Upgrade to Pro — share decks privately, control downloads, hide ads and more …

REST API Design for JAX-RS And Jersey

Stormpath
October 03, 2012
Programming
0
58

REST API Design for JAX-RS And Jersey

Designing and building a really clean and intuitive ReST API is no small feat. You have to worry about resources, collections of resources, pagination, query parameters, references to other resources, which HTTP methods to use, HTTP caching, security, and more. And you have to make sure it lasts and doesn’t break clients as you add features over time. Furthermore, although there are many references on creating REST APIs with XML, there are far fewer references on REST + JSON. It is enough to drive you crazy. This session demonstrates how to design and implement an elegant REST API.

Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: https://stormpath.com/blog

Stormpath

October 03, 2012
Tweet

More Decks by Stormpath

See All by Stormpath
RESTful API Development for ASP.NET Core
stormpath
0
220
Build a REST API for your Mobile Apps in Node
stormpath
0
56
Secure Your REST API
stormpath
0
190
How to Use Stormpath in Angular.js
stormpath
0
150
Beautiful REST+JSON APIs with Ion
stormpath
0
160
Storing User Files with Express, Stormpath, and Amazon S3
stormpath
0
31
Instant Security & Scalable User Management with Spring Boot
stormpath
0
190
Custom Data Search with Stormpath
stormpath
0
41
Browser Security 101
stormpath
0
47

Other Decks in Programming

See All in Programming
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
300
flutterkaigi_2024.pdf
kyoheig3
0
130
Jakarta EE meets AI
ivargrimstad
0
640
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
190
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
as(型アサーション)を書く前にできること
marokanatani
10
2.7k
Remix on Hono on Cloudflare Workers
yusukebe
1
290
ヤプリ新卒SREの オンボーディング
masaki12
0
130
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
33
2.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Done Done
chrislema
181
16k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
890
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Agile that works and the tools we love
rasmusluckow
327
21k
Become a Pro
speakerdeck
PRO
25
5k
GraphQLとの向き合い方2022年版
quramy
43
13k
Building Applications with DynamoDB
mza
90
6.1k

Transcript

  1. REST + JSON APIs with JAX-RS Les Hazlewood CTO, Stormpath

    stormpath.com

  2. .com • Identity Management and Access Control API • Security

    for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries

  3. Outline • REST Fundamentals • Design: Base URL Versioning Resource

    Format Return Values Content Negotiation References (Linking) Pagination Query Parameters Associations Errors IDs Method Overloading Resource Expansion Partial Responses Caching & Etags Security Multi Tenancy Maintenance • Coding Time! (JAX-RS-based App)

  4. Why REST? • Scalability • Generality • Independence • Latency

    (Caching) • Security • Encapsulation Learn more at Stormpath.com

  5. HATEOAS • Hypermedia • As • The • Engine •

    Of • Application • State Further restriction on REST architectures. Learn more at Stormpath.com

  6. REST Is Easy Learn more at Stormpath.com

  7. REST Is *&@#$! Hard (for providers) Learn more at Stormpath.com

  8. REST can be easy (if you follow some guidelines) Learn

    more at Stormpath.com

  9. Example Domain: Stormpath • Applications • Directories • Accounts •

    Groups • Associations • Workflows

  10. Fundamentals Learn more at Stormpath.com

  11. Resources Nouns, not Verbs Coarse Grained, not Fine Grained Architectural

    style for use-case scalability Learn more at Stormpath.com

  12. /getAccount /createDirectory /updateGroup /verifyAccountEmailAddress What If? Learn more at Stormpath.com

  13. /getAccount /getAllAccounts /searchAccounts /createDirectory /createLdapDirectory /updateGroup /updateGroupName /findGroupsByDirectory /searchGroupsByName /verifyAccountEmailAddress

    /verifyAccountEmailAddressByToken … Smells like bad RPC. DON’T DO THIS. What If? Learn more at Stormpath.com

  14. Keep It Simple Learn more at Stormpath.com

  15. The Answer Fundamentally two types of resources: Collection Resource Instance

    Resource Learn more at Stormpath.com

  16. Collection Resource /applications Learn more at Stormpath.com

  17. Instance Resource /applications/a1b2c3 Learn more at Stormpath.com

  18. Behavior • GET • PUT • POST • DELETE •

    HEAD Learn more at Stormpath.com

  19. Behavior POST, GET, PUT, DELETE ≠ 1:1 Create, Read, Update,

    Delete Learn more at Stormpath.com

  20. Behavior As you would expect: GET = Read DELETE =

    Delete HEAD = Headers, no Body Learn more at Stormpath.com

  21. Behavior Not so obvious: PUT and POST can both be

    used for Create and Update Learn more at Stormpath.com

  22. PUT for Create Identifier is known by the client: PUT

    /applications/clientSpecifiedId { … } Learn more at Stormpath.com

  23. PUT for Update Full Replacement PUT /applications/existingId { “name”: “Best

    App Ever”, “description”: “Awesomeness” } Learn more at Stormpath.com

  24. PUT Idempotent Learn more at Stormpath.com

  25. POST as Create On a parent resource POST /applications {

    “name”: “Best App Ever” } Response: 201 Created Location: https://api.stormpath.com/applications/a1b2c3 Learn more at Stormpath.com

