REST ExplainedRepresentational State Transfer

Dhananjay NeneJuly 4, 2009

TechWeekend – Pune

http://blog.dhananjaynene.com http://twitter.com/dnene

What REST is not !

REST is not a ..

framework

REST is not a ..

technology

REST is not a ..

a standards specification

REST is an architecture style

.. as documented and described by Roy Fielding ..

.. which specifies a set of architecture constraints.

Fielding on Architecture Style

● An architecture style is a coordinated set of architectural constraints that restricts the roles and features of architectural elements, and the allowed relationships between those elements, within any architecture that conforms to that style● A style can be applied to many architectures● An architecture can consist of many styles

Architecture Constraint 1

Client - Server

Client Server

Separates user interface concerns from data storage concerns

Client Server

Improves portability of interface across multiple platforms

Client Server

Improves scalability by simplifying server components

Client Server

Allows the components to evolve independently

Architecture Constraint 2

StatelessnessNo Client State

Statelessness

Each request from client to server must contain all of the information necessary to understand the request and cannot take any advantage of any

stored context on the server.

and

Each request contains all of the information necessary for a connector to understand the

request, independent of any requests that may have preceded it

Statelessness

Session state is therefore kept entirely on the client

Statelessness

Improved visibility since a monitoring system does not have to look beyond a single request

Statelessness

Improved reliability due to easier recoverability from partial failures

Statelessness

Improved scalability due to not having to allocate resources for storing state

Statelessness

Server does not have to manage resource usage across requests

Statelessness

Tradeoff : Reduced Network Performance

Statelessness

Tradeoff : Reduced server control over application consistency

Statelessness is one of the most difficult to deal with constraints

(but more on that later)

Architecture Constraint 3

Specified Cacheability

Specified Cacheability

Data within a response to a request be implicitly or explicitly labeled as cacheable or non-

cacheable

Specified Cacheability

If a response is cacheable, then a client cache is given the right to reuse that response data for

later, equivalent requests

Specified Cacheability

Improves efficiency, scalability and user perceived performance

Specified Cacheability

Tradeoff : Reduced Reliability

Architecture Constraint 4

Uniform Interface

Uniform Interface

Overall system architecture is simplified and the visibility of interactions is improved

Uniform Interface

Implementations are decoupled from the services they provide and encourage independent

evolvability

Uniform Interface

Tradeoff : Degrades efficiency

since Information is transferred in a standardised form rather than one which is specific to application's needs

Uniform Interface

● Identification of resources● Manipulation of resources through

representations● Self descriptive messages● Hypermedia as the engine of application state

(HATEOAS)

Four interface constraints(more later .. we shall be spending the maximum time on this)

Architecture Constraint 5

Layered System

Layered System

Places a bound on overall system complexity

Layered System

Promotes substrate independence

Layered System

Can be used to encapsulate legacy services or protect new services from legacy clients

Layered System

Intermediaries can be used to improve system scalability by enabling load balancing

Layered System

Tradeoff : Add overhead and latency and reduce user perceived performance

Layered System

Placing shared caches at boundaries of organisational domain can result in significant benefits. Can also enforce security policies eg.

firewalls

Layered System

Intermediaries can actively transform message content since messages are self descriptive and their semantics are visible to the intermediaries

Architecture Constraint 5

Code on demand(is an optional constraint)

Code on demand

Client functionality can be extended by downloading and executing code in the form of

applets or scripts

Lets get back to .. and explore in far more detail ..

Interface constraints of ReST

Resources

Resources

What are resources ?

Any information that can be named is a resource

A resource is a conceptual mapping to a set of entities not the entity itself. Such a mapping can

change over time.

This presentation is a resource

As is this presentation's latest version (if I am regularly backing it up to different files)

All available presentations on ReST is also a resource. A resource can be a collection of

entities too.

Resource Identifiers

Every resource has a name that uniquely identifies it – the URI

Names don't change(at least not frequently)

Think of it like a primary key for each row in a database

http://informationbase/locationdb/citiestable/pune

REST doesn't dictate URI choice.Leaves it to the application author.

The URI should generally carry no meaning to the client except as a resource locator

However don't let that encourage you to name URIs arbitrarily and confusingly

Good, clean, structured URIs are helpful for developers

If you are naming a specific single resource all the information to locate the resource should be in the URI itself and not through additional parameters

eg. choosehttp://informationbase/locationdb/citiestable/pune

nothttp://informationbase/locator?type=city&name=pune

However optional parameters for identifying subsets of resources are conventionally

acceptable

eg.http://ibase/cities?startswith=pu&start=11&count=10

Resources have Representations

A representation captures the current or intended state of a resource

Resources are transferred between the client and the server

Resources may include metadata describing themselves

A particular resource may have multiple representations

Commonly used representation formats are html, xml and json

however they could also be pdf, png etc.

When multiple resource formats are supported by the server, the actual resource format returned is subject to content negotiation between the client

and the server

This should ideally happen through control data i.e. By using HTTP “Accept” headers and not by

appending additional information to the URL.

