 




--


Thanks and best regards,

Stephen Cheng

Sunday, April 4, 2010

XML|XML Schema: Understanding Namespaces


XML Schema: Understanding Namespaces
by Rahul Srivastava

Moving to XML Schema? This introduction to namespaces will help you understand one of its more important components.

Other articles in this series:
XML Schema: Understanding Datatypes
XML Schema: Understanding Structures


As defined by the W3C Namespaces in XML Recommendation, an XML namespace is a collection of XML elements and attributes identified by an Internationalized Resource Identifier (IRI); this collection is often referred to as an XML "vocabulary."

One of the primary motivations for defining an XML namespace is to avoid naming conflicts when using and re-using multiple vocabularies. XML Schema is used to create a vocabulary for an XML instance, and uses namespaces heavily. Thus, having a sound grasp of the namespace concept is essential for understanding XML Schema and instance validation overall.

Namespaces are similar to packages in Java in several ways:

  • A package in Java can have many reusable classes and interfaces. Similarly, a namespace in XML can have many reusable elements and attributes.
  • To use a class or interface in a package, you must fully qualify that class or interface with the package name. Similarly, to use an element or attribute in a namespace, you must fully qualify that element or attribute with the namespace.
  • A Java package may have an inner class that is not directly inside the package, but rather "belongs" to it by the virtue of its enclosing class. The same is true for namespaces: there could be elements or attributes that are not directly in a namespace, but belongs to the namespace by virtue of its parent or enclosing element. This is a transitive relationship. If a book is on the table, and the table is on the floor, then transitively, the book is on the floor; albeit the book is not directly on the floor.

Thus, we see that the namespaces in XML concept is not very different from packages in Java. This correlation is intended to simplify the understanding of namespaces in XML and to help you visualize the namespaces concept.

In this article, you will learn:

  • The role of namespaces in XML
  • How to declare and use namespaces
  • The difference between default-namespace and no-namespace
  • How to create namespaces using XML Schema, and
  • The difference between qualified and unqualified elements/attributes in a namespace.

Declaring and Applying Namespaces

Namespaces are declared as an attribute of an element. It is not mandatory to declare namespaces only at the root element; rather it could be declared at any element in the XML document. The scope of a declared namespace begins at the element where it is declared and applies to the entire content of that element, unless overridden by another namespace declaration with the same prefix name—where, the content of an element is the content between the <opening-tag> and </closing-tag> of that element. A namespace is declared as follows:

<someElement xmlns:pfx="http://www.foo.com" />

In the attribute xmlns:pfx, xmlns is like a reserved word, which is used only to declare a namespace. In other words, xmlns is used for binding namespaces, and is not itself bound to any namespace. Therefore, the above example is read as binding the prefix "pfx" with the namespace "http://www.foo.com."

It is a convention to use XSD or XS as a prefix for the XML Schema namespace, but that decision is purely personal. One can choose to use a prefix ABC for the XML Schema namespace, which is legal, but doesn't make much sense. Using meaningful namespace prefixes add clarity to the XML document. Note that the prefixes are used only as a placeholder and must be expanded by the namespace-aware XML parser to use the actual namespace bound to the prefix. In Java analogy, a namespace binding can be correlated to declaring a variable, and wherever the variable is referenced, it is replaced by the value it was assigned.

In our previous namespace declaration example, wherever the prefix "pfx" is referenced within the namespace declaration scope, it is expanded to the actual namespace (http://www.foo.com) to which it was bound:

In Java: String pfx = "http://www.library.com"

In XML: <someElement xmlns:pfx="http://www.foo.com" />

Although a namespace usually looks like a URL, that doesn't mean that one must be connected to the Internet to actually declare and use namespaces. Rather, the namespace is intended to serve as a virtual "container" for vocabulary and un-displayed content that can be shared in the Internet space. In the Internet space URLs are unique—hence you would usually choose to use URLs to uniquely identify namespaces. Typing the namespace URL in a browser doesn't mean it would show all the elements and attributes in that namespace; it's just a concept.

But here's a twist: although the W3C Namespaces in XML Recommendation declares that the namespace name should be an IRI, it enforces no such constraint. Therefore, I could also use something like:

<someElement xmlns:pfx="foo" />

which is perfectly legal.

By now it should be clear that to use a namespace, we first bind it with a prefix and then use that prefix wherever required. But why can't we use the namespaces to qualify the elements or attributes from the start? First, because namespaces—being IRIs—are quite long and thus would hopelessly clutter the XML document. Second and most important, because it might have a severe impact on the syntax, or to be specific, on the production rules of XML—the reason being that an IRI might have characters that are not allowed in XML tags per the W3C XML 1.0 Recommendation.