  26. POST as Update On instance resource POST /applications/a1b2c3 { “name”:

    “Best App Ever. Srsly.” } Response: 200 OK Learn more at Stormpath.com

  27. POST NOT Idempotent Learn more at Stormpath.com

  28. Media Types • Format Specification + Parsing Rules • Request:

    Accept header • Response: Content-Type header • application/json • application/foo+json • application/foo+json;application • … Learn more at Stormpath.com

  29. Design Time! Learn more at Stormpath.com

  30. Base URL Learn more at Stormpath.com

  31. http(s)://api.foo.com vs http://www.foo.com/dev/service/api/r est Learn more at Stormpath.com

  32. http(s)://api.foo.com Rest Client vs Browser Learn more at Stormpath.com

  33. Versioning Learn more at Stormpath.com

  34. URL https://api.stormpath.com/v1 vs. Media-Type application/json+foo;application&v=1 Learn more at Stormpath.com

  35. Resource Format Learn more at Stormpath.com

  36. Media Type Content-Type: application/json When time allows: application/foo+json application/foo+json;bar=baz&v=1 …

    Learn more at Stormpath.com

  37. camelCase ‘JS’ in ‘JSON’ = JavaScript myArray.forEach Not myArray.for_each account.givenName

    Not account.given_name Underscores for property/function names are unconventional for JS. Stay consistent. Learn more at Stormpath.com

  38. Date/Time/Timestamp There’s already a standard. Use it: ISO 8601 Example:

    { …, “createdTimestamp”: “2012-07-10T18:02:24.343Z” } Use UTC! Learn more at Stormpath.com

  39. HREF • Distributed Hypermedia is paramount! • Every accessible Resource

    has a unique URL. • Replaces IDs (IDs exist, but are opaque). { “href”: https://api.stormpath.com/v1/accounts/x7y8z9”, … } Critical for linking, as we’ll soon see Learn more at Stormpath.com

  40. Response Body Learn more at Stormpath.com

  41. GET obvious What about POST? Return the representation in the

    response when feasible. Add override (?_body=false) for control Learn more at Stormpath.com

  42. Content Negotiation Learn more at Stormpath.com

  43. Header • Accept header • Header values comma delimited in

    order of preference GET /applications/a1b2c3 Accept: application/json, text/plain Learn more at Stormpath.com

  44. Resource Extension /applications/a1b2c3.json /applications/a1b2c3.csv … Conventionally overrides Accept header Learn

    more at Stormpath.com

  45. Resource References aka ‘Linking’ Learn more at Stormpath.com

  46. • Hypermedia is paramount. • Linking is fundamental to scalability.

    • Tricky in JSON • XML has it (XLink), JSON doesn’t • How do we do it? Learn more at Stormpath.com

  47. Instance Reference GET /accounts/x7y8z9 200 OK { “href”: “https://api.stormpath.com/v1/accounts/x7y8z9”, “givenName”:

    “Tony”, “surname”: “Stark”, …, “directory”: ???? } Learn more at Stormpath.com

  48. Instance Reference GET /accounts/x7y8z9 200 OK { “href”: “https://api.stormpath.com/v1/accounts/x7y8z9”, “givenName”:

    “Tony”, “surname”: “Stark”, …, “directory”: { “href”: “https://api.stormpath.com/v1/directories/g4h5i6” } } Learn more at Stormpath.com

  49. Collection Reference GET /accounts/x7y8z9 200 OK { “href”: “https://api.stormpath.com/v1/accounts/x7y8z9”, “givenName”:

    “Tony”, “surname”: “Stark”, …, “groups”: { “href”: “https://api.stormpath.com/v1/accounts/x7y8z9/groups” } } Learn more at Stormpath.com

  50. Reference Expansion (aka Entity Expansion, Link Expansion) Learn more at

    Stormpath.com

  51. Account and its Directory? Learn more at Stormpath.com

  52. GET /accounts/x7y8z9?expand=directory 200 OK { “href”: “https://api.stormpath.com/v1/accounts/x7y8z9”, “givenName”: “Tony”, “surname”:

