REST JSON APIs with JAXRS Les Hazlewood CTO
- Slides: 79
REST + JSON APIs with JAX-RS Les Hazlewood CTO, Stormpath stormpath. com
. com • Identity Management and Access Control API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
Outline • REST Fundamentals • Design: Base URL Versioning Resource Format Return Values Content Negotiation References (Linking) Pagination Query Parameters Associations Errors IDs Method Overloading Resource Expansion Partial Responses Caching & Etags Security Multi Tenancy Maintenance • Coding Time! (JAX-RS-based App)
Why REST? • • • Scalability Generality Independence Latency (Caching) Security Encapsulation Learn more at Stormpath. com
HATEOAS • • Hypermedia As The Engine Of Application State Further restriction on REST architectures. Learn more at Stormpath. com
REST Is Easy Learn more at Stormpath. com
REST Is *&@#$! Hard (for providers) Learn more at Stormpath. com
REST can be easy (if you follow some guidelines) Learn more at Stormpath. com
Example Domain: Stormpath • • • Applications Directories Accounts Groups Associations Workflows
Fundamentals Learn more at Stormpath. com
Resources Nouns, not Verbs Coarse Grained, not Fine Grained Architectural style for use-case scalability Learn more at Stormpath. com
What If? /get. Account /create. Directory /update. Group /verify. Account. Email. Address Learn more at Stormpath. com
What If? /get. Account /get. All. Accounts /search. Accounts /create. Directory /create. Ldap. Directory /update. Group. Name /find. Groups. By. Directory /search. Groups. By. Name /verify. Account. Email. Address. By. Token … Smells like bad RPC. DON’T DO THIS. Learn more at Stormpath. com
Keep It Simple Learn more at Stormpath. com
The Answer Fundamentally two types of resources: Collection Resource Instance Resource Learn more at Stormpath. com
Collection Resource /applications Learn more at Stormpath. com
Instance Resource /applications/a 1 b 2 c 3 Learn more at Stormpath. com
Behavior • • • GET PUT POST DELETE HEAD Learn more at Stormpath. com
Behavior POST, GET, PUT, DELETE ≠ 1: 1 Create, Read, Update, Delete Learn more at Stormpath. com
Behavior As you would expect: GET = Read DELETE = Delete HEAD = Headers, no Body Learn more at Stormpath. com
Behavior Not so obvious: PUT and POST can both be used for Create and Update Learn more at Stormpath. com
PUT for Create Identifier is known by the client: PUT /applications/client. Specified. Id { … } Learn more at Stormpath. com
PUT for Update Full Replacement PUT /applications/existing. Id { “name”: “Best App Ever”, “description”: “Awesomeness” } Learn more at Stormpath. com
PUT Idempotent Learn more at Stormpath. com
POST as Create On a parent resource POST /applications { “name”: “Best App Ever” } Response: 201 Created Location: https: //api. stormpath. com/applications/a 1 b 2 c 3 Learn more at Stormpath. com
POST as Update On instance resource POST /applications/a 1 b 2 c 3 { “name”: “Best App Ever. Srsly. ” } Response: 200 OK Learn more at Stormpath. com
POST NOT Idempotent Learn more at Stormpath. com
Media Types • Format Specification + Parsing Rules • Request: Accept header • Response: Content-Type header • • application/json application/foo+json; application … Learn more at Stormpath. com
Design Time! Learn more at Stormpath. com
Base URL Learn more at Stormpath. com
http(s): //api. foo. com vs http: //www. foo. com/dev/service/api/rest Learn more at Stormpath. com
http(s): //api. foo. com Rest Client vs Browser Learn more at Stormpath. com
Versioning Learn more at Stormpath. com
URL https: //api. stormpath. com/v 1 vs. Media-Type application/json+foo; application&v=1 Learn more at Stormpath. com
Resource Format Learn more at Stormpath. com
Media Type Content-Type: application/json When time allows: application/foo+json; bar=baz&v=1 … Learn more at Stormpath. com
