Exe as Webservice Endpoint

Question

I got a webservice endpoint and I stumple upon how to correctly implement it. It seems to be an parameterized exe-file which returns an XML Reply. There is no documentation.

I am used to soap, wcf and rest but this is completely unknown to me, has anyone a guide or a best case how to implement such a service? I can consume it with a HTTP GET but there are some questions left to me:

I know the questions are quite broad... But I could not find anything about it in the interwebz.

• Is there a secure way to publish exe files as webservice?
• Are there any critical downsides implementing such an interface?
• Make I myself a fool and this is just an alias?

Example Url: http://very.exhausting.company/Version/SuperStrange.exe?parameter=String

Answer 1

Web servers

What you call a webservice endpoint is nothing else than a web server listening on some host (normally 0.0.0.0) and some port on a physical or virtual machine and responding with some HTTP response to HTTP requests sent to that host, port and URIs that the web server cares to process.

Any web server is itself an application or a static or dynamic component of an application as the following examples illustrate:

• JBoss, Glassfish, Tomcat etc. are applications, known as application servers, into which containers/servlets/plugins implementing web servers and corresponding endpoints are deployed. These listen on some port exposing generic web servers routing requests to those containers and their servlets;
• a fat jar started with java -jar on a JVM which deploys a vert.x verticle featuring a vert.x HttpServer listening on some port is nothing else than a web server;
• an interpreter such as node.js parsing and executing JavaScript code based on the express module will most likely deploy a web server on some port;
• finally, a statically or dynamically linked application written in languages such as C++ or Go can expose a web server listing on some port.

All of the above cases feature different deployment mechanisms, but what they deploy is essentially the same: a piece of software that listens for HTTP requests on some port, executes some logic based on request and returns HTTP responses to the caller.

Your windows exe file is most likely a statically linked application that provides a web server.

Protocols

So we know you have a web server as it reacts to an HTTP GET. How does it relate to REST, SOAP etc? Effectively, REST, SOAP etc are higher level protocols. TCP is the low level, HTTP is based on top of that and your server supports that. REST, SOAP and everything else that you mention are higher level protocols that are based, among others, on HTTP. So all you know is that your application (web server) supports HTTP, but you do not know which higher level data exchange protocol it implements. It definitely implements some, at least a custom one that its author came up with to exchange data between a client and this application.

You can try to reverse engineer it, but it is not clear how would you find out about all possible endpoints, arguments, payload structures, accepted headers etc. Essentially, you have a web server publishing some sort of an API, but there is no generic way of telling what that API is.

Security

The world around you does not have to know how the API is published. You can put any of the above 4 web server implementations behind exactly the same firewall or a reverse proxy with SSL termination exposing just one host and port over SSL. So there is no difference in security, with respect to the world, whether you deploy it as exe or as a war into JBoss. This is not to say, that your exe file is secure: depending on how it is implemented it may allow all sorts of attacks, but again, this is equally true for any mechanism.