Api manager preconference
- 1. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Developing and Managing APIs with Adobe ColdFusion and API Manager
Kevin, Mayur, Pavan
- 2.
Agenda
Use Case
Designing your API
API Manager Actors
Onboarding of the API
Building Blocks
Security
SLA
Analytics
- 3.
[Diagram: the API Manager sits in front of the API, with the Merchant, Store Administrator and Customer as the actors calling it]
- 4.
E-commerce Store APIs
1. Product
2. Merchants
3. Order
4. Promotion
5. Payment Gateway
- 5.
Product API
Endpoints:
Add a product
(POST /products/v1 )
Get all products
(GET /products/v1 )
Add/Update Brand
(PUT /products/v1 )
Search product
(GET /products/v1/search?searchid=123)
- 6.
Merchant API
Endpoints:
Add a product
(POST /merchant/v1/products/<merchant_id>)
Update product price
(PUT /merchant/v1/products/<merchant_id>?product_id=101965)
Update product quantity
(PUT /merchant/v1/products/<merchant_id>?product_id=101965)
Delete a product under a merchant store
(DELETE /merchant/v1/products/<merchant_id>?product_id=101965)
Note: <merchant_id> is supplied by the caller in the URL, so each of these operations must check that the authenticated caller actually owns that merchant store; the path by itself proves nothing.
- 7.
Order API
Endpoints:
Place a new order
(POST /orders/v1)
Retrieve the list of all orders
(GET /orders/v1/<customerId>)
Update an order
(PUT /orders/v1/<orderid>)
Delete a single order
(DELETE /orders/v1/<customerId>/<orderid>)
- 8.
Promotion API
Endpoints:
Create a promotion type
(POST /promotion/v1)
Create a discount code
(POST /promotion/discount)
Invalidate a discount code
(PUT /promotion/discount/invalidate/<discount_code>)
Retrieve the list of promotions
(GET /promotion/v1)
- 9.
Payment Gateways
Endpoints:
Get all registered gateways
(GET /gateway/v1)
Disable a gateway
(PUT /gateway/v1/<gateway_id>)
Enable a gateway
(PUT /gateway/v1/<gateway_id>)
- 10.
Building APIs in ColdFusion
You can create REST services by setting certain attributes on the cfcomponent, cffunction and cfargument tags and publishing the component as a REST resource. Script syntax can be used as well.
• Follows the HTTP request-response model: beyond using HTTP as the transport, the service follows the usual HTTP conventions. Components published as REST services are consumed over HTTP/HTTPS requests, are identified by a URI (Uniform Resource Identifier), and can be called from a web page or by entering the URI in the browser's address bar.
• Supports the common HTTP methods: REST-enabled CFCs support GET, POST, PUT, DELETE, HEAD and OPTIONS.
• Implicit serialization/deserialization: ColdFusion natively serializes and deserializes JSON and XML, so client applications consume the service with plain HTTP/HTTPS requests and the response is returned as either XML or JSON.
• Publish a component as both a REST service and a WSDL service: the same ColdFusion component can be created and published as a REST service and as a WSDL (SOAP) service.
- 11.
<cfcomponent>
Two attributes of the <cfcomponent> tag:
rest (true/false) – if true, the CFC is REST enabled.
restPath – path used to access the REST service.
Example:
<cfcomponent rest="true" restpath="/person">
Sample URI:
http://localhost:8500/rest/restTest/restService
URL components and what they mean:
http://localhost:8500 – base URL: the host (or IP address) and port of the ColdFusion server. If you deploy ColdFusion as a JEE application, the URL also contains a context root, for example http://localhost:8500/cfusion
rest – marks the request as a REST request. This default value can be renamed by revising the context path in web.xml under cfusion/wwwroot/WEB-INF and updating the same mapping in the uriworkermap.properties file under config/wsconfig/1.
restTest – the application name or service mapping you used when registering the service in the ColdFusion Administrator. If you do not specify a service mapping in the Administrator, the application name is taken from Application.cfc.
restService – the REST path you defined in the service, that is, the value of the restPath attribute of cfcomponent.
- 12.
<cffunction>
restPath – sub-resource path for the function, appended to the component's restPath.
httpMethod – the HTTP method the function is bound to:
GET, POST, PUT, DELETE, HEAD, OPTIONS
Example:
<cffunction name="getPerson" returntype="string" access="remote" httpmethod="GET"
restPath="/person/{personID}" produces="application/json">
- 13.
<cfargument>
restArgSource – where to find the value of the argument:
path, query, form, cookie, header, matrix
restArgName – the name in the request (path segment, query parameter, header, ...) that maps to the argument name, when the two differ.
Example:
<cfargument name="personID" required="true" type="numeric" restargsource="path" />
- 14.
Registering an application with the REST service
After you create the CFC you want to REST-enable, register the folder that contains it as a REST service: with the autoRegister application setting, with the restInitApplication() function, in the ColdFusion Administrator, or through the ColdFusion Admin API.
If you are in a shared environment:
<cfset this.restsettings.autoregister = true />
restInitApplication(rootPath[,serviceMapping[,options]])
These two options do not require administrator privileges.
- 15.
REST Responses
Default responses:
200 OK – sent if the response has a body.
204 No Content – sent if the response does not have a body.
404 Not Found – the request URL is not valid.
406 Not Acceptable – no function in the REST service can produce the MIME type the client requested.
415 Unsupported Media Type – no resource can consume the MIME type of the client request.
405 Method Not Allowed – the client invoked an HTTP method on a valid URI to which that method is not bound.
Custom responses: call restSetResponse() from a function with returntype="void" to set the status, headers and body of a successful response, or use <cfthrow type="RestError" errorcode="..."> to return an error with that HTTP status code.
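The attributes from the cfcomponent, cffunction and cfargument slides and the response handling described above, put together in one REST-enabled CFC in script syntax. This is an added example, not code from the deck or from Adobe. It models the Merchant API from the design slides and assumes: the file is Products.cfc in a folder registered with the service mapping "store"; the catalog is a constructed in-memory struct standing in for a datasource; and the X-Merchant-Id header is a hypothetical header that a front-end gateway sets after authenticating the caller, with the backend reachable only through that gateway.

```cfml
// Added example (not code from the deck or from Adobe): one REST-enabled CFC in script
// syntax that uses the cfcomponent / cffunction / cfargument attributes and the
// restSetResponse() / RestError response handling. Assumed: this is Products.cfc in a
// folder registered with the service mapping "store", so the resources are
//   GET    /rest/store/merchant/v1/products/{merchantId}
//   POST   /rest/store/merchant/v1/products/{merchantId}            (JSON body)
//   DELETE /rest/store/merchant/v1/products/{merchantId}?product_id=101965
component rest="true" restPath="/merchant/v1/products"
          produces="application/json" consumes="application/json" {

    // Constructed sample catalog (merchant id -> product id -> product). It stands in for a
    // datasource and is not persisted between requests.
    variables.catalog = {
        "7" = { "101965" = { "name" = "Keyboard", "price" = 49.99, "quantity" = 12 } }
    };

    // HYPOTHETICAL trust boundary: the X-Merchant-Id header is set by a gateway after it has
    // authenticated the caller, and this backend is reachable only through that gateway.
    // Without that guarantee the header is attacker-controlled and this check proves nothing.
    private void function assertOwner(required numeric merchantId, required string callerMerchantId) {
        if (trim(arguments.callerMerchantId) != toString(arguments.merchantId)) {
            // errorcode becomes the HTTP status of the error response
            throw(type="RestError", errorcode="403", message="not your merchant store");
        }
    }

    // GET {merchantId}: restArgSource="path" binds the URI template segment to the argument,
    // restArgSource="header" plus restArgName binds a request header with a different name.
    remote array function listProducts(
            required numeric merchantId restArgSource="path",
            required string callerMerchantId restArgSource="header" restArgName="X-Merchant-Id")
            httpMethod="GET" restPath="{merchantId}" {
        assertOwner(arguments.merchantId, arguments.callerMerchantId);
        var key = toString(arguments.merchantId);
        if (!structKeyExists(variables.catalog, key)) {
            throw(type="RestError", errorcode="404", message="merchant not found");
        }
        var out = [];
        for (var productId in variables.catalog[key]) {
            var p = duplicate(variables.catalog[key][productId]);
            p["id"] = productId;
            arrayAppend(out, p);
        }
        return out;   // serialized to JSON by ColdFusion because of produces="application/json"
    }

    // POST {merchantId}: the argument with no restArgSource receives the request body.
    // returntype void + restSetResponse() lets the function choose the status (201) and headers.
    remote void function addProduct(
            required numeric merchantId restArgSource="path",
            required string callerMerchantId restArgSource="header" restArgName="X-Merchant-Id",
            required any product)
            httpMethod="POST" restPath="{merchantId}" {
        assertOwner(arguments.merchantId, arguments.callerMerchantId);
        // accept the body whether it arrives already deserialized or as raw JSON text
        var p = arguments.product;
        if (isSimpleValue(p)) {
            if (!isJSON(p)) throw(type="RestError", errorcode="400", message="body must be JSON");
            p = deserializeJSON(p);
        }
        // validate before touching state: required fields, types and ranges
        if (!isStruct(p) || !structKeyExists(p, "name") || !structKeyExists(p, "price")
                || len(trim(p.name)) == 0 || !isNumeric(p.price) || p.price < 0) {
            throw(type="RestError", errorcode="400", message="name and a non-negative price are required");
        }
        var key = toString(arguments.merchantId);
        if (!structKeyExists(variables.catalog, key)) variables.catalog[key] = {};
        var productId = createUUID();
        variables.catalog[key][productId] = {
            "name"     = trim(p.name),
            "price"    = p.price,
            "quantity" = (structKeyExists(p, "quantity") && isNumeric(p.quantity)) ? int(p.quantity) : 0
        };
        restSetResponse({
            "status"  = 201,
            "headers" = { "Location" = "/rest/store/merchant/v1/products/" & key & "?product_id=" & productId },
            "content" = serializeJSON({ "id" = productId })
        });
    }

    // DELETE {merchantId}?product_id=...: restArgName maps the query parameter to the argument.
    remote void function deleteProduct(
            required numeric merchantId restArgSource="path",
            required string callerMerchantId restArgSource="header" restArgName="X-Merchant-Id",
            required string productId restArgSource="query" restArgName="product_id")
            httpMethod="DELETE" restPath="{merchantId}" {
        assertOwner(arguments.merchantId, arguments.callerMerchantId);
        var key = toString(arguments.merchantId);
        if (!structKeyExists(variables.catalog, key)
                || !structKeyExists(variables.catalog[key], arguments.productId)) {
            throw(type="RestError", errorcode="404", message="product not found");
        }
        structDelete(variables.catalog[key], arguments.productId);
        restSetResponse({ "status" = 204 });   // 204 No Content: success with no body
    }
}
```

Two design points worth noting. The ownership check runs before any lookup, so a caller who does not own the store gets a 403 whether or not the merchant or product exists, which keeps the error codes from leaking which ids are in use. And the functions that need a non-default status are declared void and hand the status, headers and body to restSetResponse(); a function that simply returns a value gets 200 (or 204 when the value is empty) as the responses slide describes.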
- 16.
I am an engineer on the Adobe ColdFusion team.
Areas I look into: web services (SOAP, REST), PDF, spreadsheet, API Manager
Hobbies: working on DIY projects, and of course watching TV series (GOT!!!)
- 19.
API Manager Actors
Administrator
Publisher (API developer)
Subscriber (app creator)
- 20.
Onboarding the API
Manual API creation
CF discovery
Swagger import
SOAP to REST
SOAP pass-through
- 22.
API Manager Building Blocks
API Visibility
API Versioning
API Life cycle
Security
SLA
Caching
Analytics
- 23.
API Visibility
Public
Partner
Intranet
- 24.
API Versioning
Upgrade APIs without worrying about
backward compatibility by managing
multiple versions using a single platform.
- 25.
API Life cycle
Draft
Published
Deprecate
Retire
25
- 26.
Caching
"During experiments, many bird species store peanuts in a cache for later retrieval. In the wild, these birds store acorns and insects." (Wikipedia)
- 27.
About me
Developer & Security Evangelist at Adobe
Previously Security Consultant at RSA Security
Movie Buff
Email: sanniset@adobe.com
- 28.
API Security
Identity, Authentication, Authorization
- 29.
User Store and API Security
API Security:
API Key
Basic
OAuth2 and OAuth2 with SAML
User Store:
LDAP
Database
SAML
- 30.
API/APP Key Authentication
Suitable for business-to-business sharing
Identifies the calling application, not a user; the key is a shared secret, so send it only over HTTPS.
- 31.
Authentication (who you say you are)
How to bring in the users? (User Stores)
LDAP
Database
SAML
The administrator configures the user stores.
- 32.
Sample User Store: Database
- 33.
BASIC Authentication
Simplest and most standard form of authentication.
Authentication happens via username and password.
The username and password are passed in each request (base64-encoded, not encrypted), so HTTPS is required.
The application must store the password securely.
- 34.
When it is not enough!!!!
The password anti-pattern: the user hands their credentials to the application
Trust issues with third-party apps
Can't revoke a single application without changing the password
No selective data sharing
- 35.
Introducing OAuth 2.0
An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
- 36.
OAuth 2.0: Actors
Resource Owner: the person or the application that holds the data to be shared.
Resource Server: the application that holds the protected resources.
Authorization Server: the application that authenticates the resource owner, obtains their consent and issues access tokens to the client.
Client: the application that makes requests to the RS on behalf of the RO.
- 40.
I want to see a list of games
Protocol Flow
- 41.
Hey, API Manager, could you please
give me a list of games?
Protocol Flow
- 42.
Protocol Flow
Sorry pal, this is a secured API. Give me an access token.
- 43.
Protocol Flow (illustrations by @alvaro_sanchez)
- 44.
Protocol Flow
- 45.
Protocol Flow
Hi, Could you provide me your
username & password ?
- 46.
Protocol Flow
Here you go. My username is sanniset@adobe.com and my password is top-secret.
- 47.
Protocol Flow
- 48.
Hi API Manager, here is my token:
7ee85874dde4c7235b6c3afc82e3fb
Protocol Flow
- 49.
Protocol Flow
Hi, I have been given the token 7ee85874dde4c7235b6c3afc82e3fb. Is it legitimate?
- 50.
Protocol Flow
Of course. The token is valid and it belongs to sanniset@adobe.com.
- 51.
Protocol Flow
All well! Here is the list of games.
- 52.
Protocol Flow
Here you are, the list of games. Have a good day!
- 53.
Protocol Flow
OAuth 2.0 is a delegation protocol: the client application never sees the user's credentials; it only holds an access token that the Authorization Server issued on the user's behalf.
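The step in the flow above where the API Manager asks the Authorization Server "is this token legitimate?", written as a ColdFusion function that the resource server runs before serving a request. This is an added example, not code from the deck or from Adobe, and it does not describe how API Manager validates tokens internally. It assumes a hypothetical introspection endpoint in the shape of RFC 7662 (a POST that returns JSON with active, scope and sub), hypothetical client credentials for the resource server, and a hypothetical scope name "games:read".

```cfml
// Added example, not from the deck or from Adobe: validating a bearer token on the
// resource-server side of the protocol flow. Everything about the authorization server is
// an assumption: the introspection URL, the credentials this resource server uses to call it,
// and the response shape (RFC 7662 token introspection: active, scope, sub).
component {

    variables.introspectionUrl = "https://auth.example.com/oauth2/introspect"; // hypothetical
    variables.rsClientId       = "api-manager";                                // hypothetical
    variables.rsClientSecret   = "change-me";                                  // hypothetical

    /**
     * Validates the Authorization header of one request.
     * Returns { ok=true, subject="..." } when the token is active and carries requiredScope,
     * otherwise { ok=false, status=401|403, error="..." } for the caller to turn into a response.
     */
    public struct function checkBearer(required string authorizationHeader, required string requiredScope) {
        // 1. Accept only "Bearer <token>": Basic credentials, an empty header or extra parts are rejected.
        var parts = listToArray(trim(arguments.authorizationHeader), " ");
        if (arrayLen(parts) != 2 || lCase(parts[1]) != "bearer") {
            return { ok = false, status = 401, error = "invalid_request" };
        }
        var token = parts[2];   // opaque to us: never log it, never echo it back in an error

        // 2. Ask the authorization server. A server-to-server call the resource server authenticates
        //    with its own credentials; the user's password is never seen here (that is the delegation).
        cfhttp(method = "POST", url = variables.introspectionUrl, timeout = 5,
               username = variables.rsClientId, password = variables.rsClientSecret) {
            cfhttpparam(type = "formfield", name = "token", value = token);
            cfhttpparam(type = "formfield", name = "token_type_hint", value = "access_token");
        }
        // Fail closed: an unreachable or misbehaving authorization server means no access, not open access.
        if (val(cfhttp.statusCode) != 200 || !isJSON(cfhttp.fileContent)) {
            return { ok = false, status = 401, error = "introspection_failed" };
        }
        var info = deserializeJSON(cfhttp.fileContent);
        if (!structKeyExists(info, "active") || !isBoolean(info.active) || !info.active) {
            return { ok = false, status = 401, error = "invalid_token" };
        }

        // 3. A valid token only proves delegation happened; check it was delegated for *this* operation.
        var scopes = structKeyExists(info, "scope") ? listToArray(info.scope, " ") : [];
        if (!arrayContains(scopes, arguments.requiredScope)) {
            return { ok = false, status = 403, error = "insufficient_scope" };
        }
        // "sub" is the resource owner the token belongs to (sanniset@adobe.com in the flow above):
        // use it for per-user authorization and audit, never a user id the client put in the request.
        return { ok = true, subject = structKeyExists(info, "sub") ? info.sub : "" };
    }

    // Turns a failed check into the HTTP response, with the WWW-Authenticate header RFC 6750 expects.
    public void function reject(required struct result, string realm = "api-manager") {
        cfheader(statuscode = arguments.result.status);
        cfheader(name = "WWW-Authenticate",
                 value = 'Bearer realm="' & arguments.realm & '", error="' & arguments.result.error & '"');
        cfcontent(type = "application/json", reset = true);
        writeOutput(serializeJSON({ error = arguments.result.error }));
    }
}
```

Usage: call checkBearer(getHttpRequestData().headers["Authorization"], "games:read") at the top of the request; on ok=false call reject() and stop, on ok=true use subject for any per-user authorization. The split between 401 (no usable token) and 403 (valid token, wrong scope) is deliberate: it tells a well-behaved client whether to re-authenticate or to ask for more authorization, without telling an attacker anything about the token.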
- 54.
SLA
SLA plans
Rate limiting
Throttling
Hard and soft limits
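A per-subscriber limiter with a soft and a hard limit, as an added example of the rate-limiting idea on this slide. This is not the API Manager's implementation, and the reading of the two limits is an assumption: over the soft limit the request is still served but flagged, over the hard limit it is rejected with 429. The subscriber key is assumed to be an already-authenticated identity (API key or OAuth subject).

```cfml
// Added example, not the API Manager's implementation: a fixed-window limiter per subscriber
// with a soft and a hard limit. Assumed semantics: over the soft limit the request is served
// but flagged, over the hard limit it is rejected with 429 and a Retry-After.
// Counters live in the application scope, so this is per ColdFusion instance, not cluster-wide.
component {

    /**
     * Counts one request for subscriberKey in the current window and decides what to do with it.
     * subscriberKey must be the authenticated identity (API key or OAuth subject), never a value an
     * unauthenticated caller chooses; otherwise attackers pick fresh keys and the limit means nothing.
     */
    public struct function enforce(required string subscriberKey,
                                   numeric softLimit = 100,
                                   numeric hardLimit = 120,
                                   numeric windowSeconds = 60,
                                   date at) {
        if (!structKeyExists(arguments, "at")) arguments.at = now();
        var epoch = int(arguments.at.getTime() / 1000);
        var windowStart = epoch - (epoch mod arguments.windowSeconds);
        var bucket = arguments.subscriberKey & "|" & windowStart;   // "|" never appears in the identities used
        var count = 0;

        lock scope="application" type="exclusive" timeout="2" {
            if (!structKeyExists(application, "rateCounters")) application.rateCounters = {};
            // drop counters from earlier windows so the struct cannot grow without bound
            var stale = [];
            for (var k in application.rateCounters) {
                if (listLast(k, "|") < windowStart) arrayAppend(stale, k);
            }
            for (var s in stale) structDelete(application.rateCounters, s);
            if (!structKeyExists(application.rateCounters, bucket)) application.rateCounters[bucket] = 0;
            application.rateCounters[bucket]++;
            count = application.rateCounters[bucket];
        }

        var result = {
            allowed      = (count <= arguments.hardLimit),
            softExceeded = (count > arguments.softLimit),
            count        = count,
            remaining    = max(arguments.hardLimit - count, 0),
            // seconds until the window rolls over; only meaningful when the request is rejected
            retryAfter   = windowStart + arguments.windowSeconds - epoch
        };
        result.status = result.allowed ? 200 : 429;
        return result;
    }

    // Emits the rate-limit headers for a decision; call before writing the response body.
    public void function applyHeaders(required struct decision) {
        cfheader(name = "X-RateLimit-Remaining", value = arguments.decision.remaining);
        if (arguments.decision.softExceeded && arguments.decision.allowed) {
            cfheader(name = "X-RateLimit-Warning", value = "soft limit exceeded");   // served, but flagged
        }
        if (!arguments.decision.allowed) {
            cfheader(statuscode = 429, statustext = "Too Many Requests");
            cfheader(name = "Retry-After", value = arguments.decision.retryAfter);
        }
    }
}
```

A fixed window is the simplest scheme and is enough to show the soft/hard distinction; its known weakness is that a client can send up to twice the limit across a window boundary, which a sliding window or token bucket avoids at the cost of more state per subscriber.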
- 56.
Analytics
Administrator Analytics
Publisher Analytics
Subscriber Analytics
- 57.
Recap - APIs: from concept to go-to-market
Step 1: Define your business objectives
Step 2: Design your API
Step 3: On-board your API
Step 4: Manage your API
Step 5: Secure your API
Step 6: Engage customers
Step 7: Measure impact