JDD2014: What you won't read in books about implementing REST services - Jakub Kubryński

The thin line between RESTful and AWful
Jakub Kubrynski
jk@devskiller.com / @jkubrynski 1 / 48

"The Code is more what you'd call guidelines than actual rules. Welcome
aboard the Black Pearl, Miss Turner"
-- Cpt. Hector Barbossa to Elizabeth Swann
RT Ben Hale

Formal REST constraints
Client-Server
Stateless
Cache
Interface / Uniform Contract
Layered System

Richardson maturity model
http://martinfowler.com/articles/richardsonMaturityModel.html

POST vs PUT

POST vs PUT
POST creates new resources

POST vs PUT
POST creates new resources
PUT updates existing resources
PUT can create resource if ID is already known

Maybe PATCH?
no "out of the box" support

Maybe PATCH?
no "out of the box" support
partial update
@RequestMapping(value = "/{id}", method = PATCH)
public void updateArticle(HttpServletRequest request, @PathVariable("id") String id) {
Article currentArticle = repository.findOne(id);
Article updatedArticle = objectMapper.readerForUpdating(currentArticle)
.readValue(request.getReader());
repository.save(updatedArticle);
}

Caching
be aware - especially IE caches aggressively

Caching
be aware - especially IE caches aggressively
disable caching
@Configuration
public class RestConfig extends WebMvcConfigurerAdapter {
@Override
public void addInterceptors(InterceptorRegistry registry) {
WebContentInterceptor webContentInterceptor = new WebContentInterceptor();
webContentInterceptor.setCacheSeconds(0);
registry.addInterceptor(webContentInterceptor);
}
}

Cache headers
cache-control: public, max-age=0, no-cache
public / private
no-cache
no-store
max-age
s-maxage

Cache headers
cache-control: public, max-age=0, no-cache
public / private
no-cache
no-store
max-age
s-maxage
ETag
If-None-Match: "0d41d8cd98f00b204e9800998ecf8427e"
Spring brings ShallowEtagHeaderFilter

Compression
reduces response size dramatically
in Tomcat extend Connector with
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml"

HATEOAS
self-descriptive
client understands hypermedia
{
"name": "Alice",
"links": [
{ "rel": "self", "href": "/customers/1213" },
{ "rel": "parent", "href": "/customers/14" },
{ "rel": "currentOrder", "href": "/orders/14312" }
]
}
HTTP/1.1 201 Created
Location: http://api.mydomain.com/orders/1234

HATEOAS in Spring
public class Customer extends ResourceSupport { ... }
// or wrap entity into Resource object

HATEOAS in Spring
public class Customer extends ResourceSupport { ... }
// or wrap entity into Resource object
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.*;
public HttpEntity<Customer> get(@PathVariable("id") String customerId) {
Customer customer = repository.findOne(customerId);
String pId = customer.getBoss();
String oId = customer.currentOrderId();
customer.add(linkTo(methodOn(CustomerController.class).get(customerId)).withSelfRel());
customer.add(linkTo(methodOn(CustomerController.class).get(pId)).withRel("parent"));
customer.add(linkTo(methodOn(OrderController.class).get(oId)).withRel("currentOrder"));
return new ResponseEntity<Customer>(customer, HttpStatus.OK);
}
public ResponseEntity create(@RequestBody Customer customer) {
String id = repository.save(customer);
return ResponseEntity.created(linkTo(CustomerController.class).slash(id).toUri())
.build();
}

@DanaDanger HTTP codes classification
20x: cool
30x: ask that dude over there
40x: you fucked up
50x: we fucked up

Exceptions
include detailed information
{
"status": 400,
"code": 40483,
"message": "Incorrect body signature",
"moreInfo": "http://www.mycompany.com/errors/40483"
}

Exceptions
include detailed information
{
"status": 400,
"code": 40483,
"message": "Incorrect body signature",
"moreInfo": "http://www.mycompany.com/errors/40483"
}
hide stacktrace

Handling Spring MVC exceptions
@ControllerAdvice
public class MyExceptionHandler extends ResponseEntityExceptionHandler {
/* Handling framework exceptions */
@Override
protected ResponseEntity<Object> handleExceptionInternal(Exception ex, Object body,
HttpHeaders headers, HttpStatus status, WebRequest request) {
LOG.error("Spring MVC exception occurred", ex);
return super.handleExceptionInternal(ex, body, headers, status, request);
}
/* Handling application exceptions */
@ResponseStatus(value = HttpStatus.NOT_FOUND)
@ExceptionHandler(ResourceNotFoundException.class)
public void handleResourceNotFound() {
}
}