Invalid) <http://www.library.com:Book />
Valid) <lib:Book xmlns:lib="http://www.library.com" />

Below the elements Title and Author are associated with the Namespace http://www.library.com:

<?xml version="1.0"?>
<Book xmlns:lib="http://www.library.com">
<lib:Title>Sherlock Holmes</lib:Title>
<lib:Author>Arthur Conan Doyle</lib:Author>
</Book>

In the example below, the elements Title and Author of Sherlock Holmes - IIIand Sherlock Holmes - I are associated with the namespace http://www.library.com and the elements Title and Author of Sherlock Holmes - II are associated with the namespace http://www.otherlibrary.com.

<?xml version="1.0"?>
<Book xmlns:lib="http://www.library.com">
<lib:Title>Sherlock Holmes - I</lib:Title>
<lib:Author>Arthur Conan Doyle</lib:Author>
<purchase xmlns:lib="http://www.otherlibrary.com">
<lib:Title>Sherlock Holmes - II</lib:Title>
<lib:Author>Arthur Conan Doyle</lib:Author>
</purchase>
<lib:Title>Sherlock Holmes - III</lib:Title>
<lib:Author>Arthur Conan Doyle</lib:Author>
</Book>

The W3C Namespaces in XML Recommendation enforces some namespace constraints:

  1. Prefixes beginning with the three-letter sequence x, m, and l, in any case combination, are reserved for use by XML and XML-related specifications. Although not a fatal error, it is inadvisable to bind such prefixes. The prefix xml is by definition bound to the namespace name http://www.w3.org/XML/1998/namespace.
  2. A prefix cannot be used unless it is declared and bound to a namespace. (Ever tried to use a variable in Java without declaring it?)

The following violates both these constraints:

<?xml version="1.0"?>
<Book xmlns:XmlLibrary="http://www.library.com">
<lib:Title>Sherlock Holmes - I</lib:Title>
<lib:Author>Arthur Conan Doyle</lib:Author>
</Book>

[Error]: prefix lib not bound to a namespace.
[Inadvisable]: prefix XmlLibrary begins with 'Xml.'

Default Namespace (Not Default Namespaces)

It would be painful to repeatedly qualify an element or attribute you wish to use from a namespace. In such cases, you can declare a {default namespace} instead. Remember, at any point in time, there can be only one {default namespace} in existence. Therefore, the term "Default Namespaces" is inherently incorrect.

Declaring a {default namespace} means that any element within the scope of the {default namespace} declaration will be qualified implicitly, if it is not already qualified explicitly using a prefix. As with prefixed namespaces, a {default namespace} can be overridden too. A {default namespace} is declared as follows:

<someElement xmlns="http://www.foo.com" />

<?xml version="1.0"?>
<Book xmlns="http://www.library.com">
<Title>Sherlock Holmes</Title>
<Author>Arthur Conan Doyle</Author>
</Book>

In this case the elements Book, Title, and Author are associated with the Namespace http://www.library.com.

Remember, the scope of a namespace begins at the element where it is declared. Therefore, the element Book is also associated with the {default namespace}, as it has no prefix.

<?xml version="1.0"?>
<Book xmlns="http://www.library.com">
<Title>Sherlock Holmes - I</Title>
<Author>Arthur Conan Doyle</Author>
<purchase xmlns="http://www.otherlibrary.com">
<Title>Sherlock Holmes - II</Title>
<Author>Arthur Conan Doyle</Author>
</purchase>
<Title>Sherlock Holmes - III</Title>
<Author>Arthur Conan Doyle</Author>
</Book>

In the above, the elements Book, and Title, and Author of Sherlock Holmes - III and Sherlock Holmes - I are associated with the namespace http://www.library.com and the elements purchase, Title, and Author of Sherlock Holmes - II are associated with the namespace http://www.otherlibrary.com.

Default Namespace and Attributes

Default namespaces do not apply to attributes; therefore, to apply a namespace to an attribute the attribute must be explicitly qualified. Here the attribute isbn has {no namespace} whereas the attribute cover is associated with the namespace http://www.library.com.

<?xml version="1.0"?>
<Book isbn="1234"
pfx:cover="hard"
xmlns="http://www.library.com"
xmlns:pfx="http://www.library.com">
<Title>Sherlock Holmes</Title>
<Author>Arthur Conan Doyle</Author>
</Book>

Undeclaring Namespace

Unbinding an already-bound prefix is not allowed per the W3C Namespaces in XML 1.0 Recommendation, but is allowed per W3C Namespaces in XML 1.1 Recommendation. There was no reason why this should not have been allowed in 1.0, but the mistake has been rectified in 1.1. It is necessary to know this difference because not many XML parsers yet support Namespaces in XML 1.1.

