Title:
Web services gateway
Document Type and Number:
Kind Code:
A1

Abstract:
A gateway module for managing functionality for one or more web services is provided. The web services gateway module comprises a client application interface unit for receiving communication from a client application over a standard protocol, a communication processor for processing the communication for a web service, and a web services interface unit for delegating the processed communication to the web service.

Representative Image:
Web services gateway
Inventors:
Atwal, Amar (Ottawa, CA)
Chiu, Joseph (Ottawa, CA)
Lebel, Frederic (Ottawa, CA)
Mereu, Stephen (Ottawa, CA)
Mutzke, Rick (Ottawa, CA)
Rupsingh, Raul (Brampton, CA)
Schnarr, Matt (Ottawa, CA)
Slaunwhite, Don (Ottawa, CA)
Subramanian, Ramesh (Gloucester, CA)
      Plaque It!

Sponsored by:
Flash of Genius
Application Number:
10/252871
Publication Date:
03/27/2003
Filing Date:
09/23/2002
View Patent Images:
Images are available in PDF form when logged in. To view PDFs, Login  or  Create Account (Free!)
Referenced by:
View patents that cite this patent
Export Citation:
Click for automatic bibliography generation
Assignee:
Corel Corporation
Primary Class:
719/328
International Classes:
(IPC1-7): G06F009/00
Attorney, Agent or Firm:
Hayes Soloway, Norman Soloway P. C. P. (130 W. Cushing Street, Tucson, AZ, 85701, US)
Claims:

What is claimed is:



1. A gateway module for managing functionality for one or more web services, the web services gateway module comprising: a client application interface unit for receiving communication from a client application over a standard protocol; a communication processor for processing the communication for a web service; and a web services interface unit for delegating the processed communication to the web service.

2. The gateway module as claimed in claim 1, further comprising a centralized repository for storing information relating to the client application and the web service.

3. The gateway module as claimed in claim 1, wherein the communication processor has a method call processor for modifying a method call received from a client application.

4. The gateway module as claimed in claim 3, wherein the method call processor is a simple object access protocol processor for modifying a simple object access protocol method call received by the client application interface unit.

5. The gateway module as claimed in claim 3, wherein the method call processor is an application programming interface request processor for modifying an application programming interface contract request method call received by the client application interface unit.

6. The gateway module as claimed in claim 1, wherein the client application interface unit sends communication to the client application; and the web services interface unit receives communication from the web service.

7. The gateway module as claimed in claim 6, further comprising a response processor for modifying a web services response to a method call received by the web services interface unit.

8. The gateway module as claimed in claim 7, wherein the response processor is a simple object access protocol response processor for modifying responses to simple object access protocol method calls.

9. The gateway module as claimed in claim 7, wherein the response processor is a web service description language processor for modifying a web service description language contract.

10. The gateway module as claimed in claim 1, further comprising an authentication module for checking the authenticity of the client application.

11. The gateway module as claimed in claim 1, further comprising an authorization module for checking the authorization of the client application to access the web service.

12. The gateway module as claimed in claim 1, further comprising a login services module having an authentication module for checking the authenticity of the client application; and an authorization module for checking the authorization of the client application to access the web service.

13. The gateway module as claimed in claim 12, wherein the login services module further comprises: an authentication identifier provider for providing the client application a pool of authentication identifiers for use in subsequent communication with the web service; and an authentication identifier validator for checking the validity of an authentication identifier from a pool of authentication identifiers sent with the subsequent communication.

14. The gateway module as claimed in claim 13, wherein each authentication identifier is limited to be used in one communication.

15. The gateway module as claimed in claim 13, wherein the pool of authentication identifiers are provided to the client application through a secured channel.

16. The gateway module as claimed in claim 13, wherein each communication from the client application to the web service containing one of the authentication identifiers is made through an unsecured channel.

17. The gateway module as claimed in claim 1, further comprising a metering module for metering web service usage of the client application.

18. The gateway module as claimed in claim 1, wherein the standard protocol for messaging between the client application and the web service is simple object access protocol.

19. The gateway module as claimed in claim 1, wherein the client application is another web service.

20. The gateway module as claimed in claim 1, further comprising a billing unit for billing the client application.

21. The gateway module as claimed in claim 20, wherein the billing unit bills a client application for the use of a package of bundles assigned to the client application, the bundles comprising one or more methods from a plurality of web services.

22. The gateway module as claimed in claim 1, further comprising a logging and metering module for logging and metering the usage of the gateway module by the client application.

23. The gateway module as claimed in claim 1, further comprising a reporting module for reporting the usage of the gateway module by the client application.

24. The gateway module as claimed in claim 1, further comprising an administration module for administering the gateway module.

25. The gateway module as claimed in claim 1, further comprising: a repository for storing information relating to methods of a plurality of web services organized into bundles, each bundle having one or more methods from one or more web services; and an authorization module for authorizing a client application to access methods in one of the bundles.

26. The gateway module as claimed in claim 25, wherein at least one bundle has one or more methods from at least two web services.

27. The gateway module as claimed in claim 25, wherein the bundles are organized into packages.

28. A method for managing functionality for one or more web services, the method comprising steps of: receiving communication from a client application over a standard protocol; processing the communication for a web service; and delegating the processed communication to the web service.

29. The method as claimed in claim 28, further comprising the step of storing information relating to the client application and the web service.

30. The method as claimed in claim 28, wherein processing step includes the step of modifying a method call received from a client application.

31. The method as claimed in claim 30, wherein the step of modifying comprises the step of modifying a simple object access protocol method call received by the client application interface unit.

32. The method as claimed in claim 30, wherein the step of modifying comprises the step of modifying an application programming interface contract request method call received by the client application interface unit.

33. The method as claimed in claim 28, further comprising steps of: receiving communication from the web service; and sending communication to the client application.

34. The method as claimed in claim 33, further comprising a step of modifying a web services response to a method call received by the web services interface unit.

35. The method as claimed in claim 34, wherein the step of modifying includes the step of modifying responses to simple object access protocol method calls.

36. The method as claimed in claim 34, wherein the step of modifying includes the step of modifying a web service description language contract.

37. The method as claimed in claim 28, wherein the processing step comprises the step of checking the authenticity of the client application.

38. The method as claimed in claim 28, wherein the processing step comprises the step of checking the authorization of the client application to access a web service.

39. The method as claimed in claim 28, further comprising the login steps of: checking the authenticity of the client application; and checking the authorization of the client application to access the web service.

40. The method claimed in claim 39, further comprising the steps of: providing the client application a pool of authentication identifiers for use in subsequent communication with the web service; and checking the validity of an authentication identifier from a pool of authentication identifiers sent with the subsequent communication.

