SlideShare a Scribd company logo

Scalable Reliable Secure REST

Download as PPT, PDF
G
guestb2ed5f

This document summarizes key principles for building scalable, reliable and secure RESTful services using HTTP. It discusses how to ensure reliability through idempotent operations. It also covers techniques for scaling such as use of ETags, caching, content types and uniform resource locators (URLs). The document concludes with an overview of security considerations and tools that can be used including HTTP authentication, SSL and XML signature/encryption.

Technology
1 of 58
Downloaded 426 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Scalable, Reliable, and Secure RESTful HTTP A practical guide to building to HTTP based services
Today’s talk Goal: learn how to build services with HTTP in a reliable, secure, and scalable fashion.
What this talk is NOT
What is REST? Representation State Transfer Roy Fielding coined the term for his thesis which sought to provide the architectural basis for HTTP
 
Resources, resources, resources Everything is a resource Resources are addressable via URI s Resources are self descriptive Typically through content types (“application/xml”) and sometimes the resource body (i.e. an XML QName) Resources are stateless Resources are manipulated via verbs and the uniform interface
The Uniform Interface
Hypertext and linkability We don’t want “keys”, we want links! Resources are hypertext Hypertext is just data with links to other resources Data model refers to other application states via links This is possible because of the uniform interface! No need to know different ways to get different types of entities! Client can simply navigate to different resources
REST & HTTP REST defines the architectural style of HTTP We’ll discuss RESTful principles in relation to HTTP specifically as we explore Scalability Reliability Security
Our Starting Point
Reliability through Idempotency
Idempotent Operations
Some Basic Scenarios: Getting resources Deleting resources Updating a resource Creating a resource
Getting a resource GET is SAFE If original GET fails, just try, try again
Updating a resource Server Client
Deleting a resource Server Client
Creating Resources HTTP/1.1 201 Created Date: … Content-Length: 0 Location: http://acme.com/entries/1 … Server Client Client Server HTTP/1.1 200 OK … POST /entries Host: acme.com … PUT /entries/1 Host: acme.com Content-Type: … Content-Length: … Some data…
Creating Resources IDs which are not used can be Ignored Expired Another option: have the client generate a unique ID and PUT to it straight away They’re liable to screw it up though
Problem: Firewalls Many firewalls do not allow PUT, DELETE You might want to allow other ways of specifying a header: Google: X-HTTP-Method-Override: PUT Ruby: ?method=PUT
Scalability ETags, Caching, Content-Types, URLs, and more
Scaling HTTP Statelessness and scalability ETags/LastModified Caching and proxies HEAD “ Expect: 100-continue” Batch operations Transactions & Compensation
Stateless client/server approach All communication is stateless Session state is kept on the Client! Client is responsible for transitioning to new states States are represented by URIs Improves: Visibility Reliability Scalability
ETag Header Resources may return an ETag header when it is accessed On subsequent retrieval of the resource, Client sends this ETag header back If the resource has not changed (i.e. the ETag is the same), an empty response with a 304 code is returned Reduces bandwidth/latency
ETag Example HTTP/1.1 200 OK Date: … ETag: "3e86-410-3596fbbc" Content-Length: 1040 Content-Type: text/html … Server Client Client Server HTTP/1.1 304 Not Modified Date: … ETag: "3e86-410-3596fbbc" Content-Length: 0… GET /feed.atom Host: www.acme.com … GET /feed.atom If-None-Match: "3e86-410-3596fbbc" Host: www.acme.com …
LastModified Example HTTP/1.1 200 OK Date: … Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT Content-Length: 1040 Content-Type: text/html … Client Server HTTP/1.1 304 Not Modified Date: … Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT Content-Length: 0 GET /feed.atom Host: www.acme.com … GET /feed.atom If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT Host: www.acme.com …
Scalability through Caching A.k.a. “cache the hell out of it” Reduce latency, network traffic, and server load Types of cache: Browser Proxy Gateway
How Caching Works A resource is eligible for caching if: The HTTP response headers don’t say not to cache it The response is not authenticated or secure No ETag or LastModified header is present The cache representation is fresh From: http://www.mnot.net/cache_docs/
Is your cache fresh? Yes, if: The expiry time has not been exceeded The representation was LastModified a relatively long time ago If its stale, the remote server will be asked to validate if the representation is still fresh
Scalability through URLs and Content-Types Information about where the request is destined is held outside the message: Content-Type application/purchase-order+xml mage/jpeg URL Other headers Allows easy routing to the appropriate server with little overhead
HEAD Allows you to get meta data about a resource without getting the resource itself Identical to GET, except no body is sent Uses: Testing that a resource is available Testing link validity Learning when a resource was last modified
100 Continue Allows client to determine if server is willing to accept a request based on request headers It may be highly inefficient to send the full request if the server will reject it
