RESTful SOA - Chinese Academy of Sciences Summer Lecture
Outline
The Programmable Web
What is REST
Characteristics and Benefits of REST
The Best Practice of REST
What is a RESTful SOA?
Web 2.0 from a different angle
http://www.youtube.com/watch?v=6gmP4nk0EOE
chmod 777 web – the programmable Web!
API Billionaires Club
More of the APIs are using REST
Simple to use and simple to access!
Outline
The Programmable Web
What is REST
Characteristics and Benefits of REST
The Best Practice of REST
What is a RESTful SOA?
REST is all around
Syndication using RSS
AJAX – Asynchronous JavaScript and XML
The blogosphere– the universe of weblogs
Every Web Site
REST Interface offered by
– Amazon
– eBay
– Yahoo
What is REST?
“REST” is an acronym for “Representational State Transfer”.
“REST” was coined by Roy Fielding in his Ph.D. dissertation [1] to describe a design pattern for implementing networked systems.
[1] http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
REST Overview
REST is an architectural style, not a standard.
– Client-Server: a pull-based interaction style: consuming components pull representations.
– Stateless: each request from client to server must contain all the information necessary to understand the request, and cannot take advantage of any stored context on the server.
– Resource-centric
– Uniform interface: all resources are accessed with a generic interface (e.g., HTTP GET, POST, PUT, DELETE).
– Named resources: the system is comprised of resources which are named using a URL.
Nouns (unconstrained), e.g. http://wikipedia.org
Verbs (constrained), e.g. GET/POST
Adjectives – content-types (constrained), e.g. HTML, XML, GIF
Example: RESTful Service for Photo Management
The Web
[Figure: a client sends a request to a web server and receives a response]
Request: GET http://example.org/news/
Response: 200 OK…
HTTP Request
GET /news/ HTTP/1.1
Host: example.org
Accept-Encoding: compress, gzip
User-Agent: Python-httplib2
HTTP Response
HTTP/1.1 200 Ok
Date: Thu, 07 Aug 2008 15:06:24 GMT
Server: Apache
ETag: "85a1b765e8c01dbf872651d7a5"
Content-Type: text/html
Cache-Control: max-age=3600
<!DOCTYPE HTML>
...
Resource = http://example.org/news/
GET /news/ HTTP/1.1
Host: example.org
Accept-Encoding: compress, gzip
User-Agent: Python-httplib2
Method = GET
GET /news/ HTTP/1.1
Host: example.org
Accept-Encoding: compress, gzip
User-Agent: Python-httplib2
Common Methods for Resources
GET – safe, idempotent, cacheable – returns a state representation of the identified resource.
PUT – idempotent – performs some form of application-specific update to the identified resource.
DELETE – idempotent – destroys a resource at the identified location (URI).
POST – creates a new resource at an identified location (URI).
HEAD – safe, idempotent – checks the status of the identified resource.
Representation
<!DOCTYPE HTML><html> <head> <script src="utility.js" type="text/javascript"> </script> .... <body> <p><img src="logo.png"> <a href="/home/">Home</a> ...
Code on Demand (the script element)
Hypertext (the link)
Control Data
...
Server: Apache
ETag: "85a1b765e8c01dbf872651d7a5"
Content-Type: text/html
Cache-Control: max-age=3600
...
Outline
The Programmable Web
What is REST
Characteristics and Benefits of REST
The Best Practice of REST
What is a RESTful SOA?
Recap the Characteristics of REST
Resource-centric
– URI
– Uniform Interface
– Methods
– Representation
Protocol
– Client-Server
– Stateless
– Cacheable
– Layered
Layered Architecture in the Web
[Figure: client and web server exchanging request and response]
[Figure: the same exchange with intermediaries between client and web server]
Caching in the Web
[Figure: user agent, proxies and gateways, each with a cache (C), in front of the origin server]
Control data that drives the caches:
...
Server: Apache
ETag: "85a1b765e8c01dbf872651d7a5"
Content-Type: text/html
Cache-Control: max-age=3600
...
Real World of the Web
[Figure: client with local cache → router → firewall → ISP proxy server → Internet → firewall → web server → resources; an alternative path ends in firewall → web server → reverse proxy → resources]
Benefits of REST
Cacheability (HTTP GET)
– Unique URI per resource
– Stateless interactions; the response is not a function of how the user reaches the URI
Scalability (HTTP POST)
– Unique URI per resource enables simple partitioning; leverage distributed data
– POST /foo/{user}/bar – [a-l]* to server1, [m-z]* to server2
“Secureability”
– Unique URI per resource; straightforward to set policy on URIs
“Navigability”
– Resources can be navigated via hyperlinks
– Think browser clients
– E.g. GET on a collection returns a list of member URIs and optional paging links (next/prev/first/last)
Other Benefits
simplicity, evolvability, extensibility, customizability, configurability, reusability, visibility, portability, reliability
Outline
What is Web 2.0
What is REST
Characteristics and Benefits of REST
The Best Practice of REST
What is a RESTful SOA?
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
Resource        URI
Employee List   /employees/
Employee        /employees/{employee-id}
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
Employee JSON representation
Employee List JSON representation
How to choose the proper representation? HTML, XML, JSON, or ATOM feed?
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
Resource        URI                        Method   Representation     Description
Employee List   /employees/                GET      JSON (emp list)    Retrieve the list of employees
                                           POST     JSON (employee)    Create a new employee
Employee        /employees/{employee-id}   GET      JSON (employee)    Retrieve an employee
                                           PUT      JSON (employee)    Update an employee
                                           DELETE   -                  Remove an employee
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
E.g. Create an employee
POST /employees/
….
201 Created
Location: /employees/yili
E.g. Delete an employee
DELETE /employees/zhangke
404 Not Found
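The four recipe steps above (nouns, formats, operations, exceptional status codes), carried through as one small in-memory employee service. This is an added example and not code from the lecture: handle() stands in for a framework's router, a dict stands in for the database, the employee fields name and dept are assumed, ids are provider-generated as the Collections slide describes, and 405 Method Not Allowed (a standard HTTP code not listed on the slides) answers verbs a resource does not support. The representation is validated strictly before anything is stored.

```python
import json
import re
from typing import Dict, Optional, Tuple

# In-memory store keyed by employee id; ids are generated by the provider.
_EMPLOYEES: Dict[str, dict] = {}
_NEXT_ID = 0
_MEMBER = re.compile(r"^/employees/([A-Za-z0-9_-]{1,32})/?$")
JSON = {"Content-Type": "application/json"}

Response = Tuple[int, Dict[str, str], Optional[str]]


def reset() -> None:
    """Clear the store (used by the test harness)."""
    global _NEXT_ID
    _EMPLOYEES.clear()
    _NEXT_ID = 0


def _parse_employee(body: Optional[str]) -> Optional[dict]:
    """Validate the employee representation: a JSON object with exactly the
    string fields 'name' and 'dept' (assumed fields). Anything else -> None (400)."""
    if body is None:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or set(data) != {"name", "dept"}:
        return None
    if not all(isinstance(v, str) and 0 < len(v.strip()) <= 100 for v in data.values()):
        return None
    return {"name": data["name"].strip(), "dept": data["dept"].strip()}


def handle(method: str, path: str, body: Optional[str] = None) -> Response:
    """Dispatch one request to the resource it names and return
    (status, headers, body). Stands in for a framework's router."""
    global _NEXT_ID
    method = method.upper()
    if path in ("/employees", "/employees/"):          # the Employee List resource
        if method == "GET":
            members = [f"/employees/{eid}" for eid in _EMPLOYEES]
            return 200, dict(JSON), json.dumps({"employees": members})
        if method == "POST":
            emp = _parse_employee(body)
            if emp is None:
                return 400, dict(JSON), json.dumps({"error": "bad employee representation"})
            _NEXT_ID += 1
            eid = str(_NEXT_ID)
            _EMPLOYEES[eid] = emp
            # 201 plus Location tells the client where the new member lives
            return 201, {**JSON, "Location": f"/employees/{eid}"}, json.dumps(emp)
        return 405, {"Allow": "GET, POST"}, None
    m = _MEMBER.match(path)
    if m is None:
        return 404, dict(JSON), json.dumps({"error": "no such resource"})
    eid = m.group(1)                                    # the Employee resource
    if eid not in _EMPLOYEES:
        return 404, dict(JSON), json.dumps({"error": "no such employee"})
    if method == "GET":
        return 200, dict(JSON), json.dumps(_EMPLOYEES[eid])
    if method == "PUT":
        emp = _parse_employee(body)
        if emp is None:
            return 400, dict(JSON), json.dumps({"error": "bad employee representation"})
        _EMPLOYEES[eid] = emp
        return 200, dict(JSON), json.dumps(emp)
    if method == "DELETE":
        del _EMPLOYEES[eid]
        return 204, {}, None
    return 405, {"Allow": "GET, PUT, DELETE"}, None
```

The collection GET returns member URIs rather than the members themselves, which is the "Navigability" point from the Benefits slide; a client follows the links it is given instead of constructing URIs on its own.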
HTTP Status Codes
Success 2xx – request recognized and accepted
– 200 OK
– 201 Created
– 202 Accepted (to be processed later)
– 204 No Content
– 206 Partial Content (on partial GET)
1xx Continue
– 100 Continue – should be ignored
– 101 Switching Protocols
Redirect 3xx
– 300 Multiple Choices
– 301 Moved Permanently
– 302 Found (temporary redirect)
– 303 See result elsewhere (using GET)
– 307 Temporary Redirect
– 304 Not Modified (on conditional GETs)
– Usually the client can redirect automatically
Errors 4xx
• 400 Bad, malformed request
• 401 Unauthorized
• 406 Not Acceptable
• 407 Proxy Authentication Required
• 404 Not Found
• 410 Gone
• 412 Precondition Failed
• Usually the client shouldn’t repeat the same request without changes.
Server Errors 5xx
• 500 Internal Server Error
• 501 Not Implemented
• 503 Temporarily Unavailable
• 505 HTTP Version Not Supported
• Usually the client may repeat the same request later.
Understand HTTP response codes. Do not add semantics that are not implied; the codes are used by network proxies.
REST Recipe (Advanced) – For Algorithmic Resources
Verb     Collection (/Transfers)                    Member (e.g. /Transfers/344)
GET      Returns a list of all previous transfers   Returns the record of a specific transfer
POST     Creates a new transfer                     Not supported
PUT      Not supported                              Could change parameters of a transfer still in progress; fails otherwise
DELETE   Not supported                              Cancels the transfer
Resources can be algorithms – business process, façade, etc.
– Should follow HTTP verb semantics like any other resource
– Forces good auditing habits. Example: consider the resource /Transfer
– Transfers money from one account to another
How would you model telling the printer to start printing a document?
URI Patterns
URI patterns are determined by the type of resources you have.
Categorize your resource types.
– Basic Resources
  – Simple
  – Complex
– Collection
  – Members
  – Query
  – Paging
  – Sorting
– Algorithmic
Basic Resources
Resources can be anything.
– e.g. /instructions
Resources can be nested to present a subset of data.
– e.g. /instructions/Chapter2
Collections
Collection-type resources
– Collection resources are made up of one or more members.
– List all the members of a collection, e.g. GET /Account.
– Collections can be ordered or unordered:
  – Ordered: collections have some order defined by some index. A sparse ordered collection can be missing certain keys.
  – Unordered: collections cannot be ordered by their index.
– Members are identified by ID.
  – ID can be generated by the provider: POST the member to the collection, e.g. POST /Account. The Location response header is populated with /Account/<newId>.
  – ID can be created by the client: POST to /Account/<newId>. Need to handle duplicate IDs in this case.
Query
Define the query syntax
• Examples
  – /<Collection>?filter="<logical expression>"
    – Standardize on the expression syntax
    – May be driven by the backend; for example, it could be a JPA query
  – /<Collection>?name="test"&age="33"
    – Less flexible.
    – Easier for the client to formulate.
When to use the filter query string and when to use the URI pattern?
Pagination
Pagination is essential for large collections.
– The URI pattern should include the notion of paging.
Examples:
– An ordered collection can use a common query parameter and a range to specify the page, for example in subsequent calls to
  – /<Collection>?members=[0-9]
  – /<Collection>?members=[10-19]
– Use start and count query parameters to accomplish paging. This technique works with any ordered container type.
  – /<Collection>?start=0&count=10
  – /<Collection>?start=10&count=10
– Accept-Range, Content-Range and Range headers? The HTTP spec defines Range headers, but these headers are more traditionally used for communicating ranges in terms of bytes of data, used by routers, proxies and networks to do efficient transfer.
Sorting
Collections need to be sorted.
– Sorting can be done in the client using grid widgets like those in Dojo?
– Sorting can be done by resource providers.
Ordered collections can make use of a single parameter. Example: a sort parameter to get ascending or descending order of resources sorted by some default key.
– /<Collection>?sort=ascending (ascending based on the id of the field.)
You can have a specialized parameter to indicate the sort key. The sortBy parameter can be used to sort by any field.
– When you specify the sortBy query parameter alone, ascending is assumed.
– /<Collection>?sortBy="field1"
– /<Collection>?sortBy="field2,field7"
– You can use both the sort and sortBy parameters to specify the order of the sort and the column.
– /<Collection>?sortBy="field1"&sort=ascending
– /<Collection>?sortBy="field2,field7"&sort=descending
– /<Collection>?sortBy="+field2,-field7"
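The Query, Pagination and Sorting slides above describe one query-string vocabulary; here it is implemented end to end over a collection as an added example (not the lecture's code). Field names a client may filter or sort on come from an allow-list, because the slide's "could be a JPA query" option is exactly where an unchecked field name would reach the backend; start/count paging caps the page size and emits the next/prev links the Benefits slide mentions; the "+field,-field" syntax is parsed per field. The sample employees and the MAX_COUNT value are constructed. Note that a literal "+" in a query string decodes as a space, so a real client sends it as %2B.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Allow-list of fields a client may filter or sort on. Anything else is
# rejected before it can be turned into a backend query.
ALLOWED_FIELDS = {"id", "name", "age", "dept"}
CONTROL_PARAMS = {"start", "count", "sort", "sortBy"}
MAX_COUNT = 100   # assumed cap on page size

# Constructed sample collection (not data from the lecture).
EMPLOYEES = [
    {"id": 1, "name": "Yi Li", "age": 33, "dept": "R&D"},
    {"id": 2, "name": "Zhang Ke", "age": 41, "dept": "Ops"},
    {"id": 3, "name": "Wang Fang", "age": 29, "dept": "R&D"},
    {"id": 4, "name": "Chen Hao", "age": 33, "dept": "Ops"},
    {"id": 5, "name": "Liu Mei", "age": 37, "dept": "Sales"},
]


def parse_sort(sort_by: Optional[str], sort: Optional[str]) -> List[Tuple[str, bool]]:
    """Turn sortBy="+field2,-field7" plus an optional sort=ascending|descending
    into [(field, descending), ...]. A bare sortBy means ascending; a +/- prefix
    on a field overrides the global sort direction for that field."""
    if sort not in (None, "ascending", "descending"):
        raise ValueError("sort must be 'ascending' or 'descending'")
    default_desc = sort == "descending"
    if not sort_by:
        return [("id", default_desc)]          # default key for an ordered collection
    keys = []
    for token in sort_by.strip('"').split(","):
        token = token.strip()
        desc = default_desc
        if token and token[0] in "+-":
            desc = token[0] == "-"
            token = token[1:]
        if token not in ALLOWED_FIELDS:
            raise ValueError(f"cannot sort by {token!r}")
        keys.append((token, desc))
    return keys


def query_collection(rows: List[dict], query_string: str) -> Dict:
    """Apply filter, sort and start/count paging from a query string and return
    the page plus next/prev links. Raises ValueError on any parameter the
    collection does not support."""
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    unknown = set(params) - ALLOWED_FIELDS - CONTROL_PARAMS
    if unknown:
        raise ValueError(f"unsupported parameters: {sorted(unknown)}")
    # Equality filters, /<Collection>?name="test"&age="33"; quotes are stripped.
    filters = {k: v.strip('"') for k, v in params.items() if k in ALLOWED_FIELDS}
    result = [r for r in rows if all(str(r.get(f)) == v for f, v in filters.items())]
    # Multi-key sort: sort by the least significant key first; Python's sort
    # is stable, so the earlier keys end up dominating.
    for field, desc in reversed(parse_sort(params.get("sortBy"), params.get("sort"))):
        result.sort(key=lambda r, f=field: r[f], reverse=desc)
    start = int(params.get("start", 0))
    count = min(int(params.get("count", 10)), MAX_COUNT)   # cap the page size
    if start < 0 or count < 1:
        raise ValueError("start must be >= 0 and count >= 1")
    links = {}
    if start + count < len(result):
        links["next"] = f"?start={start + count}&count={count}"
    if start > 0:
        links["prev"] = f"?start={max(0, start - count)}&count={count}"
    return {"total": len(result), "members": result[start:start + count], "links": links}
```

Rejecting unknown parameters outright is the "less flexible, easier for the client" trade-off the Query slide names: the client learns immediately that a misspelled or unsupported parameter was ignored rather than silently getting the unfiltered collection.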
Content Negotiation
Resources can have multiple representations.
– Content negotiation is the idea that a single resource can have multiple data representations.
Sometimes done informally through URI parameters:
– Using a <dot notation>, like this: /document.html and /document.json.
– Using a query parameter, like this: /myResource?format=json
Content Negotiation using the Accept Header
Content is more than format:
– Accept
– Accept-Charset
– Accept-Encoding
– Accept-Language
Flow:
– Client issues a request with the Accept header populated with one or more acceptable types.
– If no Accept header is provided, then the provider is free to serve a default.
– Provider checks the list and provides the best option.
– If none is found, 406 Not Acceptable is returned.
Precedence is determined by order and profiles.
– Accept: text/*, text/html, text/html;level=1, */*
– has the following precedence:
  1) text/html;level=1
  2) text/html
  3) text/*
  4) */*
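The flow and the precedence rule on this slide, implemented as an added example (not the lecture's code): parse the Accept header into media ranges with their q-values, score each range's specificity the way the slide's example orders them (type/subtype;param beats type/subtype beats type/* beats */*), let the most specific matching range decide each offered representation's q-value, and answer 406 when nothing is left. The list of representations the provider can produce is an assumed input; its first entry serves as the default when no Accept header is present.

```python
from typing import Dict, List, Optional, Tuple

MediaRange = Tuple[str, str, Dict[str, str], float]   # (type, subtype, params, q)


def parse_accept(header: str) -> List[MediaRange]:
    """Parse 'text/*, text/html;level=1;q=0.8' into media ranges.
    Malformed entries are skipped rather than failing the whole request."""
    ranges: List[MediaRange] = []
    for item in header.split(","):
        pieces = [p.strip() for p in item.split(";")]
        media = pieces[0].lower()
        if media.count("/") != 1:
            continue
        mtype, msub = media.split("/")
        params: Dict[str, str] = {}
        q = 1.0
        for p in pieces[1:]:
            if "=" not in p:
                continue
            k, v = (s.strip() for s in p.split("=", 1))
            if k.lower() == "q":
                try:
                    q = min(1.0, max(0.0, float(v)))
                except ValueError:
                    q = 0.0            # unparsable q: treat as not acceptable
            else:
                params[k.lower()] = v.strip('"')
        ranges.append((mtype, msub, params, q))
    return ranges


def specificity(rng: MediaRange, offer: MediaRange) -> int:
    """-1 if the range does not cover the offered type; otherwise a score where
    */* = 0, type/* = 1, type/subtype = 2, plus 1 per parameter that also matches."""
    rtype, rsub, rparams, _ = rng
    otype, osub, oparams, _ = offer
    if rtype != "*" and rtype != otype:
        return -1
    if rsub != "*" and rsub != osub:
        return -1
    if any(oparams.get(k) != v for k, v in rparams.items()):
        return -1
    return (rtype != "*") + (rsub != "*") + len(rparams)


def negotiate(accept: Optional[str], available: List[str]) -> Optional[str]:
    """Pick the representation to serve. `available` lists what the provider
    can produce, most-preferred first; its first entry is the default when no
    Accept header is present. None means answer 406 Not Acceptable."""
    if accept is None or not accept.strip():
        return available[0]
    ranges = parse_accept(accept)
    best = None  # (q, specificity, -position, offered string)
    for pos, offered in enumerate(available):
        offer = parse_accept(offered)[0]
        # The most specific matching range decides this offer's q-value.
        spec, q = max(((specificity(r, offer), r[3]) for r in ranges), default=(-1, 0.0))
        if spec < 0 or q <= 0.0:
            continue
        candidate = (q, spec, -pos, offered)
        if best is None or candidate > best:
            best = candidate
    return best[3] if best else None
```

A q-value of 0 on a specific range ("text/*;q=0") excludes those types even when a broader "*/*" would otherwise accept them, which is why the most specific match, not the first match, has to decide.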
Cache Example 1 (figures; from http://tomayko.com/writings/things-caches-do)
Cache Example 2 (figures)
Caching Tips
Caching directives should only be used on GET – since they are idempotent.
HTTP caches are typical in user environments – so nothing special needs to be set up/configured, assuming users define information correctly.
Understand your resources (and whether information can be cached – and for how long).
Calculation of entity tags isn’t easy (for dynamic data).
– See http://bitworking.org/news/150/REST-Tip-Deep-etags-give-you-more-benefits
– Static files from a web server use inode, last-modified and file size to indicate uniqueness
– One technique is to concatenate the values of key pieces and hash that string
– Databases may have unique fields (i.e. database triggers on modification) that can store revision identifiers
Optimistic Concurrency
Resource exchange.
– Holding database locks is a bad idea.
Optimistic concurrency.
– Back-end physical resources should have a version number, version column, timestamp, etc.
– Example: JPA @Version annotation
– Clients and servers exchange these versions
Options
– Communicate as part of the payload.
  – Consumers and producers only.
– Use standard HTTP headers.
  – Proxies, routers, caches… can take advantage.
Optimistic Concurrency using HTTP Headers
Consumer executes GET. Provider returns the version/timestamp in the ETag header: ETag: 874733827
Consumer executes the update through HTTP PUT and populates If-Match: 874733827
Provider reads the If-Match header and queries the version from the back end.
– Updates and returns the appropriate HTTP success code if a match is made.
– Otherwise returns 412 Precondition Failed.
Consumer may decide later to check if data is stale using If-Modified-Since. Used for conditional GET. Conditional updates use If-None-Match.
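The Caching Tips slide (concatenate key pieces and hash them into an entity tag) and this slide (ETag on GET, If-Match on PUT, 412 on mismatch) share one helper, so both are shown in a single added example that is not the lecture's code. The account table with its version column is constructed and stands in for a database with a JPA @Version field; the updatable fields are assumed. A PUT without If-Match is refused with 428 Precondition Required (RFC 6585, not on the slides) so that a client cannot bypass the check by omitting the header, and the conditional GET answers 304 when the client's tag still matches.

```python
import hashlib
import json
from typing import Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], Optional[str]]

# Constructed backend table: each row carries a version column that the
# persistence layer bumps on every write (what JPA's @Version would do).
ACCOUNTS: Dict[str, dict] = {
    "344": {"id": "344", "owner": "Yi Li", "balance": 120, "version": 3},
}
UPDATABLE = {"owner", "balance"}   # assumed: the only fields a PUT may change


def deep_etag(row: dict) -> str:
    """Entity tag from the key pieces of the row (id + version), concatenated
    and hashed, so the tag is opaque but changes whenever the row changes."""
    key = f"{row['id']}|{row['version']}".encode()
    return '"' + hashlib.sha256(key).hexdigest()[:32] + '"'


def _tags(header: Optional[str]) -> list:
    """Split a comma-separated If-Match / If-None-Match value into tags."""
    return [] if header is None else [t.strip() for t in header.split(",")]


def get_account(account_id: str, headers: Dict[str, str]) -> Response:
    """Conditional GET: a matching If-None-Match yields 304 and no body."""
    row = ACCOUNTS.get(account_id)
    if row is None:
        return 404, {}, None
    tag = deep_etag(row)
    out = {"ETag": tag, "Cache-Control": "max-age=60"}
    inm = headers.get("If-None-Match")
    if inm is not None and (inm.strip() == "*" or tag in _tags(inm)):
        return 304, out, None
    return 200, {**out, "Content-Type": "application/json"}, json.dumps(row)


def put_account(account_id: str, headers: Dict[str, str], body: str) -> Response:
    """Optimistic-concurrency update: If-Match must carry the tag the client
    last saw; a stale tag gets 412 and nothing is written."""
    row = ACCOUNTS.get(account_id)
    if row is None:
        return 404, {}, None
    if_match = headers.get("If-Match")
    if if_match is None:
        # Require the precondition so a lost update cannot happen silently.
        return 428, {}, json.dumps({"error": "If-Match header required"})
    current = deep_etag(row)
    if if_match.strip() != "*" and current not in _tags(if_match):
        return 412, {"ETag": current}, None
    try:
        changes = json.loads(body)
    except ValueError:
        return 400, {}, None
    if not isinstance(changes, dict) or not set(changes) <= UPDATABLE:
        return 400, {}, None
    if "balance" in changes and not isinstance(changes["balance"], int):
        return 400, {}, None
    row.update(changes)
    row["version"] += 1             # the backend's version column advances
    return 200, {"ETag": deep_etag(row), "Content-Type": "application/json"}, json.dumps(row)
```

Because the tag is derived from the version column rather than from wall-clock time, two writes within the same second still produce distinct tags, which is the weakness of a timestamp-only scheme.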
Links
Links to resources are considered a best practice.
However, patterns are emerging to discuss when (and how often) to return links to data (vs. the data itself).
Chattiness of requests increases network traffic and latency.
– Prior examples of distributed computing complained about “chattiness”
  – e.g. IIOP and distributed RPC
– SOA is about coarse-grained services (loosely coupled)
Reducing network calls
– Special parameter
  – http://host/service.svc/Orders?expand=OrderLines/Product,Customer,Customer/Address
  – /Order?loadRelated=LineItems
  – Very quickly starts becoming RPC
– Headers and schemas (better)
  – Accept: application/atom+xml
REST and Security – Still the Same!!!
REST is about making full use of HTTP.
– Use the standard authentication mechanisms you would for web pages.
  – Basic Auth / Form Auth / Tokens
  – LTPA, OpenID, etc.
– Use SSL for secure data like you would for a web page. Fixed encryption model (HTTPS).
– Authorization is URI-based.
  – Apply security rules to URLs and verbs like you would to web pages.
  – Examples: Servlet URI constraints, web server ACLs
– Follow Keys Security Lectures for application hardening!!
  – Unvalidated input (validate all input!!!)
  – Broken access control
  – Broken authentication and state management
  – XSS scripting
  – Buffer overflows
  – Injection flaws
  – Improper error handling
  – Insecure storage
  – Denial of service
  – Insecure configuration management
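The slide's "apply security rules to URLs and verbs" point, in the style of servlet URI constraints, as an added example that is not the lecture's code. The rule set is constructed (it reuses the employee and transfer URIs from earlier slides), the role names are assumed, and the decision codes are 401 for an unauthenticated caller and 403 Forbidden (a standard code not listed on the slides) for an authenticated one without the role. The part a practitioner most often gets wrong is shown explicitly: the path is canonicalised (query stripped, percent-decoded, repeated slashes collapsed, "." and ".." resolved) before it is matched, and any method or URI no rule grants is denied by default.

```python
import posixpath
import re
from typing import Iterable, List, Set, Tuple
from urllib.parse import unquote

# Security constraints in the style of servlet URL-pattern constraints
# (constructed rules; the employee/transfer URIs are the ones on the slides).
# Each rule: (HTTP methods, URI regex, roles allowed). First match wins.
RULES: List[Tuple[Set[str], str, Set[str]]] = [
    ({"GET", "HEAD"}, r"^/employees$", {"employee", "hr"}),
    ({"POST"}, r"^/employees$", {"hr"}),
    ({"GET", "HEAD"}, r"^/employees/[A-Za-z0-9_-]+$", {"employee", "hr"}),
    ({"PUT", "DELETE"}, r"^/employees/[A-Za-z0-9_-]+$", {"hr"}),
    ({"POST"}, r"^/transfers$", {"teller"}),
    ({"GET"}, r"^/transfers(/[0-9]+)?$", {"teller", "auditor"}),
]


def normalize_path(raw_path: str) -> str:
    """Canonicalise the request path before matching it against a rule:
    drop the query string, percent-decode once, collapse repeated slashes and
    resolve '.' and '..' so that /employees/../admin is judged as /admin."""
    path = unquote(raw_path.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def authorize(method: str, raw_path: str, roles: Iterable[str]) -> Tuple[int, str]:
    """Return (status, normalized_path): 200 to let the request through,
    401 for an unauthenticated caller, 403 otherwise. Anything not explicitly
    granted by a rule, including an unknown verb, is denied."""
    path = normalize_path(raw_path)
    granted = set(roles)
    for methods, pattern, allowed in RULES:
        if method.upper() in methods and re.match(pattern, path):
            if granted & allowed:
                return 200, path
            break                       # a rule matched, but the caller lacks the role
    if not granted:
        return 401, path
    return 403, path
```

The rules are keyed on the verb as well as the path because, as the Common Methods slide shows, the same URI means very different things under GET and DELETE; a URL-only ACL that ignores the verb grants the destructive operations along with the read.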
REST and Security – Consumer Usage
REST is used in mashup behaviour.
• Because REST services are often used in mashups, extra care should be taken in this scenario.
  – Use a server-side Ajax proxy to blacklist untrusted sites.
  – Identity propagation and translation across domains might be needed.
    • Support open standards like OpenID
    • Do identity translation at the server proxy level.
    • For example, DataPower may do identity switching between token types.
  – Inspect third-party content for malicious JavaScript.
    • Clients should parse JSON from untrusted sources instead of doing a direct eval.
Is WS-* Dead?
Developers prefer REST
– “Amazon has both SOAP and REST interfaces to their web services, and 85% of their usage is of the REST interface.” — Tim O’Reilly
And even WS-* advocates agree
– “For applications that require Internet scalability (e.g., mass consumer-oriented services), plain old XML (POX) is a much better solution than WS-*.” — Anne Thomas Manes
Extending SOA with Web 2.0 – RESTful SOA
Web 2.0 is an extension of SOA; the two complement each other. RESTful SOA is an Internet-oriented service architecture that follows SOA principles and design philosophy. From a technical standpoint it has the following characteristics:
– Makes full use of existing Internet technologies and infrastructure
– Mainly uses REST to represent and access services
– Adopts simple data formats such as JSON, XML or ATOM feeds
– Uses AJAX to deliver a rich user experience.
Main advantages of RESTful SOA:
– Simple: uses a limited set of simple, widely accepted technologies, e.g. HTTP/HTTPS as the transport protocol.
– Easy to use: a simple programming model.
– Ubiquitous: built on widely accepted technologies; a large number of examples can be found on the Internet.
– Scalable: makes full use of proven Internet infrastructure, such as caching, to build large-scale distributed computing systems.
Combining Enterprise SOA and RESTful SOA
Enterprise SOA and WS-* technologies focus more on interoperability between heterogeneous systems, for example:
– WS-Security provides end-to-end security services in distributed systems
– WS-Addressing provides transport-protocol-independent endpoint description
– WS-I standards guarantee interoperability between different Web service frameworks.
RESTful SOA focuses more on service accessibility and consumability. It can extend the core services and information assets of enterprise SOA to the Web, and extend business processes into the business community, further raising the value of SOA.
[Figure: Web side (REST, JSON, XML, RSS, ATOM) next to the Enterprise side (DB2, Legacy, CICS, IMS; J2EE app servers WAS, CE, Tomcat; WPS, ESB, Portal; SOAP/WS-*, JMS/MOM, REST)]
From Open API to Next Generation Open Business Model
Reference
Architectural Styles and the Design of Network-based Software Architectures
How I Explained REST to My Wife
http://www.infoq.com/cn/articles/webber-rest-workflow
http://www.china-pub.com/39902&ref=ps
Caching
Resources on web caching
– http://www.mnot.net/cache_docs/
– http://tomayko.com/writings/things-caches-do
– http://www.peej.co.uk/articles/http-caching.html