41. The method as claimed in claim 40, further comprising the step of limiting each authentication identifier to be used in only one communication.

42. The method as claimed in claim 40, wherein the step of providing comprises the step of providing the pool of authentication identifiers to the client application through a secured channel.

43. The method as claimed in claim 40, wherein the step of receiving comprises receiving subsequent communication from the client application to the web service containing one of the authentication identifiers through an unsecured channel.

44. The method as claimed in claim 28, further comprising the step of metering web service usage of the client application.

45. The method as claimed in claim 28, wherein the standard protocol for messaging between the client application and the web service is simple object access protocol.

46. The method as claimed in claim 28, wherein the client application is another web service.

47. The method as claimed in claim 28, further comprising the step of billing the client application.

48. The method as claimed in claim 47, wherein the step of billing comprises the step of billing a client application for the use of a package of bundles assigned to the client application, the bundles comprising one or more methods from a plurality of web services.

49. The method as claimed in claim 28, further comprising the step of logging and metering the usage of the gateway module by the client application.

50. The method as claimed in claim 28, further comprising the step of reporting the usage of the gateway module by the client application.

51. The method as claimed in claim 28, further comprising the step of administering the gateway module.

52. The method as claimed in claim 28, further comprising the steps of: storing information relating to methods of a plurality of web services organized into bundles, each bundle having one or more methods from one or more web services; and authorizing a client application to access methods in one of the bundles.

53. The method as claimed in claim 52, wherein the step of storing comprises storing at least one bundle having one or more methods from at least two web services.

54. The gateway module as claimed in claim 52, further comprising the step of organizing the bundles into packages.

55. Computer readable media storing the instructions and/or statements for use in the execution in a computer of a method for managing functionality for one or more web services, the method comprising steps of: receiving communication from a client application over a standard protocol; processing the communication for a web service; and delegating the processed communication to the web service.

56. Electronic signals for use in the execution in a computer of a method for managing functionality for one or more web services, the method comprising steps of: receiving communication from a client application over a standard protocol; processing the communication for a web service; and delegating the processed communication to the web service.

57. A computer program product for use in the execution in a computer of a method for managing functionality for one or more web services, the computer program product comprising: a module for receiving communication from a client application over a standard protocol; a module for processing the communication for a web service; and a module for delegating the processed communication the web service.

Description:

PRIORITY

[0001] This patent application claims priority from U.S. Patent Application No. 60/324,191 entitled “Web Services Infrastructure”, Atwal et. al., filed Sep. 21, 2001.

FIELD OF THE INVENTION

[0002] This invention relates to an infrastructure for managing functionality for web services. In particular, the invention relates to a web services gateway.

BACKGROUND OF THE INVENTION

[0003] Software developers wish to provide programmatic functionality over the Internet through the creation of web services. These web services provide some valuable technology in which the developer has expertise. A web services is often deployed in such a way that the user of the web service has a direct connection with a server hosing the web service. For example, if there are ten servers hosting different web services, then there are ten “connection points” into the different web services. This makes addition of web server independent common features, such as application-level authentication, authorization and transaction logging tedious, time consuming and prone to errors at the integration layer.

[0004] FIG. 1 shows an example of a standard web service deployment environment. The standard web service deployment environment comprises an end user application 10 , web services providers 20 , and connections 30 . The web services providers 20 have web services WS 1 to WSn, where n is an integer greater than zero. The end user application 10 connects directly with each web services provider 20 to obtain different web services 25 that the end user application 10 request. In fact, each end user application 10 connects directly with each requested web service 25 from each web services provider 20 to obtain each different web service 25 requested. Thus, if the end user wishes to obtain X different web services 25 , then the end user application 10 must make a connection 30 to each of the X web services 25 .

[0005] One problem that arises from this process of exposing the web services 25 for consumption over the web by client applications is that in order to protect unauthorized access of these web services 25 over the Internet, all the web services 25 must somehow incorporate authentication and authorization of users and other security measures. When a user wishes to use a web service 25 on a server, the server usually needs to ensure that (a) the user is authentic and (b) is authorized to access the web service. This authentication of the user is typically done by sending the user's name and password to the server which then verifies the given data before granting access. Since the authentication data is sensitive, it is desirable to send the authentication data over a secured channel, such as the hypertext transfer protocol over secure socket layer (https), which encrypts the data. Once the user is authenticated, the user's access to the web service is verified. This is typically done by querying an Access Control List (ACL) for the user's access rights.

[0006] Complexity is added and efforts are duplicated if every web service 25 provided by a developer implements or is even aware of all of the above infrastructure. Aside from the infrastructure common to the services 25 provided, a developer may wish to provide value adding functionality to all or some of the web services 25 . There is currently no way of adding these methods without having to reimplement them for each web service 25 or without the web service 25 even being aware that they exist.

[0007] Additionally, a company may wish to combine several web services 25 or parts of several web services 25 into an existing or new web service 25 . It is time consuming for a developer to construct new web services 25 that call these other web services 25 , and limiting in that the combinations are fixed at design time. There is no way to dynamically aggregate web services 25 based on a user's identity or some other criteria.

[0008] Furthermore, the location or address of a web service 25 must remain fixed so that its client applications will always know where to find it. However, the logistics of deployment may dictate that a web service 25 needs to be moved or exists on multiple servers at the same time. A user may not be able to find a web service 25 that has been moved from one location to another.

[0009] Web services 25 may be created from existing libraries of functionality with an existing application programming interface (API). In order to restrict access and bill by method, identification data must be provided by the client for every invoked method call. Adding these additional parameters, or any parameter that may be required by the particular business logic involved to an existing API is both complex and time consuming.

[0010] Currently, web service 25 capabilities remain uniform, irrespective of the identity of the client accessing them. This implies that there is no means of tailoring those web services 25 , based on the presumed or assigned roles of the clients. For developers creating applications which consume a company's web services 25 , this software ‘contract’, i.e., the list of functionality provided by a particular web service 25 , is fixed. For companies providing these web services 25 , there is no standard means of modifying the contract for different developers. Also, these developers, provided with a particular contract for web services 25 , cannot count on the company providing the web services 25 with a means of limiting usage of these web services 25 to consumers of the application being developed by the developer.

[0011] Typically, the problems listed above are addressed by creating a library encapsulating the common or new functionality which is then consumed from each location where it is needed. This is inadequate here, as it does not offer the flexibility of leaving the web services 25 in question entirely intact and unaware that they are part of the infrastructure. Nor does it allow a dynamic data-driven approach to the problem since the behaviors are fixed at design time.