    “Stark”, …, “directory”: { “href”: “https://api.stormpath.com/v1/directories/g4h5i6”, “name”: “Avengers”, “creationDate”: “2012-07-01T14:22:18.029Z”, … } } Learn more at Stormpath.com

  53. Partial Representations Learn more at Stormpath.com

  54. GET /accounts/x7y8z9?fields=givenName,surname, directory(name) Learn more at Stormpath.com

  55. Pagination Learn more at Stormpath.com

  56. Collection Resource supports query params: • Offset • Limit …/applications?offset=50&limit=25

    Learn more at Stormpath.com

  57. GET /accounts/x7y8z9/groups 200 OK { “href”: “…/accounts/x7y8z9/groups”, “offset”: 0, “limit”:

    25, “first”: { “href”: “…/accounts/x7y8z9/groups?offset=0” }, “previous”: null, “next”: { “href”: “…/accounts/x7y8z9/groups?offset=25” }, “last”: { “href”: “…”}, “items”: [ { “href”: “…” }, { “href”: “…” }, … ] } Learn more at Stormpath.com

  58. Many To Many Learn more at Stormpath.com

  59. Group to Account • A group can have many accounts

    • An account can be in many groups • Each mapping is a resource: GroupMembership Learn more at Stormpath.com

  60. GET /groupMemberships/23lk3j2j3 200 OK { “href”: “…/groupMemberships/23lk3j2j3”, “account”: { “href”:

    “…” }, “group”: { “href”: “…” }, … } Learn more at Stormpath.com

  61. GET /accounts/x7y8z9 200 OK { “href”: “…/accounts/x7y8z9”, “givenName”: “Tony”, “surname”:

    “Stark”, …, “groups”: { “href”: “…/accounts/x7y8z9/groups” }, “groupMemberships”: { “href”: “…/groupMemberships?accountId=x7y8z9” } } Learn more at Stormpath.com

  62. Errors Learn more at Stormpath.com

  63. • As descriptive as possible • As much information as

    possible • Developers are your customers Learn more at Stormpath.com

  64. POST /directories 409 Conflict { “status”: 409, “code”: 40924, “property”:

    “name”, “message”: “A Directory named ‘Avengers’ already exists.”, “developerMessage”: “A directory named ‘Avengers’ already exists. If you have a stale local cache, please expire it now.”, “moreInfo”: “https://www.stormpath.com/docs/api/errors/4092 4” } Learn more at Stormpath.com

  65. Security Learn more at Stormpath.com

  66. Avoid sessions when possible Authenticate every request if necessary Stateless

    Authorize based on resource content, NOT URL! Use Existing Protocol: Oauth 1.0a, Oauth2, Basic over SSL only Custom Authentication Scheme: Only if you provide client code / SDK Only if you really, really know what you’re doing Use API Keys instead of Username/Passwords Learn more at Stormpath.com

  67. HTTP Authentication Schemes • Server response to issue challenge: WWW-Authenticate:

    <scheme name> realm=“Application Name” • Client request to submit credentials: Authorization: <scheme name> <data> Learn more at Stormpath.com

  68. 401 vs 403 • 401 “Unauthorized” really means Unauthenticated “You

    need valid credentials for me to respond to this request” • 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com

  69. API Keys • Entropy • Password Reset • Independence •

    Speed • Limited Exposure • Traceability Learn more at Stormpath.com

  70. IDs Learn more at Stormpath.com

  71. • IDs should be opaque • Should be globally unique

    • Avoid sequential numbers (contention, fusking) • Good candidates: UUIDs, ‘Url64’ Learn more at Stormpath.com

  72. HTTP Method Overrides Learn more at Stormpath.com

  73. POST /accounts/x7y8z9?_method=DELETE Learn more at Stormpath.com

  74. Caching & Concurrency Control Learn more at Stormpath.com

  75. Server (initial response): ETag: "686897696a7c876b7e” Client (later request): If-None-Match: "686897696a7c876b7e”

    Server (later response): 304 Not Modified Learn more at Stormpath.com

  76. Maintenance Learn more at Stormpath.com

  77. Use HTTP Redirects Create abstraction layer / endpoints when migrating

    Use well defined custom Media Types Learn more at Stormpath.com

  78. IT’S CODING TIME!!! • Let’s build a JAX-RS REST App!

    • git clone https://github.com/stormpath/todos- jersey.git Learn more at Stormpath.com

  79. .com • Free for any application • Eliminate months of

    development • Automatic security best practices Sign Up Now: Stormpath.com Les Hazlewood | @lhazlewood