Scanning the Internet for External Cloud Exposures via SSL Certs
Representational State Transfer (REST)
1. Representational State Transfer (REST)
Representational State Transfer (REST) is a style of software
architecture for distributed systems such as the World Wide Web. REST has emerged as a
predominant Web service design model.
Key goals
Key goals of REST include:
Scalability of component interactions
Generality of interfaces
Independent deployment of components
Intermediary components to reduce latency, enforce security and encapsulate legacy
systems
REST has been applied to describe the desired web architecture, to help identify existing
problems, to compare alternative solutions, and to ensure that protocol extensions would not
violate the core constraints that make the Web successful.
Constraints
The REST architectural style describes the following six constraints applied to the architecture,
while leaving the implementation of the individual components free to design:
Client–server
A uniform interface separates clients from servers. This separation of concerns means
that, for example, clients are not concerned with data storage, which remains internal to
each server, so that the portability of client code is improved. Servers are not concerned
with the user interface or user state, so that servers can be simpler and more scalable.
Servers and clients may also be replaced and developed independently, as long as the
interface between them is not altered.
Stateless
The client–server communication is further constrained by no client context being stored
on the server between requests. Each request from any client contains all of the
information necessary to service the request, and any session state is held in the client.
Cacheable
As on the World Wide Web, clients can cache responses. Responses must therefore,
implicitly or explicitly, define themselves as cacheable, or not, to prevent clients reusing
stale or inappropriate data in response to further requests. Well-managed caching
2. partially or completely eliminates some client–server interactions, further improving
scalability and performance.
Layered system
A client cannot ordinarily tell whether it is connected directly to the end server, or to an
intermediary along the way. Intermediary servers may improve system scalability by
enabling load-balancing and by providing shared caches. They may also enforce security
policies.
Code on demand (optional)
Servers are able temporarily to extend or customize the functionality of a client by the
transfer of executable code. Examples of this may include compiled components such
as Java applets and client-side scripts such as JavaScript.
Uniform interface
The uniform interface between clients and servers, discussed below, simplifies and
decouples the architecture, which enables each part to evolve independently. The four
guiding principles of this interface are detailed below.
The only optional constraint of REST architecture is code on demand. If a service violates any
other constraint, it cannot strictly be considered RESTful.
Central principle
An important concept in REST is the existence of resources (sources of specific information),
each of which is referenced with a global identifier (e.g., a URI in HTTP). In order to manipulate
these resources, components of the network (user agents and origin servers) communicate via a
standardized interface (e.g., HTTP) and exchange representations of these resources (the actual
documents conveying the information). For example, a resource that represents a circle (as a
logical object) may accept and return a representation that specifies a center point and radius,
formatted in SVG, but may also accept and return a representation that specifies any three
distinct points along the curve (since this also uniquely identifies a circle) as a comma-separated
list.
Any number of connectors (e.g., clients, servers, caches, tunnels, etc.) can mediate the request,
but each does so without "seeing past" its own request (referred to as "layering," another
constraint of REST and a common principle in many other parts of information and networking
architecture). Thus, an application can interact with a resource by knowing two things: the
identifier of the resource and the action required—it does not need to know whether there are
caches, proxies, gateways, firewalls, tunnels, or anything else between it and the server actually
holding the information. The application does, however, need to understand the format of the
information (representation) returned, which is typically an HTML, XML or JSON document of
some kind, although it may be an image, plain text, or any other content.
3. RESTful web services
A RESTful web service (also called a RESTful web API) is a web service implemented using HTTP
and the principles of REST. It is a collection of resources, with four defined aspects: the base URI
for the web service, such as http://example.com/resources/
The Internet media type of the data supported by the web service. This is often XML but can
be any other valid Internet media type providing that it is a valid hypertext standard.
The set of operations supported by the web service using HTTP methods (e.g., GET, PUT,
POST, or DELETE).
The API must be hypertext driven.
The following table shows how the HTTP methods are typically used to implement a web
service.
RESTful Web Service HTTP methods
Resource GET PUT POST DELETE
Create a new
entry in the
collection. The
List the URIs and
Replace the new entry's
Collection URI, such perhaps other Delete
entire collection URL is
ashttp://example.com/re details of the the entire
with another assigned
sources/ collection's collection.
collection. automatically
members.
and is usually
returned by
the operation.