[0012] Current solutions also do not describe any mechanism for a means to customize that contract in any way, either for the developer of the application that consumes the web services 25 , or for the user of that application. In order to provide this customization, the publisher of the web service 25 must develop several versions of the web service 25 in parallel, each version with capabilities unique to each developer.

[0013] It is therefore desirable to provide means for better managing functionality for web services 25 .

SUMMARY OF THE INVENTION

[0014] It is an objective of the invention to provide a novel system and method for managing functionality for web services that obviates or mitigates at least one of the disadvantages of existing systems.

[0015] In an aspect of the present invention, there is provided a gateway module for managing functionality for one or more web services. The web services gateway module comprises a client application interface unit for receiving communication from a client application over a standard protocol, a communication processor for processing the communication for a web service, and a web services interface unit for delegating the processed communication to the web service.

[0016] In another aspect of the present invention, there is provided a method for managing functionality for one or more web services. The method comprises steps of receiving communication from a client application over a standard protocol, processing the communication for a web service, and delegating the processed communication to the web service.

[0017] In another aspect of the present invention, there is provided computer readable media storing the instructions and/or statements for use in the execution in a computer of a method for managing functionality for one or more web services. The method comprises steps of receiving communication from a client application over a standard protocol, processing the communication for a web service, and delegating the processed communication to the web service.

[0018] In another aspect of the present invention, there is provided electronic signals for use in the execution in a computer of a method for managing functionality for one or more web services. The method comprises steps of receiving communication from a client application over a standard protocol, processing the communication for a web service, and delegating the processed communication to the web service.

[0019] In another aspect of the present invention, there is provided computer program product for use in the execution in a computer of a method for managing functionality for one or more web services. The computer program product comprises a module for receiving communication from a client application over a standard protocol, a module for processing the communication for a web service, and a module for delegating the processed communication the web service.

[0020] Other aspects and features of the present invention will be readily apparent to those skilled in the art from a review of the following detailed description of preferred embodiments in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] The invention will be further understood from the following description with reference to the drawings in which:

[0022] FIG. 1 is a diagram showing a standard web service deployment environment;

[0023] FIG. 2 is a diagram showing a web service infrastructure in accordance with an embodiment of the invention;

[0024] FIG. 3 shows an example of a gateway module in accordance with an embodiment of the present invention;

[0025] FIG. 4 shows a method for managing functionality for one or more web services in accordance with an embodiment of the present invention;

[0026] FIG. 5 shows another example of a web services infrastructure in accordance with an embodiment of the present invention;

[0027] FIGS. 6A, 6B and 6 C show other methods for managing functionality for one or more web services in accordance with an embodiment of the present invention;

[0028] FIGS. 7A is a diagram showing the gateway module as a simple object access protocol processor in accordance with an embodiment of the invention;

[0029] FIGS. 7B is a diagram showing the gateway module as an application programming interface contract processor in accordance with an embodiment of the invention;

[0030] FIG. 8 is a diagram showing a modification to an application programming interface through the gateway module in accordance with an embodiment of the invention;

[0031] FIG. 9 shows another example of a gateway module in accordance with an embodiment of the present invention;

[0032] FIG. 10 shows another method for managing functionality for one or more web services in accordance with an embodiment of the present invention;

[0033] FIG. 11 is a diagram showing sequence of events to log into and make web service calls in accordance with an embodiment of the invention;

[0034] FIG. 12 is a flowchart showing a method for providing a pool of authentication identifiers in accordance with an embodiment of the present invention;

[0035] FIG. 13 is a flowchart showing a method for using a pool of authentication identifiers in accordance with an embodiment of the present invention;

[0036] FIG. 14 is a diagram showing another example of a login services module in accordance with an embodiment of the present invention;

[0037] FIG. 15 is a flowchart showing another method for providing a pool of authentication identifiers in accordance with an embodiment of the present invention;

[0038] FIG. 16 is a diagram showing an enhanced web service deployment environment in accordance with an embodiment of the invention;

[0039] FIG. 17 is a diagram showing a supply chain of producer-consumer relationships between a client application and the lowest level web services;

[0040] FIG. 18 is a diagram showing bundling on a per-client application basis in accordance with an embodiment of the present invention; and

[0041] FIG. 19 is a flowchart showing a method for billing and authorization of web services in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0042] FIG. 2 shows a web services infrastructure 201 in accordance with an embodiment of the present invention. The web services infrastructure 201 comprises client applications 15 , web service providers 20 , a gateway module 300 , client application connections 31 to the gateway module 300 , and web service connections 32 to the gateway module 300 . More or fewer client applications 15 , web services 25 , and their respective connections 31 , 32 , may exist in the web services infrastructure 201 .

[0043] The client applications 15 may be end user applications 10 , other web service providers 20 , or any application which requests access to a web service 25 . Some client applications 15 may be used by client application developers to obtain a web service application programming interface (API) contract to develop other client applications 15 that will consume or use that particular web service 25 . Each client application 15 has a client application connection 31 . Client application connections 31 may be any suitable connection that allows the transfer of information between the client application 15 and the gateway module 300 . The web service providers 20 have web services WS 1 to WSx, WS 1 to WSy, and WS 1 to WSz, where x, y, and z are integers greater than zero. The web services 25 may be different for each web service provider 20 . Each web service 25 has a web service connection 32 to the gateway module 300 . Web service connections 32 may be any suitable connection that allows the transfer of information between the web services 25 and the gateway module 300 . The gateway module 300 is an application that adds common and additional functionality, as will be described below, to any web service 25 registered with the gateway module 300 . The gateway module 300 remains transparent to the client application 15 and the web service 25 . Web services 25 are registered with the gateway module 300 as described below. In this description, clients may sometimes be referred to as users, consumers, and/or end users.

[0044] FIG. 3 shows an example of a gateway module 300 in accordance with an embodiment of the present invention. The gateway module 300 comprises a client application interface unit 310 , a communication processor 311 and a web services interface unit 312 . These components of the gateway module 300 comprise code that may be executed as software or embedded in hardware. The client application interface unit 310 receives web services requests coming from a client application connection 31 (shown in FIG. 2 ) connecting a client application 15 (shown in FIG. 2 ) with the gateway module 300 . The client application interface unit 310 sends web services requests to the communication processor 311 . The communication processor 311 determines which web service 25 is being requested and sends the web service request to the web services interface unit 312 . The web services interface unit 312 sends the web service request to the appropriate web service 25 through the web service connection 32 (shown in FIG. 2 ) connecting that web service 25 with the gateway module 300 . Other components may be added to the gateway module 300 as described below.

