However, services are mostly used in a service composition consisting of services from di erent organizations. In such a cross-organizational context, a feature cannot be condensed into a single feature module any more. The reason is that service implementations are black boxes, implemented and deployed by di erent organizations, and only the interface descriptions are available [ 1 ]. But this doesn't exclude the need to share semantically compatible features between those di erent services. A typical example of a cross-organizational crosscutting feature is security. When implementing an access control concern in an application, for instance, security actions need to be performed for every interaction between application components. However in a cross-organizational application, it is di cult to defend that a single module, for instance an aspect, should encapsulate the implementation of the internal security mechanisms of the organization involved as well as the global security policy governing how security must be addressed in the overall interaction between organizations. The latter security policy belongs to a level of abstraction above the internal security mechanism.

Therefore this paper proposes an aspect-based variability model for representing cross-organizational features in service networks such as systems of systems or service supply chains. We argue that cross-organizational features should be managed in a multi-layered architecture. Such a multilayered architecture is completely lacking in AOSD currently. The remainder of this paper is structured as follows. In section 2, we further illustrate and motivate the need for a such as feedback by email or by mobile text messages. Similarly, a client can select prioritized processing. By having this feature injected, the client's requests are prioritized over other requests. However, the prioritizing feature requires the billing feature: prioritizing requests comes at an expense. Figure 2 presents the stock trading service composition including the prioritized processing feature. We see that the stepwise feedback feature a ects both the QuotesPortalService, to retrieve customer account information, and the QuotesOrderService, to perform the prioritizing. A more trivial case is the secure communication feature: encryption and decryption operations should be performed at both sides of the connection. This clearly illustrates that a single feature, often consisting of a client and server functionality part, can a ect multiple services in a service composition. SettlementService Settlement settle up QuotesPortalService

Acquisition retrieve customer information process register

Prioritized Processing perform prioritizing QuotesOrderServer variability model for cross-organizational features in AOSD. Section 3 elaborates the overall approach and presents the application of the approach to an example. We discuss related work in section 4 and conclude in section 5.

In this section we further motivate and illustrate the importance of an aspect-based variability model for cross-organizational features in service networks.

We present an example in the e- nance domain (see Fig. 1). A bank o ers a stock trading service to inspect, buy and store stock quotes. To be able to provide this service, it cooperates with the stock market, which in turn cooperates with a settlement company. So the stock trading service is a composition of the services provided by these three companies. Each participant can take up two roles in a composition: service consumer (client) and service provider (server). For example the bank company is a server for the bank customers, but consumes the QuotesOrderService of the stock market.

QuotesPortalService QuotesOrderService SettlementService Bank Customers

Bank Company

Stock Quotes Market

Settlement Company

Order Registering

Order Processing

Transaction Preparation

During a typical session, a client inspects stock quote data, inspects the stored stock quotes in his custody account and potentially buys or sells some stocks. Clients can issue a stock order by using the web service portal facility of their bank. The bank service acquires the client's order and forwards it to the stock market. Processing the order request in the stock market consists of three sequential functional steps. Firstly, the client order is registered in the stock market by the OrderRegistration unit and then forwarded to the OrderProcessing unit. Secondly, at regular time intervals, the OrderProcessing unit searches for matches between buying and selling o ers. If two orders match, they are forwarded to the TransactionPreparation unit, which delegates the actual trade of goods to the settlement company.

Since di erent clients have di erent needs, this service composition can be customized with respect to agreed features such as prioritized processing, billing, stepwise feedback, logging, non-repudiation, transaction support, secure communication, authentication, authorization and secure serverside storage. Choosing di erent features results in di erents variants. If selected, the stepwise feedback feature, for instance, informs the client about the progress made in processing its requests, at the level of the individual services as well as the di erent sequential units within a service. Several alternatives are available for the stepwise feedback feature, Order Registering process

Order Processing prepare Transaction

Preparation

However, each company in a cross-organizational service network has its own IT administration and trust domain, and will not allow external parties to add or update feature implementations. The services provided by the di erent partners are black boxes, loosely-coupled and independently maintained by the company's own administrators. This black-box scenario hinders the feature modularization and composition in a cross-organizational context [ 1 ]. Therefore a feature cannot be condensed into a single module any more. Cross-organizational features need to be split up in client-side and server-side aspects, independently implemented with possibly di erent AO-technologies. However, a uniform high-level representation of those features is crucial to be able to share them in a particular application domain or service network.