Not generally
Retrieve a
used. Treat
representation of Replace the Delete
the addressed
the addressed addressed the
Element URI, such member as a
member of the member of the addressed
ashttp://example.com/re collection in its
collection, collection, or if member
sources/item17 own right
expressed in an it doesn't exist, of the
and create a
appropriate Internet create it. collection.
new entry in
media type.
it.
4. The PUT and DELETE methods are idempotent methods. The GET method is a safe method (or
nullipotent), meaning that calling it produces no side-effects.
Unlike SOAP-based web services, there is no "official" standard for RESTful web services. This is
because REST is an architectural style, unlike SOAP, which is a protocol. Even though REST is not
a standard, a RESTful implementation such as the Web can use standards like HTTP, URI, XML,
etc.
Why is it called Representational State Transfer?
The Web is comprised of resources. A resource is any item of interest. For example, the
Boeing Aircraft Corp may define a 747 resource. Clients may access that resource with this
URL:
http://www.boeing.com/aircraft/747
A representation of the resource is returned (e.g., Boeing747.html). The representation
places the client application in a state. The result of the client traversing a hyperlink in
Boeing747.html is another resource is accessed. The new representation places the client
application into yet another state. Thus, the client application changes (transfers) state
with each resource representation --> Representational State Transfer!
Here is Roy Fielding's explanation of the meaning of Representational State Transfer:
"Representational State Transfer is intended to evoke an image of how a well-designed Web
application behaves: a network of web pages (a virtual state-machine), where the user
progresses through an application by selecting links (state transitions), resulting in the next
page (representing the next state of the application) being transferred to the user and
rendered for their use."
REST - An Architectural Style, Not a Standard
REST is not a standard. You will not see the W3C putting out a REST specification. You will
not see IBM or Microsoft or Sun selling a REST developer's toolkit. Why? Because REST is
just an architectural style. You can't bottle up that style. You can only understand it, and
design your Web services in that style. (Analogous to the client-server architectural style.
There is no client-server standard.)
While REST is not a standard, it does use standards:
HTTP
URL
XML/HTML/GIF/JPEG/etc (Resource Representations)
text/xml, text/html, image/gif, image/jpeg, etc (MIME Types)
5. REST Web Services Characteristics
Here are the characteristics of REST:
Client-Server: a pull-based interaction style: consuming components pull
representations.
Stateless: each request from client to server must contain all the information
necessary to understand the request, and cannot take advantage of any stored
context on the server.
Cache: to improve network efficiency responses must be capable of being labeled as
cacheable or non-cacheable.
Uniform interface: all resources are accessed with a generic interface (e.g., HTTP
GET, POST, PUT, DELETE).
Named resources - the system is comprised of resources which are named using a
URL.
Interconnected resource representations - the representations of the resources are
interconnected using URLs, thereby enabling a client to progress from one state to
another.
Layered components - intermediaries, such as proxy servers, cache servers,
gateways, etc, can be inserted between clients and resources to support
performance, security, etc.
Principles of REST Web Service Design
1. The key to creating Web Services in a REST network (i.e., the Web) is to identify all of
the conceptual entities that you wish to expose as services. Above we saw some examples
of resources: parts list, detailed part data, purchase order.
2. Create a URL to each resource. The resources should be nouns, not verbs. For example,
do not use this:
http://www.parts-depot.com/parts/getPart?id=00345
Note the verb, getPart. Instead, use a noun:
http://www.parts-depot.com/parts/00345
3. Categorize your resources according to whether clients can just receive a representation
of the resource, or whether clients can modify (add to) the resource. For the former, make
those resources accessible using an HTTP GET. For the later, make those resources
accessible using HTTP POST, PUT, and/or DELETE.
4. All resources accessible via HTTP GET should be side-effect free. That is, the resource
should just return a representation of the resource. Invoking the resource should not result
in modifying the resource.
5. No man/woman is an island. Likewise, no representation should be an island. In other
words, put hyperlinks within resource representations to enable clients to drill down for
more information, and/or to obtain related information.
6. Design to reveal data gradually. Don't reveal everything in a single response document.
Provide hyperlinks to obtain more details.
6. 7. Specify the format of response data using a schema (DTD, W3C Schema, RelaxNG, or
Schematron). For those services that require a POST or PUT to it, also provide a schema to
specify the format of the response.
8. Describe how your services are to be invoked using either a WSDL document, or simply
an HTML document.
Summary
This article described REST as an architectural style. In fact, it's the architectural style of
the Web. REST describes what makes the Web work well. Adhering to the REST principles
will make your services work well in the context of the Web.
References
1. http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
2. http://www.wikipedia.org/