API Versioning
don't even think about
api.domain.com/v2/orders
URIs to the same resources should be fixed between
versions

API Versioning
don't even think about
api.domain.com/v2/orders
URIs to the same resources should be fixed between
versions
use Content-Type
1 version: application/vnd.domain+json
2 version: application/vnd.domain.v2+json

Filtering and sorting
GET /reviews?rating=5
GET /reviews?rating=5&sortAsc=author

Dynamic queries are easier in POST body

Dynamic queries are easier in POST body
POST /reviews/searches
GET /reviews/searches/23?page=2

Documentation
runnable with examples
Swagger

Stateless or not?
password hashing cost
session replication
load-balancing

Stateless or not?
password hashing cost
session replication
load-balancing
...
stateless session?

Avoiding session creation in Spring
@EnableWebSecurity
public class SpringSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/secure/**").fullyAuthenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.httpBasic();
}
}

Security
SQL Injection
XSS
CSRF
XXE

HQL Injection
List<Product> products = em.createQuery(
"SELECT p FROM Product p where p.category = '" + categ + "'", Product.class)
.getResultList();

HQL Injection
.getResultList();
categ = ' OR '1'='1

HQL Injection
.getResultList();
categ = ' OR '1'='1
SELECT __fields__ FROM products WHERE category = '' OR '1'='1'

HQL Injection
.getResultList();
categ = ' OR '1'='1
"SELECT p FROM Product p where p.category = :categ", Product.class)
.setParameter("categ", categ)
.getResultList();

HQL Injection
.getResultList();
categ = ' OR '1'='1
"SELECT p FROM Product p where p.category = :categ", Product.class)
.setParameter("categ", categ)
.getResultList();
SELECT __fields__ FROM products WHERE category = ' OR ''1''=''1'''

CSRF - Cross-site request forgery
<img src="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">
<form action="https://api.mybank.com/transfers" method="POST">
<input type="hidden" name="from" value="1233"/>
<input type="hidden" name="to" value="1234"/>
<input type="hidden" name=amount" value="5000"/>
<input type="submit" value="Celebrity Nude Photos!"/>
</form>

CSRF - Cross-site request forgery
<img src="https://api.mybank.com/transfers/from/1233/to/1234/amount/5000">
<form action="https://api.mybank.com/transfers" method="POST">
<input type="hidden" name="from" value="1233"/>
<input type="hidden" name="to" value="1234"/>
<input type="hidden" name=amount" value="5000"/>
<input type="submit" value="Celebrity Nude Photos!"/>
</form>
One time request tokens
Correct CORS headers

CORS - Cross Origin Requests Sharing
Preflight request
OPTIONS /cors HTTP/1.1
Origin: http://www.domain.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Custom-Header
Host: api.mydomain.org
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0...
Preflight response
Access-Control-Allow-Origin: http://www.domain.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: X-Custom-Header
Content-Type: text/html; charset=utf-8

XML External Entity
<?xml version="1.0" encoding="utf-8"?>
<comment>
<text>Yeah! I like it!</text>
</comment>

XML External Entity
<comment>
<text>Yeah! I like it!</text>
</comment>
<!DOCTYPE myentity [ <!ENTITY a "Yeah! I like it!"> ]>
<comment>
<text>&a;</text>
</comment>

XML External Entity
<!DOCTYPE myentity [ <!ENTITY a SYSTEM "/etc/passwd"> ]>
<comment>
<text>&a;</text>
</comment>

XML External Entity
<!DOCTYPE myentity [ <!ENTITY a SYSTEM "/etc/passwd"> ]>
<comment>
<text>&a;</text>
</comment>
<comment>
<text>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
.....
</text>
</comment>

XML External Entity
<!DOCTYPE myentity [
<!ENTITY a "abcdefghij1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;" >
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;" >
...
<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;" >
]>
<comment>
<text>&h;</text>
</comment>

http://knowyourmeme.com/photos/531557 thx to @mihn

Thanks!

JDD2014: What you won't read in books about implementing REST services - Jakub Kubryński

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie JDD2014: What you won't read in books about implementing REST services - Jakub Kubryński

Ähnlich wie JDD2014: What you won't read in books about implementing REST services - Jakub Kubryński (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

JDD2014: What you won't read in books about implementing REST services - Jakub Kubryński