[0045] Alternatively, the gateway module 300 may not include a client application interface unit 310 , whereby the function of the client application interface unit 310 is performed by either the communication processor 311 or an external module. Parts of the remainder of this application will refer to a gateway module 300 containing a client application interface unit 310 . However, the client application interface unit 310 may be removed, and the communication processor 311 modified, as described above.

[0046] As is described above, the gateway module 300 may be used by both client application developers and client application users. When developing client applications 15 that may use a web service 25 , client application developers may use the gateway module 300 to obtain a web service API contract from a web service 25 . When a client application 15 is used by a client application user, the client application 15 may use the gateway module 300 to send a method call to a web service. Some method calls instruct a web service to perform a task. Some method calls instruct a web service to return an item or response. The web service 25 may use the gateway module 300 to return an item or response to the client application 15 .

[0047] FIG. 4 shows a method for managing functionality for one or more web services 25 ( 400 ) in accordance with an embodiment of the present invention. The method ( 400 ) begins with receiving a web service request from a client application 15 ( 401 ). This step may be performed by the client application interface unit 310 , or the communication processor 311 as described above. Next, the web service request is processed ( 402 ). This step may be performed by the communication processor 311 . Finally, the web service request is delegated to the appropriate web service 25 ( 403 ). This step may be performed by the web services interface unit 312 . Once the appropriate web service 25 has the web service request ( 403 ), the method is done ( 404 ). Further steps may be added to this method ( 400 ) as described below.

[0048] An aspect of an embodiment of the gateway module 300 pertains to the field of distributed computing, where software running on a client system interacts with software running on remote server systems. More specifically, where the software running on a server has been developed such that its capabilities can be discovered programmatically using the tools based on a standard network protocol based on a standard language. An example of a standard network protocol is the Internet protocol known as simple object access protocol (SOAP), which is itself based on the standard extensible markup language (XML). The actual data transmitted between the client application 15 used by client application user and the server code may be transmitted via SOAP. The server functionality is typically referred to as web services. A typical client application 15 may be either a web browser or an Internet-aware application. The following description refers mainly to SOAP communication, but the gateway module 300 may be used with other standard protocols based on a standard language.

[0049] FIG. 5 shows another example of a web services infrastructure 501 in accordance with an embodiment of the present invention. The web services infrastructure 501 comprises client applications 15 , client application connections 31 , a gateway module (or gateway module) 500 , web services WS 1 , WS 2 and WS 3 , and web service connections 32 . More or fewer client applications 15 , web services 25 , and their respective connections 31 and 32 may exist in the web services infrastructure 501 . The gateway module 500 comprises a client application interface unit 310 , a communication processor 311 , a web services interface unit 312 , an authentication module 520 , an authorization module 525 , and a web service registry repository 530 . The gateway module 500 is a centralized access point for client applications 15 to connect to web services 25 . The authentication module 520 and the authorization module 525 may alternatively be contained in a combined authentication and authorization module. Other components may be added to the gateway module 500 , as described below.

[0050] The client application interface module 310 may operate on hypertext transfer protocol (http) and SOAP. The communication processor 311 and the web services interface unit 312 may be similar to those described above referring to FIG. 3 . The authentication module 520 and the authentication module 525 may comprise code for authenticating and authorizing a client application 15 . The web service repository 530 is a centralized registry of web services being exposed. It may store a unique identifier (ID) of the web service 25 , its location, an API contract request string, and a brief description, all of which is mapped to the web service's unique name or uniform resource identifier (URI).

[0051] The gateway module 500 is an application that sits between client applications 15 and the web services 25 being consumed, intercepting communication between them. Some communication between client application 15 and web service 25 occurs over the SOAP protocol, while some communication includes the exchange of an API contract description, such as a web service description language (WSDL) contract document. The gateway module 500 acts as a SOAP processor with respect to communication between a web service 25 and a client application 15 used by a client application user. Furthermore, the gateway module 500 acts as an API contract (for example, WSDL) processor with respect to communication between a web service 25 and a client application 15 used by a client application developer. Therefore, the gateway module 500 transparently alters both the way the client application 15 calls the web service 25 , and how the web service 25 appears to the client application 15 without either party being aware of the gateway module 500 .

[0052] FIG. 6A shows another example of a method for managing functionality for one or more web services 25 ( 600 ) in accordance with an embodiment of the present invention. This example relates to a client application user. To request the use of a web service 25 , a client application 15 sends a SOAP based method call through the client application connection 31 . The client application interface unit 310 receives the method call ( 601 ) and passes the method call to the communication processor 311 . The communication processor 311 determines which web service 25 is associated with the method call. The method call is then passed to the authentication module 520 to authenticate the method call as coming from the client application 15 ( 602 ). The method call is passed back to the communication processor 311 . If the client application is authentic ( 602 ), then the method call is passed to the authorization module 525 to determine if the client application 15 has authorization to use the requested web service 25 ( 603 ). The method call is passed back to the communication processor 311 . If the client application is not authentic ( 602 ), then the method call is rejected ( 609 ). If the client application 15 is not authorized to use the method in the web service 25 ( 603 ), then the method call is rejected ( 610 ). A rejected method call may be returned back to the client application 15 through the corresponding client application connection 31 . The rejection may include an error message explaining why the method call is rejected. Alternatively, a rejected method call may be ignored and the corresponding client application connection 31 closed. If a method call is rejected ( 609 ) or ( 610 ), the method is done ( 611 ).

[0053] If the client application 15 does have authorization ( 603 ), then the method call is passed to the web services interface unit 312 . The web services interface unit 312 searches the web service registry repository 530 to determine the location of the requested web service 25 ( 604 ). The web service registry repository 530 provides a mapping from the identity of the web service (a URI) to the physical location of the web service 25 and any other attributes of the web service 25 that are desirable to assist the gateway module 500 to interpret, process, and make actual requests or method calls of said web service 25 . Once the location of the web service 25 is determined ( 604 ), the method call is delegated to the web service 25 via the corresponding web service connection 32 ( 605 ).

[0054] If the method call does not have a corresponding response ( 606 ), then the method is done ( 610 ). Otherwise, the web services interface unit 312 receives a corresponding response from the web service 25 ( 607 ), in response to the method call. The web services interface unit 312 passes the response to the communication processor 311 to be passed back to the client application interface unit 310 . The client application interface unit 310 sends the response through the appropriate client application connection 31 to the client application 15 from which the method call originated ( 608 ). The method is done ( 611 ).

