tions are starting to be integrated with each other. This creates a need for technology for glueing together applications both within and across organizations, without having to re-engineer individual components. We propose an approach for developing this glue technology based on message ows and discuss the open research problems in realizing this approach.
1 Introduction
Recent advances in networking and the pervasive deployment of the internet have created new opportunities for computing research. Many applications are evolving from monolithic to distributed systems. Business processes are increasingly being automated and interconnected in spontaneous ways. Companies increasingly require the integration of once independent applications, either because they are vertically integrating components of the business, or because of mergers or outsourcing of function to separate organizations. In summary, there is a convergence to loosely integrated distributed systems, where each component can evolve independently. In this paper, we make the case for research in \glue technology" for loosely integrating distributed systems. The basic observation underlying this technology is that widely disseminated, often real-time \events" (or messages) | e.g. stock quotations, advertisements, o ers to buy and sell, weather reports, trafc conditions, etc. | are becoming ubiquitously available through the Internet. These public events, as well as internal events, such as orders, shipments, deliveries, manufacturing line changes, can form the \glue" to link applications within and across organizations. Since this technology is based on messages, we use the term Message Oriented Middleware, or MOM for short, to refer to it. Consider the opportunities that arise within a single company. Today, most large companies consist of several smaller organizations that are supported by applications that were developed and have evolved largely independently of each other. In most cases, people provide the linkage between these smaller organizations. For example, when a sale occurs, the sales representative sends a request to manufacturing to produce the product. In such cases, what is needed is a technology that allows companies to automate such processes by tying together its organizations' independent applications. Once tied together, the integrated computing system is potentially cheaper to operate, faster and less prone to errors
than the system in which humans glued together independent organizations. Further, this kind of integration opens up new opportunities for macroscopic analysis such as forecasting, and requirements analysis across the company that can further streamline operations. The value of tying together applications can easily be extended to partnerships between companies. One obvious scenario is when two companies merge. Usually each company has its own set of independent applications | the challenge is to provide \computing glue" to tie these applications together. Another obvious scenario is when two companies do business with each other. In today's model, people are heavily involved in transacting business between companies. Business integration o ers the opportunity to automate business interactions between companies by tying together their applications. As more consumers shop, invest, pay bills and taxes, read, and perform cooperative work and play online, the same glue technology may be extended to support business-to-consumer interactions. Better integration between business software and end-user software such as web browsers o ers the promise of more power and greater ease of use to the end-user. We propose an approach for developing the glue technology required for MOM. Our proposed approach is derived from the publish and subscribe model OPSS93] and event delivery systems WIS]. In this model, the basic unit of data is a message, which corresponds to what are called \events" in publish/subscribe or event delivery systems SV97]. Clients register as publishers or subscribers of messages. Messages are sent to and delivered from information spaces, each of which has a prede ned message schema BKS+ 99]. Information spaces may be tied together via message ow graphs that specify how messages are propagated and transformed between producers and consumers. A message ow graph may route a ltered subset of messages from one information space to another, merge messages from multiple sources, or deliver a transformed version of a message from one information space to another. Some information spaces contain states summarizing the message history of other information spaces. This state can be re-mapped back into a message sequence, often in more than one way. Systems can exploit this non-determinism by relaxing the ordering of messages, by dropping obsolete messages, by compressing the past history being sent to a newly connecting subscriber or to a subscriber who has reconnected after being o -line. In the near future, we envision a pervasive MOM environment that glues together a large number of stand-alone applications. Each application may evolve independently from the others in this environment. The MOM environment will support such evolution without requiring changes in other applications, and in fact, without requiring the other applications to be aware of the addition and removal of applications and clients. (The only exceptions would be those applications dealing with access control and security). The MOM environment will allow new applications to \tap into" information generated by existing applications without disturbing them. This will allow users to add higher order features such as auditing, monitoring, and data mining on top of existing information ows, after the fact, and without disrupting the underlying applications.
