REST API: Representational State Transfer
Umme Habiba, KTH Applied Information Security Lab, SEECS
February 14, 2013

Uploaded by kth-applied-information-security-lab, posted 10-May-2015


Page 1: REST API Representational State Transfer

REST API: Representational State Transfer
Umme Habiba
KTH Applied Information Security Lab, SEECS
February 14, 2013

Page 2: REST API Representational State Transfer

Web Basics: Operations, via the HTTP API

HTTP provides a simple set of operations. Amazingly, all Web exchanges are done using this simple HTTP API:

- GET
  - Properties: Safe, Idempotent
  - Usage: Retrieving a resource
- POST
  - Properties: UNSAFE
  - Usage: Creating a resource within a collection (resource URI unknown)
- PUT
  - Properties: Idempotent
  - Usage: Creating or updating a resource at a known URI
- DELETE
  - Properties: Idempotent
  - Usage: Deleting a resource
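The safe/idempotent properties above are easiest to see by replaying requests against a store. The following is an added example (not from the slides): a minimal in-memory resource store that dispatches the four verbs, with a helper that sends each request twice and counts what is left. URIs such as /customer/45 are constructed for the example.

```python
# Added example (not from the slides): in-memory resource store that applies
# the HTTP verbs listed above, so safe/idempotent behaviour can be checked
# by replaying the same request. URIs and bodies are constructed sample data.
import itertools


class ResourceStore:
    """Maps resource URIs (e.g. /customer/45) to their representations."""

    def __init__(self):
        self._resources = {}            # URI -> representation (a dict)
        self._ids = itertools.count(1)  # server-chosen ids for POSTed resources

    def handle(self, method, uri, body=None):
        """Dispatch one request; returns (status, body)."""
        if method == "GET":             # safe: never changes server state
            rep = self._resources.get(uri)
            return (200, rep) if rep is not None else (404, None)
        if method == "PUT":             # idempotent: URI known, replace in place
            created = uri not in self._resources
            self._resources[uri] = body
            return (201 if created else 200, body)
        if method == "DELETE":          # idempotent: the second call is a no-op
            existed = self._resources.pop(uri, None) is not None
            return (204 if existed else 404, None)
        if method == "POST":            # unsafe: server mints a new URI each time
            new_uri = f"{uri.rstrip('/')}/{next(self._ids)}"
            self._resources[new_uri] = body
            return (201, new_uri)
        return (405, None)              # verb not part of the uniform interface

    def count(self):
        return len(self._resources)


def replay_demo():
    """Send each request twice (a retry or double click) and record the store size."""
    store = ResourceStore()
    results = {}
    for method, uri, body in [("PUT", "/customer/45", {"name": "A"}),
                              ("POST", "/customer", {"name": "B"}),
                              ("DELETE", "/customer/45", None)]:
        store.handle(method, uri, body)
        store.handle(method, uri, body)  # replay
        results[method] = store.count()
    return results
```

Replaying PUT and DELETE leaves one and then zero copies of /customer/45, while replaying POST creates two resources, which is why a retried POST needs some other duplicate guard.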

Umme Habiba: KTH-Applied Information Security Lab SEECS

Page 3: REST API Representational State Transfer

Resource Oriented Architecture?

- ROA is the term for REST on HTTP/URI
- A Service consists of all the resources available within a certain domain of control
- Since REST is a type of SOA, ROA is an implementation of SOA as well


Page 4: REST API Representational State Transfer

Web Basics: Simple Set of Operations, via the HTTP API

(Diagram: a client posting an order to the Amazon Web Server; the slide labels each part of the request.)

    POST / HTTP/1.1                 <- desired action        (HTTP Header)
    Host: http://www.amazon.com     <- target machine        (HTTP Header)

    Book: Da Vince Code             <- data being posted     (HTTP Payload)
    Credit Card: Visa
    Number: 123-45-6789
    Expiry: 12-04-06


Page 5: REST API Representational State Transfer

REST

Roy Fielding described REST as an architecture style which attempts "to minimize latency and network communication, while at the same time maximizing the independence and scalability of component implementations".


Page 6: REST API Representational State Transfer

REST - Not a Standard

- REST is not a standard
- REST is just a design pattern
- REST does prescribe the use of standards:
  - HTTP
  - URL
  - XML/HTML/GIF/JPEG/etc. (Resource Representations)
  - text/xml, text/html, image/gif, image/jpeg, etc. (Resource Types, MIME Types)


Page 7: REST API Representational State Transfer

Why is it called "Representational State Transfer"?

(Diagram: the Client requests the resource http://www.boeing.com/aircraft/747 and receives the representation Boeing747.html, which in turn links to further resources such as "Fuel requirements" and "Maintenance schedule".)

The Client references a Web resource using a URL. A representation of the resource is returned (in this case as an HTML document). The representation (e.g., Boeing747.html) places the client in a new state. When the client selects a hyperlink in Boeing747.html, it accesses another resource. The new representation places the client application into yet another state. Thus, the client application transfers state with each resource representation.


Page 8: REST API Representational State Transfer

REST Constraints

- Important 'things' (Nouns) are Resources
  - Addressed through a URI
- Uniform interface (Verbs)
  - In HTTP: GET, PUT, POST, DELETE
- Verb-Noun separation makes integration easier
  - GET /customer/45 instead of getCustomer(45) OR viewCustomer(45) OR showCustomer(45)


Page 9: REST API Representational State Transfer

REST

- Create a resource for every service
- Separation of resource from representation
- The data that a Web service returns should link to other data
- Resources are identified by URIs
- Resources are manipulated through their representations
- Self-descriptive messages


Page 10: REST API Representational State Transfer

Why not plain HTML?

- Web pages are designed to be understood by people
  - Layout and styling do matter, not just raw data
- Every URI could have a human-readable and a machine-processable representation:
  - Web Services clients ask for the machine-readable one
  - Browsers ask for the human-readable one
- A web page is a representation of a resource
- URIs tell a client that there's a concept somewhere
- Clients can then request a specific representation of the concept from the representations the server makes available


Page 11: REST API Representational State Transfer

Why hypertext?

- Because the links mirror the structure of how a user makes progress through an application
- The user is in control, thanks to the Back button and other non-local actions
  - In a Web service, the client should be in control in the same sense

Example representation of an order, with links to the related resources:

    <order self='http://example.com/customers/1234'>
      <amount>23</amount>
      <product ref='http://example.com/products/4554' />
      <customer ref='http://example.com/customers/1234' />
    </order>
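A client that is "in control" navigates by the links the representation carries rather than by URIs baked into its code. The following is an added example (not from the slides) that parses the order representation above, collects its links, and follows only those that stay on the origin named in the representation's own self URI; the off-origin variant is constructed to show a link being dropped.

```python
# Added example (not from the slides): read the links out of the <order>
# representation shown above and keep only those on the same origin as the
# representation's own 'self' URI. The tampered variant is constructed here.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The order representation from the slide, embedded so the code runs offline.
ORDER_XML = """<order self='http://example.com/customers/1234'>
  <amount>23</amount>
  <product ref='http://example.com/products/4554' />
  <customer ref='http://example.com/customers/1234' />
</order>"""

# Constructed variant: one link has been redirected to another host.
TAMPERED_XML = ORDER_XML.replace("http://example.com/products/4554",
                                 "http://other.invalid/products/4554")


def extract_links(xml_text):
    """Return {element tag: URI} for every child element carrying a 'ref' link."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.get("ref") for child in root if child.get("ref")}


def followable_links(xml_text):
    """Keep only links whose scheme and host match the representation's 'self' URI.

    A client that blindly follows every link in a server-supplied document can
    be pointed at any host; pinning to the origin of 'self' is one simple guard.
    """
    root = ET.fromstring(xml_text)
    origin = urlsplit(root.get("self"))
    safe = {}
    for tag, uri in extract_links(xml_text).items():
        parts = urlsplit(uri)
        if (parts.scheme, parts.netloc) == (origin.scheme, origin.netloc):
            safe[tag] = uri
    return safe


def next_hops(xml_text):
    """The URIs a link-driven client would fetch next from this representation."""
    return sorted(followable_links(xml_text).values())
```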

Page 12: REST API Representational State Transfer

What is REST??

- Uniform Interface
- Stateless
- Cacheable
- Client-Server
- Layered System
- Code on Demand (Optional)


Page 13: REST API Representational State Transfer

Uniform Interface

- Simplifies and decouples the architecture for better visibility and evolvability
- Resource-based representation
- Manipulation of resources through representations
- Self-descriptive messages
- Principle of generality on the interface
- Con: Degrades efficiency
- Optimized: Large-grain hypermedia transfer


Page 14: REST API Representational State Transfer

Client Server

- Separation of Concerns
- Improves portability of the UI
- Scalability through simple server components
- Independent evolution


Page 15: REST API Representational State Transfer

Cache

- Eliminates client-server interactions, partially or completely
- Improves scalability and performance
- Reduced latency on average
- Con: Decreased reliability, since cached data may not be the most recently updated


Page 16: REST API Representational State Transfer

Layered System

- Restricts knowledge of the system to one layer
- Bounds system complexity; encapsulation
- Intermediaries and load balancing
- Con: Adds overhead and latency
- Optimized: Pipes-and-filters behaviour, with intermediaries partially processing the message


Page 17: REST API Representational State Transfer

Stateless

- Statelessness is the key
- Necessary state is contained in the request itself
- Prevents partial failures
- No context in the server; session state lives in the client
- Visibility, reliability, and scalability
- Con: Decreases network performance
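"Necessary state is contained in the request itself" means the server must be able to authorize a request without looking anything up in a session table. The following is an added example (not from the slides): the client carries its identity and expiry in an HMAC-signed token, and the server verifies it from the request and its own key alone. The token format, header name and key are assumptions made for this example.

```python
# Added example (not from the slides): a request that carries the state the
# server needs (who the client is, until when) as an HMAC-signed token, so the
# server verifies it from the request alone and keeps no session table.
# The token layout "<claims>.<signature>" and the key are assumptions.
import base64, hashlib, hmac, json, time

SERVER_KEY = b"demo-key-constructed-for-this-example"   # constructed value


def _b64(raw):                  # URL-safe base64 without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, ttl_seconds, now=None, key=SERVER_KEY):
    """Client-held state: subject and expiry, signed so the server can trust it."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    claims = _b64(json.dumps({"sub": subject, "exp": exp}).encode())
    sig = _b64(hmac.new(key, claims.encode(), hashlib.sha256).digest())
    return f"{claims}.{sig}"


def verify_token(token, now=None, key=SERVER_KEY):
    """Return the subject if the token is intact and unexpired, else None.
    Needs only the request and the server's key: no session lookup."""
    try:
        claims, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, claims.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # tampered, or signed elsewhere
        return None
    data = json.loads(_unb64(claims))            # only decoded after the check
    if (now if now is not None else time.time()) >= data["exp"]:
        return None
    return data["sub"]


def handle_request(headers, now=None):
    """Stateless handler: every request is authorized from its own headers."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    subject = verify_token(token, now)
    return (200, f"hello {subject}") if subject else (401, "no valid token")
```

Because nothing is kept per client on the server, any replica holding the same key can answer the request, which is the scalability benefit the slide claims; the cost is that every request carries and re-verifies the token.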


Page 18: REST API Representational State Transfer

Code On Demand (Optional)

- Temporarily extend or customize client functionality (extensibility: JavaScript and Java applets)
- Client simplification
- Con: Reduces visibility
- This is the only optional constraint


Page 19: REST API Representational State Transfer

Who is using REST?

- Google: GData, OpenSocial
- Standards: Atom, WebDAV
- Amazon: S3, SimpleDB
- Microsoft (!): Project Astoria, Web3S


Page 20: REST API Representational State Transfer

Advantages of REST

- Its architectural constraints, when applied as a whole, generate:
  - Scalable component interactions
  - General interfaces
  - Independently deployed connectors
  - Reduced interaction latency
  - Strengthened security
  - Safe encapsulation of legacy systems
- Separates server implementation from the client's perception of resources
- Scales well to large numbers of clients
- Enables transfer of data in streams of unlimited size and type


Page 21: REST API Representational State Transfer

Thank You