PreferAccept: text/xml;q=0.5, application/json

http://infobase/cities/pune

to

http://infobase/cities/pune.json

REST doesn't dictate or constrain you to using particular representation formats. Use what suits

the application context the best.

Interface constraint 3

Self descriptive messages

Requests and responses contain inband description about the schema it adopts

This is done by describing the XML Schema for the representation (or its units) using the same by declaring its appropriate XML namespace. Further

clarity can be introduced by using a custom “application/vnd.*****” Content-Type header.

The entire schema does not need to be known upfront. Only the mandatory and relevant parts

need to be known.

The schema can continue to be extended without client modifications if it is only adding optional

elements or attributes.

Intermediate layers can both parse and transform messages intelligently

Metadata helps both page and form rendering and client side validations could be introduced based

on an understanding of the schema and its semantics

Interface constraint 4

Hypermedia as the engine of application state(HATEOAS)

Hypermedia

Hypermedia is used as a logical extension of the term hypertext in which graphics, audio, video, plain text and hyperlinks intertwine to create a generally non-linear medium of information.

source : Wikipedia

HyperText

Simultaneous presentation of information and controls such that the information becomes the

affordance through which the user obtains choices and selects actions

- Roy Fielding

Application State

state that determines "where" the user is in the process of completing a task

It is not the resource or state of the resource on the server

To understand application state, you need to visualise the pages / resources of the application

as a wireframe model or a state machine and each page as a state

Each state allows for only a few valid triggers to allow it to navigate to another state

These possible navigations out of the state can be embedded in the resource representation

overlying the state by using hypertext (links)

Since each state self describes the possible links given the context, the client can choose to select

the appropriate link by examining the link metadata.

To put it differently

Make hypermedia constrain client choices, and the client choice influences the application state

Therefore :Hypermedia as the engine of application state

Client needs to know only the starting URL

In addition client needs to be able to understand the mediatypes and semantics associated with the links (ie. What does a link with a particular

“rel” type mean)

One more aspect of Uniform Interfaces

Uniform Operations

In case of database tables, these areInsert, Select, Update, Delete

In common parlance these areCreate, Read, Update, Delete (CRUD)

In REST over HTTP these arePOST, GET, PUT, DELETE

Those are the only verbs you need

Simplifies semantics

Simplifies client complexity

Simplifies application model

Clients interact with REST based systems by sequentially performing one of POST, GET, PUT, DELETE operations on self describing resources and by traversing the links offered by the server

For this clients need to understand resource representation schemas (xml schemas) and ...

Client need to understand semantics of the relationship types (<link rel=”...”>) offered by the

server

REST is the DBMS of the internet

With a slight caveat

It doesn't break encapsulation

It exposes resource representations and not resources themselves

Thats like a parallel set of tables / views that clients can access and which have triggers which

in turn appropriately update the real tables

Its often much easier and quicker to understand table schemas than it is to understand stored

procedure semantics

This is an important distinction compared to RPC/SOA based architectures which in case of this analogy would represent stored procedures

Which is why a client is likely to be far quicker off the starting block if given a set of schemas and

standard SQL semantics to work with rather than a list of stored procedures describing each

procedure, its parameters and the interrelationships between the procedures.

Thats what makes ReST so much easier for its clients and users

Sample ReST request

Sample ReST response

ReST simplifies

● Hypertext is standardised. Fewer UIs● Identification is standardised. Lesser

communication● Exchange protocols are standardised. Fewer

Integrations● Interactions are standardised. Fewer semantics● Data formats are standardised. Fewer

translations

- Roy Fielding

No IDLs, WADLs, WSDLs

No static compilations required

No methods and what each method means

No inter method sequencing

No registries

When dealing with complex stuff, you always feel,

you can use some rest.

When you use ReST, things are simpler

Benefits of REST

- Roy Fielding

Uniform resources having identifiers increases reuse potential

Uniform interface hides implementation details supporting low coupling

Hypertext allows for late binding leading to reduction in attempted inappropriate accesses

and resultant errors

Server failures don't befuddle client state leading, while shared state is easily recoverable leading to

improved fault tolerance

Supports gradual and fragmented change across organisations.

Services can be layered, clustered and cached leading to improved scalability

ReST extends the very capabilities that made WWW successful into application design and

architecture

What are these characteristics of static W W W and ReST?

You can connect to any web server if you know the home page URL

You can connect to ReST application if you know the starting URI

On the home page you can view the content along with the appropriate hyperlinks which

suggest appropriate paths for you to traverse

The response will provide you important initial content along with hyperlinks which describe their

nature to navigate to other resources

You can navigate to the next page by clicking on the hyperlink

You can conduct an operation by performing a POST/GET/PUT/DELETE on one of the

suggested URIs

You can save the hyperlink URL, bookmark it or email it to you boss or tweet it to your friends

A ReST client can store a URI for future use or embed it as a foreign key in other resources that it

maintains

They will not need to repeat your sequence of steps. They will be able to directly access the

page given the URL.

The receiving ReST client will be able to directly access the earlier stored URI without going

through a sequence of pages

You can save the contents of any page by saving its HTML representation

You can save the representation of any resource into a XML / Document database

You can modify the contents of the web pages by entering data in forms (and even full page content

in blogs, Wikis etc.) and POSTing them.