Several crucial research problems remain unsolved in the MOM approach, and even those that are solved have not been completely implemented yet. A complete and precise model for this approach has not yet emerged. Several key distributed computing problems remain open such as scalability, and how to provide end-toend guarantees on message delivery. Some of the known algorithms tackle subsets of the overall problem. Questions related to fault-tolerance, security, message ordering, and topology changes that have been well studied in the context of other types of messaging systems are open areas for further research in the context of MOM. There are several e orts from various other communities to provide glue technology to tie together applications, and it is not clear at this stage whether a single glue technology is best suited for all environments. The database community has extended the classical ideas underlying databases to distributed environments via distributed transactions TGGL82] and federated databases Hsi92]. The languages community has extended the concept of objects to a distributed environment via remote method invocation (CORBA Gro98], RMI BN83], etc.). Group communication systems such as Isis have also been used to glue together applications in a distributed environment BCJ+ 90,Bir93,Edi96]. Finally, there exist higher-level approaches such as Work ow that are targeted towards speci c subsets of the overall problem WfM,PPHC98]. We will compare our proposed MOM approach with these other approaches. The rest of this paper is organized as follows. In section 2 we examine several examples that motivate the need for message oriented middleware. In section 3 we elaborate on the message oriented middleware model. In section 4 we discuss open areas for further research in this area. In Section 5 we examine alternative approaches. Section 5 concludes with work related to content-based publish/subscribe systems.
2 Examples
In this section, we provide two examples that motivate the need for Message Oriented Middleware and illustrate the various requirements imposed on this approach: 1. Stock Trading. This example of application integration demonstrates the need for MOM-based systems to be highly scalable and for on-the- y transformation of messages into formats suitable for di erent clients. This example also illustrates the need for anonymity between message publishers and message subscribers. 2. Home Shopping. This example is a home shopping application and further demonstrates the need for cross-domain messaging. This example also illustrates the need for interpreting message streams to capture applicationspeci c meaning.
In order to continue to use legacy client applications, it may be necessary to integrate these applications by performing other transformations. For example, legacy NYSE client applications may wish to access NASDAQ trade events in the NYSE format and vice versa.
Consider a home shopping application where consumers may request up-to-theminute information and pricing on retail items from \virtual markets" for products such as automobiles, computers, or camera equipment (Figure 2). Each message represents a seller's ad: the seller's identity and location, the type of article, and attribute-value pairs representing the attributes of the article being sold. For example, automobile advertisements would include the make, model, year, mileage, and options. The price might either be xed, or left open to competitive bidding in a real-time auction. Additional messages represent bids by buyers, and the open and closing of auctions. Consumers subscribe through a number of tests on these attributes. As in the previous example, messages must be routed to some subset of all subscribers based on their information content. An important function that MOM must support for this scenario is the communication of dynamic changes in the availability and the price of items. The seller may lower the price or withdraw his ad in response to lack of interest by customers. Or buyers may raise the price as a result of competitive bidding. Typically a buyer would subscribe not just to a stream of events, but to a state, determined by the message history, such as the current price of items matching his criterion. As a result, new subscribers would not receive all messages from the beginning of time but instead only those messages representing the current valid prices for these selected items. Messages which have become superseded by updates or which correspond to items no longer available for sale need not be delivered. This example illustrates the importance of interpreting event histories as a state | specifying such a summarization requires the system to understand that a new price for the same item supersedes the previous price, and that the termination of an auction or the withdrawal of an ad cancels all previous prices for that item. The ability to subscribe to a state summarizing a message history has additional e ects on message delivery if the buyer wants to subscribe not merely to the current o er for each selected item, but instead wants to track for instance, the lowest-priced ad matching his criteria, plus any items for which the buyer is still the low bidder. In this case, messages which do not impact the lowest price because they are ads for articles with higher prices are not delivered. Note that if the low-priced ad is modi ed or withdrawn, or if its price is bid up in an auction so that it is no longer the low-priced ad, then it may be necessary to either deliver the ad for the second-low-priced item (if it had previously been suppressed) or to redeliver it. For example, consider the auto advertisements in Figure 2. The $20,000 price is the low price, so the $30,000 price is not delivered. However, once the $20,000 price is withdrawn or raised above $30,000, the ad for the $30,000 automobile is delivered to replace it.