[0055] FIG. 6B shows another example of a method for managing functionality for one or more web services 25 ( 620 ) in accordance with an embodiment of the present invention. This example also relates to a client application user. To request the use of a web service 25 , a client application 15 calls an authentication method through the client application connection 31 . The authentication method call contains the client application credentials such as user name and password. The client application interface unit 310 receives the authentication method call ( 621 ) and passes the authentication method call to the authentication module 520 to authenticate the client application credentials ( 622 ). If the credentials are authentic ( 622 ), i.e., the client application is registered with the gateway module 500 , then the authentication module 520 issues an authentication identifier (ID) ( 523 ) and passes the authentication ID to the client application interface unit 310 to pass to the client application 15 . If the credentials are not authentic ( 622 ), then the authentication call is rejected ( 631 ) and the method is done ( 633 ). Alternatively, the authentication module 520 issue an error response to be sent to the client application 15 .

[0056] An issued authentication ID may be passed as a parameter with subsequent web service method calls invoked by the client application 15 . The client application interface unit 15 receives a web service method call ( 624 ) and passes the method call to the communication processor 311 . The communication processor 311 determines which web service 25 is associated with the method call. The method call is then passed to the authorization module 525 to determine if the client application 15 associated with the authentication ID is authorized to use the method call in the web service 25 ( 625 ). For example, authorized client applications 15 for methods in web services 25 may be listed in a repository. If the client application 15 is not authorized to use the method call ( 625 ), then the method call is rejected ( 632 ) and the method is done ( 633 ).

[0057] If the client application 15 is authorized to use the method call ( 625 ), then the method call is passed to the communication processor 311 to be processed ( 626 ), i.e., prepared to be delegated to the web service 25 . The authentication ID parameter is removed from the method call and the modified method call is passed to the web service interface unit 312 . The web services interface unit 312 searches the web service registry repository 530 to determine the location of the requested web service 25 , as described above. The method call is delegated to the web service 25 via the corresponding web service connection 32 ( 627 ).

[0058] If the method call does not have a corresponding response ( 628 ), then the method is done ( 633 ). Otherwise, a response is received from the web service 25 ( 629 ) and sent to the client application 15 ( 630 ), as described above. The method is done ( 633 ).

[0059] FIG. 6C shows another example of a method for managing functionality for one or more web services 25 ( 650 ) in accordance with an embodiment of the present invention. This example relates to a client application developer. To request an API of a web service 25 , a client application 15 sends an API request method call (API request) through the client application connection 31 . The client application interface unit 310 receives the API request and passes the API request to the communication processor 311 ( 651 ). The communication processor 311 determines which web service 25 is associated with the API request. The API request is then passed to the web services interface unit 312 . The web services interface unit 312 searches the web service registry repository 530 to determine the location of the requested web service API ( 652 ). The web service registry repository 530 provides a mapping from the web service 25 URI to the physical location of the web service 25 and any other attributes of the web service 25 that are desirable to assist the gateway module 500 to interpret, process, and make actual requests or method calls of said web service 25 . Once the location of the web service 25 is determined ( 652 ), the API request is delegated to the web service 25 via the corresponding web service connection 32 ( 653 ).

[0060] The web services interface unit 312 receives the requested web service API contract from the web service 25 ( 654 ) in response to the API request. The web services interface unit 312 passes the API contract to the communication processor 311 to be passed back to the client application interface unit 310 . The client application interface unit 310 sends the response through the appropriate client application 31 to the client application 15 from which the API request originated ( 655 ). The method is done ( 656 ). Alternatively, the method may include access restriction measures such as requirements for authentication and/or authorization, as described above with respect to web service method calls.

[0061] The gateway module 500 is transparent to the client application 15 and the web services 25 . The gateway module 500 processes communication between client application 15 and web service 25 . In the case of a client application developer, a single entry point, i.e., a single address, is exposed for client application developers to retrieve a web service API contract document, such as WSDL. WSDL contains a port, which is a single address in which to bind a client application 15 . A WSDL returned by normal web services 25 contains its own address. Hence if a client application 15 has ten web services, the client application 15 will require ten addresses to connect to these web services 25 (as depicted in FIG. 1 ). An API contract processor in the communication processor 311 , such as a WSDL processor, replaces this port address with the address of the gateway module 500 before returning the WSDL back to the client application developer. This ensures that the client application 15 that will be created by the client application developer will send its SOAP requests to the address that is associated with the client application interface unit 310 . Subsequent SOAP requests sent by the client application 15 are received by the client application interface unit 310 and delegated to a web method call processor, such as a SOAP processing module, in the communication processor 311 .

[0062] Two scenarios are described above: A) requests from a client application user (method calls over SOAP); and B) requests from a client application developer for the API contract (WSDL). In scenario A, the gateway module 500 acts as a SOAP processor. Scenario A occurs over the SOAP protocol whenever a method of the web service 25 is invoked. In scenario B, the gateway module acts as an API contract (WSDL) processor. Scenario B does not occur over SOAP and occurs during the design/development time of the client application 15 consuming the web service 25 . In both scenarios, there may be two areas of processing: i) the processing of the request before the request is forwarded to the web service 25 ; and ii) if there is a response, the processing of the response before it is returned to the client application 15 .

[0063] This description contains references to login and logon procedures. The embodiments of the inventions described in this specification apply to both login and logon procedures. A login reference is intended to include a logon reference and vice versa.

[0064] A client application user or client application developer may call a Login method, passing his/her credentials, through the use of a client application 15 . The credentials may be authenticated and a list of web services 25 to which the client application 15 is authorized to access may be established and stored in a repository. After authenticating the credentials, the gateway module 500 returns an authentication ID to be passed with every method call. Advantageously, this simplifies the authentication and authorization checking steps in the management of web service 25 functionality. The use of authentication IDs will be described further below.

[0065] In order to achieve the transparency described above, client application developers may use parameters added to and/or modified from existing parameters to method calls of web services 25 API contract. These extra and/or modified parameters are created by an administrator or developer of the gateway module 500 and assist the gateway module 500 to distinguish method calls from one client application 15 from method calls of another client application 15 . Furthermore, the extra and/or modified parameters assist in other administrative functions such as classification and storage of the web service 25 method calls, and storage of authentication IDs. The API contract request method may also include extra parameters. The areas of processing referred to above relate to i) transformations between the method call received from the client application 15 and the method call passed to the web service; and ii) transformations between the response, if any, received from the web service and the response passed to the client application 15 .

[0066] FIG. 7A shows a depiction 701 of the web services infrastructure 501 as a SOAP processor in accordance with an embodiment of the present invention. A client application 15 (such as an end user application used by a client application user) invokes a SOAP method call (client call) 701 . The client call 701 is received by the gateway module 500 , as described above. The client call 701 is modified by a SOAP processor of the communication processor 311 of the gateway module 500 . The modification here may include the removal of an extra parameter which was added to the web service SOAP method call by the client application developer. Thus the modification translates the client call 701 into the actual web service SOAP method call (WS call) 702 understood by the web service 25 . The WS call 702 is sent by the gateway module 500 to the web service 25 , as described above.

