What you won't read in books about RESTful services

The thin line between RESTful and AWfulJakub Kubrynski

jk@devskiller.com / @jkubrynski 1 / 48

"The Code is more what you'd call guidelines than actual rules. Welcomeaboard the Black Pearl, Miss Turner"

-- Cpt. Hector Barbossa to Elizabeth Swann

RT Ben Hale

Formal REST constraintsClient-Server

Stateless

Interface / Uniform Contract

Layered System

Richardson maturity model

http://martinfowler.com/articles/richardsonMaturityModel.html

POST vs PUT

POST vs PUTPOST creates new resources

PUT updates existing resources

PUT can create resource if ID is already known

Maybe PATCH?no "out of the box" support

partial update

@RequestMapping(value = "/{id}", method = PATCH)public void updateArticle(HttpServletRequest request, @PathVariable("id") String id) { Article currentArticle = repository.findOne(id);

Article updatedArticle = objectMapper.readerForUpdating(currentArticle) .readValue(request.getReader());

repository.save(updatedArticle);}

Cachingbe aware - especially IE caches aggressively

disable caching

@Configurationpublic class RestConfig extends WebMvcConfigurerAdapter {

@Override public void addInterceptors(InterceptorRegistry registry) { WebContentInterceptor webContentInterceptor = new WebContentInterceptor(); webContentInterceptor.setCacheSeconds(0); registry.addInterceptor(webContentInterceptor); }}

Cache headerscache-control: public, max-age=0, no-cache

public / privateno-cacheno-storemax-ages-maxage

Cache headerscache-control: public, max-age=0, no-cache

public / privateno-cacheno-storemax-ages-maxage

If-None-Match: "0d41d8cd98f00b204e9800998ecf8427e"Spring brings ShallowEtagHeaderFilter

Compressionreduces response size dramatically

in Tomcat extend Connector with

compression="on"compressionMinSize="2048"noCompressionUserAgents="gozilla, traviata"compressableMimeType="text/html,text/xml"

HATEOASself-descriptive

client understands hypermedia

{ "name": "Alice", "links": [ { "rel": "self", "href": "/customers/1213" }, { "rel": "parent", "href": "/customers/14" }, { "rel": "currentOrder", "href": "/orders/14312" } ]}

HTTP/1.1 201 CreatedLocation: http://api.mydomain.com/orders/1234

HATEOAS in Springpublic class Customer extends ResourceSupport { ... }// or wrap entity into Resource object

import static org.springframework.hateoas.mvc.ControllerLinkBuilder.*;

public HttpEntity<Customer> get(@PathVariable("id") String customerId) { Customer customer = repository.findOne(customerId); String pId = customer.getBoss(); String oId = customer.currentOrderId();

customer.add(linkTo(methodOn(CustomerController.class).get(customerId)).withSelfRel()); customer.add(linkTo(methodOn(CustomerController.class).get(pId)).withRel("parent")); customer.add(linkTo(methodOn(OrderController.class).get(oId)).withRel("currentOrder"));

return new ResponseEntity<Customer>(customer, HttpStatus.OK);}

public ResponseEntity create(@RequestBody Customer customer) { String id = repository.save(customer); return ResponseEntity.created(linkTo(CustomerController.class).slash(id).toUri()) .build();}

@DanaDanger HTTP codes classification20x: cool

30x: ask that dude over there

40x: you fucked up

50x: we fucked up

Exceptionsinclude detailed information

{ "status": 400, "code": 40483, "message": "Incorrect body signature", "moreInfo": "http://www.mycompany.com/errors/40483"}

Exceptionsinclude detailed information

{ "status": 400, "code": 40483, "message": "Incorrect body signature", "moreInfo": "http://www.mycompany.com/errors/40483"}

hide stacktrace

Handling Spring MVC exceptions@ControllerAdvicepublic class MyExceptionHandler extends ResponseEntityExceptionHandler {

/* Handling framework exceptions */ @Override protected ResponseEntity<Object> handleExceptionInternal(Exception ex, Object body, HttpHeaders headers, HttpStatus status, WebRequest request) { LOG.error("Spring MVC exception occurred", ex); return super.handleExceptionInternal(ex, body, headers, status, request); }

/* Handling application exceptions */ @ResponseStatus(value = HttpStatus.NOT_FOUND) @ExceptionHandler(ResourceNotFoundException.class) public void handleResourceNotFound() { }}

API Versioningdon't even think aboutapi.domain.com/v2/orders

URIs to the same resources should be fixed betweenversions

API Versioningdon't even think aboutapi.domain.com/v2/orders

URIs to the same resources should be fixed betweenversions

use Content-Type

1 version: application/vnd.domain+json

2 version: application/vnd.domain.v2+json

Filtering and sortingGET /reviews?rating=5

GET /reviews?rating=5&sortAsc=author

Dynamic queries are easier in POST body

POST /reviews/searches

GET /reviews/searches/23?page=2

Documentationrunnable with examples

Swagger

Stateless or not?password hashing cost

session replication

load-balancing

Stateless or not?password hashing cost

session replication

load-balancing

stateless session?

