REST JSON APIs with JAXRS Les Hazlewood CTO
- Slides: 79
REST + JSON APIs with JAX-RS Les Hazlewood CTO, Stormpath stormpath. com
. com • Identity Management and Access Control API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
Outline • REST Fundamentals • Design: Base URL Versioning Resource Format Return Values Content Negotiation References (Linking) Pagination Query Parameters Associations Errors IDs Method Overloading Resource Expansion Partial Responses Caching & Etags Security Multi Tenancy Maintenance • Coding Time! (JAX-RS-based App)
Why REST? • • • Scalability Generality Independence Latency (Caching) Security Encapsulation Learn more at Stormpath. com
HATEOAS • • Hypermedia As The Engine Of Application State Further restriction on REST architectures. Learn more at Stormpath. com
REST Is Easy Learn more at Stormpath. com
REST Is *&@#$! Hard (for providers) Learn more at Stormpath. com
REST can be easy (if you follow some guidelines) Learn more at Stormpath. com
Example Domain: Stormpath • • • Applications Directories Accounts Groups Associations Workflows
Fundamentals Learn more at Stormpath. com
Resources Nouns, not Verbs Coarse Grained, not Fine Grained Architectural style for use-case scalability Learn more at Stormpath. com
What If? /get. Account /create. Directory /update. Group /verify. Account. Email. Address Learn more at Stormpath. com
What If? /get. Account /get. All. Accounts /search. Accounts /create. Directory /create. Ldap. Directory /update. Group. Name /find. Groups. By. Directory /search. Groups. By. Name /verify. Account. Email. Address. By. Token … Smells like bad RPC. DON’T DO THIS. Learn more at Stormpath. com
Keep It Simple Learn more at Stormpath. com
The Answer Fundamentally two types of resources: Collection Resource Instance Resource Learn more at Stormpath. com
Collection Resource /applications Learn more at Stormpath. com
Instance Resource /applications/a 1 b 2 c 3 Learn more at Stormpath. com
Behavior • • • GET PUT POST DELETE HEAD Learn more at Stormpath. com
Behavior POST, GET, PUT, DELETE ≠ 1: 1 Create, Read, Update, Delete Learn more at Stormpath. com
Behavior As you would expect: GET = Read DELETE = Delete HEAD = Headers, no Body Learn more at Stormpath. com
Behavior Not so obvious: PUT and POST can both be used for Create and Update Learn more at Stormpath. com
PUT for Create Identifier is known by the client: PUT /applications/client. Specified. Id { … } Learn more at Stormpath. com
PUT for Update Full Replacement PUT /applications/existing. Id { “name”: “Best App Ever”, “description”: “Awesomeness” } Learn more at Stormpath. com
PUT Idempotent Learn more at Stormpath. com
POST as Create On a parent resource POST /applications { “name”: “Best App Ever” } Response: 201 Created Location: https: //api. stormpath. com/applications/a 1 b 2 c 3 Learn more at Stormpath. com
POST as Update On instance resource POST /applications/a 1 b 2 c 3 { “name”: “Best App Ever. Srsly. ” } Response: 200 OK Learn more at Stormpath. com
POST NOT Idempotent Learn more at Stormpath. com
Media Types • Format Specification + Parsing Rules • Request: Accept header • Response: Content-Type header • • application/json application/foo+json; application … Learn more at Stormpath. com
Design Time! Learn more at Stormpath. com
Base URL Learn more at Stormpath. com
http(s): //api. foo. com vs http: //www. foo. com/dev/service/api/rest Learn more at Stormpath. com
http(s): //api. foo. com Rest Client vs Browser Learn more at Stormpath. com
Versioning Learn more at Stormpath. com
URL https: //api. stormpath. com/v 1 vs. Media-Type application/json+foo; application&v=1 Learn more at Stormpath. com
Resource Format Learn more at Stormpath. com
Media Type Content-Type: application/json When time allows: application/foo+json; bar=baz&v=1 … Learn more at Stormpath. com
