Representational State Transfer (REST) and HATEOAS

Representational State Transfer (REST)
and HATEOAS
Service-Oriented Architecture
Computing + Mathematical Sciences
Auckland University of Technology

Image used under Creative Commons from apasciuto http://flickr.com/apasciuto/

REST APIs Example Scenario Pitfalls of REST Design More Leveraging HTTP REST Examples

Outline
1 REST APIs

Identiﬁcation of Resources
Manipulation of Resources
Self-Descriptive Messages
HATEOAS
2 Example Scenario
3 Pitfalls of REST Design
4 More Leveraging HTTP

HTTP Status Codes
ETags & Optimistic Locking
5 REST Examples
Service-Oriented Architecture | Representational State Transfer (REST) and HATEOAS

2/84


Outline
1 REST APIs

HATEOAS
2 Example Scenario

HTTP Status Codes
ETags & Optimistic Locking
5 REST Examples

3/84


Warning before we start!
REST != MVC
Do not think in controllers, IDs, actions, models,
views, plugins, helpers . . .
In fact, do not think about implementation at all!


4/84


What is REST?
Roy Fielding, “Father” of REST

REST is a coordinated set of architectural
constraints that attempts to minimize latency and
network communication while at the same time
maximizing the independence and scalability of
component implementations. This is achieved by
placing constraints on connector semantics where
other styles have focused on component semantics.
REST enables the caching and reuse of
interactions, dynamic substitutability of
components, and processing of actions by
intermediaries, thereby meeting the needs of an
Internet-scale distributed hypermedia system.


5/84


What is REST?

REST is not a standard
REST is not a protocol
REST is an architectural style for networked applications
REST deﬁnes a set of simple principles
(loosely followed by most API implementations)


6/84


What is REST?
Advantages of REST

Cacheable
Stateless
Scalable
Fault-tolerant
Loosely coupled


7/84


What is REST?
Principles of REST

URL identiﬁes a resource
URLs have a hierarchy
Methods perform operations on resources
Operation must be implicit
Hypermedia format to represent data
Link relations to navigate


8/84


What is REST?
The Four Main Principles

1
2
3
4

Identiﬁcation of resources
Manipulation of resources
Self-descriptive messages
HATEOAS


9/84


You are doing it wrong . . . :-(

/index.php?action=getarticleid=5
/default/article/5/4/6/size

Cacheable? Scalable? Readable?


10/84


Readable and Maintainable!

/articles

We want all articles
/articles/5/photos/4/comments/1

We want the first comment of the fourth photo
for the fifth article
/articles/5/photos/4/comments

We want all comments of the fourth photo
for the fifth article

Cacheable! Scalable! Readable!


11/84


Filtering through a Query String, not the URI

/photos/order/size/limit/5

/photos?order=sizelimit=5

/photos/limit/5/order/size

/photos?limit=5order=size


12/84



Create
Retrieve
Update
Delete
But please note: REST != CRUD


13/84


CRUD to HTTP verb mapping

Create = POST
Retrieve = GET
Update = PUT (or
Delete = DELETE

PATCH)


15/84


Creating a Resource

creates a new resource
But the server decides on that resources URI
Examples
POST

WWW: Posting to Web log
→ Server decides URI of posting
and any comments made on that post

Programmatic service: Creating a new employee record


16/84


Safe Methods

Any client should be able to make the request
. . . as many times as necessary
GET, OPTIONS, HEAD


17/84


Idempotent Methods

Guarantees that the client can repeat the request
when it’s not certain
x++ vs. x=4
All methods except “POST”


18/84



Stateless!
All information for processing is available:
How? (method + content-type)
What? (URI)
When? (preconditions)
Who? (authentication)


19/84


How: Method

GET /article/1234 HTTP/1.1
Host: www.mycompany.co.nz
Accept: application/vnd.mycompany.myapp-v1+json
Authorization: OAuth oauth_nonce=123 ...
If-None-Matched: absad12412414


20/84


How: Content-Type



21/84


How: Content-Type

application/vnd.mycompany.myapp-v1+json???