100 Continue
Transactions The web is NOT designed for transactions Client is responsible for committing/rolling back transactions, and client may not fulfill responsibilities Transactions can take too long over the web and tie up important resources In general, it is much better to build in application specific compensation for distributed services See the paper: Life Beyond Transactions by Pat Helland
So you really want transactions… People sometimes use HTTP for transactions Notable example: SVN It is possible to model a resource as a transaction POST – create a new transaction PUT – send “commit” state to transaction DELETE – rollback the transaction
Batch Operations How do we manipulate multiple resource states at the same time? Options: Use HTTP connection pipelining Broken by some firewalls POST GData does this, but has received a very cold reception from the community
Security
Question #1 What are your goals & requirements? Authentication? Authorization? Privacy? Integrity? Single sign on?
Tools at our disposal HTTP Authentication SSL XML Signature & Encryption OpenID Others: SAML, Cardspace…
HTTP Authentication Basics Basic Authentication Username & Password passed in plain text Digest MD5 has of username & password is created Sent with every request Remember – statelessness?
SSL and Public Key Cryptography SSL/TLS defines a process to encrypt/secure transports
How SSL works Client Server Sends random number encrypted with server’s public key.
How SSL works Client Server Server sends random number to client. Can be unencrypted since Client may not have public key.
How SSL works Client Server Server and Client compute a shared secret using the negotiated hash algorithm. 94AB134… 94AB134…
How SSL works Client Server Communication is encrypted using the new shared secret & symmetric cryptography
Client Authentication Server can authenticate the Client using it’s public key as well Requires key distribution Server side must import every client public key into it’s keystore
Limitations of SSL Does not work well with intermediaries If you have a gateway handling SSL, how do you actually get the certificate information? Limited ability for other authentication tokens beyond those of HTTP Auth i.e. SAML Some implementations support NTLM (Commons HTTPClient)
OpenID “ provides a way to prove that an End User owns an Identity URL” An attempt at single sign on. Your identity is your URL Provides no information about who the actual person/entity is
XML Signature & Encryption Provide message level security when needed Limited support across languages Mostly Java & .NET Allows other types of authentication mechanisms beyond just SSL
An XML digital signature < ds:Signature > < ds:SignedInfo > < ds:CanonicalizationMethod Algorithm = &quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; /> < ds:SignatureMethod Algorithm = &quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot; /> < ds:Reference URI = &quot;#mySignedElement&quot; > < ds:Transforms > < ds:Transform Algorithm = &quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; /> </ ds:Transforms > < ds:DigestMethod Algorithm = &quot;http://www.w3.org/2000/09/xmldsig#sha1&quot; /> < ds:DigestValue > EULddytSo1... </ ds:DigestValue > </ ds:Reference > </ ds:SignedInfo > < ds:SignatureValue > BL8jdfToEb1l/vXcMZNNjPOV... </ ds:SignatureValue > < ds:KeyInfo > … </ ds:KeyInfo > </ ds:Signature >
HTTP Security Limitations For non XML data, there is no standard way to do Message signing Non repudiation Multifactor authentication Token exchange
Other Thoughts
Consider using Atom Publishing Protocol Atom: a format for syndication Describes “lists of related information” – a.k.a. feeds Feeds are composed of entries User Extensible More generic than just blog stuff
Atom Publishing Protocol RESTful protocol for building services Create, edit, delete entries in a collection Extensible Protocol Paging extensions GData Opensearch Properly uses HTTP so can be scalable, reliable and secure
Why you should use APP for your app Provides ubiquitous elements which have meaning across all contexts You can leverage existing solutions for security HTTP Auth, WSSE, Google Login, XML Sig & Enc Eliminates the need for you to write a lot of server/client code ETags, URLs, etc are all handled for you Integrates seamlessly with non-XML data There are many APP implementations and they are known to work well together
What other tools are available for building RESTful applications? HTTPD of course Java Servlets Restlets Spring MVC CXF Jersey (JSR 311 reference imlementation) Ruby on Rails Python’s Django Javascript’s XMLHttpRequest  Abdera
Limitations HTTP is NOT an RPC or message passing system Not ideal for sending event based messages May have performance constraints for asynchronous messaging that JMS/others may not have Security Standards Most people will just use SSL, but… Exchanging other types of authentication tokens is not possible unless they are custom HTTP headers No standard way to establish trust relationships beside certificate hierarchies/webs
Conclusions HTTP Provides many tools/properties for us to build scalable, reliable, secure systems: Idempotent and safe methods ETags/LastModified Hypertext Caching URLs & Content Types SSL Beyond HTTP Atom Publishing Protocol XML Signatures & Encryption OpenID Much more…
Questions? Blog: http://netzooid.com/blog Email: dan.diephouse@mulesource.com Resources: RFC2616: http://www.faqs.org/rfcs/rfc2616.html RESTful Web Services (Richardson, Ruby, DHH)

More Related Content

PDF
Best Practices in Web Service Design
Lorna Mitchell
 
PPT
RESTful services
gouthamrv
 
PPTX
GraphQL Security
Shiu-Fun Poon
 
PPTX
Elegant Rest Design Webinar
Stormpath
 
PDF
Rest api design by george reese
buildacloud
 
PPTX
REST API Design for JAX-RS And Jersey
Stormpath
 
PDF
Kopdar Zimbra-ID , How to use Zimbra SOAP API
Imam Omar Mochtar
 
PPT
Rest services caching
Sperasoft
 
Best Practices in Web Service Design
Lorna Mitchell
 
RESTful services
gouthamrv
 
GraphQL Security
Shiu-Fun Poon
 
Elegant Rest Design Webinar
Stormpath
 
Rest api design by george reese
buildacloud
 
REST API Design for JAX-RS And Jersey
Stormpath
 
Kopdar Zimbra-ID , How to use Zimbra SOAP API
Imam Omar Mochtar
 
Rest services caching
Sperasoft
 

What's hot (20)

PPTX
REST and ASP.NET Web API (Milan)
Jef Claes
 
PPTX
Rest & RESTful WebServices
Prateek Tandon
 
PPTX
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
reneechemel
 
PDF
The never-ending REST API design debate
Restlet
 
PPTX
Architecture Best Practices
AWS Germany
 
PPTX
Overview of RESTful web services
nbuddharaju
 
PPTX
ASP.NET WEB API Training
Chalermpon Areepong
 
PPTX
Implementation advantages of rest
Balamurugan Easwaran
 
PPTX
Web Architecture
sudip pudasaini
 
PPTX
REST & RESTful Web Service
Hoan Vu Tran
 
PPTX
Restful webservices
Luqman Shareef
 
PPTX
REST & RESTful Web Services
Halil Burak Cetinkaya
 
PPTX
Restful web services ppt
OECLIB Odisha Electronics Control Library
 
PPTX
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
Anna Morrison
 
PPTX
The ASP.NET Web API for Beginners
Kevin Hazzard
 
PPTX
Design Beautiful REST + JSON APIs
Stormpath
 
PPTX
Micro Web Service - Slim and JWT
Tuyen Vuong
 
PDF
The never-ending REST API design debate -- Devoxx France 2016
Restlet
 
PPT
Json-based Service Oriented Architecture for the web
kriszyp
 
PPT
Excellent rest using asp.net web api
Maurice De Beijer [MVP]
 