camel. Case ‘JS’ in ‘JSON’ = Java. Script my. Array. for. Each Not my. Array. for_each account. given. Name Not account. given_name Underscores for property/function names are unconventional for JS. Stay consistent. Learn more at Stormpath. com
Date/Timestamp There’s already a standard. Use it: ISO 8601 Example: { …, “created. Timestamp”: “ 2012 -07 -10 T 18: 02: 24. 343 Z” } Use UTC! Learn more at Stormpath. com
HREF • Distributed Hypermedia is paramount! • Every accessible Resource has a unique URL. • Replaces IDs (IDs exist, but are opaque). { “href”: https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, … } Critical for linking, as we’ll soon see Learn more at Stormpath. com
Response Body Learn more at Stormpath. com
GET obvious What about POST? Return the representation in the response when feasible. Add override (? _body=false) for control Learn more at Stormpath. com
Content Negotiation Learn more at Stormpath. com
Header • Accept header • Header values comma delimited in order of preference GET /applications/a 1 b 2 c 3 Accept: application/json, text/plain Learn more at Stormpath. com
Resource Extension /applications/a 1 b 2 c 3. json /applications/a 1 b 2 c 3. csv … Conventionally overrides Accept header Learn more at Stormpath. com
Resource References aka ‘Linking’ Learn more at Stormpath. com
• Hypermedia is paramount. • Linking is fundamental to scalability. • Tricky in JSON • XML has it (XLink), JSON doesn’t • How do we do it? Learn more at Stormpath. com
Instance Reference GET /accounts/x 7 y 8 z 9 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “directory”: ? ? } Learn more at Stormpath. com
Instance Reference GET /accounts/x 7 y 8 z 9 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “directory”: { “href”: “https: //api. stormpath. com/v 1/directories/g 4 h 5 i 6” } } Learn more at Stormpath. com
Collection Reference GET /accounts/x 7 y 8 z 9 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “groups”: { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9/groups” } } Learn more at Stormpath. com
Reference Expansion (aka Entity Expansion, Link Expansion) Learn more at Stormpath. com
Account and its Directory? Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9? expand=directory 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “directory”: { “href”: “https: //api. stormpath. com/v 1/directories/g 4 h 5 i 6”, “name”: “Avengers”, “creation. Date”: “ 2012 -07 -01 T 14: 22: 18. 029 Z”, … } } Learn more at Stormpath. com
Partial Representations Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9? fields=given. Name, surname, directory(name) Learn more at Stormpath. com
Pagination Learn more at Stormpath. com
Collection Resource supports query params: • Offset • Limit …/applications? offset=50&limit=25 Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9/groups 200 OK { “href”: “…/accounts/x 7 y 8 z 9/groups”, “offset”: 0, “limit”: 25, “first”: { “href”: “…/accounts/x 7 y 8 z 9/groups? offset=0” }, “previous”: null, “next”: { “href”: “…/accounts/x 7 y 8 z 9/groups? offset=25” }, “last”: { “href”: “…”}, “items”: [ { “href”: “…” }, … ] } Learn more at Stormpath. com
Many To Many Learn more at Stormpath. com
Group to Account • A group can have many accounts • An account can be in many groups • Each mapping is a resource: Group. Membership Learn more at Stormpath. com
GET /group. Memberships/23 lk 3 j 2 j 3 200 OK { “href”: “…/group. Memberships/23 lk 3 j 2 j 3”, “account”: { “href”: “…” }, “group”: { “href”: “…” }, … } Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9 200 OK { “href”: “…/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “groups”: { “href”: “…/accounts/x 7 y 8 z 9/groups” }, “group. Memberships”: { “href”: “…/group. Memberships? account. Id=x 7 y 8 z 9” } } Learn more at Stormpath. com
Errors Learn more at Stormpath. com
• As descriptive as possible • As much information as possible • Developers are your customers Learn more at Stormpath. com