Although there were some differences in unbinding prefixed namespaces, both versions allow you to unbind or remove the already declared {default namespace} by overriding it with another {default namespace} declaration, where the namespace in the overriding declaration is empty. Unbinding a namespace is as good as the namespace not being declared at all. Here the elements Book, Title, and Author of Sherlock Holmes - III and Sherlock Holmes - I are associated with the namespace http://www.library.com and the elements purchase, Title, and Author of Sherlock Holmes - II have {no namespace}:

<someElement xmlns="" />

<?xml version="1.0"?>
<Book xmlns="http://www.library.com">
<Title>Sherlock Holmes - I</Title>
<Author>Arthur Conan Doyle</Author>
<purchase xmlns="">
<Title>Sherlock Holmes - II</Title>
<Author>Arthur Conan Doyle</Author>
</purchase>
<Title>Sherlock Holmes - III</Title>
<Author>Arthur Conan Doyle</Author>
</Book>

Here's an invalid example of unbinding a prefix per Namespaces in XML 1.0 spec, but a valid example per Namespaces in XML 1.1:

<purchase xmlns:lib="">

From this point on, the prefix lib cannot be used in the XML document because it is now undeclared as long as you are in the scope of element purchase. Of course, you can definitely re-declare it.

No Namespace

No namespace exists when there is no default namespace in scope. A {default namespace} is one that is declared explicitly using xmlns. When a {default namespace} has not been declared at all using xmlns, it is incorrect to say that the elements are in {default namespace}. In such cases, we say that the elements are in {no namespace}. {no namespace} also applies when an already declared {default namespace} is undeclared.

In summary:

  • The scope of a declared namespace begins at the element where it is declared and applies to all the elements within the content of that element, unless overridden by another namespace declaration with the same prefix name.
  • Both prefixed and {default namespace} can be overridden.
  • Both prefixed and {default namespace} can be undeclared.
  • {default namespace} does not apply to attributes directly.
  • A {default namespace} exists only when you have declared it explicitly. It is incorrect to use the term {default namespace} when you have not declared it.
  • No namespace exists when there is no default namespace in scope.

Namespaces and XML Schema

Thus far we have seen how to declare and use an existing namespace. Now let's examine how to create a new namespace and add elements and attributes to it using XML Schema.

XML Schema is an XML before it's anything else. In other words, like any other XML document, XML Schema is built with elements and attributes. This "building material" must come from the namespace http://www.w3.org/2001/XMLSchema, which is a declared and reserved namespace that contains elements and attributes as defined in W3C XML Schema Structures Specification and W3C XML Schema Datatypes Specification. You should not add elements or attributes to this namespace.

Using these building blocks we can create new elements and attributes as required and enforce the required constraints on these elements and attributes and keep them in some namespace. (See Figure 1.) XML Schema calls this particular namespace as the {target namespace}, or the namespace where the newly created elements and attributes will reside.

figure 1
Figure 1: Elements and attributes in XML Schema namespace are used to write an XML Schema document, which generates elements and attributes as defined by user and puts them in {target namespace}. This {target namespace} is then used to validate the XML instance.

This {target namespace} is referred from the XML instance for ensuring validity of the instance document. (See Figure 2.) During validation, the Validator verifies that the elements/attributes used in the instance exist in the declared namespace, and also checks for any other constraint on their structure and datatype.

figure 2
Figure 2: From XML Schema to XML Schema instance

Qualified or Unqualified

In XML Schema we can choose to specify whether the instance document must qualify all the elements and attributes, or must qualify only the globally declared elements and attributes. Regardless of what we choose, the entire instance would be validated. So why do we have two choices?

The answer is "manageability." When we choose qualified, we are specifying that all the elements and attributes in the instance must have a namespace, which in turn adds namespace complexity to instance. If say that the schema is modified by making some local declarations global and/or making some global declarations local, then the instance documents are not affected at all. In contrast, when we choose unqualified, we are specifying that only the globally declared elements and attributes in the instance must have a namespace, which in turn hides the namespace complexity from the instance. But in this case, if say, the schema is modified by making some local declarations global and/or making some global declarations local, then all instance documents are affected—and the instance is no longer valid. The XML Schema Validator would report validation errors if we try to validate this instance against the modified XML Schema. Therefore, the namespaces must be fixed in the instance per the modification done in XML Schema to make the instance valid again.

