api manager preconference


Upload: coldfusionconference

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Api manager preconference

© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

Developing and Managing API with Adobe ColdFusion and API Manager Kevin, Mayur, Pavan

Page 2: Api manager preconference


Agenda

Use Case

Designing your API

API Manager Actors

Onboarding of the API

Building Blocks

Security

SLA

Analytics

Page 3: Api manager preconference


Use case (diagram): the API sits behind API Manager; the actors are the Merchant, the Store Administrator and the Customer.

Page 4: Api manager preconference


E-commerce Store APIs

1. Product

2. Merchants

3. Order

4. Promotion

5. Payment Gateway

Presenter notes: One stop shop for customers to purchase products. Retailers can list their products, gain easy traction and make business.
Page 5: Api manager preconference


Product API

Endpoints:

Add a product: POST /products/v1

Get all products: GET /products/v1

Add/Update Brand: PUT /products/v1

Search product: GET /products/v1/search?searchid=123

Page 6: Api manager preconference


Merchant API

Endpoints:

Add a product: POST /merchant/v1/products/<merchant_id>

Update Product Price: PUT /merchant/v1/products/<merchant_id>?product_id=101965

Update Product quantity: PUT /merchant/v1/products/<merchant_id>?product_id=101965

Delete a product under merchant store: DELETE /merchant/v1/products/<merchant_id>?product_id=101965

Page 7: Api manager preconference


Order API

Endpoints:

Place a new Order: POST /order/v1

Retrieve List of All Orders: GET /orders/v1/<customerId>

Update an Order: PUT /orders/v1/<orderid>

Delete a Single Order: DELETE /orders/v1/<customerId>/<orderid>

Page 8: Api manager preconference


Promotion API

Endpoints:

Create a promotion type: POST /promotion/v1

Create a discount code: POST /promotion/discount

Invalidate a discount code: PUT /promotion/discount/invalidate/<discount_code>

Retrieve List of promotions: GET /promotion/v1

Page 9: Api manager preconference


Payment Gateways

Endpoints:

Get all registered gateways: GET /gateway/v1

Disable a Gateway: PUT /gateway/v1/<gateway_id>

Enable a Gateway: PUT /promotion/v1/<gateway_id>

Page 10: Api manager preconference


Building APIs in ColdFusion

You can create REST services by defining certain attributes in the tags cfcomponent, cffunction, and cfargument and publishing the components as REST resources. Script syntax can also be used.

• Follows the HTTP request-response model: Beyond having HTTP as a medium, the service lets you follow all HTTP norms. The components published as REST services can be consumed over HTTP/HTTPS requests. The REST services are identified with a URI (Uniform Resource Identifier) and can be accessed from a web page as well as by specifying the URI in the browser's address bar.

• Supports all HTTP methods: The REST-enabled CFCs support the following HTTP methods: GET, POST, PUT, DELETE, HEAD, and OPTIONS.

• Implicit handling of serialization/deserialization: ColdFusion natively supports JSON and XML serialization/deserialization, so client applications can consume REST services by issuing HTTP/HTTPS requests. The response can be serialized to either XML or JSON format.

• Publish a web service as both a REST service and a WSDL service: You can create and publish the same ColdFusion component as a REST service and as a WSDL service.

Page 11: Api manager preconference


<cfcomponent>

Two attributes for the <cfcomponent> tag:

rest (true/false): if true, the CFC is REST enabled.

restPath: path used to access the REST service.

Example:

<cfcomponent rest="true" restpath="/person">

Sample URI: http://localhost:8500/rest/restTest/restService

URL component and description:

http://localhost:8500: Base URL, which includes the IP address and port of the ColdFusion server. If you deploy ColdFusion as a JEE application, the URL will contain a context root, for example http://localhost:8500/cfusion

rest: Implies that the request sent is a REST request. This default value can be renamed by revising the context path in web.xml, available at cfusion/wwwroot/WEB-INF, and updating the same mapping in the uriworkermap.properties file found at config\wsconfig\1.

restTest: Application name or service mapping that you used while registering the service in the ColdFusion Administrator. If you do not specify a service mapping in the ColdFusion Administrator, the application name is taken from Application.cfc.

restService: REST path you defined in the service, that is, the value of the attribute restPath in the tag cfcomponent.

Page 12: Api manager preconference


<cffunction>

Attributes for the <cffunction> tag:

restPath: specify to use a sub-resource path for the CFC.

httpMethod: the HTTP method to use: GET, POST, PUT, DELETE, HEAD, OPTIONS.

Example:

<cffunction name="getPerson" returntype="string" access="remote" httpmethod="GET" restPath="/person/{personID}" produces="application/json">

Page 13: Api manager preconference


<cfargument>

Attributes for the <cfargument> tag:

restArgSource: where to find the value of the argument: path, query, form, cookie, header, matrix.

restArgName: the name that can be mapped to the argument name.

Example:

<cfargument name="personID" required="true" type="numeric" restargsource="path" />

Page 14: Api manager preconference


Registering an application with the REST service

After you create the CFC you want to REST-enable, specify the folder to register as a web service, either using the autoRegister Application setting, the function restInitApplication(), the ColdFusion Administrator, or the ColdFusion Admin API.

If you are in a shared environment:

<cfset this.restsettings.autoregister = true />

restInitApplication(rootPath[,serviceMapping[,options]])

These options do not require administrator privileges.

Page 15: Api manager preconference


REST Responses

Default responses for a successful call:

200 OK: Sent if the response has a body.

204 No Content: Sent if the response doesn't have a body.

Default error responses:

404 Not Found: Request URL is not valid.

406 Not Acceptable: No function in the REST service can produce the MIME type requested by the client.

415 Unsupported Media Type: A resource is unable to consume the MIME type of the client request.

405 Method Not Allowed: The client invoked an HTTP method on a valid URI to which that HTTP method is not bound.

Custom responses can be created using the restSetResponse method for success or <cfthrow type="RestError"> for errors.
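The following is an added example, not code from the deck or from Adobe: a script-syntax person.cfc that puts the cfcomponent, cffunction and cfargument attributes from the preceding slides together with both custom-response mechanisms (restSetResponse for a 201 on success, a RestError for a 404 on a missing record, so the error does not leave as a default 200 OK). The in-memory data, the names and the "store" service mapping in the comments are constructed for the example.

```cfml
// person.cfc (added example, not from the deck): script-syntax equivalent of the
// cfcomponent / cffunction / cfargument attributes on the slides, with the two
// custom-response mechanisms. With a service mapping of "store" (assumed) the
// resource is reached at http://localhost:8500/rest/store/person/{personID}.
component rest="true" restpath="/person" {

    // Constructed in-memory data; a real service would read a datasource.
    variables.people = {
        "1": { "id": 1, "name": "Ada" },
        "2": { "id": 2, "name": "Grace" }
    };

    // GET /person/{personID}
    // restargsource="path" binds personID to the {personID} template segment;
    // type="numeric" makes ColdFusion reject non-numeric ids before this runs.
    remote struct function getPerson(required numeric personID restargsource="path")
            httpmethod="GET" restpath="{personID}" produces="application/json" {
        if (!structKeyExists(variables.people, arguments.personID)) {
            // Error path from the slide: a RestError with errorcode sets the status;
            // without it a missing record would still go out as 200 OK.
            throw(type="RestError", errorcode="404", message="Person not found");
        }
        // Success path: the returned struct is serialized to JSON implicitly (200 OK).
        return variables.people[arguments.personID];
    }

    // POST /person (form field "name")
    // returntype must be void for restSetResponse() to take effect; it lets the
    // success status be 201 and adds a Location header instead of the default 200.
    remote void function addPerson(required string name restargsource="form")
            httpmethod="POST" consumes="application/x-www-form-urlencoded"
            produces="application/json" {
        if (len(trim(arguments.name)) == 0 || len(arguments.name) > 100) {
            throw(type="RestError", errorcode="400", message="name must be 1-100 characters");
        }
        var newId = structCount(variables.people) + 1;
        variables.people[newId] = { "id": newId, "name": trim(arguments.name) };
        restSetResponse({
            "status": 201,
            "content": serializeJSON(variables.people[newId]),
            "headers": { "Location": "/rest/store/person/" & newId }
        });
    }
}
```

The function-level restpath is appended to the component-level one, so the slide's own example, which repeats "/person" on the function, would answer at /person/person/{personID}; the component above keeps the segment on the component only.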

Page 16: Api manager preconference


About me (Adobe ColdFusion Team: "I am an engineer")

Areas I look into: Web Services (SOAP, REST), PDF, Spreadsheet, API Manager

Hobbies: Working on DIY projects; of course watching TV series (GOT!!!)

Page 19: Api manager preconference


API Manager Actors

Administrator

Publisher (API Developer)

Subscriber (App Creator)

Page 20: Api manager preconference


Onboarding the API

Manual API Creation

CF Discovery

Swagger Import

SOAP to REST

SOAP Pass Through

Presenter notes: Manual: Payment gateway. CF Discovery: Merchant API, Order API. SOAP to REST: Promotion API. Swagger Import: Product API.

Page 22: Api manager preconference


API Manager Building Blocks

API Visibility

API Versioning

API Life cycle

Security

SLA

Caching

Analytics

Page 23: Api manager preconference


API Visibility

Public, Partner, Intranet

Page 24: Api manager preconference


API Versioning

Upgrade APIs without worrying about backward compatibility by managing multiple versions using a single platform.

Page 25: Api manager preconference


API Life cycle

Stages, in order: Draft, Published, Deprecate, Retire

Page 26: Api manager preconference


Caching

"During experiments, many bird species store peanuts in a cache for later retrieval. In the wild, these birds store acorns and insects." (Wikipedia)

Page 27: Api manager preconference


About me

Developer & Security Evangelist at Adobe

Previously Security Consultant at RSA Security

Movie Buff

Email: [email protected]

Page 28: Api manager preconference


API Security

Identity, Authentication, Authorization

Page 29: Api manager preconference


User Store and API Security

API Security: API Key; Basic; OAuth2 and OAuth2 with SAML

User Store: LDAP; Database; SAML

Page 30: Api manager preconference


API/APP Key Authentication

Suitable for Business to Business sharing

Application identification

Page 31: Api manager preconference


Authentication (who you say you are)

How to bring in the users? (User Stores): LDAP, Database, SAML

The Administrator can configure user stores.

Page 32: Api manager preconference


Sample User Store: Database


Page 33: Api manager preconference


BASIC Authentication

Simplest and standard form of authenticating

Auth happens via username and password

Pass username and password in each request

Requires HTTPS

Application should securely store the password
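As an added example (not code from the deck or from Adobe), a REST CFC that enforces the three rules on the slide: the credentials are checked on every request, a request that did not arrive over HTTPS is refused before the password is even looked at, and the user store holds only a salt and a PBKDF2 hash, never the password. The user name, password, realm and in-memory store are constructed; generatePBKDFKey() is the ColdFusion 11+ built-in.

```cfml
// orders.cfc (added example, not from the deck): HTTP Basic authentication inside
// a REST CFC, following the three rules on the slide. User name, password and
// realm are constructed; generatePBKDFKey() exists since ColdFusion 11.
component rest="true" restpath="/orders" {

    variables.iterations = 100000;
    // Constructed user store holding salt + PBKDF2 hash only, never the password.
    // (A database user store would hold the same two columns.)
    variables.users = {};
    registerUser("alice", "correct horse battery staple");   // demo seed, constructed

    private string function hashPassword(required string password, required string salt) {
        // PBKDF2-HMAC-SHA256, 256-bit derived key, base64 encoded
        return generatePBKDFKey("PBKDF2WithHmacSHA256", arguments.password,
                                arguments.salt, variables.iterations, 256);
    }

    private void function registerUser(required string name, required string password) {
        var salt = generateSecretKey("AES", 128);   // 16 random bytes, base64
        variables.users[arguments.name] = { "salt": salt, "hash": hashPassword(arguments.password, salt) };
    }

    // Compare every character so timing does not reveal how much of the hash matched
    private boolean function constantTimeEquals(required string a, required string b) {
        if (len(arguments.a) != len(arguments.b)) return false;
        var diff = 0;
        for (var i = 1; i <= len(arguments.a); i++) {
            diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))));
        }
        return diff == 0;
    }

    // Returns the user name from a valid "Authorization: Basic <base64>" header, else ""
    private string function authenticateBasic(required string authHeader) {
        if (!reFindNoCase("^Basic\s+[A-Za-z0-9+/=]+$", arguments.authHeader)) return "";
        var decoded = toString(toBinary(listLast(arguments.authHeader, " ")));
        var sep = find(":", decoded);
        if (sep <= 1) return "";                      // no separator or empty user name
        var user = left(decoded, sep - 1);
        var pass = sep < len(decoded) ? right(decoded, len(decoded) - sep) : "";
        if (!structKeyExists(variables.users, user)) return "";
        var stored = variables.users[user];
        return constantTimeEquals(hashPassword(pass, stored.salt), stored.hash) ? user : "";
    }

    // GET /orders: credentials travel with every request, so every request is checked
    remote void function listOrders(string authorization="" restargsource="header" restargname="Authorization")
            httpmethod="GET" produces="application/json" {
        // "Requires HTTPS": never accept a password that arrived in clear
        if (cgi.server_port_secure != 1) {
            restSetResponse({ "status": 403, "content": serializeJSON({ "error": "HTTPS required" }) });
            return;
        }
        var user = authenticateBasic(arguments.authorization);
        if (user == "") {
            restSetResponse({ "status": 401,
                              "headers": { "WWW-Authenticate": "Basic realm=""orders""" },
                              "content": "" });
            return;
        }
        restSetResponse({ "status": 200, "content": serializeJSON({ "user": user, "orders": [] }) });
    }
}
```

The 401 carries a WWW-Authenticate challenge so a browser or client library knows to retry with credentials; the hash comparison runs over the full string so a wrong password takes as long as a right one.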

Page 34: Api manager preconference


When it is not enough!!!!

Password anti-pattern

Trust issues: third-party apps

Can't revoke an application

No selective data sharing

Presenter notes: Many popular Web applications allow third-party software to access their underlying services through open APIs. This enables the development of Web mashups and mobile and desktop client applications. Although these open APIs bring a lot of value to the Web and make it possible for various services to interoperate in important ways, it can be difficult to make this functionality available in a manner that safeguards the security of end users.

The APIs often require authentication for sensitive or user-specific features. For example, in order for a desktop application to be able to access a user's account on a hypothetical Web service, the user must first supply the application with their login credentials. The application can only access the user's account if it transmits the user's credentials to the server. Although this form of simple login-based authentication is very easy to implement, it creates a tremendous number of problems.

One of the biggest issues is that there is no easy way for the user to revoke access permissions from an individual application. It can be especially difficult to remove your credentials from third-party Web applications, which you can't just uninstall. When third-party software runs amok with your login information for a Web application, the only way to stop it in some cases is to change your password. Another problem with simple login-based authentication is that there is no way to control how much access an individual third-party application gets: it's an all-or-nothing deal based on whether you are willing to give the program your password.

What users need is a granular authorization system that will allow them to selectively grant revocable privileges to individual applications without having to supply a global password. Several popular Web applications, such as Facebook, have implemented their own authentication systems that aim to do precisely that. But for application developers who want to make their software work with a variety of popular Web services, it's not especially pleasant to have to work with a variety of different authentication systems. Obviously, what developers need is a standards-based solution. That's where OAuth comes into play. It's the first step towards delivering a standard protocol for password-less Web authentication that works across the Web and the desktop.
Page 35: Api manager preconference


Introducing OAuth 2.0

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

Page 36: Api manager preconference


OAuth 2.0: Actors

Resource Owner: the person or the application that holds the data to be shared.

Resource Server: the application that holds the protected resources.

Authorization Server: the application that verifies the identity of the users.

Client: the application that makes requests to the RS on behalf of the RO.

Page 40: Api manager preconference


I want to see a list of games

Protocol Flow

Page 41: Api manager preconference


Hey, API Manager, could you please give me a list of games?

Protocol Flow

Page 42: Api manager preconference


Protocol Flow

Sorry Pal, This is a secured API. Provide me an Access Token.

Page 43: Api manager preconference


Protocol Flow

@alvaro_sanchez

Page 44: Api manager preconference


Protocol Flow

@alvaro_sanchez

Page 45: Api manager preconference


Protocol Flow

Hi, Could you provide me your username & password ?

Page 46: Api manager preconference


Here you go. My username is [email protected] and password is top-secret

Protocol Flow

Page 47: Api manager preconference


Protocol Flow

@alvaro_sanchez

Page 48: Api manager preconference


Hi API Manager, here is my token:7ee85874dde4c7235b6c3afc82e3fb

Protocol Flow

Page 49: Api manager preconference


Protocol Flow

Hi, I have been given the token 7ee85874dde4c7235b6c3afc82e3fb. Is it Legitimate ?

Page 50: Api manager preconference


Protocol Flow

Of Course. The Token is valid & it belongs to [email protected]

Page 51: Api manager preconference


All well! Here is the list of games.

Protocol Flow

Page 52: Api manager preconference


Here you are, the list of games. Have a good day!

Protocol Flow

Page 53: Api manager preconference


OAuth 2.0 is a delegation protocol, as this guy has no idea about the credentials of this guy.

Protocol Flow
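The resource-server half of the exchange pictured on the slides, as an added example that is not code from the deck, from API Manager or from Adobe: the client presents a bearer token, the resource server asks the authorization server whether it is legitimate (token introspection, RFC 7662), and only a token that is active, unexpired and carries the right scope gets the list of games. The introspection URL, the resource server's own client credentials, the scope name, the user and the expiry are all constructed; the sample token value is the one on the slides. When the introspection URL is left empty the answer comes from a local table so the component can be exercised without an authorization server.

```cfml
// games.cfc (added example, not API Manager's code): the resource-server side of the
// flow on the slides. Every name here is constructed: the introspection URL, the
// client credentials the resource server uses to call it, the scope "games:read" and
// the sample token table. When variables.introspectionUrl is empty the lookup is
// answered from the local table so the component runs without an authorization server.
component rest="true" restpath="/games" {

    variables.introspectionUrl = "";   // e.g. https://auth.example.com/oauth2/introspect (constructed)
    variables.rsClientId = "games-rs";           // constructed
    variables.rsClientSecret = "change-me";      // constructed; keep in config, not code
    variables.requiredScope = "games:read";      // constructed scope name

    // Stand-in for the authorization server's answer ("Of course, the token is valid
    // and it belongs to ..."). Keyed by the token's SHA-256 so the table never holds a
    // usable token in clear. The token value is the one on the slides; user and expiry
    // are constructed.
    variables.localTokens = {};
    variables.localTokens[hash("7ee85874dde4c7235b6c3afc82e3fb", "SHA-256")] =
        { "active": true, "username": "alice@example.com", "scope": "games:read",
          "exp": 4102444800 };

    // Step "Is it legitimate?": ask the authorization server (RFC 7662 introspection)
    private struct function introspect(required string token) {
        if (variables.introspectionUrl == "") {
            var key = hash(arguments.token, "SHA-256");
            return structKeyExists(variables.localTokens, key)
                   ? variables.localTokens[key] : { "active": false };
        }
        // The resource server authenticates itself to the introspection endpoint
        cfhttp(url=variables.introspectionUrl, method="post", result="local.res",
               username=variables.rsClientId, password=variables.rsClientSecret, timeout=5) {
            cfhttpparam(type="formfield", name="token", value=arguments.token);
        }
        if (!reFind("^200", local.res.statusCode) || !isJSON(local.res.fileContent)) {
            return { "active": false };   // any failure to verify counts as not verified
        }
        return deserializeJSON(local.res.fileContent);
    }

    private void function deny(required numeric status, required string error) {
        // 401/403 with the Bearer challenge from RFC 6750 so the client knows what to do
        restSetResponse({ "status": arguments.status,
                          "headers": { "WWW-Authenticate": "Bearer realm=""games"", error=""#arguments.error#""" },
                          "content": serializeJSON({ "error": arguments.error }) });
    }

    // GET /games: "Sorry pal, this is a secured API. Provide me an access token."
    remote void function listGames(string authorization="" restargsource="header" restargname="Authorization")
            httpmethod="GET" produces="application/json" {
        if (!reFindNoCase("^Bearer\s+\S+$", arguments.authorization)) {
            deny(401, "invalid_request");   // no token at all
            return;
        }
        var token = listLast(arguments.authorization, " ");
        var info = introspect(token);
        // Active flag and expiry both checked: introspection may report a stale token
        if (!structKeyExists(info, "active") || !info.active
                || (structKeyExists(info, "exp") && info.exp < getTickCount() \ 1000)) {
            deny(401, "invalid_token");
            return;
        }
        // Scope is the "selective data sharing" the password anti-pattern could not give
        if (!structKeyExists(info, "scope") || !listFindNoCase(info.scope, variables.requiredScope, " ")) {
            deny(403, "insufficient_scope");
            return;
        }
        // The resource server never saw the user's password: delegation, not impersonation
        restSetResponse({ "status": 200, "content": serializeJSON({
            "user": info.username, "games": [ "chess", "go" ] }) });
    }
}
```

The point the last slide makes is visible in the code: the only secret the resource server holds is its own client credential for the introspection call; the resource owner's password never reaches it.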

Page 54: Api manager preconference


SLA

SLA Plans

Rate Limiting

Throttling

HARD and SOFT Limit

Presenter notes: Throttling is a process used to control the usage of APIs by consumers during a given period. You can define throttling at the application level as well as the API level; the throttling limit is cumulative at the API level. Rate limiting is a process used to define the rate at which consumers can access APIs, that is, the speed at which a consumer can access them. The rate limit is calculated in real time.
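To make the four SLA terms concrete, the following is an added example (not API Manager's own policy engine and not code from the deck): a fixed-window counter where the rate limit is per application and per second, measured in real time; throttling is a per-day quota kept both per application and, cumulatively across all applications, per API; the soft limit only flags the request and the hard limit rejects it with a 429. The plan numbers, the API quota, the application key and the timestamp in the demo are all constructed.

```cfml
// SlaPolicy.cfc (added example, not API Manager's code): a fixed-window counter that
// models the four SLA terms on the slide. Rate limiting is per application and per
// second, measured in real time; throttling is a per-day quota kept per application
// and, cumulatively across all applications, per API; the soft limit only flags the
// request, the hard limit rejects it. Plan numbers and API quotas are constructed.
component {

    variables.plans = {                            // constructed SLA plans
        "free": { "perSecond": 5,  "perDay": 1000 },
        "gold": { "perSecond": 50, "perDay": 100000 }
    };
    variables.apiQuotaPerDay = { "games": 5000 };  // constructed, cumulative over all apps
    variables.softRatio = 0.8;                     // soft limit = 80 % of the hard limit
    variables.counters = {};                       // window counters (per instance here;
                                                   // production would use a shared store)

    // Increment and return the counter for one key inside one time window
    private numeric function bump(required string key, required numeric windowId) {
        var slot = arguments.key & "|" & arguments.windowId;
        lock name="sla-#slot#" type="exclusive" timeout="1" {
            if (!structKeyExists(variables.counters, slot)) variables.counters[slot] = 0;
            variables.counters[slot]++;
            return variables.counters[slot];
        }
    }

    // Verdict for one request; nowMs defaults to the current time so tests can pin it
    public struct function check(required string appKey, required string plan,
                                 required string apiName, numeric nowMs = 0) {
        if (!structKeyExists(variables.plans, arguments.plan)) {
            throw(type="SlaPolicy.UnknownPlan", message="No SLA plan named " & arguments.plan);
        }
        if (arguments.nowMs == 0) arguments.nowMs = getTickCount();
        var p = variables.plans[arguments.plan];
        var second = arguments.nowMs \ 1000;          // rate-limit window
        var day = arguments.nowMs \ 86400000;         // throttling period

        var perSecond = bump("rate|" & arguments.appKey, second);
        var appPerDay = bump("throttle|app|" & arguments.appKey, day);
        var apiPerDay = bump("throttle|api|" & arguments.apiName, day);
        var apiQuota = structKeyExists(variables.apiQuotaPerDay, arguments.apiName)
                       ? variables.apiQuotaPerDay[arguments.apiName] : p.perDay;

        var verdict = { "allowed": true, "reason": "", "softLimit": false,
                        "remainingToday": max(p.perDay - appPerDay, 0) };
        if (perSecond > p.perSecond) {
            verdict.allowed = false; verdict.reason = "rate limit exceeded";
        } else if (appPerDay > p.perDay) {
            verdict.allowed = false; verdict.reason = "application throttle limit exceeded";
        } else if (apiPerDay > apiQuota) {
            verdict.allowed = false; verdict.reason = "API throttle limit exceeded";
        } else if (appPerDay > p.perDay * variables.softRatio) {
            verdict.softLimit = true;   // still served, but the subscriber should be warned
        }
        return verdict;
    }

    // Inside a REST CFC: turn a rejection into 429 with the headers clients expect
    public void function reject(required struct verdict) {
        restSetResponse({ "status": 429,
                          "headers": { "Retry-After": "1", "X-RateLimit-Remaining": "0" },
                          "content": serializeJSON({ "error": arguments.verdict.reason }) });
    }

    // Usage: eight calls within the same second on the free plan; the returned
    // verdicts show where the hard per-second limit starts rejecting
    public array function demo() {
        var verdicts = [];
        for (var i = 1; i <= 8; i++) {
            arrayAppend(verdicts, check("app-123", "free", "games", 1700000000000));
        }
        return verdicts;
    }
}
```

The three counters are deliberately separate: the per-second counter is what the presenter notes call rate limiting, the two per-day counters are the throttling limits, and the API-level one is the cumulative figure because it is keyed by API name rather than by application.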

Page 56: Api manager preconference


Analytics

Administrator Analytics

Publisher Analytics

Subscriber Analytics

Page 57: Api manager preconference


Recap - APIs: from concept to go-to-market

Step 1: Define your business objectives

Step 2: Design your API

Step 3: On-board your API

Step 4: Manage your API

Step 5: Secure your API

Step 6: Engage customers

Step 7: Measure impact

Presenter notes: Walk through an example.