POST /directories 409 Conflict { “status”: 409, “code”: 40924, “property”: “name”, “message”: “A Directory named ‘Avengers’ already exists. ”, “developer. Message”: “A directory named ‘Avengers’ already exists. If you have a stale local cache, please expire it now. ”, “more. Info”: “https: //www. stormpath. com/docs/api/errors/4092 4” } Learn more at Stormpath. com
Security Learn more at Stormpath. com
Avoid sessions when possible Authenticate every request if necessary Stateless Authorize based on resource content, NOT URL! Use Existing Protocol: Oauth 1. 0 a, Oauth 2, Basic over SSL only Custom Authentication Scheme: Only if you provide client code / SDK Only if you really, really know what you’re doing Use API Keys instead of Username/Passwords Learn more at Stormpath. com
HTTP Authentication Schemes • Server response to issue challenge: WWW-Authenticate: <scheme name> realm=“Application Name” • Client request to submit credentials: Authorization: <scheme name> <data> Learn more at Stormpath. com
401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath. com
API Keys • • • Entropy Password Reset Independence Speed Limited Exposure Traceability Learn more at Stormpath. com
IDs Learn more at Stormpath. com
• IDs should be opaque • Should be globally unique • Avoid sequential numbers (contention, fusking) • Good candidates: UUIDs, ‘Url 64’ Learn more at Stormpath. com
HTTP Method Overrides Learn more at Stormpath. com
POST /accounts/x 7 y 8 z 9? _method=DELETE Learn more at Stormpath. com
Caching & Concurrency Control Learn more at Stormpath. com
Server (initial response): ETag: "686897696 a 7 c 876 b 7 e” Client (later request): If-None-Match: "686897696 a 7 c 876 b 7 e” Server (later response): 304 Not Modified Learn more at Stormpath. com
Maintenance Learn more at Stormpath. com
Use HTTP Redirects Create abstraction layer / endpoints when migrating Use well defined custom Media Types Learn more at Stormpath. com
IT’S CODING TIME!!! • Let’s build a JAX-RS REST App! • git clone https: //github. com/stormpath/todosjersey. git Learn more at Stormpath. com
. com • Free for any application • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath. com Les Hazlewood | @lhazlewood
Les hazlewood
Utsa advising
Tvc veterans education
Hamlet in purgatory
Canine rest shape
Rests and rest seats
Newton's second lawlaw
Rest and rest seat
Anatomy of honeybee
Nbu api
Cloud storage models and communication apis
Tmf apis
Apis daten condor
Api one piece
Pharmaceutical intermediates sourcing
Apis honey
Qualcomm snapdragon platform apis unreal unityverge
Unix file apis
Inversion attacks
What is api in unix
Nbu air
Apis for dummies
Stealing machine learning models via prediction apis
Cto
Gaia wire cto
Star cto technique
Apa itu cto
Sfa cto
Survey cto
Cto forum magazine
Barclays digital transformation
Cto organizational chart
Manuales cto
Cto persona
Spinal
Gponhub
Uscybercom cto 10-084
Thomson reuters labs
Cto sims
Cto ceo cmo
Cto
Dts stuck at cto submit
Org chart creation tool
Tata motors cto
Miraclebros guidewire
Hybrid algorithm cto
Workday oms
Defense travel management office
Ceoceo
9gag api json
Python subprocess json
Json linked data
Xml to json jquery
Dom to json
Microsoft windows logos
Bnf json
Php is json
Sqlite uwp
Json associative array
From json to html table softuni
Rapidjson vs nlohmann
Json format
"keys.json" mongodb google cloud
Dwd json
Sap abap json
Yandex image search
"keys.json" mongodb google cloud
Embulk output mysql
E language
Misty douglas
Jws json serialization
Rapidjson addmember
Json stands for
Composition dragibus
Qu'est-ce que tu aimes manger
Trouvez les réponses. écrivez-les en chiffres (numbers).
Le volcan le plus dangereux du monde
Les trois obstacles et les quatre démons
Part de la planta en la fulla s'uneix a la tija
Les parts de les flors