Notice that, in this example, there is no real organizational boundary. Anyone might register as a publisher (potential seller) or as a subscriber (potential buyer) of an information space for a particular product.
{ selection: the destination message history receives a copy of the subset of the
function S over all the messages in the source message history. In the home shopping example, a client may be interested in the lowest priced ad for Saab cars with less than 80,000 miles and a price under $6000. { expand: expand is the inverse of collapse. The source message history is (nondeterministically) computed to be any message history which summarizes to the destination state under the summarization function S. All such message histories are said to be equivalent | the system is free to choose which one of the many message histories to deliver to a destination. Message ow graphs can evolve dynamically, and in fact the changes to these graphs and requests to change the graph are themselves meta-events that can be subscribed to. As in similar systems, access control policies limit who may add and delete nodes and arcs, and where they may be added. Notice that this model has some characteristics of database systems, some of group communication systems, and some unique characteristics of its own. Information spaces in MOM are analogous to tables in relational databases. Just as database tables have data schemas, information spaces have message schemas. The selection relation between information spaces is similar to the select operator between relational tables. Just as a relational database allows linkages between tables and views, MOM allows linkages between information spaces via message ow graphs. Like group communication systems, messages ow from producers to consumers without explicit requests from consumers | i.e., both systems are pushbased. In a push-based environment, it is natural that operations on the message ow, such as selections, transforms, and summarizations, are performed incrementally. De ning and implementing the ow graph model gives rise to a number of open research issues. These issues are discussed in detail in the next section.
4 Research Issues
The message ow graph is a useful abstraction for specifying many problems such as the ones discussed in the previous section. It is easy to explain to users familiar with either data ow graphs or with spreadsheets. There are, however, a number of open issues. One is the type system for de ning schemas for messages and information spaces. Whereas it makes sense to organize relational databases as tables in normal form with each row consisting of a tuple of scalars, a similar \normal form" is probably not feasible for message histories. One reason is that while relational tables containing rows of di erent formats can be factored into separate tables, message histories cannot be so factored without losing the intrinsic total order characteristic of histories. It is probably necessary to allow messages to contain variant types, as well as embedded lists or bags.
4.1 Model
Another open issue is the language for expressing the selection predicates, the transforms, and the summary functions used by expand and collapse. We want to be able to express problems like \cheapest current o er for a Saab" without elaborate programming. There is a tradeo between convenience, expressive power, and analyzability. Another issue is how to handle access control. In this model, access control can involve more than merely saying \this user may subscribe from this space". Some subscriptions require all messages to be archived forever, while others allow messages to be expired relatively quickly | these di erences have consequences for physical resource requirements on broker servers, so there should be a way to allow access control to take these consequences into account.
4.2 Scalability
There are many dimensions of scalability. In this section, we deal with the potentially large fanout of select, transform, or summarization arcs from a single information space. In a large application, or in an anonymous environment such as home shopping where a single information space may be advertised very widely, the number of subscribers may be very large | perhaps in the tens of thousands or more. In this environment it becomes necessary to deploy algorithms that quickly match events against a large number of potential subscriptions | we refer to this problem as the message matching problem. Though the number of subscriptions to an information space may be large, say N (where N may be 10,000 or more), we expect only a few subscriptions to match any single event, say K. E cient algorithms exist for solving the message matching problem in messaging systems based on subject-based subscription, a simple table lookup based on the subject of the message yields a constant time algorithm, which is also optimal. In the more general content-based subscription systems, this approach does not work since di erent subscriptions may refer to di erent elds of the message schema. Naive solutions take O(N) steps to solve the message matching problem. It is highly desirable to develop algorithms to solve the message matching problem that are sublinear in N. This is an active area of ongoing research ASS+ 99]. Note that the message matching problem is complementary to the query problem in databases. In a database query, a single query (typically a select) is matched against a large amount of data | the challenge here is to develop algorithms that are sublinear in the amount of data in the database. In the message matching problem a single piece of data (a message) needs to be matched against a large number of standing queries (subscriptions). Since the problems are complementary, neither solution is useful in the other context. Note that the matching problem was rst studied in the context of active databases. E cient solutions to this problem are thus applicable in MOMs and in databases HCKW90]. A problem similar to the message matching problem arises when there is a large fanout of arcs between a single information space and multiple states. By analyzing the multiple summarization functions we may be able to avoid the
need to make multiple copies of the same state update and to exploit the fact that if one state doesn't change as a result of a message, a set of related states will also not change.