The vnd name space is for proprietary media types
(as opposed to the IANA registered ones)
We want to “talk” JSON, not XML or others
We wnat to “play” with API version 1.0 (not any other)
General notes:
Interpret requests generously
Be strict with responses


22/84


What



23/84


When



24/84


Who



25/84


Self-Descriptive Messages?
Encoding

Google Trends chart: “XML API vs JSON API”
(http://ur1.ca/ey5o6)

JSON feels more self-descriptive, too . . .


26/84


WADL?

We can describe RESTful XML Web Services
(similar to WSDL)
Web Application Description Language (WADL)
(another XML grammar to describe HTTP-based web
applications)
But we don’t need a static contract description
→ We want self-descriptive messages, dammit!


27/84


HATEOAS
HATEOAS to the rescue!

HATEOAS
=
Hypermedia As The Engine Of Application State
→ Magic awesome sauce to improve REST!


28/84


HATEOAS

This is the hardest and of course,
most important part of REST
. . . But it makes the API “explorable”!


29/84

Image used under Creative Commons from oliverkendal http://flickr.com/oliverkendal/


Links

Use links to allow clients to
discover locations and operations
Link relations are used to express options
Clients do not need to know URLs
This controls the state


31/84


Links

Links contain (adapted from Atom format’s link deﬁnition):
The target (href, mandatory)
A short relationship indication (rel, mandatory)
(e. g. “details”, “payment”, “cancel”)
The content type needed for the request (type, optional)
The HTTP method (method, optional)
See also:
http://www.subbu.org/blog/2008/10/generalized-linking


32/84


Outline
1 REST APIs

HATEOAS
2 Example Scenario

HTTP Status Codes
ETags Optimistic Locking
5 REST Examples

33/84


Flight Booking API
State inside your REST API

The HATEOAS links indicate state transitions


34/84


Search for Speciﬁed Flights

POST /search?order=pricelimit=5 HTTP/1.1
{ destination: LAX,
date: 2013-09-24,
type: firstclass
}

Note:
This is an operation on a non-CRUD controller resource


35/84


Returns a Collection of Flights
HTTP/1.1 200 OK
Content-type: application/vnd.mycompany.myapp-v1.0+json
{ flights: [
{ flightno: NZ1234, time: 4:20,
links: [
{ href: /flight/15263, method: GET,
rel: details, type: application/vnd.mycompany.myapp+json
{ href: /booking, method: POST,
rel: confirm, type: application/vnd.mycompany.myapp+json
]
},
{ flightno: EH123, time: 3:55,
links: [
]
}
]
}

},
},

},
},

36/84


Returns a Collection of Flights
HTTP/1.1 200 OK
{ flights: [
{ flightno: NZ1234, time: 4:20,
links: [
]
},
{ flightno: EH123, time: 3:55,
links: [
]
}
]
}

},
},

},
},

37/84


Conﬁrm a Speciﬁc Flight

POST /booking HTTP/1.1
{ flight: /flight/15263,
seat: 42A,
meal: vegetarian
}
HTTP/1.1 401 Authentication required


38/84


Conﬁrm a Speciﬁc Flight
. . . with more info

POST /booking HTTP/1.1
Authorization: OAuth ...
{ flight: /flight/15263,
seat: 42A,
meal: vegetarian
}
HTTP/1.1 201 Created
Location: /booking/1616163


39/84


What can we do with our booking?

OPTIONS /booking/1616163 HTTP/1.1
HTTP/1.1 200 OK
Allow: GET, PUT, DELETE


40/84


Cancel our booking!

DELETE /booking/1616163 HTTP/1.1
HTTP/1.1 204 No content


41/84


Still need to Pay for the Flight
GET /booking/1616163 HTTP/1.1
HTTP/1.1 200 OK
{ flight: {
flightno: NZ1234, time: 4:20,
links: [
rel: details, type: application/vnd.mycompany.myapp+json } ]
},
payment: {
status: Not paid,
links: [
{ href: /payment/booking/1616163, method: GET,
rel: details, type: application/vnd.mycompany.myapp+json },
{ href: /payment/booking, method: POST,
rel: pay, type: application/vnd.mycompany.myapp+json },
{ href: /booking/1616163, method: DELETE,
rel: cancel, type: application/vnd.mycompany.myapp+json },
]
}
}