In this section we present our approach to achieve a multilayered architecture for the uniform representation of crossorganizational features in AOSD. A multi-layered architecture, distinguishing between policy and mechanism, is a core tenet of the body of research on cross-organizational coordination architectures. We shortly review the stateof-the-art in this eld. Subsequently, based on this tenet, we propose that aspect-based variability is rst described at the level of a technology-independent feature ontology that is well-de ned for a domain or a speci c service network. Each organization implements this feature ontology independently using an AOP technology of its choice. The mapping between the independent feature ontology and the aspect-based implementation is then speci ed as part of the second layer of the model. Finally, we show how this feature ontology is used for cross-organizational service customization.

Our approach is inspired by the design principles of crossorganizational design. In the eld of cross-organizational coordination architectures, a layered system architecture is a core principle of the reference model [ 31 ]. This reference model distinguishes between (i) the type of agreements that are established, (ii) the language for describing the agreements, and (iii) the middleware for establishing and executing the agreements.

The language for describing how the interactions between two or more independent services are to be done is further re ned into a conceptual and a computational model [ 31 ]: 1. A conceptual model provides the modeling concepts to describe the regulations at a su cient high-level of abstraction that is independent from the organizations internal processes and data. 2. A computational model o ers behavioral concepts that are mappable to implementable actions in the underlying software system that can be enforced upon contracted services.

The conceptual model of the language should be as independent as possible from the computational model to enable that di erent organizations can implement the same agreement di erently depending on their choice of implementation platform, while adhering to the terms of the agreement. When multiple independent organizations interact with each other, they have to integrate their business processes in order to be able to operate, gain added-value and survive in a market. To enable this, a certain agreement must be complied by all participating organizations in the business relationship. We think that a common feature ontology can be part of this agreement. Therefore, it is plausible to assume that services in a service network can share a common feature ontology.

The conceptual model in our approach for specifying crossorganizational features consists of a feature ontology. Similarly to the conceptual model of the cross-organizational coordination architectures, this feature ontology should be high-level and independent from the aspect-based implementation to enable organizations in service networks to implement cross-organizational features using an AOP technology of their choice (see Fig. 3). In order to be successful, the feature ontology must have a clear scope on which particular application domain or area it applies, for example, a speci c market such as nancial services or an individual (long-running) business relationship between multiple organizations.

The speci cation of such a common feature ontology is divided into a base level and one or more application-speci c levels. The base ontology is a framework and vocabulary for specifying application-speci c ontologies. An applicationspeci c ontology contains a catalog of features that can be used within a certain cross-organizational service network. Application-speci c ontologies are hierarchically structured: the application-speci c ontology of a speci c service composition imports and extends the ontology of the application domain.

A feature ontology can be seen as a high-level, technologyindependent agreement between the parties involved (typically a service consumer and service provider). This agreement prescribes the intended behavior of the feature and clearly sets out the roles that di erent parties involved have to play, as depicted in Fig. 3. These roles are described by a name (e.g. Service Consumer) and a set of responsibilities. These responsibilities specify constraints on behavior (the speci cation of an algorithm to be used) and interfaces (message types and operations that are required or provided). Further, composition rules can be speci ed that prescribe which features depend on other features and which features can't be executed during the same request due to feature interference.