<?xml version="1.0" encoding="US-ASCII"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:tns="http://www.library.com"
targetNamespace="http://www.library.com"
elementFormDefault="qualified"
attributeFormDefault="unqualified">

<element name="Book" type="tns:BookType" />

<complexType name="BookType">
<sequence>
<element name="Title" type="string" />
<element name="Author" type="string" />
</sequence>
</complexType>

</schema>

The declarations that are the immediate children of the element <schema> are the global declarations, and the rest are local declarations. In the above example, Book and BookType are declared globally whereas Title and Author are local declarations.

We can express the choice between qualified and unqualified by setting the schema element attributes elementFormDefault and attributeFormDefault to either qualified or unqualified.

elementFormDefault   = (qualified | unqualified) : unqualified
attributeFormDefault = (qualified | unqualified) : unqualified

When elementFormDefault is set to qualified, it implies that in the instance of this grammar all the elements must be explicitly qualified, either by using a prefix or setting a {default namespace}. An unqualified setting means that only the globally declared elements must be explicitly qualified, and the locally declared elements must not be qualified. Qualifying a local declaration in this case is an error. Similarly, when attributeFormDefault is set to qualified, all attributes in the instance document must be explicitly qualified using a prefix.

Remember, {default namespace} doesn't apply to attributes; hence, we can't use a {default namespace} declaration to qualify attributes. Unqualified seems to imply being in the namespace by virtue of the containing element. This is interesting, isn't it?

In the following diagrams, the concept symbol space is similar to the non-normative concept of namespace partition. For example, if a namespace is like a refrigerator, then the symbol spaces are the shelves in the refrigerator. Just as shelves partition the entire space in a refrigerator, the symbol spaces partition the namespace.

There are three primary partitions in a namespace: one for global element declarations, one for global attribute declarations, and one for global type declarations (complexType/simpleType). This arrangement implies we can have a global element, a global attribute, and a global type all have the same name, and still co-exist in a {target namespace} without any name collisions. Further, every global element and a global complexType have their own symbol space to contain the local declarations.

Let's examine the four possible combinations of values for the pair of attributes elementFormDefault and attributeFormDefault.

Case 1: elementFormDefault=qualified, attributeFormDefault=qualified
figure 3
Here the {target namespace} directly contains all the elements and attributes; therefore, in the instance, all the elements and attributes must be qualified.

Case 2: elementFormDefault=qualified, attributeFormDefault=unqualified
figure 4
Here the {target namespace} directly contains all the elements and the corresponding attributes for these elements are contained in the symbol space of the respective elements. Therefore, in the instance, only the elements must be qualified and the attributes must not be qualified, unless the attribute is declared globally.

Case 3: elementFormDefault=unqualified, attributeFormDefault=qualified
figure 5
Here the {target namespace} directly contains all the attributes and only the globally declared elements, which in turn contains its child elements in its symbol space. Therefore, in the instance, only the globally declared elements and all the attributes must be qualified.

Case 4: elementFormDefault=unqualified, attributeFormDefault=unqualified
figure 6
Here the {target namespace} directly contains only the globally declared elements, which in turn contains its child elements in its symbol space. Every element contains the corresponding attributes in its symbol space; therefore, in the instance, only the globally declared elements and attributes must be qualified.

The above diagrams are intended as a visual representation of what is directly contained in a namespace and what is transitively contained in a namespace, depending on the value of elementFormDefault/attributeFormDefault. The implication of this setting is that the elements/attributes directly in the {target namespace} must have a namespace associated with them in the corresponding XML instance, and the elements/attributes that are not directly (transitively) in the {target namespace} must not have a namespace associated with them in the corresponding XML instance.

Target Namespace and No Target Namespace

Now we know that XML Schema creates the new elements and attributes and puts it in a namespace called {target namespace}. But what if we don't specify a {target namespace} in the schema? When we don't specify the attribute targetNamespace at all, no {target namespace} exists—which is legal—but specifying an empty URI in the targetNamespace attribute is "illegal."

For example, the following is invalid. We can't specify an empty URI for the {target namespace}:

<schema targetNamespace="" . . .>

In this case, when no {target namespace} exists, we say, as described earlier, that the newly created elements and attributes are kept in {no namespace}. (It would have been incorrect to use the term {default namespace}.) To validate the corresponding XML instance, the corresponding XML instance must use the noNamespaceSchemaLocation attribute from the http://www.w3.org/2001/XMLSchema-instance namespace to refer to the XML Schema with no target namespace.

Conclusion

Hopefully, this overview of namespaces should help you move to XML Schema more easily. The Oracle XML Developer Kit (XDK) supports the W3C Namespaces in the XML 1.0 Recommendation; you can turn on/off the namespace check using the JAXP APIs in the Oracle XDK by using the setNamespaceAware(boolean) method in the SAXParserFactory and the DocumentBuilderFactory classes.