camel. Case ‘JS’ in ‘JSON’ = Java. Script my. Array. for. Each Not my. Array. for_each account. given. Name Not account. given_name Underscores for property/function names are unconventional for JS. Stay consistent. Learn more at Stormpath. com
Date/Timestamp There’s already a standard. Use it: ISO 8601 Example: { …, “created. Timestamp”: “ 2012 -07 -10 T 18: 02: 24. 343 Z” } Use UTC! Learn more at Stormpath. com
HREF • Distributed Hypermedia is paramount! • Every accessible Resource has a unique URL. • Replaces IDs (IDs exist, but are opaque). { “href”: https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, … } Critical for linking, as we’ll soon see Learn more at Stormpath. com
Response Body Learn more at Stormpath. com
GET obvious What about POST? Return the representation in the response when feasible. Add override (? _body=false) for control Learn more at Stormpath. com
Content Negotiation Learn more at Stormpath. com
Header • Accept header • Header values comma delimited in order of preference GET /applications/a 1 b 2 c 3 Accept: application/json, text/plain Learn more at Stormpath. com
Resource Extension /applications/a 1 b 2 c 3. json /applications/a 1 b 2 c 3. csv … Conventionally overrides Accept header Learn more at Stormpath. com
Resource References aka ‘Linking’ Learn more at Stormpath. com
• Hypermedia is paramount. • Linking is fundamental to scalability. • Tricky in JSON • XML has it (XLink), JSON doesn’t • How do we do it? Learn more at Stormpath. com
Instance Reference GET /accounts/x 7 y 8 z 9 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “directory”: ? ? } Learn more at Stormpath. com
Instance Reference GET /accounts/x 7 y 8 z 9 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “directory”: { “href”: “https: //api. stormpath. com/v 1/directories/g 4 h 5 i 6” } } Learn more at Stormpath. com
Collection Reference GET /accounts/x 7 y 8 z 9 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “groups”: { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9/groups” } } Learn more at Stormpath. com
Reference Expansion (aka Entity Expansion, Link Expansion) Learn more at Stormpath. com
Account and its Directory? Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9? expand=directory 200 OK { “href”: “https: //api. stormpath. com/v 1/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “directory”: { “href”: “https: //api. stormpath. com/v 1/directories/g 4 h 5 i 6”, “name”: “Avengers”, “creation. Date”: “ 2012 -07 -01 T 14: 22: 18. 029 Z”, … } } Learn more at Stormpath. com
Partial Representations Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9? fields=given. Name, surname, directory(name) Learn more at Stormpath. com
Pagination Learn more at Stormpath. com
Collection Resource supports query params: • Offset • Limit …/applications? offset=50&limit=25 Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9/groups 200 OK { “href”: “…/accounts/x 7 y 8 z 9/groups”, “offset”: 0, “limit”: 25, “first”: { “href”: “…/accounts/x 7 y 8 z 9/groups? offset=0” }, “previous”: null, “next”: { “href”: “…/accounts/x 7 y 8 z 9/groups? offset=25” }, “last”: { “href”: “…”}, “items”: [ { “href”: “…” }, … ] } Learn more at Stormpath. com
Many To Many Learn more at Stormpath. com
Group to Account • A group can have many accounts • An account can be in many groups • Each mapping is a resource: Group. Membership Learn more at Stormpath. com
GET /group. Memberships/23 lk 3 j 2 j 3 200 OK { “href”: “…/group. Memberships/23 lk 3 j 2 j 3”, “account”: { “href”: “…” }, “group”: { “href”: “…” }, … } Learn more at Stormpath. com
GET /accounts/x 7 y 8 z 9 200 OK { “href”: “…/accounts/x 7 y 8 z 9”, “given. Name”: “Tony”, “surname”: “Stark”, …, “groups”: { “href”: “…/accounts/x 7 y 8 z 9/groups” }, “group. Memberships”: { “href”: “…/group. Memberships? account. Id=x 7 y 8 z 9” } } Learn more at Stormpath. com
Errors Learn more at Stormpath. com
• As descriptive as possible • As much information as possible • Developers are your customers Learn more at Stormpath. com