REST and ASP.NET Web API (Milan)
Jef Claes
 
Rest & RESTful WebServices
Prateek Tandon
 
REST Easy with AngularJS - ng-grid CRUD EXAMPLE
reneechemel
 
The never-ending REST API design debate
Restlet
 
Architecture Best Practices
AWS Germany
 
Overview of RESTful web services
nbuddharaju
 
ASP.NET WEB API Training
Chalermpon Areepong
 
Implementation advantages of rest
Balamurugan Easwaran
 
Web Architecture
sudip pudasaini
 
REST & RESTful Web Service
Hoan Vu Tran
 
Restful webservices
Luqman Shareef
 
REST & RESTful Web Services
Halil Burak Cetinkaya
 
Restful web services ppt
OECLIB Odisha Electronics Control Library
 
BrightonSEO Sep 2015 - HTTPS | Mark Thomas
Anna Morrison
 
The ASP.NET Web API for Beginners
Kevin Hazzard
 
Design Beautiful REST + JSON APIs
Stormpath
 
Micro Web Service - Slim and JWT
Tuyen Vuong
 
The never-ending REST API design debate -- Devoxx France 2016
Restlet
 
Json-based Service Oriented Architecture for the web
kriszyp
 
Excellent rest using asp.net web api
Maurice De Beijer [MVP]
 
Ad

Viewers also liked (15)

PDF
Understanding REST-Based Services: Simple, Scalable, and Platform Independent
Charles Knight
 
PDF
CrimsonHacks Keynote Presentation March 2017
Charles Knight
 
PDF
API Reliability Guide
Nick DeNardis
 
PDF
Architecting &Building Scalable Secure Web API
SHAKIL AKHTAR
 
PDF
REST vs SOAP
Juan Luis Pérez
 
PPTX
API Security from the DevOps and CSO Perspectives (Webcast)
Apigee | Google Cloud
 
PDF
Mari Memahami PSR (PHP Standards Recommendation)
Mizan Riqzia
 
PDF
SOAP vs REST
Mário Almeida
 
PDF
REST vs. SOAP
Murat Çakal
 
PPTX
Scalability and Reliability in the Cloud
gmthomps
 
PDF
Spring Web Services: SOAP vs. REST
Sam Brannen
 
KEY
Open Standards for the Semantic Web: XML / RDF(S) / OWL / SOAP
Pieter De Leenheer
 
PDF
29 Essential AngularJS Interview Questions
Arc & Codementor
 
PPTX
Secure Your REST API (The Right Way)
Stormpath
 
PPTX
Webservices Overview : XML RPC, SOAP and REST
Pradeep Kumar
 
Understanding REST-Based Services: Simple, Scalable, and Platform Independent
Charles Knight
 
CrimsonHacks Keynote Presentation March 2017
Charles Knight
 
API Reliability Guide
Nick DeNardis
 
Architecting &Building Scalable Secure Web API
SHAKIL AKHTAR
 
REST vs SOAP
Juan Luis Pérez
 
API Security from the DevOps and CSO Perspectives (Webcast)
Apigee | Google Cloud
 
Mari Memahami PSR (PHP Standards Recommendation)
Mizan Riqzia
 
SOAP vs REST
Mário Almeida
 
REST vs. SOAP
Murat Çakal
 
Scalability and Reliability in the Cloud
gmthomps
 
Spring Web Services: SOAP vs. REST
Sam Brannen
 
Open Standards for the Semantic Web: XML / RDF(S) / OWL / SOAP
Pieter De Leenheer
 
29 Essential AngularJS Interview Questions
Arc & Codementor
 
Secure Your REST API (The Right Way)
Stormpath
 
Webservices Overview : XML RPC, SOAP and REST
Pradeep Kumar
 
Ad

Similar to Scalable Reliable Secure REST (20)