Listing 1: Example of high-level features. feature P r i o r i t i z e d P r o c e s s i n g f dependsOn : B i l l i n g ; r o l e S e r v i c e C o n s u m e r f r e s p o n s i b i l i t y r e t r i e v e C u s t o m e r A c c o u n t f p r o v i d e s : CustomerAccount ; g r o l e S e r v i c e P r o v i d e r f r e s p o n s i b i l i t y p e r f o r m P r i o r i t i z i n g f r e q u i r e s : CustomerAccount ; p r o v i d e s : A c c o u n t a b l e I t e m ; g g g

g For example, the PrioritizedProcessing feature from Fig. 2 needs two roles: a service consumer who retrieves customer account information, and a service provider, responsible for performing the prioritizing. The service provider role requires a CustomerAccount attribute, which will be provided by the service consumer role. After the prioritizing, the service provider role will provide a AccountableItem attribute that will be used by the Billing feature. The feature description is presented in Listing 1. It also de nes a composition rule that prescribes that PrioritizedProcessing requires the Billing feature.

The mapping between the high-level feature ontology and the aspect-based implementations is speci ed on the level of the service platform, hiding the implementation details for external parties. The use of AOSD [ 9 ] enables a clean separation of concerns, in which the core functionality of a service is separated from any feature behavior. Therefore they are implemented separately from each other as composite entities containing a set of aspect-components, providing the behavior of the features (so called advice). This advising behavior can be dynamically composed on all the components of a service { at client-side and at server-side. By capturing the semantics of the features in a high-level feature ontology, the di erent features can be implemented independently by each of the service providers using their favorite service platform and AO-composition technology. Hence, the di erent services in the network may have their own optimized aspect-based implementations of the di erent features, and the most appropriate feature implementation in each service may depend on environmental circumstances. This decentralized feature management allows a variety of service platforms using di erent AO-composition technologies to be interconnected. In addition, the implementation of the di erent features and the software composition strategy are open for adaptation by each of the local administrators. However, the feature implementations have to satisfy certain constraints, enforced by the feature ontology.

Each feature implementation mapping within a speci c organization is described by means of a declarative speci cation that speci es: (i) the feature and role that is implemented, (ii) the aspect-component that implements the particular role, and (iii) optionally an AO-composition for weaving the aspect-component into the internal processes and data of the organization (see Listing 2).

Listing 2: Example of a feature implementation mapping. featureImplementationMapping PPImpl f implements : P r i o r i t i z e d P r o c e s s i n g ; r o l e : S e r v i c e C o n s u m e r ; ao component : PPAOComponent ; ao c o m p o s i t i o n f

. . . g

g

The Web Services Description Language (WSDL) is an XMLbased language that provides a model for describing web services. The web service is de ned by an interface, describing the operations that can be performed and the message types that are required/provided by these operations. The Service binding

Service Consumer X Feature i

features

WSDL also de nes services as collections of network endpoints, or ports. A port is nothing more than the address or connection point to the web service (typically a http URL). To be able to use our feature ontology, the WSDL should be extended with the set of available features (see Fig. 4). The variability model is accessible to the clients of the service application and allows them to select a desired set of features. Con guration of features across the service network happens through instantiation of service bindings. A service binding is a declarative speci cation, specifying the web service location, the selected port and which features are desired (see Listing 3).

Listing 3: Example of a service binding. servicebinding f URI : h t t p : //www . s t o c k t r a d i n g e x a m p l e . be ; p o r t : S t o c k T r a d i n g S e r v i c e S o a p E n d p o i n t ; f e a t u r e s : P r i o r i t i z e d P r o c e s s i n g , B i l l i n g ; g

We rst discuss the work in the context of cross-organizational service provisioning. Next we discuss the related research in the domain of service composition.