You can perform PUT, POST and DELETE operations on resources to modify them

You can upload new files by browsing for the file on your desktop and submitting the button on

appropriately configured pages (PUT file)

You can add new resources by conducting the POST operation

The server retains no information about the pages you've traversed

The server retains no information about you or the pages you've traversed

The server can send you different media types (eg. HTML, PDF, Videos etc.) by describing these

media types in the headers

The server sends the metadata describing the resource representation inband with the

representation

Did you notice there is no global internet registry for website discovery ?

There is no registry required for ReST applications

Yahoo tried, as does Open Directory but it just doesn't work

And it may not for many other architectures requiring registries

Since the content depends on basic HTML tags and each URL is uniquely addressable, it is easy for search engines to index its content and allow

users to find the required pages

Representations for URIs can be browsed, indexed and eventually searched through

These are all characteristics that made static www simple to use, deploy and leverage making it

popular and eventually omnipresent

These are also characteristics of ReST contributing to its simplicity and ease of leveraging accounting for its popularity

Designing ReSTful applications

Using a ReST supportive framework does not make your application ReSTful

You need to model your application interfaces as a set of resources

And basic CRUD operations on these resources

Since controllers in traditional web frameworks drive the interface, we shall focus on these

When the interface is meant for browsers, there are some limitations. Hence browser oriented

interfaces are a little different than POST, GET, PUT, DELETE

Assuming each controller represents a lifecycle manager for a particular resource type, it needs a

few basic methods. And the same methods get reproduced across all such controllers

Resource URI HTTPMethod

ControllerMethod

Description

/cities GET index Get list of cities (optional params)

/cities POST create Create a new city

/cities/Pune GET show Show pune resource representation

/cities/Pune PUT update Modify pune resource

/cities/Pune DELETE destroy Delete pune resource

/cities/new GET new Initiate a new city resource creation

/cities/Pune;edit GET edit Initiate a new city modification

No more actions like city.expand (CityExpansion.create) ,

city.holdElections (CityElection.create) etc.

You will need to create new controllers which represent new nouns representing the action

Not all controllers will implement all methods. But they should not implement any more methods.

As you move from an action oriented design towards resource oriented design, thinking of

everything as nouns is one of the early challenges to overcome

Transaction.approve becomes TransactionApproval

Account.pay become AccountPayment.create

etc. etc.

For each resource you need to document the XML Schema and define a mime type

(application/vnd.***)

especially when the consumer is a machine

For each resource representation you need to list what are the appropriate URIs (application state

transitions) to be returned along with the representations and implement introduction of

these in the controller actions as well

REST and Security

This is one area where I choose to be non ReSTful

Sometimes the deliberate requirements of opaqueness of security and transparency of ReST

don't cooperate well

Cookies

Cookie interaction fails to match REST's model of application state, often resulting in confusion for

the typical browser application.

- Roy Fielding

I agree with that .. but ...

Cookies can help in user identification (other options being Basic HTTP authentication)

Basic HTTP Authentication is weak

Computes a hash which can be intercepted and reused later

If you do use Basic HTTP authentication at the minimum use HTTPS

But I prefer cookies when they are strictly used for user identification only

But cookies break the statelessness model

Yes they do. I prefer to store only the data thats expensive to compute but can be recomputed in

case of loss in the session against the cookie. No storage of conversational state in the session

That is hard to ensure .. and thats another self imposed architecture constraint

But I think it is more practical for secure applications

Even though it takes away their ability of being called 100% ReSTful

What about alternative architecture styles (SOA) ?

They are an extension of the RPC construct not the www construct

They simply do not have most of the benefits I just referred to

And the hype-engine is really struggling to compete with the wide successes of ReST

Experience has shown when sites offered both SOA and ReST interfaces, clients quickly ended

up choosing ReST

- sounds intituitive enough to me but do not recollect the source.

Rest is not SOA

They both attempt to solve a similar set of problems ....

.... differently!

● ReST requires you to think resources not actions or services

● ReST requires you to lay a greater emphasis on documentation of your schema and practically none on the actions

● ReST requires you to provide in band metadata● ReST works very nicely with layered

architectures● Another way to describe ReST is ROA :

Resource Oriented Architecture

The clear distinctions between ROA and SOA are being blurred for non technical reasons. Be

aware when you read content debating ReST/SOA

(including this presentation)

SOA is the evolution of RPC semantics

ReST / ROA is the evolution of www semantics

A look forward to increasing ReST popularity

ReST already is starting to dominate the internet space and there's a good likelihood it could dominate enterprise architectures as well.

References and Sources

● Roy Fielding's Dissertation on ReST● A little REST and Relaxation : presentation by Roy Fielding● Pragmatic Intro to REST and SOA, REST and the Web:

presentations by Stephan Tilkov● Pragmatic REST And RESTful Web Apps: presentations by

Subbu Allamaraju● Describing RESTful applications : Article by Subbu Allamaraju at

InfoQ.● RESTful Best Practices : presentation by calamitas● The REST architectural style : presentation by Robert Wilson

Thank You !