REST-based Web Services (II)
Helen Paik
School of Computer Science and Engineering
University of New South Wales
Resources:
RESTful Web Services by L. Richardson and S. Ruby, O’Reilly
Building Web Services the REST Way, by Roger L. Costello – http://www.xfront.com/REST-Web-Services.html
ICSOC 2008 Summer School session on REST-based Services
Article: How to get a cup of coffee by Jim Webber (http://www.infoq.com/articles/webber-rest-workflow)
Week 7
H. Paik (CSE, UNSW) REST Week 7 1 / 61
But ... the server decides on that resource’s URI and returns the new URI for the resource in the response
Common human Web example:
posting to Web log: Server decides URI of posting and any comments made on that post
creating a new employee, a new order, etc.
On POST and PUT
PUT “creates” or “updates” a resource:
HTTP spec says: PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI.
Use PUT to create a new resource when you know the URI for the new resource.
Always use PUT to update an existing resource
Business Processes/Workflow and REST
Take the Coffee Order Process from Jim Webber as example ...
The customer workflow:
[Figure: customer state machine. States: Order Placed, Order Updated, Paid, Drink Received. Transitions: Place Order, Update (Update Accepted / Update Rejected), Pay, Pickup.]
customers advance towards the goal of drinking some coffee by interacting with the Starbucks service,
the customer orders, pays, and waits for the drink,
between ‘order’ and ‘pay’, the customer can update (asking for skimmed milk)
Business Processes/Workflow and REST
The barista workflow:
[Figure: barista state machine. States: Order Chosen, Drink Made, Drink Released. Transitions: Lookup Next Order, Make Drink, Take Payment.]
the barista loops around looking for the next order to be made, preparing the drink, and taking the payment,
The outputs of the workflow are available to the customer when the barista finishes the order and releases the drink
Points to Remember: We will see how each transition in the two state machines is implemented as an interaction with a Web resource. Each transition is the combination of an HTTP verb on a resource via its URI, causing state changes.
Customer’s View Point: I want to order a coffee ...
Placing an Order
• Place your order by POSTing it to a well-known URI
Remember interactions with resources are stateless
The resource “forgets” about you while you’re not directly interacting with it
Which means race conditions are possible ...
A good/responsible practice for updating a resource:
Use If-Unmodified-Since on a timestamp to make sure no one else has changed the resource since the last time you checked !!
Or use If-Match and an ETag, instead of the timestamp
If the condition check fails (i.e., the resource has changed since), you will get a 412 Precondition Failed – i.e., you will avoid getting an unexpected response ...
Warning: Don’t be Slow!
• Can only make changes until someone actually makes your drink
– You’re safe if you use If-Unmodified-Since or If-Match
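The race described above, as an added example that is not from the original slides: an in-memory order resource where the barista changes the order between the customer's GET and PUT, run once with `If-Match` and once without. The `OrderStore` class, the `/order/1234` URI and the hash-based ETag scheme are assumptions made for the illustration.

```python
import hashlib
import json


class OrderStore:
    """In-memory stand-in for the order service (hypothetical, not from the slides)."""

    def __init__(self):
        self._orders = {}

    @staticmethod
    def _etag(body):
        # Strong ETag: hash of the canonical JSON of the current representation.
        raw = json.dumps(body, sort_keys=True).encode()
        return '"' + hashlib.sha256(raw).hexdigest()[:16] + '"'

    def create(self, uri, body):
        self._orders[uri] = dict(body)

    def get(self, uri):
        body = self._orders[uri]
        return 200, {"ETag": self._etag(body)}, dict(body)

    def put(self, uri, body, headers=None):
        current = self._orders.get(uri)
        if current is None:
            return 404, {}, None
        if_match = (headers or {}).get("If-Match")
        if if_match is not None and if_match != self._etag(current):
            # The resource changed after the client's GET: refuse the write.
            return 412, {}, None
        self._orders[uri] = dict(body)
        return 200, {"ETag": self._etag(body)}, dict(body)


def race(use_if_match):
    """Customer updates an order that the barista changed in the meantime."""
    store = OrderStore()
    uri = "/order/1234"  # constructed URI
    store.create(uri, {"drink": "latte", "milk": "whole", "status": "placed"})

    _, seen_headers, seen = store.get(uri)         # customer reads the order
    store.put(uri, {**seen, "status": "making"})   # barista starts the drink

    wanted = {**seen, "milk": "skim"}              # built from the stale copy
    headers = {"If-Match": seen_headers["ETag"]} if use_if_match else {}
    status, _, _ = store.put(uri, wanted, headers)
    return status, store.get(uri)[2]
```

Without the precondition the customer's write silently reverts the barista's status change; with it the customer gets 412 and has to re-read the order before retrying.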
4. Alice logs in to Insurance Provider using her credentials at that site (the Broker never sees these) and authorises the Broker to access her existing policies for a defined period of time.
REST and security
OAuth:
1. Insurance Provider redirects Alice to the callback URL:
302 Redirect
Location: http://broker.org/token_ready?oauth_token=xyz
2. Broker knows Alice approved, it asks Provider for Access Token:
GET /accesstoken?oauth_consumer_key=abc&oauth_token=xyz
Host: insurance.org
3. The Insurance Provider sends back the Access Token:
200 Success
oauth_token=zxcvb
4. Broker creates hash or signature using access token, nonce,
HATEOAS = Hypermedia As The Engine Of Application State
From Wikipedia: The principle is that a client interacts with a network application entirely through hypermedia provided dynamically by application servers. A REST client needs no prior knowledge about how to interact with any particular application or server beyond a generic understanding of hypermedia.
Think how people interact with a Web site. No one needs to look up a manual to know how to use a Web site ... Hypermedia (i.e., documents with links to other things) itself serves as a self-explanatory guide for the users.
The HATEOAS principle aims to realise this in API design.
SOAP-based service vs. HATEOAS
A SOAP-based service is on a single endpoint. The same endpoint receives requests for operations. The body of the request details which operation to run with what parameters. Think e.g., MarketDataUtilService().
In SOAP, HTTP is merely a carrier of the SOAP messages. HTTP itself doesn’t play a big role in the protocol of the service design/implementation/interaction.
In REST, HTTP is at the center of the API. Given that HTTP (Hypertext) is about allowing the users to navigate the site using links, an HTTP-based API should also allow the clients to navigate the service using links.
Not using HATEOAS
Not implementing the links in REST API would look like this:
help the clients use the API (as self-describing as possible)
navigate paging (prev, next)
help create new/related items
allow retrieving associations (i.e., relationships)
hint at possible actions (update, delete)
evolve your workflow (e.g., adding an extra step in a workflow = adding a new link)
Standard link relations: http://www.iana.org/assignments/link-relations/link-relations.xhtml
Although the principle is well-understood, how HATEOAS links are implemented (i.e., how the links appear in the responses) is different from one implementation to another ...
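A sketch of link-driven navigation for the customer workflow from the earlier slides, added here and not taken from the original deck. The rel names, URI templates and JSON link shape are assumptions (link formats differ between implementations); the server advertises only the transitions valid in the current state and still checks every transition itself.

```python
# Customer workflow from the slides as (state, rel) -> next state.
# Rel names, URI templates and the JSON shape are assumptions for this example.
NEXT_STATE = {
    ("placed", "update"): "placed",
    ("placed", "payment"): "paid",
    ("paid", "pickup"): "received",
}
HREF = {
    "update": "/order/{id}",
    "payment": "/payment/order/{id}",
    "pickup": "/order/{id}/drink",
}


def represent(order_id, state):
    """Server: build the order representation with only the links valid now."""
    links = [{"rel": "self", "href": f"/order/{order_id}"}]
    for (src, rel) in NEXT_STATE:
        if src == state:
            links.append({"rel": rel, "href": HREF[rel].format(id=order_id)})
    return {"id": order_id, "state": state, "links": links}


def find_link(representation, rel):
    """Client: discover the URI by link relation instead of building it."""
    for link in representation["links"]:
        if link["rel"] == rel:
            return link["href"]
    return None


def transition(state, rel):
    """Server: enforce the state machine even when a client guesses a URI."""
    try:
        return NEXT_STATE[(state, rel)]
    except KeyError:
        raise ValueError(f"{rel!r} not allowed in state {state!r}") from None


def walk(order_id, rels):
    """Client: follow each rel in turn; stop when it is no longer advertised."""
    state, visited = "placed", []
    for rel in rels:
        href = find_link(represent(order_id, state), rel)
        if href is None:
            break
        visited.append(href)
        state = transition(state, rel)
    return state, visited
```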
The Richardson Maturity Model
Leonard Richardson: can we measure to what level your service is RESTful?
Level 0: One URI (single endpoint) exposed, requests contain operation details
Level 1: Expose resource URIs - individual URIs for each resource. Requests could still contain some operation details
Level 2: HTTP Methods - use the standard HTTP methods, status codes with the resource URIs,
Level 3: HATEOAS - self-documenting responses, responses include links that the client can use
in picture: https://technobeans.files.wordpress.com/2012/09/richardson-maturity-model.png
Improved server scalability and easier load-balancing (no session state)
Client software can be reused (uniform interface)
Can be implemented with any server-side technology
HTTP client libraries are widespread
The “web” in “Web services” is for real!
Negative aspects of REST
No interface description language like IDL or WSDL
need to “read” the doc to understand how to interact ...
e.g., typical examples ... Facebook, Twitter, Google Search API
Low tooling support for automation (but frameworks are coming along)
REST purist vs. pragmatic developers - no right/wrong answer ??
When can I use REST?
For Web Services
build your web service using the REST style
alternative to some of WS-*, not a replacement for WS-*
Clients interfacing to public REST APIs
e.g. Amazon S3 REST API, Google Data APIs
Many other public APIs have a REST like interface
Often combined with interactive Web clients
client sends AJAX requests to a REST interface using a JavaScript library e.g. jQuery ... the responses (JSON, XML etc) are then manipulated and displayed on the client
REST + SOAP
Wrapping REST request/response with SOAP envelopes: