Modern web application network architecture
2 likes1,816 views
The document outlines the evolution from traditional presentation layers to modern data-centric service layers in web architecture, detailing HTTP requests/responses, RESTful methods, and cross-origin resource sharing (CORS) configurations. It discusses the implementation of authentication methods such as Basic and Form authentication, including examples and considerations for security. Additionally, WADL (Web Application Description Language) is mentioned to describe API resources and associated methods.
![BASIC AUTHENTICATION
curl -X GET --verbose --insecure https://localhost:8181/baas/api/todo
> GET /baas/api/todo HTTP/1.1
...
<
<
<
<
<
<
<
<
<
<
<
HTTP/1.1 401 Unauthorized
X-Powered-By: Servlet/3.0 JSP/2.2 [...]
Server: GlassFish Server Open Source Edition 3.1.2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
WWW-Authenticate: Basic realm="file"
Content-Type: text/html
Content-Length: 1073
Date: Wed, 14 Aug 2013 23:33:48 GMT
Dienstag, 11. Februar 14](https://image.slidesharecdn.com/05-architecture-140211135756-phpapp01/85/Modern-web-application-network-architecture-17-320.jpg)
Modern web application network architecture
- 2. FROM PRESENTATION TO SERVICE LAYER Dienstag, 11. Februar 14
- 3. OLD STYLE PRESENTATION LAYER Server Browser GET /index.html HTTP/1.1 200/OK (HTML) GET /contacts-table.html HTTP/1.1 render markup 200/OK (HTML) POST /servlet/contacts HTTP/1.1 200/OK (HTML) Dienstag, 11. Februar 14 render markup
- 4. DATA CENTRIC SERVICE LAYER Browser Server GET /index.html HTTP/1.1 200/OK (HTML) GET /api/contacts HTTP/1.1 render markup 200/OK (JSON) PUT /api/contacts/12 HTTP/1.1 render markup Dienstag, 11. Februar 14 200/OK (JSON)
- 5. WHERE ARE WE HEADING TO ? Browser Server GET /index.html HTTP/1.1 200/OK (HTML) GET /contacts-table.html HTTP/1.1 200/OK (HTML) ts ! cke o ws://future.now/ws S eb W render markup Dienstag, 11. Februar 14 PUT /api/contacts/12 HTTP/1.1 200/OK (JSON) render markup
- 6. REST AND CRUD Dienstag, 11. Februar 14
- 7. JAX-RS @GET @Produces("application/json") public Collection<ToDo> getAll() throws ServiceException { ... } @GET @Path("/{uuid}") @Produces("application/json") public ToDo get(@PathParam("uuid")String id) throws ServiceException { ... } @PUT @Consumes("application/json") @Produces("application/json") public ToDo createToDo(ToDo toDo) throws ServiceException { ... } Dienstag, 11. Februar 14
- 8. CORS CROSS ORIGIN RESOURCE SHARING Dienstag, 11. Februar 14
- 9. PREFLIGHT REQUEST curl -X OPTIONS --verbose --insecure https://localhost:8181/baas/api/todo > OPTIONS /baas/api/todo HTTP/1.1 ... < HTTP/1.1 200 OK < X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Apple Inc./1.6) < Server: GlassFish Server Open Source Edition 3.1.2.2 < Allow: OPTIONS,GET,HEAD,PUT < Last-modified: Do, 15 Aug 2013 00:26:54 MESZ < Access-Control-Allow-Origin: * < Access-Control-Allow-Methods: GET, POST, PUT, DELETE < Access-Control-Allow-Headers: content-type,authorization,x-requested-with < Access-Control-Max-Age: 1728000 < Content-Type: application/vnd.sun.wadl+xml < Content-Length: 1642 < Date: Wed, 14 Aug 2013 22:44:55 GMT < <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <application xmlns="http://wadl.dev.java.net/2009/02"> ... </application> Dienstag, 11. Februar 14
- 10. CORS Browser Server of origin Service provider GET /index.html HTTP/1.1 200/OK (HTML) ! est qu pr ht re eflig OPTIONS /api/contacts HTTP/1.1 200/OK (WADL) GET /api/contacts HTTP/1.1 render markup Dienstag, 11. Februar 14 200/OK (JSON)
- 11. SETTING CORS HEADERS JEE WebFilter (Glassfish 4.0) @WebFilter(filterName = "CorsFilter", urlPatterns = {"/*"}) public class CorsFilter implements Filter { private void doBeforeProcessing(ServletRequest request, ServletResponse response) throws IOException, ServletException { final HttpServletResponse httpResponse = (HttpServletResponse)response; httpResponse.addHeader("Access-Control-Allow-Origin", "*"); httpResponse.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); httpResponse.addHeader("Access-Control-Allow-Headers", "x-requested-with, accept, origin, authorization"); httpResponse.addHeader("Access-Control-Max-Age", "1728000"); } } ... // netbeans default Filter pattern Dienstag, 11. Februar 14