[0067] The gateway module 500 receives a web service SOAP response (WS response) 703 from the web service 25 , as described above. The SOAP processor of the communication processor 311 translates the WS response 703 into a SOAP based response (client response) 704 that the client application 15 will understand. The translation may be the addition or modification of a parameter in the WS response. The gateway module 500 then sends the client response 704 to the client application 15 , as described above.

[0068] The ability to act as a SOAP processor allows the functionality of the web services 25 to be better managed. Since the web services infrastructure 501 is listening to SOAP communication between client 15 and web service 25 , the web services infrastructure 501 has the information to determine what methods 701 are being called, under what conditions and even by whom, provided that identification information was given by the caller. Furthermore, the web services infrastructure 501 is able to check authentication, authorization, and/or billing information and determine if the method call should be allowed to proceed to the service. When the response from the web service 25 returns, the web services infrastructure 501 is then able to update any relevant billing or audit information, as described below. In general the web services infrastructure 501 can perform infrastructure functions common to the related web services 25 because the web services infrastructure 501 is privy to the information passed from client application 15 to web service 25 .

[0069] FIG. 7B shows a depiction 750 of the web services infrastructure 501 as an API contract processor in accordance with an embodiment of the present invention. A client application 15 (such as a programmer application used by a client application developer) may make a method call (developer call) 751 requesting the API contract of a web service 25 . The developer call 751 is received by the gateway module 500 , as described above. The developer call 751 is modified by an API contract processor of the communication processor 311 of the gateway module 500 . The modification here may include the removal of an extra parameter which was added to the API contract method call. Thus the modification translates the developer call 751 into the actual API contract method call (API call) 752 understood by the web service. For example, an HTTP GET request method call may be used to obtain a web service API contract. The API call 752 is sent by the gateway module 500 to the web service 25 , as described above.

[0070] In response to the API call 752 , the gateway module 500 receives an API contract (for example, WSDL) 753 from the web service 25 as described above. The API contract processor of the communication processor 311 translates the WSDL 753 into a modified WSDL 754 that the client application developer will use. The translation may be the addition or modification of a parameter in the WSDL 753 , such as the modification of an address, as described above. The gateway module 500 then sends the modified WSDL 754 to the client application 15 , as described above.

[0071] By modifying the API contract (WSDL) 753 as it is delivered from the web service 25 to the client application 15 , the web services infrastructure 501 is able to enforce the requirement of the consuming client application developer to insert parameters into any or all method calls in that web service 25 . This allows the newly developed client application 15 to believe the added or amended parameters are part of the web service 25 method being invoked while the web service 25 is not even aware that parameters exist. When the new client application 15 calls the method 701 , the SOAP processor in the gateway module 500 strips out the extra parameters, performs any processing required, and passes the SOAP message (minus the extra parameters) 702 onto the web service 25 . For example, the web services infrastructure 500 can receive and process a user identifier parameter which allows for the association of method calls 701 , 702 to a given client application 15 and all of the authorization and billing information appropriate for that client application 15 . The web services 25 are not concerned with the identifier and the identifier need not be a parameter for any of their methods 702 . From the client application 15 point of view, however, the methods 701 use this parameter.

[0072] FIG. 8 shows an example of a modification to an API contract through the gateway module 500 in accordance with an embodiment of the present invention. A web service API contract 753 may contain many method calls, i.e., WS calls 702 . As an example, FIG. 8 shows a web service WS 1 API contract 753 as containing 50 WS calls 702 . Three examples of WS calls 702 given in FIG. 8 include:

[0073] method1(string param1, int param2, MyType param3);

[0074] method2(char param1, MyType param2); and

[0075] method 3( ).

[0076] FIG. 8 also depicts the modified web service WS 1 API contract 754 as seen by the client application 15 with method calls, i.e., client calls 701 , that contain an additional parameter “gparam1” of type “AuthID”. For example, this additional parameter may be an identifier that the client application 15 is authorized to use the method in the web service 25 . In this example, the additional parameter is placed as the first parameter to all client calls 701 . Other parameters may be added to the client calls 701 . Thus, the three corresponding examples of client calls 701 in the client application 15 are:

[0077] method1(AuthID gparam1, string param1, int param2, MyType param3);

[0078] method2(AuthID gparam1, char param1, MyType param2); and

[0079] method3(AuthID gparam1).

[0080] Additionally, if it is a requirement for a web service 25 to have certain parameter types converted to other types (from the perspective of the client caller), these parameters, along with the associated target types, and the conversion method would be described in the web service registry 530 , or an additional table indexed off of the web service registry 530 .

[0081] By modifying the API contract, the gateway module 500 can make it appear that any web service 25 has any set of methods as desired, regardless of what methods the service actually implements. As long as calls to these methods are honored somewhere inside of the web services infrastructure 501 , it appears to the client application 15 as though the client method was really implemented by the web service 25 . The web service 25 remains unaware that the client method exists let alone that the separate client call 701 was made. In general the web services infrastructure 501 is able to dynamically modify the methods that would appear to be offered by a web service 25 ; even adding methods that might have a central implementation somewhere inside of the web services infrastructure. For example, for more convenient calling on the client side, the web service provider 20 may add a DoMethod( ) method that takes an enumeration of the methods offered by a given web service 25 to each web service 25 it offers.

[0082] In similar ways that extra methods can be added to a given web service 25 , new virtual services can be composed of methods from various other web services 25 using the infrastructure 501 . By creating a complete API contract 753 for a virtual service that does not really exist, the infrastructure 501 can then route the client calls 701 made to said virtual service methods to the real web services 25 that implement the WS methods 702 . These virtual services could be composed by a system administrator through an application that interfaces with the infrastructure's databases.

[0083] Again, through modification of the API contract 753 whenever it is requested, the gateway module 500 is able to make it appear that a web service 25 resides at any virtual location. By ensuring that the WSDL processor of the gateway module 500 intercepts references to the web service 25 at this virtual location, the gateway module 500 can then route the call to one of the physical locations where it actually exists. When a web service 25 changes its physical location, it is just a matter of updating the data table in the web service registry repository 530 that indicates its location to the gateway module 500 . The original entry in the web service registry repository 530 may be created through a gateway module system administration application when a web service 25 is registered with the gateway module 500 . Clients need not even be aware that the web service 25 has moved.

