Transcript Building REST Service APIs for Rich Internet Applications

Building REST
Service APIs for
Rich Internet
Applications
Peter Laird
Managing Architect
WebLogic Portal
BEA Systems
BEA Confidential. | 1
About the Speaker
Has 10 years of server side Java development experience
Leads the architecture team for BEA WebLogic Portal, a
leading Java enterprise portal product

Has worked on WebLogic Portal for 7 years as a developer and
architect

WebLogic Portal introduced REST-like APIs in version 10.2
Holds the following certifications

Oracle DBA

Cisco CCNA
Regular contributor to BEA’s developer website

http://dev2dev.bea.com
Peter Laird
Housekeeping
This is a 30 Minute Presentation

A lot to cover, will move very fast

Will focus more on REST, less on RIA development
Assumes you have a basic understanding of:

HTTP

XML

JavaScript

A dynamic web programming technology (Java Servlets, .NET, PHP)
Peter Laird
Agenda
Rich Internet Applications (RIA)
Data Driven Rich Internet Applications
Principles of REST
REST in Practice
Peter Laird
Rich Internet Applications
Attributes of Rich Internet Applications (RIA)

Run in a browser, or do not require a software install

Supported with a server side component which holds application state

HTTP is used to communicate with the server

Client contains some basic processing capabilities

Have an interactive feel like a fat-client application
Technologies used to create RIAs

JavaScript and the XmlHttpRequest (Ajax)

Adobe Flash and Flex

Microsoft Silverlight

Laszlo, JavaFX, XUL, etc etc
Peter Laird
RIA: the New Web Standard
Think of the browser as a virtual machine

Not just a page rendering application

Programmable through JavaScript or plugins

HTTP networking support
RIAs becoming the standard of web applications

Netflix, Google Mail, etc started the trend

Now any noteworthy consumer facing web app is an RIA

Browser support for RIA is very good
Peter Laird
Data Driven Rich Internet Applications
Peter Laird
RIA: Data Driven
RIAs typically request data from a server

Netflix – movie catalog

Gmail – email messages
Often these requests are very fine grained
Requires an efficient mechanism for retrieving that data
RIA technologies universally provide an HTTP client

XmlHttpRequest for Ajax use cases

We will use Ajax in this presentation
Peter Laird
Ajax and XmlHttpRequest Sample
// create a request object
var xhr = new XMLHttpRequest();
// define the request properties
xhr.open("GET", "http://myURL/getJSON.jsp", true);
xhr.onreadystatechange = myHandler;
// define the callback handler
xhr.send(null);
// send the request
function myHandler()
// callback definition
{
if (xhr.readyState == 4)
// response has been received
{
if (xhr.status != 404)
{
var data=eval(‘(’ + xhr.responseText + ‘)’);
// invoke JS to manipulate the response
}
}
}
Peter Laird
WS-*
Web Services (WS-*) Standards are a valid approach

SOAP is an XML format for defining a service request and response
 I will use WS-* notation to refer to SOAP over HTTP
 WS-* also includes a number of subordinate standards
WS-Security
WS-Transaction
Etc
Proper deployment of a WS requires a WSDL to describe it

XML document that describes the Web Service and how to access it
WS-* is not a lightweight approach

Requires a good SOAP stack on the client, or
 Requires client code to create SOAP requests and parse the SOAP
response
Peter Laird
Introducing REST
Yes, there is a better way
REpresentational State Transfer (REST)

A simpler approach to building data services
REST services are implemented using the basics of the web

Service end points are resources http://host/api/content/myfolder

Return payload is usually simple plain text, JSON or XML structures
REST is a general approach for building services, but…

RIA development will likely be the first time you will use REST

Will focus exclusively on RIA use cases for REST in this talk
Peter Laird
REST Example: Search Suggestions
You want to have Google like suggestions in your search box
You have wired the search box with a JavaScript event
handler that uses an XmlHttpRequest to call the data service
The XmlHttpRequest callback expects a list of search
keywords in return