- 12. CORS curl -X OPTIONS --verbose --insecure https://localhost:8181/baas/api/todo < HTTP/1.1 200 OK < X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Apple Inc./1.6) < Server: GlassFish Server Open Source Edition 3.1.2.2 < Allow: OPTIONS,GET,HEAD,PUT < Last-modified: Do, 15 Aug 2013 00:26:54 MESZ < Access-Control-Allow-Origin: * < Access-Control-Allow-Methods: GET, POST, PUT, DELETE < Access-Control-Allow-Headers: content-type,authorization,x-requested-with < Access-Control-Max-Age: 1728000 < Content-Type: application/vnd.sun.wadl+xml < Content-Length: 1642 < Date: Wed, 14 Aug 2013 22:44:55 GMT < <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <application xmlns="http://wadl.dev.java.net/2009/02"> ... </application> Dienstag, 11. Februar 14
- 13. WADL <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <application xmlns="http://wadl.dev.java.net/2009/02"> <resources base="https://localhost:8181/baas/api/"> <resource path="todo"> <method id="createToDo" name="PUT"> <request> <representation mediaType="application/json"/> </request> <response> <representation mediaType="application/json"/> </response> </method> ... </resource> </resources> </application> Dienstag, 11. Februar 14
- 15. WEB.XML <security-constraint> <display-name>REST API</display-name> <web-resource-collection> <web-resource-name>web-api</web-resource-name> <url-pattern>/api/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> <http-method>DELETE</http-method> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> <user-data-constraint> S <transport-guarantee>CONFIDENTIAL</transport-guarantee> HTTP </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> uth a <realm-name>file</realm-name>basic </login-config> <security-role> <role-name>user</role-name> </security-role> Dienstag, 11. Februar 14
- 16. HTTPS AND BASIC AUTH • + easy to implement • - password is sent on every request • (- browser stores credentials for session) • (- browser may store creds permanently) • corporate proxies • not for really sensitive data Dienstag, 11. Februar 14
- 17. BASIC AUTHENTICATION curl -X GET --verbose --insecure https://localhost:8181/baas/api/todo > GET /baas/api/todo HTTP/1.1 ... < < < < < < < < < < < HTTP/1.1 401 Unauthorized X-Powered-By: Servlet/3.0 JSP/2.2 [...] Server: GlassFish Server Open Source Edition 3.1.2.2 Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 01:00:00 CET WWW-Authenticate: Basic realm="file" Content-Type: text/html Content-Length: 1073 Date: Wed, 14 Aug 2013 23:33:48 GMT Dienstag, 11. Februar 14
- 18. BASIC AUTHENTICATION curl -X GET --verbose --insecure -u marc:geheim https://localhost:8181/baas/api/todo > > > > > > GET /baas/api/todo HTTP/1.1 Authorization: Basic bWFyYzpnZWhlaW0= User-Agent: ... Host: localhost:8181 Accept: */* < HTTP/1.1 200 OK Dienstag, 11. Februar 14
- 19. EXERCISES ecture/baas-gf ~/ws/05-Archit ~/ws/05-Architecture/jquery-rest Dienstag, 11. Februar 14
- 20. HTTPS AND FORM AUTH • auth method form in web.xml • credential sent only once (+) • SSO (+) • corporate proxies (-) Dienstag, 11. Februar 14
- 21. SETTING CORS HEADERS Jersey (eg. Jersey/Tomcat) public class CrossOriginResourceSharingFilter implements ContainerResponseFilter { @Override public ContainerResponse filter( ContainerRequest request, ContainerResponse response) { } } Dienstag, 11. Februar 14 response.getHttpHeaders().putSingle( "Access-Control-Allow-Origin", "*"); response.getHttpHeaders().putSingle( "Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"); response.getHttpHeaders().putSingle( "Access-Control-Allow-Headers", "content-type,authorization,x-requested-with"); response.getHttpHeaders().putSingle( "Access-Control-Max-Age", "3600"); return response;