POST /directories 409 Conflict { “status”: 409, “code”: 40924, “property”: “name”, “message”: “A Directory named ‘Avengers’ already exists. ”, “developer. Message”: “A directory named ‘Avengers’ already exists. If you have a stale local cache, please expire it now. ”, “more. Info”: “https: //www. stormpath. com/docs/api/errors/4092 4” } Learn more at Stormpath. com
Security Learn more at Stormpath. com
Avoid sessions when possible Authenticate every request if necessary Stateless Authorize based on resource content, NOT URL! Use Existing Protocol: Oauth 1. 0 a, Oauth 2, Basic over SSL only Custom Authentication Scheme: Only if you provide client code / SDK Only if you really, really know what you’re doing Use API Keys instead of Username/Passwords Learn more at Stormpath. com
HTTP Authentication Schemes • Server response to issue challenge: WWW-Authenticate: <scheme name> realm=“Application Name” • Client request to submit credentials: Authorization: <scheme name> <data> Learn more at Stormpath. com
401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath. com
API Keys • • • Entropy Password Reset Independence Speed Limited Exposure Traceability Learn more at Stormpath. com
IDs Learn more at Stormpath. com
• IDs should be opaque • Should be globally unique • Avoid sequential numbers (contention, fusking) • Good candidates: UUIDs, ‘Url 64’ Learn more at Stormpath. com
HTTP Method Overrides Learn more at Stormpath. com
POST /accounts/x 7 y 8 z 9? _method=DELETE Learn more at Stormpath. com
Caching & Concurrency Control Learn more at Stormpath. com
Server (initial response): ETag: "686897696 a 7 c 876 b 7 e” Client (later request): If-None-Match: "686897696 a 7 c 876 b 7 e” Server (later response): 304 Not Modified Learn more at Stormpath. com
Maintenance Learn more at Stormpath. com
Use HTTP Redirects Create abstraction layer / endpoints when migrating Use well defined custom Media Types Learn more at Stormpath. com
IT’S CODING TIME!!! • Let’s build a JAX-RS REST App! • git clone https: //github. com/stormpath/todosjersey. git Learn more at Stormpath. com
. com • Free for any application • Eliminate months of development • Automatic security best practices Sign Up Now: Stormpath. com Les Hazlewood | @lhazlewood
- Les hazlewood
- Utsa advising
- Tvc veterans education
- Hamlet in purgatory
- Canine rest shape
- Rests and rest seats
- Newton's second lawlaw
- Rest and rest seat
- Anatomy of honeybee
- Nbu api
- Cloud storage models and communication apis
- Tmf apis
- Apis daten condor
- Api one piece
- Pharmaceutical intermediates sourcing
- Apis honey
- Qualcomm snapdragon platform apis unreal unityverge
- Unix file apis
- Inversion attacks
- What is api in unix
- Nbu air
- Apis for dummies
- Stealing machine learning models via prediction apis
- Cto
- Gaia wire cto
- Star cto technique
- Apa itu cto
- Sfa cto
- Survey cto
- Cto forum magazine
- Barclays digital transformation
- Cto organizational chart
- Manuales cto
- Cto persona
- Spinal
- Gponhub
- Uscybercom cto 10-084
- Thomson reuters labs
- Cto sims
- Cto ceo cmo
- Cto
- Dts stuck at cto submit
- Org chart creation tool
- Tata motors cto
- Miraclebros guidewire
- Hybrid algorithm cto
- Workday oms
- Defense travel management office
- Ceoceo
- 9gag api json
- Python subprocess json
- Json linked data
- Xml to json jquery
- Dom to json
- Microsoft windows logos
- Bnf json
- Php is json
- Sqlite uwp
- Json associative array
- From json to html table softuni
- Rapidjson vs nlohmann
- Json format
- "keys.json" mongodb google cloud
- Dwd json
- Sap abap json
- Yandex image search
- "keys.json" mongodb google cloud
- Embulk output mysql
- E language
- Misty douglas
- Jws json serialization
- Rapidjson addmember
- Json stands for
- Composition dragibus
- Qu'est-ce que tu aimes manger
- Trouvez les réponses. écrivez-les en chiffres (numbers).
- Le volcan le plus dangereux du monde
- Les trois obstacles et les quatre démons
- Part de la planta en la fulla s'uneix a la tija
- Les parts de les flors