42/84


Pay through another resource
POST /payment/booking HTTP/1.1
{ booking: /booking/1616163,
cardno: 4111-1111-1111-1111,
expires: 04/2014,
name: Guy Kloss,
amount: { currency: NZD,
value: 1414.00 }
}
Location: /payment/booking/54321


43/84


Can’t delete booking (already paid)

OPTIONS /booking/1616163 HTTP/1.1
HTTP/1.1 200 OK
Allow: GET


44/84


We can fetch our e-Ticket now
GET /booking/1616163 HTTP/1.1
HTTP/1.1 200 OK
{ flight: {
flightno: NZ1234,
time: 4:20,
links: [ { href: /flight/15263, method: GET,
},
payment: {
status: Paid in full
links: [ { href: /payment/booking/54321, method: GET,
},
links: [ { href: /eticket/12415156261616, method: GET,
rel: eticket, type: application/pdf } ]
}

45/84


Outline
1 REST APIs

HATEOAS
2 Example Scenario

HTTP Status Codes
5 REST Examples

46/84


(Common) Pitfalls of REST Design

Versioning
Methods in URI
One URI per resource
Controller resources non-CRUD


47/84


Versioning

/api/v1.1/article/1234/photos
/api/v1.2/article/1234/photos

Diﬀerent resources?


48/84


Versioning
OK:
GET /api/article/1234/photos HTTP/1.1
Accept: application/vnd.mycompany.myapp+json ; version = 1.0

Better:
Accept: application/vnd.mycompany.myapp-v1.1+json
Accept: application/vnd.mycompany.myapp-v5.0.4a+json


49/84


Versioning

Why? It doesn’t break the resource’s URI
→ Same resource
→ Easier to evolve!

See also:
http://barelyenough.org/blog/2008/05/versioning-rest-web-services/


50/84


Methods in URI

/api/get/articles/1234/photos
/api/articles/new
/api/articles/list

Don’t use verbs in REST URIs!


51/84


One URI per Resource

/api/article/1234
/api/article/red+teddybear

Diﬀerent resources!?!


52/84


One URI per Resource

If you must . . .
GET /api/article/red+teddybear HTTP/1.1
HTTP/1.1 302 Found
Location: /api/article/1234


53/84


Controller Resources Non-CRUD

Outside the CRUD?
Multiple operations simultaneously?


54/84


POST /distance HTTP/1.1
Accept: application/json
Content-type: application/json;charset=UTF-8
{ from: Auckland, NZL,
to: Hamilton, NZL
}

or:
GET /distance?from=...to=... HTTP/1.1
Accept: application/json
HTTP/1.1 200 OK
Content-length: 123
Content-type: application/json
{ km: 127.5,
miles: 78.9
}

55/84



POST /user/gkloss/address_merge HTTP/1.1
Content-type: application/csv;charset=UTF-8
John Doe, 1 Main Street, Seattle, WA
Jane Doe, 100 North Street, Los Angeles, CA
HTTP/1.1 303 See other
Location: /user/gkloss/addressbook


56/84


Outline
1 REST APIs

HATEOAS
2 Example Scenario

HTTP Status Codes
5 REST Examples

57/84


More Important Stuﬀ

HTTP Status codes
ETags


58/84


HTTP Status Codes

Status codes are important
They represent the result of your actions
See: http://en.wikipedia.org/wiki/Http_status_codes


59/84


HTTP Status Codes

1xx
2xx
3xx
4xx
5xx

→
→
→
→
→

Informational
Success
Redirection
Client error
Server error


60/84


HTTP Status Codes
Important 2xx Codes

200 OK
→ Resource returned
201 Created
→ Resource created
204 No content
→ Resource deleted


61/84


HTTP Status Codes
Important 3xx Codes

301 Moved Permanently
→ Resource reorganised
302 Found
→ Redirection for speciﬁc object (e. g. search)
303 Other
→ A redirect due to an operation
304 Not modiﬁed
→ Resource wasn’t changed