{ Perform message matching at the publisher and use the result of the match-
ing to route to the destinations. With this solution, straightforward routing techniques will not work when there are a large number of clients, since (a) point-to-point routing will not take advantage of common paths, (b) routing based on destination lists could result in large message headers, and (c) routing based on multicast groups could require a very large number of groups (if there are N subscribers, the system may need as many as 2N multicast groups). { Broadcast the message to all message brokers and let each message broker match the message against its locally connected subscribers. This solution is likely to waste communication bandwidth in very large networks, since if subscriptions are su ciently selective, messages will often be sent to a broker none of whose attached clients requires the message.
Approaches to the problem being studied include: (1) performing partial matching at each broker, forwarding messages (either by conventional pointto-point or by multicast) to the subset of neighboring brokers requiring the message (2) matching messages to a combination of pre-allocated multicast groups (3) exploiting the relationships between the subscriptions to reduce the combinatorial possibilities of multicast groups. The existence of message transformations complicates the situation even further | some transformations can be moved and/or replicated on multiple brokers others cannot, either because they involve data that cannot be moved (e.g. a large database mapping names to social security numbers), or because they involve \opaque" algorithms not visible to the middleware.
ow graph is viewed as an abstract reliable entity: Subscriptions are persistent, and messages may not be lost, permuted, or duplicated, nor must spurious messages be generated (unless such distortions can be masked as a result of ltering or state equivalence). The implementation must preserve the appearances of persistence even though in the message distribution scenarios shown above, the distributed system may contain intermittently connected and intermittently faulty hardware components. This means that when a faulty subscriber reconnects, it must be possible to either deliver all the messages that it has missed, or else to compute (via analysis of the e ects on the state of interest) a shorter set of messages which will re-create this state. Unlike with group communication systems, it is not su cient to report to a faulty or disconnected subscriber that its subscription has been dropped. For example, the Replenishment Analysis teams must continue to receive inventory updates after a dropped connection is reestablished. We need algorithms to provide this appearance of persistence in a distributed network of message brokers. We also need algorithms to exploit the cases where state equivalence permits dropping of messages, and to exploit the properties of state equivalence to deliver compressed message sequences after a reconnection.
route. It is desirable wherever possible to deliver messages optimistically without waiting for this control information. In the simplest cases, the subscriber's state of interest doesn't depend upon order or isn't a ected by extraneous unlogged messages. However, in more interesting cases, the state of interest does depend upon order, but the state interpretation makes it possible for \recovery" messages to retrieve the correct state after an out-of-order or unlogged message has arrived. For example, in the home shopping example, it may be that an o er to sell for $20000 is followed by an o er to sell for $30000. If the o er for $30000 arrives rst, it can still be immediately delivered when the o er for $20000 arrives later, the recovery action is to deliver it if it is for a di erent item than the $30000 o er, and to discard it as obsolete if it is for the same item. It is an open problem to analyze a set of subscriptions to state derived from message histories, and determine (a) under which conditions messages can be optimistically delivered without waiting for control messages, and (b) what \recovery" messages must be inserted if it is later determined that the state needs to be corrected. End-users don't care about the topology of the underlying network. Ideally (a) it should be possible to recon gure the topology of the underlying network nondisruptively, and (b) it should not require complex planning on the part of a network administrator to con gure. Any approach to the topology recon guration problem must address scenarios in which multiple organizations may own parts of the communications links and logging disks, and these organizations must be able to recon gure and/or control use of their facilities. MOM needs at least three varieties of security: (1) control of who may publish to, or subscribe from the information spaces of the virtual message ow graph, (2) control of the physical resources, (3) privacy protection of the data that ows between publishers and subscribers. Any security solution must accept the fact that there is no single \application" and no single owner of the whole network. There are open issues about: (1) preventing a user from overloading system resources by either generating messages too quickly or by requesting states that make it impossible to discard any old messages (2) how to deal with clients to the same information space from di erent organizations having di erent access rights and (3) the tension between the requirement for brokers to do contentbased matching and the requirement for some brokers not to be able to interpret the content.