[0084] FIG. 9 shows another example of a gateway module 900 in accordance with an embodiment of the present invention. The gateway module 900 includes a client application interface unit 310 , a communication processor 311 , a web services interface unit request dispatcher, 312 , a web services registry repository 530 , a metering module 950 , a web method call processor 960 , a web service API contract processor 965 , a billing module 970 , and a login services module 980 . The login services module comprises an authentication module 520 , an authorization module 525 , an authentication identifier (ID) provider 940 , and an authentication ID validator 945 . Components may be added to or removed from the gateway module 900 .

[0085] The client application interface unit 310 , communication processor 311 , web services interface unit 312 , authentication module 520 , authorization module 525 , and web services registry repository 530 may be similar to those described above. The metering module 950 keeps track of the usage of web service client call 701 methods for the specific client application 15 , including the number of client calls 701 made and amount of server resource consumed. The web method call processor 960 comprises code to perform the modifications to the method calls 701 , 702 and responses 703 , 704 described above. The web method call processor 960 may be a SOAP processor, or any suitable processor for other web method protocols. The API contract processor 965 comprises code to perform the modifications to the API method calls 701 , 702 and WSDL 703 , 704 described above. The API contract processor 965 may be a WSDL processor, or any suitable processor for other web service API. The billing unit 970 comprises code to bill client applications 15 for the transparent use of web services 25 . The login services module 980 comprises code to administer and service a login request received from a client application 15 , and to administer authorization and authentication of a client application 15 . The login request may be passed directly to the login services module 980 from the client application interface unit 310 . Alternatively, the login request may be first sent to the communication processor 311 to be sent to the login services module. The authentication ID provider 940 may comprise code which assigns one or more authentication IDs to a client application 15 when the client application 15 logs into a web service 25 . The authentication ID validator 945 may comprise code to validate the authentication ID. These components will be further described below.

[0086] FIG. 10 shows another example of a method for managing functionality for one or more web services 25 ( 1000 ) in accordance with an embodiment of the present invention. The method ( 1000 ) begins with listening for communications between client applications 15 and web services 25 ( 1001 ). The communications may be client applications 15 attempting to log into web services 25 , client applications 15 sending web service method calls 701 or API contract method calls 751 , or web services 25 sending responses to either method calls 703 or API contract method calls 753 .

[0087] If the client application interface unit 310 receives a login request ( 1002 ) to a web service 25 , the client application interface unit 310 sends the login request to the login services module 980 . Alternatively, the login request may be passed to the communication processor 311 to be passed onto the login services module 980 . The login services module 980 processes the login request ( 1003 ). The authentication module 520 validates the client application 15 , as described above. If the login request is successful, i.e., the client application 15 is valid, then the authentication ID provider 960 issues an authentication ID for the client application 15 . Information regarding the web service 25 for which the authentication ID is valid may be stored in the authentication ID validator 965 . Alternatively, the information relating to the issued authentication ID may be stored in an additional repository accessible by the authentication ID validator 965 . The client application interface unit 310 returns the authentication ID to the client application 15 ( 1004 ). The gateway module 500 now returns to a state of listening for communications ( 1001 ). This thread will be further described below.

[0088] If the client application interface unit 310 receives a client call 701 or a developer call 751 ( 1005 ), the client application interface unit 310 passes the call 701 , 751 to the communication processor 311 . The call 701 , 751 contains an authentication ID passed as a parameter. The web method call processor 960 would process a client call 701 ( 1006 ), as described above. The API contract processor 965 would process a developer call 751 ( 1006 ), as described above. The removed authentication ID is sent to the authentication ID validator 965 for validation. If the authentication ID is valid, then the communication processor 311 passes the corresponding WS call 702 or API call 752 to the web services interface unit 312 to be delegated to the appropriate web service 25 ( 1007 ). Information regarding the client application 15 and the call 701 , 751 may be logged in a repository. The gateway module 500 now returns to a state of listening for communications ( 1001 ).

[0089] If the web services interface unit 312 receives a WS response 703 or a WSDL 753 ( 1008 ), then the web services interface unit 312 passes the WSDL 703 to the communication processor 311 . The web method call processor 960 would process a WS response 703 ( 1009 ), as described above. The API contract processor 965 would processes a WSDL 703 ( 1009 ), as described above. If the call 702 , 752 and the response 703 , 753 are asynchronous, then information stored in a repository may be accessed to determine the client application 15 which sent the original call 701 , 751 corresponding to the response 703 , 753 . If the call 702 , 752 and the response 703 , 753 are synchronous, then the identity of the client application 15 which sent the original call 701 , 751 is clear. The client response 704 or modified WSDL 754 is passed to the client application interface unit 310 to be sent to the client application 15 ( 1010 ). The gateway module 500 now returns to a state of listening for communications ( 1001 ).

[0090] Other steps may be added to the method ( 1000 ), including metering the gateway module 900 usage and billing the client application 15 , as well as billing a web service provider 20 .

[0091] In alternative examples of a communication processor 311 , the web method call processor 960 and the API contract processor 965 may comprise further sub-components, to handle their tasks. For example, the web method call processor may either contain a SOAP method call processor and a SOAP response processor. Similarly, the API contract processor may contain a WSDL communication processor and a WSDL response processor. Method call processors for other protocols and API contract processors for other API contract documents may be added to the web method call processor and the API contract processor, respectively. Furthermore, the communication processor 311 may be created to only contain desired sub-components.

[0092] An alternative to the login thread ( 1001 - 1002 - 1003 - 1004 - 1001 ) described above will now be described. Some of the detail in this alternative description may be used to augment the description of the above thread as well.

[0093] Using a secured channel is safer but slower than an unsecured channel since a secured channel requires the extra encryption/decryption steps. An alternative solution is to have the client application 15 log into the web service 25 once by sending client application credentials, typically a user name and password, over the secure channel and in return the client application 15 will receive a unique authentication identifier (ID) over the secured channel. Sometimes an authentication ID is called a session ID. However, there is a distinction between a session ID that refers to a locked communication between a client and a server and a session ID that refers to the fact that authentication has occurred. Thus, the term authentication ID is used in this specification.

[0094] Successive calls to the web service 25 are then made over an unsecured channel with the authentication ID to identify the client application 15 . Since the client application credentials are not sent during the successive calls, the calls no longer needs to be done over a secure channel. The calls can be sent over an unencrypted channel, such as http. This will improve performance as well as limit the number of times that the client application credentials are sent. When the server receives a web service call, it will authorize the client application 15 by verifying that the authentication ID is valid at that point in time.

[0095] This use of an authentication ID is only partially acceptable since the client credentials are safe as they are passed over the secure channel once and the client application 15 can still be authenticated for access to web services using the authentication ID. The problem is that since the web service calls are not done over a secured channel, the authentication ID could be compromised. Anyone who is observing the unsecured channel could note the authentication ID as it is used in the web service calls. The observer could then reuse this authentication ID and gain unauthorized access to the web service 25 .

