Slide 1

Slide 1 text

HTTP: Digested Part 1 Ben Ramsey 12 March 2010

Slide 2

Slide 2 text

Hi, I’m Ben …

Slide 3

Slide 3 text

Why HTTP?

Slide 4

Slide 4 text

Because you are a web developer.

Slide 5

Slide 5 text

HTTP is the Web.

Slide 6

Slide 6 text

• HTTP Basics
• Advanced HTTP

Slide 7

Slide 7 text

HTTP Basics

Slide 8

Slide 8 text

Some properties of HTTP …

Slide 9

Slide 9 text

• A client-server architecture
• Atomic
• Cacheable
• A uniform interface
• Layered
• Code on demand

Slide 10

Slide 10 text

Now, what does that sound like?

Slide 11

Slide 11 text

REST!

Slide 12

Slide 12 text

First, a word about semantics.

Slide 13

Slide 13 text

1 User requests a page above their authorization level.

Slide 14

Slide 14 text

2 User is redirected to a login page where they are prompted to increase their authorization level.

Slide 15

Slide 15 text

1 (request)

GET /protected/content/1234 HTTP/1.1
Host: example.org

2 (response)

HTTP/1.1 302 Found
Date: Thu, 05 Nov 2009 17:34:24 GMT
Server: Apache/2.2.14 (Unix) PHP/5.3.0
X-Powered-By: PHP/5.3.0
Location: /login
Content-Length: 0
Content-Type: text/html; charset=utf-8

Slide 16

Slide 16 text

The resource requested is found at another location?

Slide 17

Slide 17 text

The semantics are all wrong.

Slide 18

Slide 18 text

Tools

Slide 19

Slide 19 text

Language extensions and libraries
• Ruby: net/http
• Python: httplib (http.client in 3.0)
• Java: java.net.HttpURLConnection
• .NET: ???
• PHP: cURL, fopen wrappers, sockets, pecl/pecl_http, header()

Slide 20

Slide 20 text

HTTP Inspectors: FireBug

Slide 21

Slide 21 text

HTTP Inspectors: Chrome

Slide 22

Slide 22 text

HTTP Inspectors: Charles

Slide 23

Slide 23 text

Telnet

Slide 24

Slide 24 text

HTTP Methods

Slide 25

Slide 25 text

GET
• You know GET
• Retrieval of information
• Think about it as a copy operation
• Copies a representation of a resource from the server to the client
• Safe & idempotent

Slide 26

Slide 26 text

GET /user/ramsey HTTP/1.1
Host: atom.example.org

HTTP/1.1 200 OK
Date: Tue, 22 Sep 2009 17:28:14 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Content-Length: 594
Content-Type: application/atom+xml;type=entry

ramsey ...

Slide 27

Slide 27 text

POST
• You know POST
• The body content should be accepted as a new subordinate of the resource
• Think about it as a paste-after operation
• Transfers a representation from the client to the server, pasting it after (beneath) the resource on the server
• Neither safe nor idempotent

Slide 28

Slide 28 text

POST /user HTTP/1.1
Host: atom.example.org
Content-Type: application/atom+xml;type=entry
Content-Length: 474

ramsey ...

Slide 29

Slide 29 text

HTTP/1.1 201 Created
Date: Tue, 22 Sep 2009 17:39:06 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Location: http://atom.example.org/user/ramsey
Content-Length: 133
Content-Type: text/html; charset=utf-8

The content was created at the location http://atom.example.org/user/ramsey

Slide 30

Slide 30 text

HEAD
• Identical to GET, except…
• Returns only the headers, not the body
• Useful for getting details about a resource representation before retrieving the full representation
• Safe & idempotent

Slide 31

Slide 31 text

HEAD /content/1234.mp4 HTTP/1.1
Host: atom.example.org

HTTP/1.1 200 OK
Date: Tue, 22 Sep 2009 17:28:14 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Content-Length: 12334753
Content-Type: application/mp4

Slide 32

Slide 32 text

PUT
• Opposite of GET
• Storage of information
• Think of it as a paste-over operation
• Transfers a representation of a resource from the client to the server and pastes over the resource that is on the server
• Not safe
• Idempotent

Slide 33

Slide 33 text

PUT /user/ramsey HTTP/1.1
Host: atom.example.org
Content-Type: application/atom+xml;type=entry
Content-Length: 594

ramsey ...

Slide 34

Slide 34 text

DELETE
• Think of it as a cut operation
• Requests that the identified resource be cut (removed from public access)
• Not safe
• Idempotent

Slide 35

Slide 35 text

DELETE /content/1234 HTTP/1.1
Host: example.org

HTTP/1.1 204 No Content
Date: Tue, 22 Sep 2009 18:06:37 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Content-Length: 0

Slide 36

Slide 36 text

What the hell are safe & idempotent methods?

Slide 37

Slide 37 text

Safe methods
• GET & HEAD should not take action other than retrieval
• These are considered safe
• This lets user agents represent POST, PUT & DELETE in a special way, so the user is made aware that a request with side effects is about to be made
• The contract cuts both ways: a GET handler that changes state (delete-on-GET links, state-changing query strings) is exactly what link prefetchers, crawlers and cross-site <img> requests will trigger without any user intent

Slide 38

Slide 38 text

Idempotence
• The side effects of N > 0 identical requests are the same as for a single request
• GET, HEAD, PUT and DELETE share this property
• OPTIONS and TRACE should have no side effects at all, so they are inherently idempotent
• Idempotence is about server state, not about identical responses: a second DELETE of the same resource may answer 404 while the state is unchanged
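The safe and idempotent properties from this slide and the previous one are easier to see when the handler is in front of you. The store below is an added example of mine, not code from the talk: an in-memory resource handler where GET/HEAD, PUT, POST and DELETE behave as the method slides describe, replayed once and several times so the resulting server state can be compared. The paths and the Atom-style body are constructed for the example.

```python
# Added example, not from the talk: a toy in-memory resource handler in
# which the safe/idempotent properties can be observed directly. Paths,
# status codes and the Atom-style body are constructed for illustration.


class ResourceStore:
    """PUT and DELETE address an exact URI ("paste over", "cut"); POST appends
    a new subordinate under a collection URI ("paste after")."""

    def __init__(self):
        self.resources = {}   # path -> representation bytes
        self.next_id = 1      # numbering for subordinates created by POST

    def handle(self, method, path, body=b""):
        """Dispatch one request and return (status, headers, body)."""
        if method in ("GET", "HEAD"):
            if path not in self.resources:
                return 404, {}, b""
            rep = self.resources[path]
            headers = {"Content-Length": str(len(rep))}
            # HEAD is GET without the body; neither touches server state.
            return 200, headers, (rep if method == "GET" else b"")
        if method == "PUT":
            created = path not in self.resources
            self.resources[path] = body                 # replace whatever was there
            return (201 if created else 204), {}, b""
        if method == "POST":
            new_path = "%s/%d" % (path, self.next_id)   # fresh subordinate each time
            self.next_id += 1
            self.resources[new_path] = body
            return 201, {"Location": new_path}, b""
        if method == "DELETE":
            if path not in self.resources:
                return 404, {}, b""                     # state unchanged, status differs
            del self.resources[path]
            return 204, {}, b""
        return 405, {"Allow": "GET, HEAD, PUT, POST, DELETE"}, b""


def state_after(requests):
    """Replay (method, path, body) tuples against a fresh store and return
    the final resource map plus the status code of every response."""
    store = ResourceStore()
    statuses = [store.handle(m, p, b)[0] for (m, p, b) in requests]
    return dict(store.resources), statuses


def check_properties():
    """Compare the server state left by one request with that left by N
    identical ones. Idempotence is about that state, not about the responses."""
    entry = b"<entry><title>ramsey</title></entry>"   # constructed body
    put = ("PUT", "/user/ramsey", entry)
    delete = ("DELETE", "/user/ramsey", b"")
    post = ("POST", "/user", entry)
    reads = [("GET", "/user/ramsey", b""), ("HEAD", "/user/ramsey", b"")]

    put_once, _ = state_after([put])
    put_thrice, put_statuses = state_after([put] * 3)
    del_once, _ = state_after([put, delete])
    del_twice, del_statuses = state_after([put] + [delete] * 2)
    post_once, _ = state_after([post])
    post_twice, _ = state_after([post] * 2)
    read_after, _ = state_after([put] + reads * 3)

    return {
        "get_head_safe": read_after == put_once,
        "put_idempotent": put_thrice == put_once,
        "put_statuses": put_statuses,                 # 201, then 204, 204
        "delete_idempotent": del_twice == del_once,
        "delete_statuses": del_statuses,              # 201, 204, then 404
        "post_idempotent": post_twice == post_once,   # False: two subordinates now exist
        "post_paths": sorted(post_twice),
    }
```

The point to notice in `check_properties()` is the DELETE pair: the second DELETE gets a different status code (404 instead of 204), yet the method is still idempotent because the server ends up in the same state. POST is the odd one out: each repeat creates another subordinate.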

Slide 39

Slide 39 text

HTTP Status Codes

Slide 40

Slide 40 text

• Informational (1xx)
• Successful (2xx)
• Redirection (3xx)
• Client error (4xx)
• Server error (5xx)

Slide 41

Slide 41 text

You’re familiar with 200, 404, and 302.

Slide 42

Slide 42 text

Advanced HTTP

Slide 43

Slide 43 text

The created at another location response

Slide 44

Slide 44 text

1 (request)

POST /content/videos HTTP/1.1
Host: example.org
Content-Type: video/mp4
Content-Length: 115910000
Authorization: Basic bWFkZTp5b3VfbG9vaw==

{binary video data}

Slide 45

Slide 45 text

2 (response)

HTTP/1.x 201 Created
Date: Thu, 21 May 2009 23:05:34 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Content-Length: 120
Content-Type: text/html
Location: http://example.org/content/videos/1234

Video uploaded! Go here to see it.

Slide 46

Slide 46 text

The “it’s not you it’s me” response

Slide 47

Slide 47 text

i.e. I’ve accepted it but might have to do more processing

Slide 48

Slide 48 text

2 (response)

HTTP/1.x 202 Accepted
Date: Thu, 21 May 2009 23:05:34 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Content-Length: 137
Content-Type: text/html
Location: http://example.org/content/videos/1234/status

Video processing! Check here for the status.

Slide 49

Slide 49 text

The “I have nothing to say to you” response …

Slide 50

Slide 50 text

… but you were still successful

Slide 51

Slide 51 text

1 (request)

DELETE /content/videos/1234 HTTP/1.1
Host: example.org
Authorization: Basic bWFkZTp5b3VfbG9vaw==

Slide 52

Slide 52 text

2 (response)

HTTP/1.x 204 No Content
Date: Thu, 21 May 2009 23:28:34 GMT

Slide 53

Slide 53 text

The ranged request

Slide 54

Slide 54 text

• Used when a client asks for a range of bytes from a resource (resuming a download, playing a video from an offset)
• Determine whether a server supports range requests with a HEAD request: Accept-Ranges: bytes means yes; Accept-Ranges: none, or no header at all, means don't bother
• A satisfiable range is answered with 206 Partial Content and a Content-Range header saying which bytes came back; a range that lies entirely outside the resource gets 416 Requested Range Not Satisfiable

Slide 55

Slide 55 text

1 (request)

HEAD /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1
Host: farm3.static.flickr.com

Slide 56

Slide 56 text

2 (response)

HTTP/1.0 200 OK
Date: Mon, 05 May 2008 00:33:14 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3980
Content-Type: image/jpeg

Slide 57

Slide 57 text

3 (request)

GET /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1
Host: farm3.static.flickr.com
Range: bytes=0-999

Slide 58

Slide 58 text

4 (response)

HTTP/1.0 206 Partial Content
Date: Mon, 05 May 2008 00:36:57 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 1000
Content-Range: bytes 0-999/3980
Content-Type: image/jpeg

{binary data}
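The exchange above shows the happy path only. The code below is an added example of mine, not from the talk: the server side of a single-range Range request, covering the three forms a client can send (first-last, open-ended, suffix), the 416 answer for an unsatisfiable range, and the rule that a malformed Range header is simply ignored. The 3980-byte image body is constructed to match the Content-Length in the exchange; real servers serve it from disk.

```python
import re

# Added example, not from the talk. Single byte-range only; multi-range
# requests (multipart/byteranges responses) are out of scope here.
_BYTE_RANGE = re.compile(r"^bytes=(\d*)-(\d*)$")


def parse_range(header, total):
    """Interpret a single-range 'Range' value against a `total`-byte resource.

    Returns (first, last), both inclusive, when the range is satisfiable;
    None when the header is absent or syntactically invalid (then the whole
    resource is served with 200, as RFC 7233 requires for a bad Range);
    raises ValueError when the range is well-formed but lies outside the
    resource (answer 416).
    """
    if header is None:
        return None
    m = _BYTE_RANGE.match(header.strip())
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return None
    if total == 0:
        raise ValueError("no byte of an empty resource is satisfiable")
    first, last = m.group(1), m.group(2)
    if first == "":
        # suffix range "bytes=-500": the final 500 bytes
        suffix = int(last)
        if suffix == 0:
            raise ValueError("suffix-length of 0 is unsatisfiable")
        return max(total - suffix, 0), total - 1
    first = int(first)
    if first >= total:
        raise ValueError("first-byte-pos beyond end of resource")
    last = total - 1 if last == "" else min(int(last), total - 1)
    if last < first:
        return None        # last < first is a syntax error, so the header is ignored
    return first, last


def range_response(data, range_header):
    """Build (status, headers, body) for a GET of `data` with an optional
    Range header: 200 with everything, 206 with the slice, or 416."""
    total = len(data)
    headers = {"Accept-Ranges": "bytes"}
    try:
        rng = parse_range(range_header, total)
    except ValueError:
        headers["Content-Range"] = "bytes */%d" % total   # tells the client the real size
        return 416, headers, b""
    if rng is None:
        headers["Content-Length"] = str(total)
        return 200, headers, data
    first, last = rng
    body = data[first:last + 1]
    headers["Content-Length"] = str(len(body))
    headers["Content-Range"] = "bytes %d-%d/%d" % (first, last, total)
    return 206, headers, body


# Constructed 3980-byte stand-in for the JPEG in the exchange above.
IMAGE = b"\xff\xd8" + b"\x00" * 3978
```

Two details matter in practice: a last-byte-pos past the end of the resource is clamped rather than rejected (so "bytes=0-99999" on a 3980-byte file returns all of it as a 206), and the 416 carries `Content-Range: bytes */3980` so a client that guessed the size wrong can retry sensibly.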

Slide 59

Slide 59 text

End of Part 1

Slide 60

Slide 60 text

Please, turn the record over to listen to side B.

Slide 61

Slide 61 text

Thank you! Ben Ramsey benramsey.com Twitter: @ramsey Rate this talk: joind.in/1395

Slide 62

Slide 62 text

HTTP: Digested Part 2 Ben Ramsey 12 March 2010

Slide 63

Slide 63 text

Picking up where we left off …

Slide 64

Slide 64 text

The GET me from another location response

Slide 65

Slide 65 text

• 303 See Other
• The response to your request can be found at another URL identified by the Location header
• The client should make a GET request on that URL
• The Location is not a substitute for this URL

Slide 66

Slide 66 text

1 (request)

POST /contact HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 1234

{url-encoded form values from a contact form}

Slide 67

Slide 67 text

2 (response)

HTTP/1.1 303 See Other
Date: Tue, 22 Sep 2009 23:41:33 GMT
Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Location: http://example.org/thankyou
Content-Length: 0

Slide 68

Slide 68 text

The find me temporarily at this place response

Slide 69

Slide 69 text

• 307 Temporary Redirect
• The resource resides temporarily at the URL identified by the Location
• The Location may change, so don't update your links
• The request is repeated against the new URL with the same method and body
• If the request is not GET or HEAD, then you must allow the user to confirm the action

Slide 70

Slide 70 text

The permanent forwarding address response

Slide 71

Slide 71 text

• 301 Moved Permanently
• The resource has moved permanently to the URL indicated by the Location header
• You should update your links accordingly
• Great for forcing search engines, etc. to index the new URL instead of this one

Slide 72

Slide 72 text

But what about just finding the resource at another location?

Slide 73

Slide 73 text

• 302 Found
• The resource has been found at another URL identified by the Location header
• The new URL might be temporary, so the client should continue to use this URL
• For requests other than GET or HEAD, the spec says the redirect SHOULD be confirmed by the user (in practice, browsers don't respect this and simply issue a GET to the new URL, which is why 303 and 307 exist: they say unambiguously what the client should do)
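The four redirect slides above describe what a client is supposed to do with each status; the code below is an added example of mine, not from the talk, that writes those rules down as a redirect-following routine: Location resolution (the slides use both absolute and relative Locations), the method a client keeps or switches to for 301/302/303/307, the spec-versus-browser behaviour on 302, a hop limit and loop detection. The canned responses stand in for a network and replay the contact-form and login flows from the slides; the rule that credentials are dropped when a redirect leaves the original host is my assumption, not something the talk states.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not from the talk. `strict=True` follows RFC 2616 literally;
# `strict=False` mimics what browsers actually do on 301/302.
MAX_REDIRECTS = 5
REDIRECTS = (301, 302, 303, 307)


def next_request(method, status, location, request_url, headers, strict=True):
    """Work out the follow-up request for a 3xx response.

    Returns (method, url, headers, needs_confirmation). In strict mode
    301/302/307 keep the method and require the user to confirm anything
    other than GET/HEAD; 303 always becomes GET (HEAD stays HEAD). With
    strict=False a 301/302 to a non-GET request silently turns into a GET.
    """
    target = urljoin(request_url, location)     # Location may be relative, e.g. "/login"
    new_headers = dict(headers)
    if urlsplit(target).netloc != urlsplit(request_url).netloc:
        # Assumption for this example: credentials never follow a redirect
        # to a different host, so an attacker-controlled Location can't harvest them.
        new_headers.pop("Authorization", None)
    unsafe = method not in ("GET", "HEAD")
    if status == 303:
        return ("HEAD" if method == "HEAD" else "GET"), target, new_headers, False
    if status in (301, 302):
        if unsafe and not strict:
            return "GET", target, new_headers, False
        return method, target, new_headers, unsafe
    if status == 307:
        return method, target, new_headers, unsafe
    raise ValueError("status %d is not a redirect this example handles" % status)


def follow(method, url, responses, headers=None, strict=True, confirm=lambda m, u: True):
    """Walk canned responses {url: (status, headers)} the way a client would,
    with a hop limit and loop detection. Returns (status, url, method, hops)."""
    headers = dict(headers or {})
    seen = []
    for _ in range(MAX_REDIRECTS + 1):
        status, resp_headers = responses[url]
        if status not in REDIRECTS:
            return status, url, method, len(seen)
        if url in seen:
            raise RuntimeError("redirect loop at %s" % url)
        seen.append(url)
        method, url, headers, needs_confirm = next_request(
            method, status, resp_headers["Location"], url, headers, strict)
        if needs_confirm and not confirm(method, url):
            raise RuntimeError("user declined to repeat %s against %s" % (method, url))
    raise RuntimeError("more than %d redirects" % MAX_REDIRECTS)


# Constructed responses standing in for a server: the contact-form and
# login flows from the slides, plus a loop.
CANNED = {
    "http://example.org/contact": (303, {"Location": "http://example.org/thankyou"}),
    "http://example.org/thankyou": (200, {}),
    "http://example.org/protected/content/1234": (302, {"Location": "/login"}),
    "http://example.org/login": (200, {}),
    "http://example.org/a": (302, {"Location": "/b"}),
    "http://example.org/b": (302, {"Location": "/a"}),
}
```

Calling `follow("POST", "http://example.org/contact", CANNED)` reproduces the 303 flow: the POST becomes a GET of /thankyou. The same POST answered with a 302 would, in strict mode, stop and ask the user; with `strict=False` it is turned into a GET without asking, which is the browser behaviour the slide complains about.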

Slide 74

Slide 74 text

The login required response

Slide 75

Slide 75 text

Remember this?

1 User requests a page above their authorization level.

GET /protected/content/1234 HTTP/1.1
Host: example.org

Slide 76

Slide 76 text

Remember this?

2 User is redirected to a login page where they are prompted to increase their authorization level.

HTTP/1.1 302 Found
Date: Thu, 05 Nov 2009 17:34:24 GMT
Server: Apache/2.2.14 (Unix) PHP/5.3.0
X-Powered-By: PHP/5.3.0
Location: /login
Content-Length: 0
Content-Type: text/html; charset=utf-8

Slide 77

Slide 77 text

A more semantic way

1 (request)

GET /protected/content/1234 HTTP/1.1
Host: example.org

Slide 78

Slide 78 text

A more semantic way

2 (response)

HTTP/1.1 401 Unauthorized
Date: Thu, 05 Nov 2009 18:31:33 GMT
Server: Apache/2.2.14 (Unix) PHP/5.3.0
X-Powered-By: PHP/5.3.0
WWW-Authenticate: HTML form="login"
Content-Length: 421
Content-Type: text/html; charset=utf-8

Slide 79

Slide 79 text

A more semantic way

3 The body of the 401 response is the login form itself:

You must log in
Username
Password

Slide 80

Slide 80 text

• Doesn’t imply the resource exists at another location
• Tells clients the resource requires authorization
• Clearly tells crawlers they can’t access the resource
• Was originally in HTML5: http://blog.whatwg.org/this-week-in-html-5-episode-14
• No longer in HTML5, but it works

Slide 81

Slide 81 text

Cookies

Slide 82

Slide 82 text

• Defined in RFC 2109 and RFC 2965
• Most clients just follow the old Netscape specification (RFC 6265, published in 2011 after this talk, documents that real-world behaviour and obsoletes both earlier RFCs)
• To set, the server sends a Set-Cookie response header
• The client sends the cookie back in the Cookie request header

Slide 83

Slide 83 text

PHP example: setting a cookie

PHP:
setcookie('foo', 'bar', time() + 3600, '/~ramsey/http', 'localhost', false, true);

PHP (also):
header('Set-Cookie: foo=bar; expires=Fri, 12-Mar-2010 07:01:21 GMT; path=/~ramsey/http; domain=localhost; httponly');

HTTP response header:
Set-Cookie: foo=bar; expires=Fri, 12-Mar-2010 07:01:21 GMT; path=/~ramsey/http; domain=localhost; httponly

The sixth setcookie() argument (false here) is the Secure flag and the seventh (true) is HttpOnly. Anything served over HTTPS should set both; without Secure the browser will also send the cookie over plain HTTP.

Slide 84

Slide 84 text

PHP example: reading a cookie

HTTP request header:
Cookie: foo=bar

PHP:
$clean['foo'] = null;
if (isset($_COOKIE['foo']) && passesValidation($_COOKIE['foo'])) {
    $clean['foo'] = $_COOKIE['foo'];
}

passesValidation() stands for whatever validation the value needs; the isset() guard avoids a notice when the client sent no cookie at all. Everything in $_COOKIE is client-supplied input and is treated like any other.
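The slides show the two PHP calls and the resulting header; what is left to the reader is checking that a Set-Cookie header is scoped the way you intended. The code below is an added example of mine, not from the talk, written in Python rather than the slides' PHP: it splits a Set-Cookie value into its cookie-pair and attributes and reports the findings a reviewer would raise (missing Secure on an HTTPS site, missing HttpOnly, a Domain attribute that shares the cookie with all subdomains, a Path wider than the application). The header it is fed is the one from the slide above; the application path it is compared against is an assumption.

```python
# Added example, not from the talk: a small Set-Cookie parser and audit.


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs). Attribute names
    are lowercased; flags without a value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("Set-Cookie must begin with name=value")
    name, value = parts[0].split("=", 1)
    attrs = {}
    for item in parts[1:]:
        if not item:
            continue
        key, has_value, val = item.partition("=")   # "expires=Fri, 12-Mar-2010 ..." keeps its comma
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookie(header, served_over_https=True, app_path="/"):
    """Return the findings a reviewer would raise for one Set-Cookie header.
    An empty list means the cookie is scoped as tightly as the app allows."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("%s: no Secure flag, so it is also sent over plain HTTP" % name)
    if "httponly" not in attrs:
        findings.append("%s: no HttpOnly flag, so script can read it" % name)
    if "domain" in attrs:
        # Any Domain attribute widens the cookie to every subdomain of that domain.
        findings.append("%s: Domain=%s shares it with every subdomain" % (name, attrs["domain"]))
    path = attrs.get("path", "/")
    if path != app_path and app_path.startswith(path):
        findings.append("%s: Path=%s is wider than the application at %s" % (name, path, app_path))
    return findings


# The header produced by the setcookie() call on the slide.
SLIDE_HEADER = ("foo=bar; expires=Fri, 12-Mar-2010 07:01:21 GMT; "
                "path=/~ramsey/http; domain=localhost; httponly")
```

Run against the slide's header with `served_over_https=True` and `app_path="/~ramsey/http"`, the audit reports two things: the missing Secure flag (the sixth setcookie() argument was false) and the Domain attribute.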

Slide 85

Slide 85 text

Caching

Slide 86

Slide 86 text

• Cache expiration
• Cache validation

Slide 87

Slide 87 text

Cache expiration
• Cache-Control response header (max-age and friends), or the older Expires header
• Tells the client for how long the copy it has may be reused without asking the server again

Slide 88

Slide 88 text

Cache validation
• Once its copy is stale, the client asks the server whether that copy is still current instead of downloading it again, using the validators the server sent with it (ETag, Last-Modified)
• Conditional request headers: If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since
• If the copy is still current, the server answers 304 Not Modified with no body
• If-Match and If-Unmodified-Since guard writes (PUT, DELETE) against overwriting a change someone else made in the meantime; a failed precondition is answered with 412 Precondition Failed
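The five conditional headers listed above interact, and the order in which a server evaluates them matters (If-Match before If-None-Match, If-Modified-Since ignored when If-None-Match is present). The code below is an added example of mine, not from the talk: the server-side decision for a conditional request, following the precedence RFC 7232 later wrote down, with weak and strong ETag comparison and the lost-update protection that If-Match gives a PUT. The resource, its ETag and its Last-Modified value are constructed; deriving the ETag from a hash of the body is an assumption of this example.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Added example, not from the talk: evaluating conditional request headers.


def strong_etag(body):
    """Strong validator for a representation. A content hash is used here
    for illustration; servers commonly derive it from size and mtime."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def _http_date(value):
    """Parse an HTTP-date; None if unparseable (the header is then ignored)."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def _etag_match(header, etag, weak_ok):
    """Match `etag` against the comma-separated list in If-Match/If-None-Match."""
    if header.strip() == "*":
        return True

    def opaque(tag):
        tag = tag.strip()
        return tag[2:] if tag.startswith("W/") else tag

    for candidate in header.split(","):
        candidate = candidate.strip()
        if candidate == etag:                                # strong comparison
            return True
        if weak_ok and opaque(candidate) == opaque(etag):    # weak comparison
            return True
    return False


def evaluate_preconditions(method, headers, etag, last_modified):
    """Apply the conditional headers of one request in RFC 7232 order.

    headers: request headers (any case); etag: the resource's current strong
    ETag; last_modified: timezone-aware datetime of the last change.
    Returns 304 (send headers only), 412 (refuse the request) or None (go ahead).
    """
    h = {k.lower(): v for k, v in headers.items()}
    safe = method in ("GET", "HEAD")
    modified = last_modified.replace(microsecond=0)   # HTTP-date has second precision

    # 1. If-Match protects writes against the lost-update problem: "only if
    #    the resource is still the version I fetched". Strong comparison only.
    if "if-match" in h:
        if not _etag_match(h["if-match"], etag, weak_ok=False):
            return 412
    # 2. If-Unmodified-Since is the date-based fallback, consulted only without If-Match.
    elif "if-unmodified-since" in h:
        since = _http_date(h["if-unmodified-since"])
        if since is not None and modified > since:
            return 412

    # 3. If-None-Match is cache validation; weak comparison is allowed here.
    if "if-none-match" in h:
        if _etag_match(h["if-none-match"], etag, weak_ok=True):
            return 304 if safe else 412
        return None      # a present If-None-Match makes If-Modified-Since irrelevant

    # 4. If-Modified-Since applies to GET/HEAD only.
    if safe and "if-modified-since" in h:
        since = _http_date(h["if-modified-since"])
        if since is not None and modified <= since:
            return 304
    return None


# Constructed resource: the Atom entry from the GET example, last changed
# at the Last-Modified value a server would have sent alongside it.
BODY = b"<entry><title>ramsey</title></entry>"
ETAG = strong_etag(BODY)
LAST_MODIFIED = datetime(2009, 9, 22, 17, 28, 14, tzinfo=timezone.utc)
```

The case worth remembering is the PUT with a stale `If-Match`: the client fetched the entry, someone else changed it, and the client's write comes back with 412 instead of silently overwriting the newer version. Without If-Match the second writer wins and nobody notices.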

Slide 89

Slide 89 text

Content Negotiation

Slide 90

Slide 90 text

• Server-driven negotiation
• Agent-driven negotiation

Slide 91

Slide 91 text

Server-driven negotiation
• The server makes a best guess
• The client may send headers to help the server guess: Accept, Accept-Language, Accept-Encoding, Accept-Charset, and User-Agent
• The server can use other factors
• Since it’s a guess made by an algorithm the client can’t see, a second identical request might receive a different representation
• A server that chooses by request headers should name them in a Vary response header, so caches don’t hand one client’s representation to another

Slide 92

Slide 92 text

Agent-driven negotiation
• Requires two requests from the client
• The first request results in a response listing the available representations, either in the headers or in the entity body
• The second request, for the chosen representation, is either automatic (the client chooses) or manual (the user chooses)
• The first response should be a 300 Multiple Choices response

Slide 93

Slide 93 text

Ben’s suggested negotiation
• Use a single base URI for all resource requests, i.e. /user/username
• Use the Accept-* headers to perform server-driven negotiation as best you can
• Use a 303 See Other response with a Location header pointing at the appropriate representation: /user/username.html, /user/username.xml or /user/username.json
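The server-driven slide says the server "makes a best guess" from Accept; this is what that guess looks like when written out. The code below is an added example of mine, not from the talk, covering both the server-driven negotiation slide and Ben's suggested scheme: an Accept header parser that honours q-values and specificity (exact type beats type/* beats */*), a chooser that breaks ties by server preference, and the 303-to-concrete-representation step with a 406 when the client accepts none of them. The suffix map from media type to .html/.xml/.json is constructed from the slide; the 406 behaviour is an assumption, the slide does not say what to do when nothing matches.

```python
# Added example, not from the talk: Accept-header negotiation plus the
# "one base URI, then 303" scheme suggested above.


def parse_accept(value):
    """Parse an Accept header into [(type, subtype, q)] in the order given.
    Malformed entries are dropped; q is clamped to [0, 1]."""
    entries = []
    for part in value.split(","):
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        if "/" not in media:
            continue
        mtype, subtype = media.split("/", 1)
        q = 1.0
        for param in pieces[1:]:
            if "=" not in param:
                continue
            key, raw = param.split("=", 1)
            if key.strip().lower() == "q":
                try:
                    q = max(0.0, min(1.0, float(raw.strip())))
                except ValueError:
                    q = 0.0          # unparseable q: treat as "not acceptable"
        entries.append((mtype, subtype, q))
    return entries


def quality(entries, media):
    """Quality the client assigns to `media`: the q of the most specific
    matching entry (exact > type/* > */*), or 0.0 if nothing matches."""
    mtype, subtype = media.lower().split("/", 1)
    best_spec, best_q = -1, 0.0
    for etype, esub, q in entries:
        if etype == mtype and esub == subtype:
            spec = 3
        elif etype == mtype and esub == "*":
            spec = 2
        elif etype == "*" and esub == "*":
            spec = 1
        else:
            continue
        if spec > best_spec:
            best_spec, best_q = spec, q
    return best_q


def negotiate(accept, available):
    """Pick the best of `available` (listed in server preference order, which
    breaks ties). Returns None when the client accepts none of them."""
    if not accept or not accept.strip():
        return available[0] if available else None   # no Accept: server's default
    entries = parse_accept(accept)
    best, best_q = None, 0.0
    for media in available:
        q = quality(entries, media)
        if q > best_q:
            best, best_q = media, q
    return best


# Representations offered for /user/username, in server preference order.
SUFFIXES = {"text/html": ".html", "application/xml": ".xml", "application/json": ".json"}


def redirect_for(base_uri, accept):
    """Ben's scheme: answer (303, '/user/username.<ext>'), or (406, None)."""
    chosen = negotiate(accept, list(SUFFIXES))
    if chosen is None:
        return 406, None
    return 303, base_uri + SUFFIXES[chosen]
```

A typical browser Accept such as `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` lands on the HTML representation; an API client sending `application/json` is sent to /user/username.json. The explicit `*/*;q=0` form is how a client says "only what I listed", and it is honoured because a q of 0 never beats the initial best of 0.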

Slide 94

Slide 94 text

Authentication

Slide 95

Slide 95 text

Resource requires authentication
• Respond with 401 Unauthorized
• Include the WWW-Authenticate header
• WWW-Authenticate must contain the authentication challenge required by the server
• Multiple challenges in one header, or multiple WWW-Authenticate headers, may be present

Slide 96

Slide 96 text

WWW-Authenticate challenges
• Basic
• Digest
• OAuth
• WSSE
• HTML?

Slide 97

Slide 97 text

Authorization request
• The request includes the Authorization header
• The Authorization header carries the credentials for one of the schemes the server offered in its WWW-Authenticate challenge

Slide 98

Slide 98 text

Basic authentication

POST /content/videos HTTP/1.1
Host: example.org
Content-Type: video/mp4
Content-Length: 115910000
Authorization: Basic bWFkZTp5b3VfbG9vaw==

{binary video data}

Basic credentials are base64-encoded, not encrypted: bWFkZTp5b3VfbG9vaw== decodes to made:you_look. Use Basic only over TLS, and never expect the encoding itself to protect anything.
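The three authentication slides above describe the challenge/response shape; the code below is an added example of mine, not from the talk, that implements both ends for the Basic scheme: parsing a WWW-Authenticate value that carries several challenges (the slide says that is allowed), building and decoding the Authorization header from the exchange above, and verifying the credentials on the server against a salted password hash with a constant-time comparison. The user table and its password are constructed from the credentials visible in the slide; challenges that carry a bare token68 blob instead of parameters are not handled by this parser, and the `HTML form="login"` challenge from the 401 slide is parsed like any other scheme.

```python
import base64
import hashlib
import hmac
import os
import re

# Added example, not from the talk: WWW-Authenticate parsing and Basic
# credentials, client and server side.

# token, optionally followed by =value (quoted-string or token). A token
# with no value starts a new challenge (its auth-scheme).
_ITEM = re.compile(
    r"([!#$%&'*+.^_`|~0-9A-Za-z-]+)"                  # token: scheme or param name
    r"(?:\s*=\s*(\"(?:[^\"\\]|\\.)*\"|[^\s,]+))?"     # optional =value
)


def parse_www_authenticate(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value})]."""
    challenges = []
    for m in _ITEM.finditer(header):
        name, value = m.group(1), m.group(2)
        if value is None:
            challenges.append((name.lower(), {}))
        elif challenges:
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])   # unquote
            challenges[-1][1][name.lower()] = value
    return challenges


def encode_basic(user, password):
    """Client side: build the Authorization header value."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(authorization):
    """Server side: (user, password) from an Authorization header, or None
    if it is not well-formed Basic credentials."""
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")   # the password may itself contain ':'
    return user, password


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user table (the credentials from the slide), stored as
# salted PBKDF2 hashes rather than plaintext.
_SALT = os.urandom(16)
USERS = {"made": (_SALT, _hash("you_look", _SALT))}


def verify_basic(authorization):
    """True only for a known user with the right password. The digest
    comparison is constant-time, and unknown users cost the same as known ones."""
    creds = decode_basic(authorization or "")
    if creds is None:
        return False
    user, password = creds
    salt, expected = USERS.get(user, (b"", b""))
    if not salt:
        _hash(password, b"\x00" * 16)     # burn the same time for unknown users
        return False
    return hmac.compare_digest(_hash(password, salt), expected)
```

`decode_basic("Basic bWFkZTp5b3VfbG9vaw==")` gives back `("made", "you_look")`, which is the whole security story of Basic in one line: anyone who can read the request can read the password, so the scheme is only as good as the TLS underneath it.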

Slide 99

Slide 99 text

We’ve come so far …

Slide 100

Slide 100 text

… yet we have so far left to go.

Slide 101

Slide 101 text

It’s your turn, now.

Slide 102

Slide 102 text

Thank you! Ben Ramsey benramsey.com Twitter: @ramsey Rate this talk: joind.in/1395