4.8 Security
5 Alternative Approaches
Other technologies, including object request brokers (ORBs) and database management systems (DBMSs) are being used to glue applications together in the
kinds of scenarios presented in this paper Gro98,Hsi92,WfM,BN83]. However, each of these approaches has its limitations for the purpose of MOM applications, as described below.
integrated, right from the design stage. Changes are di cult if not impossible to make after an application has been deployed. Also, since remote method invocation is a point-to-point concept, it is not possible to interpose new applications between existing information ows without disrupting the existing applications. { Disconnected operation: RMI systems support a synchronous style of interaction | this makes them unsuitable in environments where clients may disconnect.
{ Pull-based: The receiving application may poll the shared database for new { Active Databases: The receiving application may be alerted about new data
\incoming" data this unnecessarily introduces extra network tra c. in the database using a trigger mechanism. However, the trigger mechanism may not scale over a large number of receivers interested in di erent kinds of updates to the shared database.
centralized database. This approach o ers limited scalability, and does not have the ability to cross organizational boundaries. Changes must rst propagate to the centralized database before being sent to interested viewers. { Distributed database architecture: In this architecture, the database is replicated at multiple sites. In many scenarios for gluing applications together, the replication guarantees provided by distributed databases may be too strong. { Federated databases: In this architecture KK90,Hsi92,GL94], a collection of independently designed databases is made to function as a single database. This involves name con ict resolution, schema conversion, and the execution of transactions on multiple databases as a single global transaction. Although this approach may be appropriate for organizing multiple databases within a single company, or for merging two companies together, it is unlikely to be feasible to run global serial transactions across multiple organizations and thousands of anonymous subscribers worldwide.
In general, a database used as a communication channel is too heavyweight as glue between applications. This approach has a signi cant administrative overhead and may not provide the same kind of communication throughput that a more specialized communication channel could provide. Thus, although databases cannot be a total solution, especially given heavyweight commit protocols that we often don't need in the message ow graph solutions, databases are still potential clients of MOM systems.
munication systems | that a failed process is automatically removed from the group | is inappropriate for MOM applications. In MOM, subscriptions are persistent, when a failed process recovers it needs to be updated with all the messages that it did not receive. { Opaque messages: In general, group communication systems do not interpret the content of messages. This forces them to support qualities of service based on low level properties of the protocol, not on the semantics of messages. MOM systems can get more information from applications and use it to provide various qualities of service more e ectively.
{ Fault model: The fault model that is typically implemented in group com-
Work ow systems (e.g., WfM,Lut94]) are used for coordinating potentially distributed tasks via a speci cation of the sequence and control of tasks. While these systems are typically used to solve problems at a \higher-level", they may also be used to glue applications by treating each application as an \activity" that communicates with other \activities" via a work ow manager (which is the software component that controls the ow of work between activities). However, the major shortcomings of this approach when used for integrating applications are: { Work ow speci cations are relatively static in nature | activities and their interactions do not change once the ow has been de ned. Applications requiring integration, on the other hand, may need to support changes to subscriptions at a frequent rate. { Work ow managers are centralized in practice. This may limit the scalability and the throughput of the system. Building a distributed Work ow system is an active area of ongoing research PPHC98].
From an implementation point of view, none of the above projects has addressed all the research issues mentioned earlier in this paper. The rst scalable solutions for matching and multicasting have appeared recently ASS+ 99,BCM+ 99]. The SIENA project has explored issues relating to e cient propagation of subscriptions. Questions of e cient matching and multicast, message reliability, message ordering, and optimistic delivery are currently being explored in the Gryphon project.