PPT
HTTP
spacecharge
 
PPT
Pentesting web applications
Satish b
 
PPT
HTTP Basics
sanjoysanyal
 
PDF
HTTP Basics Demo
InMobi Technology
 
PPTX
Http_Protocol.pptx
Abshar Fatima
 
PPT
UserCentric Identity based Service Invocation
guestd5dde6
 
PPTX
01. http basics v27
Eoin Keary
 
PPT
Implementation of ssl injava
tanujagrawal
 
PPT
Lecture17
Châu Thanh Chương
 
ODP
Starting With Php
Harit Kothari
 
PPT
Securing RESTful API
Muhammad Zbeedat
 
PPTX
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
ODP
PHP Training: Module 1
hussulinux
 
PPT
KMUTNB - Internet Programming 2/7
phuphax
 
PPTX
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
Wilco Alsemgeest
 
PPT
Webbasics
patinijava
 
PPTX
Http Vs Https .
simplyharshad
 
PPTX
Http
NITT, KAMK
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
PPTX
SOAP vs REST
Nadia Boumaza
 
HTTP
spacecharge
 
Pentesting web applications
Satish b
 
HTTP Basics
sanjoysanyal
 
HTTP Basics Demo
InMobi Technology
 
Http_Protocol.pptx
Abshar Fatima
 
UserCentric Identity based Service Invocation
guestd5dde6
 
01. http basics v27
Eoin Keary
 
Implementation of ssl injava
tanujagrawal
 
Lecture17
Châu Thanh Chương
 
Starting With Php
Harit Kothari
 
Securing RESTful API
Muhammad Zbeedat
 
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
PHP Training: Module 1
hussulinux
 
KMUTNB - Internet Programming 2/7
phuphax
 
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
Wilco Alsemgeest
 
Webbasics
patinijava
 
Http Vs Https .
simplyharshad
 
Http
NITT, KAMK
 
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
SOAP vs REST
Nadia Boumaza
 

Recently uploaded (20)

PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPT
Teaching material agriculture food technology
LiaRayya
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Encapsulation theory and applications.pdf
gurumoop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Teaching material agriculture food technology
LiaRayya
 

