Monday, August 13, 2007

SOAP and SSL using ZSI and SOAPpy

I've been attempting to get web services (SOAP) to work using SSL with mutual authentication via X.509 certs in a Python, M2Crypto and OpenSSL environment. The two most obvious choices are ZSI and SOAPpy.  See Python Web Services.

Short version:  I'm disappointed.

More testing is needed but I did get M2Crypto's SSL to do a full handshake complete with arbitration and mutual authentication.  Fine, but I cannot find a way to inject *that* connection into either SOAPpy or ZSI.  They only accept a URL and want to do their own SSL thingy, and if you look at their libs, they do not seem to be equipped to do much more than establish a basic tunnel on their own.
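The separation described above, with the TLS setup built on its own and then handed to the HTTP layer that carries the SOAP POST, can be sketched as follows. This is an added example, not code from the original post: it uses the modern Python 3 standard library (`ssl`, `http.client`) rather than M2Crypto, ZSI or SOAPpy. The certificate file paths, the `urn:example:service` namespace and the SOAPAction format are assumptions.

```python
import http.client
import ssl
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 namespace

def client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: always verify the server; present our X.509 cert if given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:    # without a CA loaded, every server is rejected (fails closed)
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # our identity, sent when the server asks for a client cert
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def server_context(ca_file, cert_file, key_file):
    """Server side: refuse any client without a certificate issued by ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # this setting makes the handshake mutual
    return ctx

def soap_request(method, params, ns="urn:example:service"):
    """Build (headers, body) for a SOAP 1.1 call; ns is a placeholder namespace."""
    # method and parameter names are assumed to be trusted XML names;
    # only the parameter values are escaped.
    args = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
            f'<m:{method} xmlns:m="{ns}">{args}</m:{method}>'
            '</soap:Body></soap:Envelope>').encode("utf-8")
    headers = {"Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": f'"{ns}#{method}"'}
    return headers, body

def call(host, path, ctx, method, params, port=443):
    """POST the envelope over a connection secured by ctx; returns (status, bytes)."""
    headers, body = soap_request(method, params)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

On the server, the context returned by `server_context` wraps the listening socket, so a client that presents no certificate, or one not issued by the configured CA, fails the handshake before any SOAP is parsed.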

Standing back, may I suggest ZSI leaves a lot to be desired?  It doesn't seem intuitive and is not well documented.  ...perhaps incomplete?  The doc seems extensive, but stops short of a full explanation in a number of places, and sadly, only covers 2/3 of the questions I have.  The code's comments didn't help.  Google only turned up a few articles that are several years old and not much help.  Some of their examples needed fixing and one was missing critical material.  ...and none explained SOAP with SSL, let alone with mutual authentication, which at some level is imperative.

SOAPpy has a *much* cleaner interface but is incomplete. For example, it has client-side SSL but only supports GET, not POST.  ...and while SOAPpy is cleaner, it is slated to be folded into ZSI and discontinued.  A mistake in the making?

One's choices of SOAP with SSL and Python are small. After ZSI and SOAPpy there is OSE.  OSE is written in C++ and has a Python wrapper.  For certain functions, OSE requires ZSI be installed, and some environment variables must be properly set before running.  ...and the install dependencies are growing (fpconst, SOAPpy, ZSI, OSE).  Nevertheless, it seems worth a look.

Another option is cSOAP.  cSOAP is written in C and needs a wrapper.  If OSE fails I will consider writing a wrapper.  Heck, I just might do that anyway.

Frustrated?  Yes.  Am I an experienced SOAP developer?  No, but doing simple things should not be this hard. 

Update:  With some help I was able to get a simple example working, but I'm still not happy with the architecture.  It seems a lot more complex than what should be necessary for simple situations.  ...cSOAP beckons. ;-)

Update2:  I have a ctypes wrapper for cSOAP that implements some simple client functionality.  Time (lack thereof) is my enemy so progress is slow. To be continued.

Update3:  I've taken another look at just what it is I'm trying to accomplish.  XML provides a lot of standards-based flexibility and interoperability, but admittedly, mine is a closed system of perhaps a dozen primary systems.  With the issues surrounding SSL XML, I've decided to use RPyC and feel a little embarrassed for having taken the time-consuming side trip.  I've also implemented, in parallel, a pure socket protocol and can switch from one to the other as appropriate.  (This is somewhat an experimental project so I can afford such luxuries.) ...and the socket "protocol" is dirt simple so I don't believe I've compromised much on interoperability.

