Architecting & Building Scalable, Secure Web API
Shakil Akhtar
About Me
- Oracle Certified Master Java Enterprise Architect
- TOGAF 9 Certified Enterprise Architect
- AWS (Amazon Cloud) Certified Solutions Architect
- Spring Source Certified Enterprise Integration Specialist
- Apache Phoenix Contributor
- Member AEA (Association of Enterprise Architects)
- Cloudera Certified Developer For Hadoop
- SCJDWS
- SCWCD
- SCJP
Agenda
- Technical approach to designing and developing enterprise-scale, reliable Web APIs
- Discussion of the various parameters to consider while architecting robust RESTful services
- Q&A
A Quick Rundown
- API overview
- API methodologies
- Technical considerations for APIs
- Services scalability
- Security methodologies
- Best practices
What are APIs?
- API = Application Programming Interface
- Business capabilities exposed over the internet for applications to use
- An API is external facing
- Web Service = API that operates over HTTP
- In this presentation, API == REST
Why Create an API?
- Extend your product reach
- Encourage mashups
- Expose your data programmatically
- Connect with developers
API Success Stories
- Twitter
- Facebook
- Amazon Web Services
- LinkedIn
- Salesforce API
- ... and many more
Discovering and Describing APIs
- The API description needs to be extremely useful and meaningful
- APIs need to be published somewhere to be discovered
- A comprehensive API management platform needs at least three main components: a publisher, a store, and a gateway
API Management Platform (diagram)
API Centric Architecture (diagram)
API Tier Architecture (diagram)
Popular Methodologies
- REST
- SOAP
- XML-RPC
Why REST?
- Scalability
- Generality
- Independence
- Latency (caching)
- Security
- Encapsulation
Key Design Principles for APIs
Key Design Principles
- Designing APIs for Specific Audiences
  - Designing for Developers
  - Designing for Application Users
- Best Practices for API Design
  - Differentiate Your API
  - Make Your API Easy to Try and Use
  - Make Your API Easy to Understand
  - Don't Do Anything Weird
  - Less Is More
  - Target a Specific Developer Segment
Technical Considerations for API Design
Technical Considerations for API Design
- REST
  - Pure REST
    - Follows the dictates of Fielding's dissertation
  - Pragmatic REST
    - Follows certain REST principles, but not all of them
    - Easy to learn and navigate; represents the majority of public APIs
  - Pragmatic RESTful Principles
    - Uses the best parts of the RESTful concept
Example: Designing with Pragmatic REST
- The wrong way to REST (the operation is encoded in the URI and almost everything is tunnelled through POST)

  Task                          Operation  URI
  Insert new item into the cart POST       http://api.shopping.com/InsertNewItem
  Delete item from the cart     POST       http://api.shopping.com/DeleteItem
  List everything in the cart   GET        http://api.shopping.com/ListCart?cartId=X
  Get an item in the cart       GET        http://api.shopping.com/ShowItem?cartId=X&itemid=Y
  Delete the whole cart         POST       http://api.shopping.com/DeleteCart
Example:
- Pragmatic RESTful Shopping Cart
- Something REST needs a Rest
- XML vs. JSON

  Task                          Operation  URI
  Insert new item into the cart POST       http://api.shopping.com/cart/cartName
  Delete item from the cart     DELETE     http://api.shopping.com/cart/cartName/item/itemName
  List everything in the cart   GET        http://api.shopping.com/cart/cartName
  Get an item in the cart       GET        http://api.shopping.com/cart/cartName/item/itemName
  Replace an entire item        PUT        http://api.shopping.com/cart/cartName/item/itemName
  Delete the whole cart         DELETE     http://api.shopping.com/cart/cartName
Versioning and API Design
- URL
  - https://api.mycomp.com/v1
- Media Types
  - application/json+foo;application&v=1
- Having a Mediation Layer
- Taking the Plunge: Going Versionless
Designing Infrastructure for APIs
- Data Center or Cloud?
- Caching Strategies
- Controlling API Traffic
  - Business-Level Traffic Management
    - Quotas
    - Throttling
  - Operational Traffic Management
    - Spike Arresting
  - API Gateways
    - Approaches to API Gateways in the Cloud
Scalability
Scalability Layers (diagram)
Layers: Internet; Enterprise infrastructure and integrations; Platform; Enterprise Server; Enterprise Applications
Components shown:
- External Network
- User Devices
- Network and hardware
- Database
- Services
- Operating System
- Cloud Platform
- Web Server
- Application Server
- Application Modules
- APIs
Dimensions of Scalability
- Load scalability
- Functional scalability
- Integration scalability
- Geographic scalability
Services Scalability
- Designing scalable services
  - Granularity of service
  - Services per business process
  - Lightweight service
  - Stateless nature
  - Asynchronous invocation
  - RESTful services
  - Service layer caching
- Architecting scalable services infrastructure
- Clustered server configuration of web services
Clustered server configuration for services (diagram)
Distributed Clustered ESB Configuration for Services (diagram)
Scaling HTTP
- Statelessness and scalability
- ETags / Last-Modified
- Caching and proxies
- HEAD
- "Expect: 100-continue"
- Batch operations
- Transactions & compensation
Stateless client/server approach
- All communication is stateless
- Session state is kept on the client!
  - Client is responsible for transitioning to new states
  - States are represented by URIs
- Improves:
  - Visibility
  - Reliability
  - Scalability
Link state transitions for a coffee order (diagram)
ETag Header
- A resource may return an ETag header when it is accessed
- On subsequent retrieval of the resource, the client sends this ETag back (in an If-None-Match header)
- If the resource has not changed (i.e. the ETag is the same), an empty response with a 304 code is returned
- Reduces bandwidth/latency
ETag Example (client on the left, server on the right in the original diagram)
1. Client requests the resource:
GET /feed.atom
Host: www.myhost.com
…
2. Server answers with the validator:
HTTP/1.1 200 OK
Date: …
ETag: "3e86-410-3596fbbc"
Content-Length: 1040
Content-Type: text/html
…
3. Client revalidates, sending the ETag back:
GET /feed.atom
If-None-Match: "3e86-410-3596fbbc"
Host: www.myhost.com
…
4. Server confirms nothing changed and sends no body:
HTTP/1.1 304 Not Modified
Date: …
ETag: "3e86-410-3596fbbc"
Content-Length: 0
Revalidation and Conditional GETs
- Last-Modified
  - Represents the timestamp of the data sent by the server
  - Do a conditional GET using If-Modified-Since
Server response:
HTTP/1.1 200 OK
Content-Type: application/xml
Cache-Control: max-age=1000
Last-Modified: Tue, 15 May 2009 09:56 EST
<customer id="123">...</customer>
Client revalidation:
GET /customers/123 HTTP/1.1
If-Modified-Since: Tue, 15 May 2009 09:56 EST
Last-Modified Example (client on the left, server on the right in the original diagram)
1. Client requests the resource:
GET /feed.atom
Host: www.acme.com
…
2. Server answers with Last-Modified:
HTTP/1.1 200 OK
Date: …
Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT
Content-Length: 1040
Content-Type: text/html
…
3. Client revalidates with the timestamp it was given:
GET /feed.atom
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
Host: www.myhost.com
…
4. Server confirms nothing changed and sends no body:
HTTP/1.1 304 Not Modified
Date: …
Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT
Content-Length: 0
Scalability through Caching
- A.k.a. "cache the hell out of it"
- Reduce latency, network traffic, and server load
- Types of cache:
  - Browser
  - Proxy
  - Gateway
Web Caches (diagram)
How Caching Works
- A resource is eligible for caching if:
  - The HTTP response headers don't say not to cache it
  - The response is not authenticated or secure
  - No ETag or Last-Modified header is present
  - The cached representation is fresh
- A good post: http://www.mnot.net/cache_docs/
Is your cache fresh?
- Yes, if:
  - The expiry time has not been exceeded
  - The representation was Last-Modified a relatively long time ago
- If it's stale, the remote server will be asked to validate whether the representation is still fresh
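The freshness rules on this slide, worked as an added example that is not part of the deck: a small cache-side check in Python that derives a freshness lifetime from Cache-Control max-age, Expires, or (when neither is present) the Last-Modified heuristic the slide alludes to, and decides whether a stored response can be served without going back to the origin. The header values and the SAMPLE_STORED_AT timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed reference point: when this cache stored the response (the deck's 2009 example date).
SAMPLE_STORED_AT = datetime(2009, 5, 15, 10, 0, 0, tzinfo=timezone.utc)


def parse_http_date(value):
    """Parse an HTTP-date; treat a zone-less date as UTC so comparisons never mix naive/aware."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def parse_cache_control(value):
    """'max-age=1000, public' -> {'max-age': '1000', 'public': ''}"""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives


def freshness_lifetime(headers, stored_at):
    """Seconds the stored response may be reused without revalidation.
    Precedence follows RFC 7234 section 4.2: max-age, then Expires, then a heuristic."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0                      # never reuse without asking the origin
    if "max-age" in cc and cc["max-age"].isdigit():
        return int(cc["max-age"])     # explicit expiry from the origin
    if "Expires" in headers:
        try:
            return max(0, int((parse_http_date(headers["Expires"]) - stored_at).total_seconds()))
        except (TypeError, ValueError):
            return 0                  # malformed Expires counts as already expired
    if "Last-Modified" in headers:
        # Heuristic: a representation that has not changed for a long time is unlikely to
        # change soon. RFC 7234 suggests a fraction (commonly 10%) of the time since Last-Modified.
        try:
            since_change = (stored_at - parse_http_date(headers["Last-Modified"])).total_seconds()
        except (TypeError, ValueError):
            return 0
        return int(max(0.0, since_change) * 0.10)
    return 0                          # no freshness information at all: treat as stale


def is_fresh(headers, stored_at, now):
    """Fresh while the current age (time in this cache plus any upstream Age) is below the lifetime."""
    age_header = headers.get("Age", "0")
    upstream_age = int(age_header) if age_header.isdigit() else 0
    current_age = upstream_age + (now - stored_at).total_seconds()
    return current_age < freshness_lifetime(headers, stored_at)


def fresh_after(headers, seconds):
    """Is a response stored at SAMPLE_STORED_AT still fresh `seconds` later?"""
    return is_fresh(headers, SAMPLE_STORED_AT, SAMPLE_STORED_AT + timedelta(seconds=seconds))


if __name__ == "__main__":
    explicit = {"Cache-Control": "max-age=1000", "Last-Modified": "Fri, 15 May 2009 09:56:00 GMT"}
    heuristic = {"Last-Modified": "Sat, 29 Oct 1994 19:43:31 GMT"}
    print("max-age=1000, fresh after 999 s:", fresh_after(explicit, 999))
    print("heuristic lifetime in seconds:", freshness_lifetime(heuristic, SAMPLE_STORED_AT))
```

A stale entry is not discarded: the cache keeps it and revalidates with If-None-Match or If-Modified-Since, exactly the exchanges shown on the previous slides, and a 304 refreshes the entry without re-downloading the body.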
Concurrency
- When many clients try to update a resource
- Conditional PUT or POST
A conditional PUT request (diagram)
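The ETag and Last-Modified exchanges above and the conditional PUT on this slide, as an added Python example that is not from the deck: a minimal origin-side handler that answers conditional GETs with 304 and refuses a PUT whose If-Match no longer names the current representation (412), so two clients updating the same resource cannot silently overwrite each other. STORE, make_etag and the hash-derived ETag scheme are assumptions made for the example; the /customers/123 body and date are taken from the slide.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime

# Constructed in-memory resource store: path -> (representation bytes, last-modified time).
STORE = {
    "/customers/123": (b'<customer id="123">...</customer>',
                       datetime(2009, 5, 15, 9, 56, 0, tzinfo=timezone.utc)),
}


def make_etag(body):
    """Strong validator derived from the representation bytes (hypothetical scheme, not the deck's)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def http_date(dt):
    return formatdate(dt.timestamp(), usegmt=True)


def parse_http_date(value):
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def etag_list(value):
    return [t.strip() for t in value.split(",")]


def handle_get(path, headers):
    """Conditional GET -> (status, headers, body); 304 with no body when the client's copy is current."""
    if path not in STORE:
        return 404, {}, b""
    body, last_mod = STORE[path]
    etag = make_etag(body)
    resp = {"ETag": etag, "Last-Modified": http_date(last_mod)}
    if "If-None-Match" in headers:
        # RFC 7232: when If-None-Match is present, If-Modified-Since is ignored
        tags = etag_list(headers["If-None-Match"])
        if "*" in tags or etag in tags:
            return 304, resp, b""
    elif "If-Modified-Since" in headers:
        try:
            if last_mod <= parse_http_date(headers["If-Modified-Since"]):
                return 304, resp, b""
        except (TypeError, ValueError):
            pass  # unparseable date: precondition ignored, full response sent
    resp["Content-Length"] = str(len(body))
    return 200, resp, body


def handle_put(path, headers, new_body):
    """Conditional PUT: the caller must prove it saw the current version (If-Match) before overwriting."""
    if path not in STORE:
        return 404, {}, b""
    current = make_etag(STORE[path][0])
    if "If-Match" not in headers:
        # Fail-safe default: refuse unconditional writes to a shared resource (RFC 6585, 428)
        return 428, {"ETag": current}, b""
    tags = etag_list(headers["If-Match"])
    if "*" not in tags and current not in tags:
        # Someone else changed the resource since this client fetched it: lost update prevented
        return 412, {"ETag": current}, b""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    STORE[path] = (new_body, now)
    return 200, {"ETag": make_etag(new_body), "Last-Modified": http_date(now)}, new_body


if __name__ == "__main__":
    status, hdrs, _ = handle_get("/customers/123", {})
    print(status, hdrs)
    print(handle_get("/customers/123", {"If-None-Match": hdrs["ETag"]})[0])          # 304
    print(handle_put("/customers/123", {"If-Match": '"stale"'}, b"<customer/>")[0])  # 412
```

The 428 on a missing If-Match is a design choice, not something HTTP requires: it forces every writer to fetch first and carry the validator, which is what makes the optimistic-concurrency guarantee hold for all clients rather than only the careful ones.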
Scalability through URLs and Content-Types
- Information about where the request is destined is held outside the message body:
  - Content-Type
    - application/purchase-order+xml
    - image/jpeg
  - URL
  - Other headers
- Allows easy routing to the appropriate server with little overhead
HEAD
- Allows you to get metadata about a resource without getting the resource itself
- Identical to GET, except no body is sent
- Uses:
  - Testing that a resource is available
  - Testing link validity
  - Learning when a resource was last modified
Client request:
HEAD /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.mycomp.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Server response (headers only, no body):
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Close
100 Continue
- Allows the client to determine whether the server is willing to accept a request, based on the request headers alone
- It may be highly inefficient to send the full request if the server will reject it
100 Continue exchange
1. Client sends the initial headers, including:
   Expect: 100-continue
   followed by the blank line that ends the headers
2. Server sends:
   100 Continue
   followed by a blank line
3. Client sends the full message body
Transactions
- The web is NOT designed for transactions
  - The client is responsible for committing/rolling back transactions, and the client may not fulfil its responsibilities
  - Transactions can take too long over the web and tie up important resources
- In general, it is much better to build application-specific compensation into distributed services
So you really want transactions…
- People sometimes use HTTP for transactions
- Notable example: SVN
- It is possible to model a resource as a transaction
  - POST: create a new transaction
  - PUT: send the "commit" state to the transaction
  - DELETE: roll back the transaction
Batch Operations
- How do we manipulate multiple resource states at the same time?
- Options:
  - Use HTTP connection pipelining
    - Broken by some firewalls
Scalability Best Practices
- Stateless sessions
- Lightweight design
- On-demand data loading
- Resource pooling
- Using proven technologies
- Optimal enterprise integrations
Scalability Best Practices Cont.
- Scalability by design
- Latency and throughput optimization
- Early runtime application analysis
- Avoid blocked waits
- Rules-engine-based business logic
Security
API Security Architecture (diagram)
Security By Design
- Design Challenges
  - User Comfort
  - Performance
  - Weakest Link
  - Defense in Depth
  - Insider Attacks
  - Security by Obscurity
- Design Principles
  - Least Privilege
  - Fail-Safe Defaults
  - Economy of Mechanism
  - Complete Mediation
  - Open Design
  - Separation of Privilege
  - Least Common Mechanism
  - Psychological Acceptability
Security By Design
- CIA
  - Confidentiality
  - Integrity
  - Availability
- Security Controls
  - Authentication
  - Authorization
  - Nonrepudiation
  - Auditing
- Security Patterns
Securing REST
REST Security
- None built in
- Encryption over HTTPS
- Left to the implementer
- Error handling left to the implementer
Security Mechanism
- OAuth
- BasicAuth
- API Keys
OAuth
- OAuth description points
BasicAuth
- Passes a username and password with the request
- Defined by the HTTP specification
- BasicAuth do's
  - SSL is a must
    - Username / password are transmitted in clear text
    - Base64 encoded, but not encrypted
BasicAuth Pros & Cons
- Pros
  - Client requests are easy
    - Part of nearly every HTTP request library
  - Server setup is easy
    - Use existing BasicAuth credentials
- Cons
  - Requires a username and password for a user
  - Credentials are not, by default, encrypted
  - Requires the username and password to be embedded in client code
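An added example, not from the deck, of how a server should treat the BasicAuth header the slides describe: the header is only Base64 (anyone who sees it can read the password, which is why SSL/TLS is a must), so the check refuses to run off TLS, stores only salted PBKDF2 hashes, and compares digests in constant time. The user record, password and PBKDF2 parameters are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the server never stores what the header carries."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user database: username -> (salt, digest). "alice" and her password are made up here.
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy record so an unknown user costs the same PBKDF2 work as a real one (no enumeration by timing).
_DUMMY = hash_password("dummy", salt=b"\x00" * 16)


def basic_header(username, password):
    """What the client sends: Base64 of 'user:pass'. Readable by anyone who sees it, hence TLS."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header_value):
    """Return (username, password) from an Authorization header value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:          # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    username, sep, password = raw.partition(":")   # the password itself may contain ':'
    return (username, password) if sep else None


def authenticate(headers, over_tls):
    """Return the authenticated username, or None. Refuses to even look at credentials off TLS."""
    if not over_tls:
        return None                                 # fail-safe default: SSL is a must
    auth = headers.get("Authorization")
    creds = parse_basic(auth) if auth else None
    if creds is None:
        return None
    username, password = creds
    salt, stored = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison; the 'in USERS' check keeps the dummy record from ever authenticating.
    if username in USERS and hmac.compare_digest(candidate, stored):
        return username
    return None


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse battery staple")
    print(hdr)                                       # Base64, trivially reversible
    print(base64.b64decode(hdr.split(" ", 1)[1]))    # b'alice:correct horse battery staple'
    print(authenticate({"Authorization": hdr}, over_tls=True))
```

The `over_tls` flag stands in for whatever the server framework exposes about the connection (or the trusted proxy's forwarded-protocol header); the point is that the decision is made before the credentials are parsed, not after.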
Access Keys
- Not based on any standard
- Implementation requirements are up to the service provider
- Keys -> signatures
Access Key Basics
- Part of the URL:
  http://xyz.com/api?key=23sdbk32
- Sign the request with the key instead of passing it in the URL
- Use the params + a shared secret as the signature
Signed Request Workflow (diagram: client and server)
Access Keys Pros & Cons
- Pros
  - Easy to generate keys and distribute them
  - Typically removes the need to transfer the username and password in raw form
  - Signed requests prevent altering parameters
- Cons
  - Unsigned
    - Must embed them in code
    - SSL is not required, so they will (by default) transfer in plaintext
  - Signed
    - Encryption is scary....ish
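Signed requests as the slides outline them ("params + shared secret as signature"), as an added example that is not the deck's code: the client attaches its key id and a timestamp and signs a canonical form of the request with HMAC-SHA256; the server recomputes the MAC from what it actually received, so any altered parameter, method or path fails verification, and the shared secret itself never appears in the URL. SECRETS, the parameter names and the 300-second skew window are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed key registry: access key id -> shared secret. The secret is known to both ends but
# never travels in the request; only the key id and the signature do.
SECRETS = {"AKID123": b"constructed-shared-secret"}
MAX_SKEW_SECONDS = 300   # how far a request's timestamp may drift from server time


def canonical_string(method, path, params):
    """Deterministic serialisation of everything the signature covers (the signature itself excluded)."""
    covered = sorted((k, v) for k, v in params.items() if k != "signature")
    return "\n".join([method.upper(), path, urlencode(covered)])


def sign_request(method, path, params, key_id, secret, timestamp):
    """Client side: attach key id + timestamp, then HMAC-SHA256 the canonical string."""
    signed = dict(params, key=key_id, timestamp=str(timestamp))
    mac = hmac.new(secret, canonical_string(method, path, signed).encode("utf-8"), hashlib.sha256)
    signed["signature"] = mac.hexdigest()
    return signed


def verify_request(method, path, params, now):
    """Server side: recompute over the received method/path/params and compare in constant time."""
    key_id, sig, ts = params.get("key"), params.get("signature"), params.get("timestamp")
    if not (key_id and sig and ts and ts.isdigit()):
        return False
    secret = SECRETS.get(key_id)
    if secret is None:
        return False                                 # unknown key id
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False                                 # stale or future-dated: bounds the replay window
    expected = hmac.new(secret, canonical_string(method, path, params).encode("utf-8"), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), sig)


if __name__ == "__main__":
    req = sign_request("GET", "/api/cart/42", {"qty": "1"}, "AKID123", SECRETS["AKID123"], 1_700_000_000)
    print(req)
    print(verify_request("GET", "/api/cart/42", req, 1_700_000_010))                  # True
    print(verify_request("GET", "/api/cart/42", dict(req, qty="99"), 1_700_000_010))  # False
```

The timestamp only bounds replay to the skew window; a server that must reject an exact replay inside that window also records each accepted (key, timestamp, signature) triple for MAX_SKEW_SECONDS and refuses duplicates. Sending the signature in a header rather than a query parameter keeps it out of access logs, which is the usual production choice.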
Best Practices
- Rate Limiting
  - Keeps API access in check
  - Authenticated and unauthenticated calls should both be subject to rate limiting
  - Have a standard, application-wide rate limit
  - Allow that limit to be overridden on a per-user, per-application basis
- Access Control
  - Treat API endpoints just as you treat service endpoints in your application
  - Have a standard API access policy site wide
    - Allow override on a per-user, per-application basis
  - Allows you to roll out features to a select group of users
- Error Handling
  - Set appropriate HTTP headers
  - Provide viable, valid error messages
  - Log errors for the API too
  - Have a standard error response object for all methods, including authentication
- API Domain
- API Keys
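The rate-limiting bullets above as an added Python example (not from the deck): a token bucket per subject with an application-wide default and per-user / per-application overrides, keyed by identity for authenticated calls and by client address for anonymous ones, answering 429 with a Retry-After header when throttled. DEFAULT_LIMIT, OVERRIDES, the subject naming and the request dictionary shape are constructed for the example.

```python
import math

# Application-wide default: 100 requests per 60-second window (constructed numbers).
DEFAULT_LIMIT = (100, 60.0)
# Per-user / per-application overrides keyed by subject (constructed example partner).
OVERRIDES = {"app:partner-xyz": (1000, 60.0)}


class TokenBucket:
    """Holds up to `capacity` tokens, refilled continuously; each request spends one."""

    def __init__(self, capacity, refill_per_second, now):
        self.capacity = capacity
        self.refill_per_second = refill_per_second
        self.tokens = float(capacity)
        self.updated = now

    def take(self, now):
        """Returns (allowed, retry_after_seconds)."""
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_second)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True, 0.0
        return False, (1.0 - self.tokens) / self.refill_per_second


class RateLimiter:
    def __init__(self, default=DEFAULT_LIMIT, overrides=None):
        self.default = default
        self.overrides = dict(OVERRIDES if overrides is None else overrides)
        self.buckets = {}

    def limit_for(self, subject):
        """Standard limit unless this subject has an explicit override."""
        return self.overrides.get(subject, self.default)

    def check(self, subject, now):
        bucket = self.buckets.get(subject)
        if bucket is None:
            capacity, window = self.limit_for(subject)
            bucket = self.buckets[subject] = TokenBucket(capacity, capacity / window, now)
        return bucket.take(now)


def subject_for(request):
    """Rate-limit key: authenticated identity when present, else the client address (anonymous calls
    are limited too, just under a different key). `now` is passed explicitly so the logic is testable."""
    if request.get("app_id"):
        return "app:" + request["app_id"]
    if request.get("user_id"):
        return "user:" + request["user_id"]
    return "ip:" + request.get("remote_addr", "unknown")


def response_headers(allowed, retry_after):
    """(status, headers) for the caller's standard error response object."""
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(max(1, math.ceil(retry_after)))}


if __name__ == "__main__":
    limiter = RateLimiter()
    anon = subject_for({"remote_addr": "203.0.113.7"})
    for _ in range(100):
        limiter.check(anon, 1000.0)
    print(response_headers(*limiter.check(anon, 1000.0)))   # (429, {'Retry-After': '1'})
```

Keying anonymous traffic by address is a coarse approximation (shared NATs, proxies), which is one reason the default limit is generous and the per-application override exists for known integrators. In a clustered deployment the bucket state has to live in a shared store rather than in process memory, or each node enforces the limit independently.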
Best Practices Cont.
- Identifier
- Query Injection
- Redirects and Forwards
  - Avoid redirects and forwards if possible
  - If used, validate the value and ensure it is authorized for the current user
- TLS
  - Use TLS for everything
  - Cookies: set the 'secure' and 'httpOnly' flags on secure cookies
- Configuration
- Storage
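Validating a redirect target as the "Redirects and Forwards" bullets call for, as an added example that is not from the deck: the function accepts only a local path or an https URL on an allow-listed host (TLS for everything), and maps protocol-relative, backslash, bare-scheme and header-injection forms to a safe fallback; the per-user authorization check the slide also asks for is left to the caller, since it depends on the application's own access rules. ALLOWED_HOSTS is a constructed allowlist built around the deck's api.mycomp.com.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts a redirect may land on.
ALLOWED_HOSTS = {"api.mycomp.com", "www.mycomp.com"}


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `candidate` only if it stays on an allowed host over TLS or is a plain local path;
    every other shape returns `fallback`, so a rejected value can never become a Location header."""
    if not candidate:
        return fallback
    value = candidate.strip()
    # Control characters (CR/LF, TAB, NUL, DEL) enable header injection or parser confusion.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return fallback
    # Browsers treat '\' like '/' when parsing URLs; urlsplit does not, so normalise first.
    value = value.replace("\\", "/")
    parts = urlsplit(value)
    if parts.netloc:
        # Absolute or protocol-relative form: require https and an allow-listed host.
        # parts.hostname discards userinfo and port, so 'allowed@evil' resolves to 'evil'.
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in allowed_hosts:
            return fallback
        return value
    if parts.scheme:
        return fallback        # javascript:, data:, mailto:, or 'https:host' without '//'
    if not value.startswith("/") or value.startswith("//"):
        return fallback        # page-relative paths and '//' / '///' forms are rejected
    return value


if __name__ == "__main__":
    for raw in ["/account", "https://api.mycomp.com/v1/orders", "//evil.example/x",
                "/\\evil.example", "http://api.mycomp.com/v1", "javascript:void(0)"]:
        print(repr(raw), "->", safe_redirect_target(raw))
```

The same validator serves forwards: a server-side forward target is a local path by construction, so only the relative branch applies, and the caller still has to confirm the current user may reach that path before forwarding.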
Summary
- Architecting Web APIs
- Building API strategies
- Scaling API considerations
- Securing your API
- Best Practices
Thank You!
© Shakil Akhtar

The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Kürzlich hochgeladen (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Architecting & Building Scalable Secure Web API (slide transcript)

1. SHAKIL AKHTAR: Architecting & Building Scalable, Secure Web API

2. About Me
- Oracle Certified Master Java Enterprise Architect
- TOGAF 9 Certified Enterprise Architect
- AWS (Amazon Cloud) Certified Solutions Architect
- SpringSource Certified Enterprise Integration Specialist
- Apache Phoenix contributor
- Member, AEA (Association of Enterprise Architects)
- Cloudera Certified Developer for Hadoop
- SCJDWS, SCWCD, SCJP

3. Agenda
- Technical approach to designing and developing enterprise-scale, reliable Web APIs
- Discussion of the parameters to consider when architecting robust RESTful services
- Q&A

4. A Quick Rundown
- API overview
- API methodologies
- Technical considerations for APIs
- Services scalability
- Security methodologies
- Best practices

5. What are APIs?
- API = Application Programming Interface
- Business capabilities exposed over the internet for applications to use
- An API is external facing
- Web service = an API that operates over HTTP
- In this presentation, API == REST

6. Why Create an API?
- Extend your product reach
- Encourage mashups
- Expose your data programmatically
- Connect with developers

7. API Success Stories
- Twitter
- Facebook
- Amazon Web Services
- LinkedIn
- Salesforce API
- and many more

8. Discovering and Describing APIs
- The API description has to be useful and meaningful
- APIs need to be published somewhere to be discovered
- A comprehensive API management platform needs at least three main components: a publisher, a store, and a gateway
API Management Platform

12. Why REST?
- Scalability
- Generality
- Independence
- Latency (caching)
- Security
- Encapsulation

14. Key Design Principles
- Designing APIs for specific audiences
  - Designing for developers
  - Designing for application users
- Best practices for API design
  - Differentiate your API
  - Make your API easy to try and use
  - Make your API easy to understand
  - Don't do anything weird
  - Less is more
  - Target a specific developer segment

16. Technical Considerations for API Design
- REST
  - Pure REST: follows the dictates of Fielding's dissertation
  - Pragmatic REST: follows certain REST principles, but not all of them; easy to learn and navigate, and represents the majority of public APIs
  - Pragmatic RESTful principles: use the best parts of the RESTful concept

17. Example: Designing with Pragmatic REST
- The wrong way to REST (verbs in the URI, POST for everything, resources without their own identity):

  Task                           Operation  URI
  Insert new item into the cart  POST       http://api.shopping.com/InsertNewItem
  Delete item from the cart      POST       http://api.shopping.com/DeleteItem
  List everything in the cart    GET        http://api.shopping.com/ListCart?cartId=X
  Get an item in the cart        GET        http://api.shopping.com/ShowItem?cartId=X&itemid=Y
  Delete the whole cart          POST       http://api.shopping.com/DeleteCart

18. Example: Pragmatic RESTful Shopping Cart
- Sometimes REST needs a rest
- XML vs. JSON
- The cart and each item are resources; the HTTP method carries the verb:

  Task                           Operation  URI
  Insert new item into the cart  POST       http://api.shopping.com/cart/cartName
  Delete item from the cart      DELETE     http://api.shopping.com/cart/cartName/item/itemName
  List everything in the cart    GET        http://api.shopping.com/cart/cartName
  Get an item in the cart        GET        http://api.shopping.com/cart/cartName/item/itemName
  Replace an entire item         PUT        http://api.shopping.com/cart/cartName/item/itemName
  Delete the whole cart          DELETE     http://api.shopping.com/cart/cartName

19. Versioning and API Design
- URL: https://api.mycomp.com/v1
- Media types: a version parameter on a vendor media type, e.g. application/vnd.foo+json; v=1
- Having a mediation layer
- Taking the plunge: going versionless

20. Designing Infrastructure for APIs
- Data center or cloud?
- Caching strategies
- Controlling API traffic
  - Business-level traffic management: quotas, throttling
  - Operational traffic management: spike arresting
  - API gateways: approaches to API gateways in the cloud

22. Scalability Layers (diagram)
- Layers, outermost to innermost: Internet; enterprise infrastructure and integrations; platform; enterprise server; enterprise applications
- Components across those layers: external network, user devices, network and hardware, database, services, operating system, cloud platform, web server, application server, application modules, APIs

23. Dimensions of Scalability
- Load scalability
- Functional scalability
- Integration scalability
- Geographic scalability

24. Services Scalability
- Designing scalable services
  - Granularity of service
  - Services per business process
  - Lightweight services
  - Stateless nature
  - Asynchronous invocation
  - RESTful services
  - Service-layer caching
- Architecting a scalable services infrastructure
- Clustered server configuration for services

25. Distributed Clustered ESB Configuration for Services (diagram)

26. Scaling HTTP
- Statelessness and scalability
- ETags / Last-Modified
- Caching and proxies
- HEAD
- "Expect: 100-continue"
- Batch operations
- Transactions and compensation

27. Stateless Client/Server Approach
- All communication is stateless
- Session state is kept on the client
  - The client is responsible for transitioning to new states
  - States are represented by URIs
- Improves visibility, reliability, and scalability
(diagram: link state transitions for a coffee order)

28. ETag Header
- A resource may return an ETag header when it is accessed
- On subsequent retrieval of the resource, the client sends that ETag back in an If-None-Match header
- If the resource has not changed (the ETag is the same), an empty response with status 304 Not Modified is returned
- Reduces bandwidth and latency

29. ETag Example

  Client -> Server:
    GET /feed.atom HTTP/1.1
    Host: www.myhost.com

  Server -> Client:
    HTTP/1.1 200 OK
    Date: ...
    ETag: "3e86-410-3596fbbc"
    Content-Length: 1040
    Content-Type: text/html
    ...

  Client -> Server:
    GET /feed.atom HTTP/1.1
    If-None-Match: "3e86-410-3596fbbc"
    Host: www.myhost.com

  Server -> Client:
    HTTP/1.1 304 Not Modified
    Date: ...
    ETag: "3e86-410-3596fbbc"
    Content-Length: 0

30. Revalidation and Conditional GETs
- Last-Modified: the timestamp of the data sent by the server (an HTTP-date, which is always expressed in GMT)
- Do a conditional GET using If-Modified-Since

    HTTP/1.1 200 OK
    Content-Type: application/xml
    Cache-Control: max-age=1000
    Last-Modified: Fri, 15 May 2009 09:56:00 GMT

    <customer id="123">...</customer>

    GET /customers/123 HTTP/1.1
    If-Modified-Since: Fri, 15 May 2009 09:56:00 GMT

31. Last-Modified Example

  Client -> Server:
    GET /feed.atom HTTP/1.1
    Host: www.acme.com

  Server -> Client:
    HTTP/1.1 200 OK
    Date: ...
    Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT
    Content-Length: 1040
    Content-Type: text/html
    ...

  Client -> Server:
    GET /feed.atom HTTP/1.1
    If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
    Host: www.acme.com

  Server -> Client:
    HTTP/1.1 304 Not Modified
    Date: ...
    Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT
    Content-Length: 0

32. Scalability through Caching
- A.k.a. "cache the hell out of it"
- Reduces latency, network traffic, and server load
- Types of cache: browser, proxy, gateway (web caches)

33. How Caching Works
- A response is eligible for caching if:
  - The HTTP response headers don't say not to cache it (no Cache-Control: no-store; no Cache-Control: private for a shared cache)
  - The request was not authenticated (a shared cache will not store the response to a request carrying Authorization unless the server explicitly allows it); responses over HTTPS are invisible to intermediary caches, though the browser's own cache can still keep them
  - Its representation is fresh, or can be revalidated
- An ETag or Last-Modified header does not make a response uncacheable; it is the validator that lets a cache check a stale copy with a conditional request instead of downloading it again
- A good post: http://www.mnot.net/cache_docs/

34. Is your cache fresh?
- Yes, if:
  - The expiry time (Expires, or Cache-Control: max-age) has not been exceeded
  - No explicit expiry is given but the representation was Last-Modified a relatively long time ago (heuristic freshness)
- If it is stale, the origin server is asked to validate whether the representation is still good

35. Concurrency
- When many clients try to update the same resource at the same time
- Conditional PUT or POST: the client sends If-Match with the ETag it last saw; the server rejects the update with 412 Precondition Failed if the current ETag differs, so the later writer cannot silently overwrite the earlier one (optimistic concurrency)
(diagram: a conditional PUT request)

36. Scalability through URLs and Content-Types
- Information about where the request is destined is held outside the message body:
  - Content-Type (application/purchase-order+xml, image/jpeg)
  - URL
  - Other headers
- Allows easy routing to the appropriate server with little overhead

37. HEAD
- Lets you get metadata about a resource without getting the resource itself
- Identical to GET, except that no body is sent (Content-Length still describes the body GET would return)
- Uses:
  - Testing that a resource is available
  - Testing link validity
  - Learning when a resource was last modified

  Client -> Server:
    HEAD /hello.htm HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
    Host: www.mycomp.com
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive

  Server -> Client:
    HTTP/1.1 200 OK
    Date: Mon, 27 Jul 2009 12:28:53 GMT
    Server: Apache/2.2.14 (Win32)
    Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
    ETag: "34aa387-d-1568eb00"
    Vary: Authorization,Accept
    Accept-Ranges: bytes
    Content-Length: 88
    Content-Type: text/html
    Connection: close
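The exchanges on slides 28-31 (ETag and Last-Modified revalidation), slide 35 (conditional PUT) and slide 37 (HEAD), implemented as one small in-memory resource handler. This is an added example, not code from the slides or the speaker; `ResourceStore`, `handle`, the `/customers/123` path and its JSON body are this example's own names and constructed data, chosen so the status codes can be traced without a web server.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime


class ResourceStore:
    """Hypothetical in-memory store: one representation per path plus the
    two validators HTTP uses, a strong ETag and a Last-Modified time."""

    def __init__(self):
        self._data = {}  # path -> (body bytes, last-modified unix seconds)

    @staticmethod
    def etag_for(body):
        # Strong ETag: a quoted digest of the exact bytes, so any change to the
        # representation changes the tag (quoting as in RFC 7232).
        return '"%s"' % hashlib.sha256(body).hexdigest()[:16]

    def handle(self, method, path, headers=None, body=b"", now=0):
        """Return (status, response headers, body) for one request.
        `now` is the server clock in unix seconds (HTTP dates have 1 s resolution)."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        entry = self._data.get(path)

        if method == "PUT":
            # Slide 35: optimistic concurrency. The client echoes the ETag it
            # last saw in If-Match; a stale tag means someone else wrote first.
            if_match = headers.get("if-match")
            if entry is None:
                if if_match not in (None, "*"):
                    return 412, {}, b"Precondition Failed"
            else:
                if if_match is None:
                    # Refuse unconditional overwrites of an existing resource.
                    return 428, {}, b"Precondition Required"
                if if_match != "*" and if_match != self.etag_for(entry[0]):
                    return 412, {}, b"Precondition Failed"
            self._data[path] = (body, int(now))
            return (201 if entry is None else 204), {"ETag": self.etag_for(body)}, b""

        if method not in ("GET", "HEAD"):
            return 405, {"Allow": "GET, HEAD, PUT"}, b""
        if entry is None:
            return 404, {}, b""

        body, mtime = entry
        etag = self.etag_for(body)
        last_modified = formatdate(mtime, usegmt=True)  # e.g. Fri, 15 May 2009 09:56:00 GMT
        validators = {"ETag": etag, "Last-Modified": last_modified}

        # Slides 28-31: conditional GET. If-None-Match takes precedence over
        # If-Modified-Since when both are present (RFC 7232 section 6).
        if "if-none-match" in headers:
            tags = [t.strip() for t in headers["if-none-match"].split(",")]
            not_modified = "*" in tags or etag in tags
        else:
            not_modified = False
            ims = headers.get("if-modified-since")
            if ims is not None:
                try:
                    not_modified = mtime <= int(parsedate_to_datetime(ims).timestamp())
                except (TypeError, ValueError):
                    not_modified = False  # unparsable date: ignore the condition
        if not_modified:
            # Empty 304; the validators are repeated so the cache can refresh them.
            return 304, validators, b""

        full = dict(validators, **{"Content-Type": "application/json",
                                   "Content-Length": str(len(body))})
        # Slide 37: HEAD is GET without the body; the headers still describe it.
        return 200, full, (b"" if method == "HEAD" else body)


if __name__ == "__main__":
    store = ResourceStore()
    t = 1242381360  # Fri, 15 May 2009 09:56:00 GMT, the slide-30 timestamp
    _, h, _ = store.handle("PUT", "/customers/123", body=b'{"id": 123}', now=t)
    print(store.handle("GET", "/customers/123", {"If-None-Match": h["ETag"]})[0])
    print(store.handle("PUT", "/customers/123", {"If-Match": '"stale"'}, b"{}", now=t + 1)[0])
```

The 428 on an unconditional PUT is a deliberate hardening choice for this example: it forces every writer to state which version it is replacing, which is what turns the ETag from a bandwidth optimisation into a lost-update guard.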
38. 100 Continue
- Allows the client to find out whether the server is willing to accept a request on the basis of the request headers alone
- It may be highly inefficient to send the full request body if the server is going to reject it anyway (for example on an authentication failure or an oversized Content-Length)

39. 100 Continue
- Client sends the request headers, including "Expect: 100-continue", followed by the empty line that ends the header block
- Server replies with the interim status "100 Continue" (or a final status such as 401 or 417 Expectation Failed if it will not accept the body)
- Client then sends the full message body

40. Transactions
- The web is NOT designed for transactions
  - The client is responsible for committing or rolling back, and the client may not fulfil that responsibility
  - Transactions can take too long over the web and tie up important resources (locks, connections)
- In general it is much better to build application-specific compensation for distributed services

41. So you really want transactions...
- People sometimes use HTTP for transactions
- Notable example: SVN (over WebDAV)
- It is possible to model a transaction as a resource
  - POST creates a new transaction
  - PUT sends the "commit" state to the transaction
  - DELETE rolls back the transaction

42. Batch Operations
- How do we manipulate multiple resource states at the same time?
- Options:
  - Use HTTP connection pipelining (broken by some firewalls and intermediaries)

43. Scalability Best Practices
- Stateless sessions
- Lightweight design
- On-demand data loading
- Resource pooling
- Using proven technologies
- Optimal enterprise integrations

44. Scalability Best Practices (cont.)
- Scalability by design
- Latency and throughput optimization
- Early runtime application analysis
- Avoid blocking waits
- Rules-engine-based business logic

47. Security by Design
- Design challenges
  - User comfort
  - Performance
  - Weakest link
  - Defense in depth
  - Insider attacks
  - Security by obscurity
- Design principles (Saltzer and Schroeder)
  - Least privilege
  - Fail-safe defaults
  - Economy of mechanism
  - Complete mediation
  - Open design
  - Separation of privilege
  - Least common mechanism
  - Psychological acceptability

48. Security by Design
- CIA
  - Confidentiality
  - Integrity
  - Availability
- Security controls
  - Authentication
  - Authorization
  - Non-repudiation
  - Auditing
- Security patterns

50. REST Security
- Nothing built in: REST itself defines no security mechanism
- Encryption in transit comes from HTTPS (TLS)
- Authentication and authorization are left to the implementer
- Error handling is left to the implementer

51. Security Mechanisms
- OAuth
- Basic Auth
- API keys

53. Basic Auth
- Passes a username and password with every request (Authorization: Basic <base64 of user:password>)
- Defined by the HTTP specification (RFC 7617, originally RFC 2617)
- Basic Auth do's
  - TLS is a must: the username and password are transmitted in the clear, Base64-encoded but not encrypted

54. Basic Auth Pros & Cons
- Pros
  - Client requests are easy: part of nearly every HTTP request library
  - Server setup is easy: reuse existing Basic Auth credentials
- Cons
  - Requires a username and password for a user
  - Credentials are not, by default, encrypted
  - Requires the username and password to be embedded in client code

55. Access Keys
- Not based on any standard
- Implementation requirements are up to the service provider
- Keys -> signatures

56. Access Key Basics
- Simplest form: part of the URL, http://xyz.com/api?key=23sdbk32
- Better: sign the request with the key instead of passing it in the URL (URLs end up in server logs, proxy logs, Referer headers and browser history)
- Use the request parameters plus a shared secret to compute the signature; the secret itself never goes on the wire

58. Access Keys Pros & Cons
- Pros
  - Easy to generate keys and distribute them
  - Typically removes the need to transfer the username and password in raw form
  - Signed requests prevent tampering with the parameters
- Cons
  - Unsigned: the key must be embedded in code, and because TLS is not required it will, by default, travel in plaintext
  - Signed: the cryptography (an HMAC over the request, not encryption) is intimidating to get right: canonicalising the request, tolerating clock skew, and rejecting replays all have to be handled
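The signed-request scheme of slides 55-58 worked through end to end: the client signs a canonical form of the request with the shared secret, the server recomputes and compares the signature in constant time, and stale timestamps and replays are rejected. This is an added example, not the speaker's code or any provider's real scheme; the key id `AKID23sdbk32`, the secret, the header names (`X-Api-Key`, `X-Timestamp`, `X-Signature`) and the canonical-request layout are this example's own assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample credential table (server side only): key id -> shared secret.
SECRETS = {"AKID23sdbk32": b"example-shared-secret-never-sent-on-the-wire"}
MAX_SKEW = 300  # seconds of clock skew tolerated; also bounds the replay cache


def canonical_request(method, path, params, timestamp, body):
    """The exact string both sides sign. Sorting the query parameters makes the
    signature independent of the order the client happened to send them in;
    hashing the body binds it too, so a signed POST cannot be given a new payload."""
    query = urlencode(sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, str(timestamp), body_hash])


def sign(secret, method, path, params, timestamp, body=b""):
    msg = canonical_request(method, path, params, timestamp, body).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_headers(key_id, secret, method, path, params, body=b"", now=None):
    """Client side: the key id travels in a header, the secret never does."""
    ts = int(time.time() if now is None else now)
    return {"X-Api-Key": key_id, "X-Timestamp": str(ts),
            "X-Signature": sign(secret, method, path, params, ts, body)}


class Verifier:
    """Server side: recompute the signature, compare in constant time, and
    reject stale timestamps and replays inside the skew window."""

    def __init__(self, secrets, max_skew=MAX_SKEW):
        self.secrets = secrets
        self.max_skew = max_skew
        self.seen = {}  # (key id, signature) -> expiry; in-memory replay cache

    def verify(self, method, path, params, headers, body=b"", now=None):
        now = int(time.time() if now is None else now)
        key_id = headers.get("X-Api-Key")
        secret = self.secrets.get(key_id)
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        expected = sign(secret, method, path, params, ts, body)
        presented = str(headers.get("X-Signature", ""))
        # compare_digest, not ==: a short-circuiting compare leaks the position
        # of the first wrong byte through timing.
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "bad signature"
        self._expire(now)
        if (key_id, presented) in self.seen:
            return False, "replay"
        self.seen[(key_id, presented)] = now + self.max_skew
        return True, "ok"

    def _expire(self, now):
        for k in [k for k, exp in self.seen.items() if exp < now]:
            del self.seen[k]


if __name__ == "__main__":
    key = "AKID23sdbk32"
    params = {"cartId": "X", "itemid": "Y"}
    h = client_headers(key, SECRETS[key], "GET", "/cart/X/item/Y", params)
    print(Verifier(SECRETS).verify("GET", "/cart/X/item/Y", params, h))
```

The replay cache only has to remember signatures for `MAX_SKEW` seconds, because anything older is already rejected by the timestamp check; in a clustered deployment that cache would have to be shared (or the timestamp window kept short enough that a replay against another node is not worth the attacker's effort).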
59. Best Practices
- Rate limiting
  - Keeps API access in check
  - Authenticated and unauthenticated calls should both be subject to rate limiting
  - Have a standard, application-wide rate limit
  - Allow that limit to be overridden on a per-user, per-application basis
- Access control
  - Treat API endpoints just like the service endpoints in your application
  - Have a standard API access policy site-wide; allow overrides per user and per application
  - Lets you roll out features to a select group of users
- Error handling
  - Set appropriate HTTP status codes and headers
  - Provide viable, valid error messages (without leaking stack traces or internal details)
  - Log errors for the API too
  - Have a standard error response object for all methods, including authentication
- API domain
- API keys
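The rate-limiting bullets of slide 59 as working code: a token bucket per caller, a site-wide default, a separate limit for unauthenticated callers keyed on client address, and per-application overrides. This is an added example rather than the speaker's implementation; the class names, the `X-RateLimit-*` response headers and the sample limits are this example's own choices.

```python
import math


class TokenBucket:
    """Classic token bucket: `burst` tokens available at once, refilled at
    `rate` tokens per second up to that capacity."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.updated = None  # timestamp of the last refill

    def allow(self, now, cost=1.0):
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def retry_after(self, cost=1.0):
        deficit = cost - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.rate


class RateLimiter:
    """Site-wide default limit, a (usually tighter) limit for unauthenticated
    callers, and per-application overrides, all expressed as (rate, burst)."""

    def __init__(self, default, anonymous=None, overrides=None):
        self.default = default
        self.anonymous = anonymous or default
        self.overrides = overrides or {}   # principal -> (rate, burst)
        self.buckets = {}

    def _bucket(self, principal):
        if principal not in self.buckets:
            fallback = self.anonymous if principal.startswith("ip:") else self.default
            rate, burst = self.overrides.get(principal, fallback)
            self.buckets[principal] = TokenBucket(rate, burst)
        return self.buckets[principal]

    def check(self, api_key, client_ip, now):
        """Return (allowed, http status, headers) for one request.
        Unauthenticated calls are limited too, keyed on the client address,
        so a caller cannot escape the limit simply by omitting the key."""
        principal = "key:%s" % api_key if api_key else "ip:%s" % client_ip
        bucket = self._bucket(principal)
        allowed = bucket.allow(now)
        headers = {"X-RateLimit-Limit": str(int(bucket.capacity)),
                   "X-RateLimit-Remaining": str(int(bucket.tokens))}
        if not allowed:
            headers["Retry-After"] = str(max(1, math.ceil(bucket.retry_after())))
            return False, 429, headers
        return True, 200, headers


if __name__ == "__main__":
    rl = RateLimiter(default=(1.0, 3), anonymous=(0.5, 1),
                     overrides={"key:partner": (10.0, 20)})
    for _ in range(4):
        print(rl.check("app1", "10.0.0.1", now=100.0)[1])  # three 200s, then 429
```

The buckets here live in process memory; behind a load balancer the same structure is normally kept in a shared store (for example Redis) so that the limit is enforced across all nodes rather than once per node.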
60. Best Practices (cont.)
- Identifiers: avoid exposing guessable, sequential identifiers, and authorize every access by object id
- Query injection: build database queries with parameterized statements, never by concatenating request input
- Redirects and forwards
  - Avoid them if possible
  - If used, validate the target value and ensure it is authorized for the current user
- TLS
  - Use TLS for everything
  - Cookies: set the 'secure' and 'httpOnly' flags on session cookies
- Configuration
- Storage

61. Summary
- Architecting Web APIs
- Building API strategies
- Scaling API considerations
- Securing your API
- Best practices