Scalable Reliable Secure REST

  • 1. Scalable, Reliable, and Secure RESTful HTTP A practical guide to building to HTTP based services
  • 2. Today’s talk Goal: learn how to build services with HTTP in a reliable, secure, and scalable fashion.
  • 3. What this talk is NOT
  • 4. What is REST? Representation State Transfer Roy Fielding coined the term for his thesis which sought to provide the architectural basis for HTTP
  • 5.  
  • 6. Resources, resources, resources Everything is a resource Resources are addressable via URI s Resources are self descriptive Typically through content types (“application/xml”) and sometimes the resource body (i.e. an XML QName) Resources are stateless Resources are manipulated via verbs and the uniform interface
  • 8. Hypertext and linkability We don’t want “keys”, we want links! Resources are hypertext Hypertext is just data with links to other resources Data model refers to other application states via links This is possible because of the uniform interface! No need to know different ways to get different types of entities! Client can simply navigate to different resources
  • 9. REST & HTTP REST defines the architectural style of HTTP We’ll discuss RESTful principles in relation to HTTP specifically as we explore Scalability Reliability Security
  • 13. Some Basic Scenarios: Getting resources Deleting resources Updating a resource Creating a resource
  • 14. Getting a resource GET is SAFE If original GET fails, just try, try again
  • 15. Updating a resource Server Client
  • 16. Deleting a resource Server Client
  • 17. Creating Resources HTTP/1.1 201 Created Date: … Content-Length: 0 Location: http://acme.com/entries/1 … Server Client Client Server HTTP/1.1 200 OK … POST /entries Host: acme.com … PUT /entries/1 Host: acme.com Content-Type: … Content-Length: … Some data…
  • 18. Creating Resources IDs which are not used can be Ignored Expired Another option: have the client generate a unique ID and PUT to it straight away They’re liable to screw it up though
  • 19. Problem: Firewalls Many firewalls do not allow PUT, DELETE You might want to allow other ways of specifying a header: Google: X-HTTP-Method-Override: PUT Ruby: ?method=PUT
  • 20. Scalability ETags, Caching, Content-Types, URLs, and more
  • 21. Scaling HTTP Statelessness and scalability ETags/LastModified Caching and proxies HEAD “ Expect: 100-continue” Batch operations Transactions & Compensation
  • 22. Stateless client/server approach All communication is stateless Session state is kept on the Client! Client is responsible for transitioning to new states States are represented by URIs Improves: Visibility Reliability Scalability
  • 23. ETag Header Resources may return an ETag header when it is accessed On subsequent retrieval of the resource, Client sends this ETag header back If the resource has not changed (i.e. the ETag is the same), an empty response with a 304 code is returned Reduces bandwidth/latency
  • 24. ETag Example HTTP/1.1 200 OK Date: … ETag: &quot;3e86-410-3596fbbc&quot; Content-Length: 1040 Content-Type: text/html … Server Client Client Server HTTP/1.1 304 Not Modified Date: … ETag: &quot;3e86-410-3596fbbc&quot; Content-Length: 0… GET /feed.atom Host: www.acme.com … GET /feed.atom If-None-Match: &quot;3e86-410-3596fbbc&quot; Host: www.acme.com …
  • 25. LastModified Example HTTP/1.1 200 OK Date: … Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT Content-Length: 1040 Content-Type: text/html … Client Server HTTP/1.1 304 Not Modified Date: … Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT Content-Length: 0 GET /feed.atom Host: www.acme.com … GET /feed.atom If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT Host: www.acme.com …
  • 26. Scalability through Caching A.k.a. “cache the hell out of it” Reduce latency, network traffic, and server load Types of cache: Browser Proxy Gateway
  • 27. How Caching Works A resource is eligible for caching if: The HTTP response headers don’t say not to cache it The response is not authenticated or secure No ETag or LastModified header is present The cache representation is fresh From: http://www.mnot.net/cache_docs/
  • 28. Is your cache fresh? Yes, if: The expiry time has not been exceeded The representation was LastModified a relatively long time ago If its stale, the remote server will be asked to validate if the representation is still fresh
  • 29. Scalability through URLs and Content-Types Information about where the request is destined is held outside the message: Content-Type application/purchase-order+xml mage/jpeg URL Other headers Allows easy routing to the appropriate server with little overhead
  • 30. HEAD Allows you to get meta data about a resource without getting the resource itself Identical to GET, except no body is sent Uses: Testing that a resource is available Testing link validity Learning when a resource was last modified
  • 31. 100 Continue Allows client to determine if server is willing to accept a request based on request headers It may be highly inefficient to send the full request if the server will reject it
  • 33. Transactions The web is NOT designed for transactions Client is responsible for committing/rolling back transactions, and client may not fulfill responsibilities Transactions can take too long over the web and tie up important resources In general, it is much better to build in application specific compensation for distributed services See the paper: Life Beyond Transactions by Pat Helland