Cross-organizational coordination architectures. A multilayered architecture, distinguishing between policy and mechanism, is a core principle of the body of research on cross-organizational coordination architectures. Firstly, agreements must be represented digitally by means of a language that o ers the necessary concepts for describing and enforcing agreements. Second, coordination middleware must be developed in order to establish agreements dynamically, and to enforce the agreements or detect violations against it. The current state-of-the-art on cross-organizational coordination architectures in the general area of SOA consists of policy-based and contract-based frameworks. Contract frameworks (such as BCL [ 21 ], [ 11 ], [ 26 ], GlueQoS [ 32 ], TBPEL [ 29 ] and SLAng [ 28, 27 ]) focus mostly on negotiation, enactment and monitoring, while policy-based architectures (e.g. Ponder [ 7 ] and LGI [ 22 ]) focus exclusively on enforcement. These coordination architectures establish agreements dynamically between two or more organizations, but fail to support the coordination of system-wide customizations of service compositions. Our approach deals with this by providing an aspect-based variability model for cross-organizational features, managed in a multi-layered architecture.

Service composition. Previous research focussed already on automated composition of web services into composite web services [ 10, 6, 13 ]. For this purpose, matchmaking algorithms search for matching web services based on their input/output, the interaction protocol and functional behavior, using a forward or backward chaining algorithm and a discovery service. The matchmaking process can be either centralized (i.e. planning a complete composition at once), or decentralized, allowing each web service in the composition to decide individually which web services to select in providing the required services for processing the request. This functional matchmaking process is originally based upon WSDL information in the UDDI directory to select the appropriate services. In more recent work, the matchmaking process is based upon QoS properties of the di erent web services [ 32, 33, 34, 16, 4, 8 ]. Here, non-functional properties such as security, reliability and performance are used by the matchmaking algorithm to select the most appropriate service. For example, in [ 33 ], Zheng et al. propose a quality-driven approach to select component services during the execution of a composite service. For this purpose, they de ne a web service quality model based upon ve nonfunctional properties and a global quality-driven selection algorithm formulating these properties as a linear optimization problem. In this approach, every service is assumed to have one particular QoS pro le, described in the quality model. [ 18 ] presents an heuristic algorithm for composing services to achieve global QoS requirements in dynamic service environments.

A common denominator in this research domain is the usage of ontologies [ 3 ] to store semantic information about web services to automate the matchmaking of services in a web service composition based upon functional and nonfunctional properties [ 25, 16, 30 ]. In our approach, we use ontologies and semantic information to describe features as rst class entities rather than describing web services with their properties. In this way, the information about the features is web service independent. Thanks to this ontology, automated reasoning can be done about the customization of the orchestration on a per-request basis, without considering the actual web service composition.

The GlueQoS middleware-based approach of Wohlstadter et al. [ 32 ] manages dynamically changing QoS requirements of web services by delaying QoS commitments of the services. Each service describes its QoS preferences, and a middleware-based resolution mechanism searches for a satis able set of QoS features to inter-operate for services that encounter each other for the rst time. Similar to our approach, GlueQoS uses a xed ontology for classifying features and describing their interactions and possible interference. However, their selection of features is fully decentralized and on a per-collaboration basis (optimally suited for a highly dynamic web service composition), but lacking support for client-speci c customization and consistent processing throughout cross-organizational service compositions, as our approach does.

Finally, our approach does not pretend to replace existing WS-standards such as WS-Coordination [ 24 ], WS-Policy [ 2 ] and WS-Security [ 23 ], but we intend to o er a complementary approach for consistent customization of features in orchestrations. For example, in our approach we use a perrequest tagging solution to achieve coordination between the client and the di erent web services. In case more complex coordination schemes are needed (e.g. if coordination messages don't follow the message ow), our approach can be combined with WS-Coordination. This coordination specication was originally de ned for coordinating transaction protocols, but is extensible for all kinds of coordination protocols in a web service environment.

In this paper, we proposed an aspect-based variability model for representing cross-organizational features in service networks. Our approach consists of a multi-layered architecture, mapping a technology-independent feature ontology onto an aspect-based implementation.

The approach supports maintaining the compatibility of feature implementations across a service network of independent organizations. The common feature ontology can also be leveraged to support client-speci c customization of crossorganizational features across such service networks. As only limited tests have been performed, further validation and evaluation of our approach are necessary.