Avoiding session creation in Spring@EnableWebSecuritypublic class SpringSecurity extends WebSecurityConfigurerAdapter {

@Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers("/secure/**").fullyAuthenticated() .and()

.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)

.and() .httpBasic(); }}

SecuritySQL Injection

HQL InjectionList<Product> products = em.createQuery( "SELECT p FROM Product p where p.category = '" + categ + "'", Product.class) .getResultList();

categ = ' OR '1'='1

SELECT __fields__ FROM products WHERE category = '' OR '1'='1'

categ = ' OR '1'='1

List<Product> products = em.createQuery( "SELECT p FROM Product p where p.category = :categ", Product.class) .setParameter("categ", categ) .getResultList();

categ = ' OR '1'='1

List<Product> products = em.createQuery( "SELECT p FROM Product p where p.category = :categ", Product.class) .setParameter("categ", categ) .getResultList();

SELECT __fields__ FROM products WHERE category = ' OR ''1''=''1'''

CSRF - Cross-site request forgery<img src="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">

CSRF - Cross-site request forgery<img src="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">

One time request tokens

Correct CORS headers

CORS - Cross Origin Requests SharingPreflight request

OPTIONS /cors HTTP/1.1Origin: http://www.domain.comAccess-Control-Request-Method: PUTAccess-Control-Request-Headers: X-Custom-HeaderHost: api.mydomain.orgAccept-Language: en-USConnection: keep-aliveUser-Agent: Mozilla/5.0...

Preflight response

Access-Control-Allow-Origin: http://www.domain.comAccess-Control-Allow-Methods: GET, POST, PUTAccess-Control-Allow-Headers: X-Custom-HeaderContent-Type: text/html; charset=utf-8

XML External Entity<?xml version="1.0" encoding="utf-8"?><comment> <text>Yeah! I like it!</text></comment>

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE myentity [ <!ENTITY a "Yeah! I like it!"> ]><comment> <text>&a;</text></comment>

XML External Entity<?xml version="1.0" encoding="utf-8"?><!DOCTYPE myentity [ <!ENTITY a SYSTEM "/etc/passwd"> ]><comment> <text>&a;</text></comment>

<?xml version="1.0" encoding="utf-8"?><comment> <text>root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt ..... </text></comment>

XML External Entity<?xml version="1.0" encoding="utf-8"?><!DOCTYPE myentity [<!ENTITY a "abcdefghij1234567890" > <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a" > <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;" > <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;" > ...<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;" >]><comment> <text>&h;</text></comment>

http://knowyourmeme.com/photos/531557 thx to @mihn

Thanks!

What you won't read in books about RESTful services

Internet

RESTFul APIs

RESTful Web Services AEKAPOP@BUU.AC.TH. What is RESTful?

Introducing Books To Students Who Won't Read By: John Tallacksen

We Won't Forget, We Won't Give up

JDD2014: What you won't read in books about implementing REST services - Jakub Kubryński

Restful imaginarium

RESTful Rabbits

RESTful design

RESTful Java

Today's Top "RESTful" Services and Why They Are Not RESTful

RESTful applications

Developing and Securing RESTful Web Services for Oracle ... · 5.5 Securing RESTful Web Services Using Java Security Annotations 5-4 6 Testing RESTful Web Services 7 Monitoring RESTful

RESTful Java Web Services - Van Staalduinetim.vanstaalduine.com/.../books/Packt_-_RESTful_Java_Web_Services.pdf · RESTful Java Web Services Master core REST concepts and create RESTful

RESTful Services

SAPInsiderBI2015 Restful

Building RESTful - NetBeansBuilding RESTful Web Services in NetBeans 6.0 RESTful component palette. • Generation of JavaScript client stubs from RESTful web services for building

RESTful Server Configuration with iDRAC RESTful API€¦ · RESTful Server Configuration with iDRAC RESTful API Dell EMC Customer Solutions Center October 2018 Authors ... RESTful

Developing a RESTful Web application for Liberty in …€¦ · RESTful web application JCICS RESTful web COBOL program ... Developing a RESTful Java web service ... HT TP re ques

I Won't Say I Will But I Won't Say I Won't

RESTful Microservices