JavaScript populates the suggestion dropdown
How do you implement the REST service?
Peter Laird
REST Example: Search Suggestions Impl
Create a REST service on the server

Java: easily implemented using a Servlet or JSP
URLs used by Ajax will look like

http://host/searchengine/suggestions?text=“am”

Where “am” is the text the user has typed into the box
The service will respond with an HTTP response with the
following body:
amigo
america
ammunition
The JavaScript parses that list and populates the drop-down
Peter Laird
REST Real World: WebLogic Portal
Author was involved in a REST implementation for WebLogic
Portal (WLP)
WLP needed to implement dynamic UI features

Move portlets around on a page using drag and drop

Retrieve the list of portlets that can be added to a page

Choose from a list of available branding schemes for a page
JavaScript+XmlHttpRequest was the RIA technology chosen
WLP implemented a set of REST-like APIs

Not 100% REST compliant, but pretty close
Peter Laird
REST Real World: WebLogic Portal
Peter Laird
REST Principles
Peter Laird
Two REST References
Roy Fielding Dissertation

Origin of the idea

Focus on Chapter 5
RESTful Web Services book

Leonard Richardson and Sam Ruby

Recommended as a pragmatic guide

Not loved by all, search the internet to learn what the community thinks
about this book

Explains why the REST principles are important to follow
Peter Laird
Beware of the REST Nerd Wars
REST similar to Object Oriented design

Common to see arguments between pragmatists and purists

We had some of this during our WebLogic Portal implementation
Purists are known as the RESTafarians

Joke: Are RESTafarians clean? No, they don’t use any SOAP.
As with OO, there are some core principles but also a lot of
opinion and style

You will need to formulate your own style
Peter Laird
URL Represents a Noun, not a Verb
REST services are based on Resources not Operations

Use Case: URL for a service that returns a list of addresses

Good: http://host/cities/colorado/denver/

Bad:
http://host/addresses/getlist?city=denver

Bad:
http://host/addresses?op=getlist&city=denver
Guidelines:

URLs should express a noun, not a verb

URL path should illustrate a logical structure of the resources

URL parameters are used to feed modifiers into an algorithm
Peter Laird
HTTP Verb Matters
REST services should honor the HTTP method (verb)

GET –reads the state of a resource described by the URL

PUT – adds the resource described by the URL

DELETE – deletes the resource described by the URL

POST – updates the resource described by the URL
Guidelines:

Do not embed the verb in the URL path or query parameters

GET must not alter the state of the server

GET, PUT and DELETE must be idempotent
Peter Laird
HTTP Response Codes
REST services should use the proper HTTP response codes

200 – request was properly understood, the operation succeeded

400 – the client sent an invalid request

500 – internal server error, there is a problem on the server

404 – the URL does not map to a valid resource

401 – not authorized
Guidelines:

Anti-pattern is to always return 200, and embed the result of the
operation in the response body
Peter Laird
REST in Practice
Peter Laird
JSON as the Return Payload
XML is a safe format to return from the REST service

But not the easiest when the client is JavaScript
JavaScript Object Notation (JSON) is usually a better
alternative when the client will always be JavaScript
One line reconstitutes the returned structure into a native
JavaScript object

var payload = eval(‘(’ + xhr.responseText + ‘)’);
Peter Laird
Authenticaton
Many REST services will require authentication
Usually “just works” for Ajax RIA applications

User logs into the application

XmlHttpRequests carry the session cookies to the server

REST services will recognize the user session
Two easy solutions for explicit authentication for REST

HTTP Basic authentication

Custom authentication REST service

Make sure HTTPS is used for transport!
Two harder solutions for explicity authentication

Digest

WSSE
Peter Laird
Single Origin Policy
This issue affects any XmlHttpRequest
XmlHttpRequest cannot target a network domain different
from the outer page
This is a security feature, but will affect how you deploy your
REST services
Example:

Outer page: http://mygoodhost.com/theAjaxPage.jsp

XmlHttpRequest: http://evil.com/stealCookies.jsp

That XHR will fail
Peter Laird
Thank You
Peter Laird