  • 34. So you really want transactions… People sometimes use HTTP for transactions Notable example: SVN It is possible to model a resource as a transaction POST – create a new transaction PUT – send “commit” state to transaction DELETE – rollback the transaction
  • 35. Batch Operations How do we manipulate multiple resource states at the same time? Options: Use HTTP connection pipelining Broken by some firewalls POST GData does this, but has received a very cold reception from the community
  • 37. Question #1 What are your goals & requirements? Authentication? Authorization? Privacy? Integrity? Single sign on?
  • 38. Tools at our disposal HTTP Authentication SSL XML Signature & Encryption OpenID Others: SAML, Cardspace…
  • 39. HTTP Authentication Basics Basic Authentication Username & Password passed in plain text Digest MD5 has of username & password is created Sent with every request Remember – statelessness?
  • 40. SSL and Public Key Cryptography SSL/TLS defines a process to encrypt/secure transports
  • 41. How SSL works Client Server Sends random number encrypted with server’s public key.
  • 42. How SSL works Client Server Server sends random number to client. Can be unencrypted since Client may not have public key.
  • 43. How SSL works Client Server Server and Client compute a shared secret using the negotiated hash algorithm. 94AB134… 94AB134…
  • 44. How SSL works Client Server Communication is encrypted using the new shared secret & symmetric cryptography
  • 45. Client Authentication Server can authenticate the Client using it’s public key as well Requires key distribution Server side must import every client public key into it’s keystore
  • 46. Limitations of SSL Does not work well with intermediaries If you have a gateway handling SSL, how do you actually get the certificate information? Limited ability for other authentication tokens beyond those of HTTP Auth i.e. SAML Some implementations support NTLM (Commons HTTPClient)
  • 47. OpenID “ provides a way to prove that an End User owns an Identity URL” An attempt at single sign on. Your identity is your URL Provides no information about who the actual person/entity is
  • 48. XML Signature & Encryption Provide message level security when needed Limited support across languages Mostly Java & .NET Allows other types of authentication mechanisms beyond just SSL
  • 49. An XML digital signature < ds:Signature > < ds:SignedInfo > < ds:CanonicalizationMethod Algorithm = &quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; /> < ds:SignatureMethod Algorithm = &quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot; /> < ds:Reference URI = &quot;#mySignedElement&quot; > < ds:Transforms > < ds:Transform Algorithm = &quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot; /> </ ds:Transforms > < ds:DigestMethod Algorithm = &quot;http://www.w3.org/2000/09/xmldsig#sha1&quot; /> < ds:DigestValue > EULddytSo1... </ ds:DigestValue > </ ds:Reference > </ ds:SignedInfo > < ds:SignatureValue > BL8jdfToEb1l/vXcMZNNjPOV... </ ds:SignatureValue > < ds:KeyInfo > … </ ds:KeyInfo > </ ds:Signature >
  • 50. HTTP Security Limitations For non XML data, there is no standard way to do Message signing Non repudiation Multifactor authentication Token exchange
  • 52. Consider using Atom Publishing Protocol Atom: a format for syndication Describes “lists of related information” – a.k.a. feeds Feeds are composed of entries User Extensible More generic than just blog stuff
  • 53. Atom Publishing Protocol RESTful protocol for building services Create, edit, delete entries in a collection Extensible Protocol Paging extensions GData Opensearch Properly uses HTTP so can be scalable, reliable and secure
  • 54. Why you should use APP for your app Provides ubiquitous elements which have meaning across all contexts You can leverage existing solutions for security HTTP Auth, WSSE, Google Login, XML Sig & Enc Eliminates the need for you to write a lot of server/client code ETags, URLs, etc are all handled for you Integrates seamlessly with non-XML data There are many APP implementations and they are known to work well together
  • 55. What other tools are available for building RESTful applications? HTTPD of course Java Servlets Restlets Spring MVC CXF Jersey (JSR 311 reference imlementation) Ruby on Rails Python’s Django Javascript’s XMLHttpRequest  Abdera
  • 56. Limitations HTTP is NOT an RPC or message passing system Not ideal for sending event based messages May have performance constraints for asynchronous messaging that JMS/others may not have Security Standards Most people will just use SSL, but… Exchanging other types of authentication tokens is not possible unless they are custom HTTP headers No standard way to establish trust relationships beside certificate hierarchies/webs
  • 57. Conclusions HTTP Provides many tools/properties for us to build scalable, reliable, secure systems: Idempotent and safe methods ETags/LastModified Hypertext Caching URLs & Content Types SSL Beyond HTTP Atom Publishing Protocol XML Signatures & Encryption OpenID Much more…
  • 58. Questions? Blog: http://netzooid.com/blog Email: dan.diephouse@mulesource.com Resources: RFC2616: http://www.faqs.org/rfcs/rfc2616.html RESTful Web Services (Richardson, Ruby, DHH)

Editor's Notes

  • #2: - Intro to self - Ask questions! 10 mins for questions at the end (may be a bit much, I know you norwegians are a talkative bunch)