Implementing RESTful Services With WCF 3.5 SP1 Security, Scalability and Controlling the URI (Part 2 of 2)

Upload: dallon

Post on 11-Feb-2016

DESCRIPTION

Implementing RESTful Services With WCF 3.5 SP1: Security, Scalability and Controlling the URI (Part 2 of 2). Session Objectives And Takeaways. Go a level deeper than we did in Part 1. Describe how optional HTTP features like caching and conditional GET impact scalability. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Session Objectives And Takeaways

Implementing RESTful Services With WCF 3.5 SP1
Security, Scalability and Controlling the URI (Part 2 of 2)

Page 2: Session Objectives And Takeaways

Session Objectives And Takeaways

Go a level deeper than we did in Part 1
Describe how optional HTTP features like caching and conditional GET impact scalability
Explain how you can fully control the URI
Consider options for securing RESTful services
Learn about the updates to WCF in 3.5 SP1

Page 3: Session Objectives And Takeaways

Agenda

What is REST and why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?

Page 4: Session Objectives And Takeaways

Why REST?

REST is an architectural style for implementing services with the simple and open model of the web
SOAP is a protocol that delivers a rich messaging model independent of the transport

Slide comparison, SOAP vs REST, of the client needed to call the same service: WCF Test Client on the SOAP side; Notepad and Internet Explorer on the REST side.
Figures shown on the slide: 5 HTTP messages, 18,604 bytes, "You entered: 1"

Page 5: Session Objectives And Takeaways

Agenda

What is REST and why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?

Page 6: Session Objectives And Takeaways

Information Architecture

URI                        Verb     Collection     Action
/wine                      POST     Wine           Create
/wine/{wineId}             GET      Wine           Read
/wine/{wineId}             PUT      Customers      Update
/wine/{wineId}             DELETE   Customers      Delete
/wine/series/{seriesId}    GET      Wine Series    Read
/wine/{wineId}/reviews     GET      Wine Reviews   Read
/wine/{wineId}/reviews     POST     Wine Reviews   Create

Page 7: Session Objectives And Takeaways

Default WCF Web URI

http://localhost/service.svc/method?arg1=1

Scheme: http
Authority: localhost
.svc file path: /service.svc
Method name: method
Query arguments: ?arg1=1

Page 8: Session Objectives And Takeaways

WCF 3.5 UriTemplates

UriTemplate allows you to override the default
Arguments are bound by name

[OperationContract]
[WebGet(UriTemplate = "Wine/{wineId}")]
WineData GetWine(string wineId);

http://localhost/service.svc/Wine/1

Page 9: Session Objectives And Takeaways

New in WCF 3.5 SP1

Default values for template items
Cannot be used for query string values

[OperationContract]
[WebGet(UriTemplate = "Wine/{wineID=17}")]
WineData GetWine(string wineID);

Page 10: Session Objectives And Takeaways

New in WCF 3.5 SP1

Compound template segments

[OperationContract]
[WebGet(UriTemplate = "wine({wineID})")]
WineData GetWine(string wineID);

http://localhost/service.svc/wine(17)
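The three template forms from the slides above, exercised with the UriTemplate class from System.ServiceModel.Web. This is an added example, not code from the deck; the base address, the candidate URIs and the first-match loop are assumptions for illustration.

```csharp
using System;
using System.ServiceModel.Web;

class UriTemplateDemo
{
    // Base address of the .svc endpoint; the templates are relative to it.
    static readonly Uri BaseAddress = new Uri("http://localhost/service.svc");

    // Tries each template in order and returns the bound wineId of the first
    // match (an SP1 default value counts as bound), or null when nothing matches.
    public static string MatchWineId(string[] templates, Uri candidate)
    {
        foreach (string template in templates)
        {
            UriTemplateMatch match = new UriTemplate(template).Match(BaseAddress, candidate);
            if (match != null)
            {
                // BoundVariables is keyed by template variable name, case-insensitively.
                return match.BoundVariables["wineId"];
            }
        }
        return null;
    }

    static void Main()
    {
        string[] templates =
        {
            "Wine/{wineId}",      // plain template segment, argument bound by name
            "Wine/{wineId=17}",   // SP1: default value when the segment is omitted
            "wine({wineId})"      // SP1: compound segment, literal text around the variable
        };
        string[] candidates =    // constructed request URIs
        {
            "http://localhost/service.svc/Wine/1",
            "http://localhost/service.svc/Wine",      // only the default-value template matches
            "http://localhost/service.svc/wine(17)",  // only the compound template matches
            "http://localhost/service.svc/Beer/1"     // no template matches
        };
        foreach (string c in candidates)
        {
            Console.WriteLine("{0} -> {1}", c, MatchWineId(templates, new Uri(c)) ?? "(no match)");
        }
    }
}
```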

Page 12: Session Objectives And Takeaways

Demo: Controlling the URI

Page 13: Session Objectives And Takeaways

Agenda

What is REST and why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?

Page 14: Session Objectives And Takeaways

Message Schema

Option 1: Basic Atom Feed
Standardized syndication schema
WCF 3.5 SP1 supports all Atom Publishing Protocol types

Option 2: Custom Service Schema
You create your own schema for messages using DataContracts or XSD
See the Part 1 session for examples

Page 15: Session Objectives And Takeaways

microformats

Standards for common human-readable data in (X)HTML
hCard, hCalendar, etc.

<div id="" class="vcard">
  <a class="url fn n" href="http://www.cohowinery.net">
    <div class="org">Coho Winery</div>
  </a>
  <a class="email" href="mailto:[email protected]">[email protected]</a>
  <div class="adr">
    <div class="street-address">555 Wine Lane</div>
    <span class="locality">Napa</span>
    <span class="region">CA</span>
    <span class="postal-code">94558</span>
    <span class="country-name">USA</span>
  </div>
  <div class="tel">800-555-1212</div>
</div>

Page 16: Session Objectives And Takeaways

Demo: Basic Atom Feed

Page 17: Session Objectives And Takeaways

Content Negotiation

Allow the client to ask for the format they want
Accept header
Extension
Query string

Fixed content format
Attribute your WCF service

Page 18: Session Objectives And Takeaways

Demo: Content Negotiation

Page 19: Session Objectives And Takeaways

Agenda

What is REST and why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?

Page 20: Session Objectives And Takeaways

Caching

Client side
Controlled by HTTP headers
Cache-Control: instructions to the client-side cache
Expires

Server side
HttpRuntime.Cache
"Velocity" distributed cache (CTP1 now available)

Page 21: Session Objectives And Takeaways

Conditional Get

GET this data if...

If-Modified-Since: (Date)
Return the data only if it has been modified since (Date)

If-None-Match: (ETag)
Return the data only if there isn't one with this ETag

Saves bandwidth by not transmitting old data
Response.SuppressEntityBody
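An added example, not from the deck, of a WCF 3.5 SP1 WebGet operation that applies the caching and conditional GET headers from the two slides above: it emits Cache-Control, Expires, ETag and Last-Modified, and answers a matching If-None-Match or If-Modified-Since with a bodiless 304 via SuppressEntityBody. WineService, WineData, the version stamp and the sample data are constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Web;

[DataContract] public class WineData { [DataMember] public string Id; [DataMember] public string Name; }

[ServiceContract]
public class WineService
{
    // Constructed version stamp (whole seconds, as HTTP dates carry no finer precision).
    static readonly DateTime LastChange = new DateTime(2008, 9, 1, 12, 0, 0, DateTimeKind.Utc);

    [OperationContract]
    [WebGet(UriTemplate = "Wine/{wineId}")]
    public WineData GetWine(string wineId)
    {
        IncomingWebRequestContext request = WebOperationContext.Current.IncomingRequest;
        OutgoingWebResponseContext response = WebOperationContext.Current.OutgoingResponse;
        string etag = "\"" + wineId + "-" + LastChange.Ticks + "\"";   // opaque, quoted validator
        if (IsNotModified(request.Headers[HttpRequestHeader.IfNoneMatch],
                          request.Headers[HttpRequestHeader.IfModifiedSince], etag, LastChange))
        {
            response.StatusCode = HttpStatusCode.NotModified;
            response.SuppressEntityBody = true;   // 304 carries validators only, no entity body
            return null;
        }
        response.Headers[HttpResponseHeader.ETag] = etag;
        response.LastModified = LastChange;
        response.Headers[HttpResponseHeader.CacheControl] = "public, max-age=3600";
        response.Headers[HttpResponseHeader.Expires] = DateTime.UtcNow.AddHours(1).ToString("R");
        return new WineData { Id = wineId, Name = "Coho Winery Reserve" };   // constructed data
    }

    // Evaluates the conditional headers; static so it can be unit-tested without a host.
    // If-None-Match takes precedence over If-Modified-Since when both are present.
    public static bool IsNotModified(string ifNoneMatch, string ifModifiedSince, string etag, DateTime lastModified)
    {
        if (!string.IsNullOrEmpty(ifNoneMatch))
        {
            foreach (string tag in ifNoneMatch.Split(',')) if (tag.Trim() == etag || tag.Trim() == "*") return true;
            return false;   // header present but no tag matched: send the entity
        }
        DateTime since;
        return DateTime.TryParse(ifModifiedSince, CultureInfo.InvariantCulture,
                                 DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out since)
               && lastModified <= since;
    }
}
```

Host it with WebServiceHost; a second GET that echoes the ETag in If-None-Match gets a 304 with an empty body, which is the bandwidth saving the slide refers to.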

Page 22: Session Objectives And Takeaways

Demo: Caching / Conditional GET

Page 23: Session Objectives And Takeaways

Agenda

What is REST and why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?

Page 24: Session Objectives And Takeaways

Security Scenarios

Developer / App Authorization
Authorizes an application to access RESTful services

Third Party Access
Application or site accessing a protected resource on behalf of another

Human RIA User
Accessing a protected resource from an Ajax or Silverlight web page using a cookie

Page 25: Session Objectives And Takeaways

Developer / App Authorization

Control access to public services
Allows you to revoke access if necessary

Developer is issued a token or application ID (or both)
Verify email and acceptance of license
Each request requires the token to be sent

URI may also include a signature to prevent request tampering
Tokens may be sent in the URI or Authorization header
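An added example, not from the deck, of the server-side check behind the slide above: the application ID travels in the URI, the app's shared secret signs the URI, and a revoked ID fails by simply no longer being in the registry. The registry, the appId/ts/sig parameter names, the five-minute freshness window and the secret are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;   // HttpUtility; reference System.Web.dll
public static class SignedRequestValidator
{
    // Hypothetical registry of issued application IDs and secrets (constructed values); revoking an app removes its entry.
    static readonly Dictionary<string, string> Secrets =
        new Dictionary<string, string> { { "app-42", "constructed-shared-secret" } };
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Canonical form covered by the signature: path plus every query parameter except sig, sorted by name.
    public static string StringToSign(Uri uri)
    {
        var q = HttpUtility.ParseQueryString(uri.Query);
        string[] keys = q.AllKeys;
        Array.Sort(keys, StringComparer.Ordinal);
        var sb = new StringBuilder(uri.AbsolutePath);
        foreach (string k in keys)
            if (k != null && k != "sig") sb.Append('&').Append(k).Append('=').Append(q[k]);
        return sb.ToString();
    }

    // HMAC-SHA256 over the canonical string, hex-encoded so it is URI-safe without escaping.
    public static string Sign(string data, string secret)
    {
        using (var h = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "").ToLowerInvariant();
    }

    // Accepts only if appId is still issued, ts is within five minutes of the server clock
    // (bounds replay of a captured URI) and sig matches the canonical string.
    public static bool IsValid(Uri requestUri, DateTime nowUtc)
    {
        var q = HttpUtility.ParseQueryString(requestUri.Query);
        string appId = q["appId"], sig = q["sig"], secret;
        long unix;
        if (appId == null || sig == null || !long.TryParse(q["ts"], out unix)) return false;
        if (!Secrets.TryGetValue(appId, out secret)) return false;   // unknown or revoked app
        if (Math.Abs((nowUtc - Epoch.AddSeconds(unix)).TotalMinutes) > 5) return false;
        return FixedTimeEquals(Sign(StringToSign(requestUri), secret), sig);
    }

    // Compares every character so timing does not reveal how much of sig was right.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A client builds the URI with appId and ts, computes Sign(StringToSign(uri), secret) and appends it as sig; changing any path segment or parameter afterwards makes IsValid return false.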

Page 26: Session Objectives And Takeaways

OAuth (Open Authentication)

An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.

OAuth.net
Allows users to grant access to protected resources without having to give credentials to third parties
MySpace WCF Implementation
RestChess.com

Page 27: Session Objectives And Takeaways

Human RIA User

Authentication
Ajax authentication service is enabled
Human signs in to web site with script that calls Sys.Services.AuthenticationService.Login
Authorization token returned in cookie
Client side script accesses protected resources using cookie

Authorization
Server authorizes client requests by placing a web.config file in the folder with the resource

Page 28: Session Objectives And Takeaways

Demo: Human RIA Security

Page 29: Session Objectives And Takeaways

Summary

RESTful services work the way the Web works
Sharing your data with the world works

Focus on simple and open ideas first
Choose broad adoption over elegant design

Embrace the protocol of the web: HTTP
Understand its semantics
Use it as designed

Page 30: Session Objectives And Takeaways

Page 31: Session Objectives And Takeaways

Appendix

Page 32: Session Objectives And Takeaways

WCF Test Client

Page 33: Session Objectives And Takeaways

Fiddler Proxy

Page 34: Session Objectives And Takeaways

Yahoo Web Search Service

Page 35: Session Objectives And Takeaways

Notepad Service Client?

Page 36: Session Objectives And Takeaways

Adventure Works Customer Get