REST in a Nutshell
By Derrick Isaacson
“Can I get that without the bacon?” - Said no one ever
http://www.food.com/photo-finder/all/bacon?photog=1072593
http://baconipsum.com/?paras=1&type=all-meat&start-with-lorem=1
http://www.someecards.com/usercards/viewcard/MjAxMi03YWZiMjJiMTg3NDFhYTUy
Simplicity of Single Component Services
• “I can’t remember if that getter function takes 100ns or 100ms.” - Said no engineer ever
  • Should I try to model this server request as a “remote procedure call”?
  • 6 orders of magnitude difference!
• “My front-side bus fails for only 1 second every 17 minutes!” - Said no engineer ever
  • 99.9% availability
• “Our internet only supports .NET.” - Said no engineer ever
  • Do we need an SDK?
"A distributed system is at best a necessary evil, evil because of the extra complexity...An application is rarely, if ever, intrinsically distributed. Distribution is just the lesser of the many evils, or perhaps better put, a sensible engineering decision given the trade-offs involved."
-David Cheriton, Distributed Systems Lecture Notes, ch. 1
Distributed System Architectures
Does it have to be “Service-oriented”?
http://upload.wikimedia.org/wikipedia/commons/d/da/KL_CoreMemory.jpg
Distributed Memory
RPC
<I’m> <not> <making> <a> <service> <request>
<I’m> <just> <calling> <a> <procedure>
Distributed File System
mount -t nfs -o proto=tcp,port=2049 nfs-server:/ /mnt
Distributed Data Stores
• Replicated MySQL
• Mongo
• S3
• RDS
• BigTable
• Cassandra
• …
P2P
Streaming Media
The hourglass model
“There is no magic dust that makes an HTTP request a web
service request.”
-Leonard Richardson & Sam Ruby, RESTful Web Services
Representational State Transfer
An Observation by Roy Fielding
Which Architectures Featured…
1. Low entry-barrier
2. High performance in the face of distributed state
3. Huge (Internet) scale
4. Extensibility/evolvability (backwards compatibility)
Uniform Interface
1. Uniform identification of resources
2. Uniform resource manipulation
3. Representation separate from the identity
4. Hypermedia as the engine of application state
5. Self-descriptive messages
HTTP Request
HTTP Response
URI Anti-patterns
• http://example.com/foo/addBar (a verb in the path: an RPC call dressed up as a resource; the HTTP method, not the URI, should carry the action)
• http://example.com/foo/bar?auth=123abc (a credential in the URI: it lands in browser history, proxy and server access logs, and Referer headers)
• http://example.com/foo/current
• http://example.com/a.12@b1oc
Hypermedia
GET /users/123
What would Roy say about this design?
roy.gbiv.com
{
  "id": "123",
  "name": "John Smith",
  "phone": "303-404-5050",
  "email": "[email protected]",
  "photo": "YWZzYSAyMzR2NQzJ2dzLmZhc20uLC8uLA==",
  "groups": [
    {
      "name": "Super Friends",
      "members": [
        ...
      ]
    }
  ],
  "books": [
    {
      "name": "RESTful Web Services",
      "description": "Fun times",
      "publishDate": "2013-01-01 13:05:06"
    },
    ...
  ]
}
Hypermedia
The same resource with each embedded copy (the base64 photo, the group and book objects) replaced by a link to the resource it stands for; a client follows the links it finds here instead of building URIs from ids:
{
  "id": "http://example.com/users/123",
  "name": "John Smith",
  "phone": "303-404-5050",
  "email": "[email protected]",
  "photo": "http://flickr.com/photos/12345",
  "groups": [
    "http://facebook.com/groups/abc",
    ...
  ],
  "books": [
    "http://goodreads.com/books/4567",
    "http://example.com/manuscripts/123",
    ...
  ]
}
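A client for the linked representation above, as an added example (not code from the talk): it discovers the photo, group and book resources from the representation itself rather than from hard-coded URI templates, and it treats every link as untrusted input before dereferencing it. The relation names, the host allowlist and the two hostile links planted in the constructed sample are assumptions.

```python
"""Hypermedia client for the linked /users/123 representation.

Added example for this page; not code from the talk.  The relation names,
the host allowlist and the hostile links in the sample are assumptions.
"""
import json
from urllib.parse import urlsplit

# Constructed input: the linked representation from the slide, plus two
# links a hostile or compromised server might plant.
REPRESENTATION = json.dumps({
    "id": "http://example.com/users/123",
    "name": "John Smith",
    "photo": "http://flickr.com/photos/12345",
    "groups": ["http://facebook.com/groups/abc"],
    "books": [
        "http://goodreads.com/books/4567",
        "http://example.com/manuscripts/123",
        "file:///etc/passwd",                         # local file read
        "http://169.254.169.254/latest/meta-data/",   # cloud metadata endpoint
    ],
})

# Link relations the client understands (part of the media type contract).
LINK_RELATIONS = ("photo", "groups", "books")
# Origins this client is willing to talk to (assumed policy).
ALLOWED_HOSTS = {"example.com", "flickr.com", "facebook.com", "goodreads.com"}


def extract_links(representation: str) -> dict:
    """Return {relation: [uri, ...]}; single-valued relations become one-item lists."""
    doc = json.loads(representation)
    links = {}
    for rel in LINK_RELATIONS:
        value = doc.get(rel)
        if value is None:
            continue
        links[rel] = list(value) if isinstance(value, list) else [value]
    return links


def is_safe_to_follow(uri: str) -> bool:
    """Policy applied to every link before it is fetched.

    A server-side client that follows links blindly is a server-side
    request forgery primitive, so require http(s), refuse userinfo
    (user@host confuses host parsing) and check the host allowlist.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS


def plan_traversal(representation: str) -> dict:
    """Split discovered links into those to follow and those to refuse."""
    follow, refuse = [], []
    for rel, uris in extract_links(representation).items():
        for uri in uris:
            (follow if is_safe_to_follow(uri) else refuse).append((rel, uri))
    return {"follow": follow, "refuse": refuse}


if __name__ == "__main__":
    for decision, items in plan_traversal(REPRESENTATION).items():
        for rel, uri in items:
            print(f"{decision:7} {rel:7} {uri}")
```

The point of the policy check is that links are data supplied by whoever produced the representation; a client that walks them on the server side needs the same scheme and host restrictions it would apply to any user-supplied URL.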
SDK Anti-pattern
Where's my SDK?
"A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state... [Failure here implies that out-of-band information is driving interaction instead of hypertext.]" - Roy Fielding
Casserole Anti-pattern
POST /groups HTTP/1.1
Content-Length: 1234
ObjectType: json

{
  "method": "UPDATE",
  "id": "123",
  "authToken": "abc123",
  "object": {
    "group": {
      ...
    }
  }
}

HTTP/1.1 500 Internal Server Error
Content-Length: 456

{
  "cacheTime": 0,
  "status": "authorization failed"
}

Everything HTTP already has a place for is stirred into the body: the verb (method), the target (id), the credential (authToken), the media type (a made-up ObjectType header instead of Content-Type), the cache policy (cacheTime instead of Cache-Control) and the outcome (an authorization failure reported as a 500). No cache, proxy or generic client can act on any of it.
Uniform Interface: Methods
Method    Safe  Idempotent
OPTIONS   yes   yes
GET       yes   yes
HEAD      yes   yes
POST      no    no
PUT       no    yes
DELETE    no    yes
TRACE     yes   yes
PATCH     no    no
CONNECT*  no    no
* Reserved for use of SSL tunneling
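The casserole request above, re-expressed on the uniform interface, as an added example (not the speaker's code): the verb moves into the HTTP method, the credential into the Authorization header, the media type into Content-Type, and an authorization failure becomes a 401 or 403 instead of a 500 with the real status buried in the body. The handler follows the method semantics in the table above: GET is safe, PUT and DELETE are idempotent, POST is neither. The in-memory store, the bearer token and the response shapes are assumptions.

```python
"""A /groups resource on the uniform interface.

Added example for this page, not the speaker's code; the in-memory
store, the bearer token and the response shapes are assumptions.
"""
import hmac
import json
from typing import Optional, Tuple

VALID_TOKEN = "abc123"        # assumed credential; real services verify a signed token
JSON = "application/json"
Response = Tuple[int, dict, str]   # (status, headers, body)


class GroupService:
    """In-memory /groups collection and /groups/{id} items."""

    def __init__(self):
        self.groups = {}
        self.next_id = 1

    def _authenticate(self, headers) -> Optional[Response]:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            # 401: no usable credential; the challenge says which scheme to use.
            return 401, {"WWW-Authenticate": 'Bearer realm="groups"'}, ""
        if not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
            # 403: credential understood but not accepted.  Never a 500.
            return 403, {}, ""
        return None

    @staticmethod
    def _parse_json(headers, body):
        """Honour Content-Type: 415 for the wrong type, 400 for bad syntax."""
        media = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if media != JSON:
            return (415, {}, ""), None
        try:
            return None, json.loads(body)
        except ValueError:
            return (400, {}, "malformed JSON"), None

    def handle(self, method, path, headers=None, body="") -> Response:
        headers = headers or {}
        err = self._authenticate(headers)
        if err:
            return err
        parts = [p for p in path.split("/") if p]
        if not parts or parts[0] != "groups" or len(parts) > 2:
            return 404, {}, ""
        gid = parts[1] if len(parts) == 2 else None

        if gid is None:                                   # the collection
            if method == "GET":                           # safe
                return 200, {"Content-Type": JSON}, json.dumps(sorted(self.groups))
            if method == "POST":                          # not idempotent: each call creates
                err, group = self._parse_json(headers, body)
                if err:
                    return err
                gid = str(self.next_id)
                self.next_id += 1
                self.groups[gid] = group
                return 201, {"Location": f"/groups/{gid}"}, ""
            return 405, {"Allow": "GET, POST"}, ""

        if method == "GET":                               # safe
            if gid not in self.groups:
                return 404, {}, ""
            return 200, {"Content-Type": JSON}, json.dumps(self.groups[gid])
        if method == "PUT":                               # idempotent: full replacement
            err, group = self._parse_json(headers, body)
            if err:
                return err
            created = gid not in self.groups
            self.groups[gid] = group
            return (201 if created else 200), {}, ""
        if method == "DELETE":                            # idempotent: gone either way
            self.groups.pop(gid, None)
            return 204, {}, ""
        return 405, {"Allow": "GET, PUT, DELETE"}, ""
```

Sending the same PUT or DELETE twice leaves the store in the same state, which is what lets a client or proxy retry them after a timeout; sending the same POST twice creates two groups, which is why it must not be retried blindly.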
Uniform Interface: Headers (self-descriptive messages)
GET /service/customers/123 HTTP/1.1
Host: example.com
User-Agent: XYZ 1.1
Accept: text/html, application/xhtml+xml, application/xml
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Wed, 02 Oct 2013 16:47:31 GMT
If-None-Match: "600028c-59fb-474f6852c9dab"
Cache-Control: max-age=60

HTTP/1.1 200 OK
Date: Fri, 04 Oct 2013 19:36:25 GMT
Server: Apache/2.2.11 (Debian)
Last-Modified: Wed, 02 Oct 2013 16:48:39 GMT
ETag: "600028c-59fb-474f6852c9dab"
Cache-Control: max-age=300
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 7160
Keep-Alive: timeout=15, max=91
Connection: Keep-Alive
Content-Type: application/xml

(With an If-None-Match that matches the current ETag a conforming server answers 304 Not Modified with no body; the 200 is shown here so the full header set is visible.)
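The server side of the conditional GET exchange above, as an added example (not the speaker's code): a validator derived from the representation, a 304 Not Modified when the client's If-None-Match matches, If-Modified-Since as the fallback, and freshness carried in Cache-Control rather than in the body. The resource body, its modification time, the max-age and the injectable clock are assumptions. The ETag is a content hash instead of Apache's inode-size-mtime form seen on the slide, which exposes inode numbers and differs between replicas serving identical bytes.

```python
"""Conditional GET handling for /service/customers/123.

Added example for this page, not the speaker's code; the resource body,
its modification time, the max-age and the clock are assumptions.
"""
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed resource; in practice this comes from storage.
RESOURCE_BODY = b"<customer><id>123</id><name>John Smith</name></customer>"
RESOURCE_MODIFIED = datetime(2013, 10, 2, 16, 48, 39, tzinfo=timezone.utc)
MAX_AGE = 300


def strong_etag(body: bytes) -> str:
    """Strong validator: identical bytes give an identical tag everywhere."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def etag_matches(if_none_match: str, etag: str) -> bool:
    """If-None-Match lists entity tags or '*'; the comparison for 304 is
    weak, so a W/ prefix on the client's tag is ignored (RFC 7232 3.2)."""
    if if_none_match.strip() == "*":
        return True
    for tag in if_none_match.split(","):
        tag = tag.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        if tag == etag:
            return True
    return False


def handle_get(headers: dict, now: datetime = None) -> tuple:
    """Return (status, headers, body) for a GET of the customer resource."""
    now = now or datetime.now(timezone.utc)
    etag = strong_etag(RESOURCE_BODY)
    response_headers = {
        "Date": format_datetime(now, usegmt=True),
        "ETag": etag,
        "Last-Modified": format_datetime(RESOURCE_MODIFIED, usegmt=True),
        "Cache-Control": f"max-age={MAX_AGE}",
        "Vary": "Accept-Encoding",
    }
    inm = headers.get("If-None-Match")
    if inm is not None:
        not_modified = etag_matches(inm, etag)
    else:
        # If-Modified-Since only counts when no If-None-Match was sent.
        not_modified = False
        ims = headers.get("If-Modified-Since")
        if ims:
            try:
                not_modified = RESOURCE_MODIFIED <= parsedate_to_datetime(ims)
            except (TypeError, ValueError):
                not_modified = False        # unparsable date: ignore the precondition
    if not_modified:
        return 304, response_headers, b""   # validators and freshness, no body
    response_headers["Content-Type"] = "application/xml"
    response_headers["Content-Length"] = str(len(RESOURCE_BODY))
    return 200, response_headers, RESOURCE_BODY
```

A 304 still carries the ETag and Cache-Control so the cache can refresh its entry's freshness lifetime without re-downloading the body.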
“My pizza has too much cheese and toppings” - Said no one ever
http://upload.wikimedia.org/wikipedia/commons/6/60/Pizza_Hut_Meat_Lover's_pizza_3.JPG
“My message is too self-descriptive” - Said no one ever
Uniform Interface:Status
Status-Code Reason-Phrase
200 OK
201 Created
202 Accepted
301 Moved Permanently
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
500 Internal Server Error
Uniform Interface: Error Codes
• 400s vs 500s
• Safe to retry?
• Cacheable (if no Cache-Control header present)?
• Does the client need to modify the request?
Inaccurate Status Codes
HTTP/1.1 200 OK

{ "error": true }

The status line says success, so caches store it, clients do not retry, and dashboards count it as a success; only code that parses the body ever learns that the request failed.
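What a client can decide from the status code alone, covering the error-code questions above (retry? cacheable? modify the request?) and the inaccurate-status slide, as an added example that is not the speaker's code. The status lists follow RFC 7231 (idempotent methods in 4.2.2, heuristically cacheable codes in 6.1); which 5xx codes count as transient is a policy choice and is marked as one.

```python
"""Status-code-driven client policy.

Added example for this page, not the speaker's code.  Which 5xx codes are
treated as transient is an assumed policy.
"""
import json

IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE"}
# Responses a cache may store even with no explicit freshness information (RFC 7231 6.1).
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}
# Policy choice: these will not change on retry.
NON_TRANSIENT_5XX = {501, 505}


def classify(method: str, status: int, headers: dict = None) -> dict:
    """Return the client's decision for one response."""
    headers = headers or {}
    decision = {
        "outcome": "unknown",
        "retry": False,
        "retry_after": None,
        "cacheable_by_default": status in CACHEABLE_BY_DEFAULT,
    }
    if 200 <= status < 300:
        decision["outcome"] = "success"
    elif 300 <= status < 400:
        decision["outcome"] = "follow_redirect"
    elif status in (408, 429):
        decision["outcome"] = "transient_failure"
    elif 500 <= status < 600:
        decision["outcome"] = "server_failure"
    elif 400 <= status < 500:
        # The request itself is wrong; resending the same bytes fails the same way.
        decision["outcome"] = "fix_request"

    transient = decision["outcome"] == "transient_failure" or (
        decision["outcome"] == "server_failure" and status not in NON_TRANSIENT_5XX)
    # Resend only when the method is idempotent: a repeated POST may create a
    # second resource if the first one was processed after all.
    decision["retry"] = transient and method.upper() in IDEMPOTENT_METHODS
    retry_after = headers.get("Retry-After", "")
    if decision["retry"] and retry_after.isdigit():
        decision["retry_after"] = int(retry_after)
    return decision


def body_claims_error(body: str) -> bool:
    """Only application code parses bodies; caches, proxies, load balancers
    and dashboards key on the status line, so a 200 whose JSON says
    'error' is cached, not retried, and counted as a success."""
    try:
        return bool(json.loads(body).get("error"))
    except (ValueError, AttributeError):
        return False
```

Run `classify("GET", 200)` on the slide's `200 OK { "error": true }` response and every field says success and cacheable; `body_claims_error` is the only thing that notices, and nothing between the origin and the application calls it.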
Uniform Interface: Content-Type Negotiation
Request header: Accept
Content-Types accepted by client
Accept: text/*, text/html, text/x-vcard, application/json
More specific types take precedence.
Server responds with 406 Not Acceptable if it does not support the requested media type(s).
Server responds with 415 Unsupported Media Type if it does not support the request entity’s media type.
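A parser and selector for the Accept header, as an added example (not the speaker's code): q-values, wildcard ranges, and the precedence rule above that at equal weight the more specific range decides. The server picks the best representation it can produce, or returns None to signal 406 Not Acceptable; the list of representations it can produce is an assumption, and media type parameters other than q are ignored.

```python
"""Accept-header negotiation.

Added example for this page, not the speaker's code; the server's
available representations are an assumption.
"""
from typing import List, Optional, Tuple

# Assumed server types; list order is the server's own preference.
AVAILABLE = ["application/json", "text/html", "text/x-vcard"]

MediaRange = Tuple[str, str, float, int]   # (type, subtype, q, specificity)


def parse_accept(header: str) -> List[MediaRange]:
    """Parse 'text/*;q=0.5, text/html, */*;q=0.1' into media ranges."""
    ranges: List[MediaRange] = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        media = parts[0].lower()
        if media.count("/") != 1:
            continue                        # malformed range: skip it rather than fail the request
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = min(1.0, max(0.0, float(value)))
                except ValueError:
                    q = 0.0                 # unparsable weight: treat as not acceptable
        type_, subtype = media.split("/")
        if subtype == "*":
            specificity = 0 if type_ == "*" else 1
        else:
            specificity = 2
        ranges.append((type_, subtype, q, specificity))
    return ranges


def quality(candidate: str, ranges: List[MediaRange]) -> float:
    """Weight of one server type: the q of the most specific matching range."""
    ctype, csub = candidate.split("/")
    best_q, best_spec = 0.0, -1
    for type_, subtype, q, spec in ranges:
        if type_ in ("*", ctype) and subtype in ("*", csub) and spec > best_spec:
            best_q, best_spec = q, spec
    return best_q


def negotiate(accept: Optional[str], available: List[str] = AVAILABLE) -> Optional[str]:
    """Best available type for this Accept header; None means answer 406."""
    if accept is None or not accept.strip():
        return available[0]                 # no preference expressed
    ranges = parse_accept(accept)
    chosen, chosen_q = None, 0.0
    for candidate in available:
        q = quality(candidate, ranges)
        if q > chosen_q:                    # strict: ties keep server order
            chosen, chosen_q = candidate, q
    return chosen
```

`text/*, text/html;q=0` shows the precedence rule: text/html matches both ranges, the more specific one says q=0, so it is excluded while text/x-vcard still qualifies. The 415 check is the mirror image on the request side: compare the Content-Type the client sent against what the server can parse.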
Uniform Interface: Authentication
How does a server prevent unauthorized access?
1. Authorization: Fooauth abc123=
2. Authentication-Info: mytype
RFC 2617
Over-engineered narrowly-defined mumbo jumbo?
(RFC 2617, Basic and Digest access authentication, has since been superseded by RFC 7235 for the framework, RFC 7617 for Basic and RFC 7616 for Digest. The client's credential travels in Authorization; the server's challenge comes back in WWW-Authenticate on a 401.)
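RFC 2617 Basic authentication from the server side, as an added example (not the speaker's code), with Basic standing in for the slide's custom "Fooauth" scheme: the 401 challenge in WWW-Authenticate, the credential in Authorization, and a constant-time check of a salted password hash so that neither the password nor a timing side channel on the username is exposed. Basic sends the password on every request, so it is only acceptable over TLS. The realm, the user table, the per-resource access list and the PBKDF2 parameters are assumptions.

```python
"""HTTP Basic authentication: challenge, credential check, authorization.

Added example for this page, not the speaker's code; the realm, users,
access list and PBKDF2 parameters are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

REALM = "example"
PBKDF2_ROUNDS = 50_000          # assumed; tune to the deployment's hardware


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _new_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user table: username -> (salt, hash).  Passwords are never stored.
USERS = {"john": _new_record("correct horse"), "jane": _new_record("battery staple")}
# Record used for unknown users so the hash is always computed (no username timing oracle).
_UNKNOWN = _new_record(os.urandom(16).hex())
# Constructed access list: who may read which resource.
ACL = {"/service/customers/123": {"john"}}


def basic_header(user: str, password: str) -> str:
    """Client side: the value that follows 'Authorization: '."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def challenge() -> Tuple[int, dict, str]:
    """401 plus the challenge that tells the client which scheme to use."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}, ""


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the verified username, or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:              # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    if not sep:
        return None
    salt, expected = USERS.get(user, _UNKNOWN)
    ok = hmac.compare_digest(_derive(password, salt), expected)
    return user if ok and user in USERS else None


def handle_get(path: str, headers: dict) -> Tuple[int, dict, str]:
    """Authenticate, then authorize: 401 when the caller is unknown or the
    credential is wrong, 403 when known but not permitted, 200 otherwise."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        return challenge()
    if user not in ACL.get(path, set()):
        return 403, {}, ""
    return 200, {"Content-Type": "text/plain"}, f"hello {user}"
```

A wrong password gets the same 401 and challenge as a missing header, and an unknown username costs the same PBKDF2 computation as a known one; the 403 is reserved for a caller the server has identified and chooses to refuse.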
“The central feature that distinguishes the REST architectural style from other network-based styles is its emphasis on a uniform interface between components.”
“WOW. My system has too much uniformity, loose coupling, and performance.” - Said no one ever
Questions?
golucid.co
http://www.slideshare.net/DerrickIsaacson