[0096] One adaptation to the use of an authentication ID is to have the authentication ID time out after a certain period of time. Once an authentication ID has expired, anyone who has obtained it with or without authorization will no longer be able to use it and the authorized user will have to logon again and receive a new authentication ID. While the time-out of an authentication ID solution is better than no solution, there is still the problem that a misuse of a web service may occur for a limited time.

[0097] Another aspect of the gateway module 900 described here uses a pool of authentication IDs. A pool of authentication IDs contains a plurality of authentication IDs. As described above, the authentication ID provider 940 may comprise code which assigns one or more authentication IDs to a client application 15 when the client application 15 logs into a web service 25 . These authentication IDs are passed as parameters in the method calls 701 , 751 as described above. The authentication ID validator 945 may comprise code to validate the authentication ID. This authentication code be done in a number of ways. In an example of an embodiment of the present invention, a working table mapping is setup when the client application 15 is authenticated (i.e., authentication ID returned). The authentication ID is checked every time a method is called, then deleted if the client application 15 logs off or the authentication ID expires. An alternative of using a hashing system would require care to remain as secure.

[0098] The user of a client application 15 logs onto a web service 25 by sending client application credentials, typically a user name and password, over a secured channel as described above. In return, the client application 15 will receive a group or pool of authentication IDs. The pool of authentication IDs returned is secure since the pool is sent back over the secured channel. The exact number of authentication IDs returned can vary depending on the system administration requirements for the web service 25 . Once the client application 15 has this pool of authentication IDs, the client application 15 may use a different authentication ID from this pool with each successive call to the web service 25 . The authentication ID that is used will then expire upon use so that it can not be reused. This means that even if an eavesdropper is able to compromise an authentication ID, the eavesdropper will not be able to use it since it can only be used once.

[0099] FIG. 11 shows the sequence of logging onto a web service 25 and using the pool of authentication IDs. In FIG. 11 , the sequences are listed as A, B, C 1 , R 1 , . . . , Cn, Rn, where n is an integer greater than one. The step “A” represents a client application 15 sending client application credentials over a secured channel, such as https. The step “B” represents the server authenticating the user and returning a pool of n authentication IDs over the secured channel. The steps “C 1 ” to “Cn” represent the client application 15 making up to n web service calls over an unsecured channel using a different authentication ID from the pool of n IDs returned. Each authentication ID will expire upon use. The steps “R 1 ” to “Rn” represent the server validating the authentication ID used and returning the result of the web service call to the client application 15 .

[0100] After the client application 15 has used up all the authentication IDs in the pool that was given, the client application 15 may log on again to receive another pool of authentication IDs. No one other than the client application 15 will be able to use the authentication IDs since the authentication IDs are always given to the client application 15 over a secured channel and the authentication IDs expire upon use. Each authentication ID is not compromised during or after its use over an unsecured channel because an unauthorized person who manages to capture an authentication ID only receives an expired authentication ID.

[0101] Further security features may be added to the pool of authentication IDs. For example, unused authentication IDs in a pool of authentication IDs can be set to expire after a preset event such as the expiry of a period of time.

[0102] FIG. 12 shows a method for providing a pool of authentication IDs ( 1200 ) for use in web services communication. The method begins with the client application interface unit 310 receiving a request for a pool of authentication IDs ( 1201 ) over a secured channel. Typically, the request will come from a user using a client application 15 . The request is passed to the authentication ID provider 940 of the login services module 980 . The authentication ID provider 940 creates and assigns a pool of authentication IDs ( 1202 ). The authentication IDs may be passed as parameters by the client application 15 during web service communication, such as SOAP communication. The authentication IDs may be created and assigned by code in the authentication ID provider 940 . The pool of authentication IDs is passed to the client application interface unit 310 to be sent to the client application 15 ( 1203 ) over a secured channel and the method is done ( 1204 ). The client application 15 may now use the authentication IDs.

[0103] FIG. 13 shows a method for using a pool of authentication IDs. During subsequent client calls 701 over an unsecured channel such as http, an authentication ID from the pool of authentication IDs is sent as a parameter in the client calls 701 . The client application interface unit 310 receive a client call 701 containing the authentication ID ( 1301 ). The authentication ID is parsed from the client call 701 by the communication processor 311 , as described above, and passed to the authentication ID validator 945 . If the authentication ID is not valid ( 1302 ), then the client call 701 is rejected and the method is done ( 1305 ). If the authentication ID is valid ( 1302 ), then the next step is to check whether the client application 15 is authorized to access the web service method relating to the client call 701 ( 1303 ). If the client application 15 is not authorized ( 1303 ), then the client call 701 is rejected and the method is done ( 1305 ). If the client application 15 is authorized ( 1303 ), then the WS call 702 is sent ( 1304 ), as described above, and the method is done ( 1305 ).

[0104] FIG. 14 shows another example of a login services module 1400 in accordance with an embodiment of the present invention. The login services module 1400 may be used by the gateway module 900 . The login services module 1400 comprises an authentication ID provider 940 , an authentication ID validator 945 , an authentication module 520 , an authorization module 525 , and an information repository 1401 . The authentication module 520 , authorization module 525 , authentication ID provider 940 and authentication ID validator 945 are similar to those described above. The information repository 1401 contains information used to authenticate and authorize client applications 15 , as well as storing authentication ID allocations. The information repository 1401 may be a database. The authentication ID provider 940 , authentication ID validator 945 , authentication module 520 , and authorization module 525 are connected to the information repository 1401 and may be accessed by the communication processor 311 .

[0105] Alternatively, the repository 1401 may be accessed by components of the gateway module 900 , including the metering module 950 and the billing module 970 . Client applications 15 may be charged for the pool of authentication IDs based upon the size of the pool of authentication IDs. Packages of authentication IDs may be available for a client application 15 to order. For example, a client application 15 may order a basic package of 100 authentication IDs, or a premium package of 1000 authentication IDs. Other sizes of packages may be preset. A client application 15 may also be prompted by the authentication ID provider to enter the number of authentication IDs in the pool of authentication IDs.

[0106] Alternatively, the billing module 970 may charge based upon use of an authentication ID. In such a scenario, the metering module 950 tracks and records usage of the pool of authentication IDs. The information collected by the metering module 950 is stored in the repository 1401 , or another central repository which may be accessed by components of the gateway module 900 .

[0107] FIG. 15 shows a method for providing a pool of authentication IDs ( 1500 ) for use in web services communication. The method begins with the login module 1400 receiving a request for a pool of authentication IDs from a client application 15 . Specifically, the login services module 1400 receives client application credentials from the client application interface unit 310 which receives the request over a secured