62/84


HTTP Status Codes
Important 4xx Codes

400 Bad request
→ Incorrect payload
401 Unauthorized
→ Not authorized to operate
403 Forbidden
→ Not authorized to operate
404 Not found
→ Resource was not found
405 Method not allowed
→ Method incorrect
406 Not acceptable
→ Cannot return in correct format
412 Precondition failed
→ “ETag mismatch”
(418 I’m a teapot
→ Hyper Text Coﬀee Pot Control Protocol)

63/84


HTTP Status Codes

501 Not implemented vs. 405 Method not allowed
409 Conﬂict vs. 412 Precondition failed
→ de·bat·a·ble/di’b¯t b l/Adjective
a


64/84


Useful HTTP Headers

If-Unmodified-Since

(problem: only 1 second granularity)
If-Match and If-None-Match
(used with ETag value)
Remember: State can change in the meantime


65/84



GET /blogpost/12345 HTTP/1.1
HTTP/1.1 200 OK
Content-length: 12340
Content-type: application/json
ETag: abcd-1234
{ author: Guy Kloss,
title: Frobnification of Sub-Marine Vehicles,
...
}


66/84


For Caching

GET /blogpost/12345 HTTP/1.1
If-None-Match: abcd-1234
HTTP/1.1 304 Not modified

→ Blog post is cached and can be used


67/84


For Concurrency Protection

PATCH /blogpost/12345 HTTP/1.1
If-Match: abcd-1234
{ author: Heinrich von Zinkeduetten }
HTTP/1.1 412 Precondition failed

Blog post was concurrently modiﬁed by “someone”
HTTP PATCH performs a partial update


68/84


Outline
1 REST APIs

HATEOAS
2 Example Scenario

HTTP Status Codes
5 REST Examples

69/84


An XML Example
Just to show you, it does work with XML, too.
PUT /booking/1616163 HTTP/1.1
Accept: application/vnd.mycompany.myapp-v1+xml
booking
flight/flight/15263/flight
seat17F/seat
mealhalal/meal
/booking
HTTP/1.1 200 OK
Conent-type: application/vnd.mycompany.myapp-v1.0+xml
booking
link rel=details href=/booking/1616163
method=GET type=application/vnd.mycompany.myapp+xml
link rel=payment href=/payment/booking
method=POST type=application/vnd.mycompany.myapp+xml
link rel=cancel href=/booking/1616163
method=DELETE type=application/vnd.mycompany.myapp+xml
/booking

70/84


Creating a Resource

POST /articles HTTP/1.1
Content-type: application/vnd.mycompany.myapp-v1+json
{ name: Teddybear,
colour: red,
stock: 15,
price: { EUR: 15.95,
NZD: 26.95 }
}
Location: /articles/1234


71/84


Getting a Resource Collection
GET /articles HTTP/1.1
HTTP/1.1 200 OK
Date: sun, 08 Aug 2013 12:34:56 NZST
{ articles: [
{ name: Rubic’s Cube,
links: [ { href: /articles/1233, method: GET,
rel: article, type: application/vnd.mycompany.myapp+json } ]
},
{ name: Teddybear,
links: [ { href: /articles/1234, method: GET,
rel: article, type: application/vnd.mycompany.myapp+json } ]
}
]
}


72/84


Getting a Resource
GET /articles/1234 HTTP/1.1
HTTP/1.1 200 OK
ETag: 23709-12135125
Date: sun, 08 Aug 2013 12:34:56 NZST
{ name: Teddybear,
manufacturer: Steiff,
colour: red,
stock: 30,
...
}
HTTP/1.1 404 Not found
Content-length: 0
Date: sun, 08 Aug 2013 12:34:56 NZST

73/84


Deleting a Resource

DELETE /articles/1234 HTTP/1.1
HTTP/1.1 204 No content
Content-length: 0
Date: sun, 08 Aug 2013 12:34:56 NZST


74/84


Updating a Resource
PUT /articles/1234 HTTP/1.1
If-Match: 23709-12135125
{ name: Teddybear,
manufacturer: Steiff,
colour: red,
stock: 30,
price: { EUR: 15.95,
NZD: 26.95 }
}
HTTP/1.1 200 OK
Content-length: 0
Date: sun, 08 Aug 2013 12:34:56 NZST
HTTP/1.1 412 Precondition failed
Content-length: 0
Date: sun, 08 Aug 2013 12:34:56 NZST

Idempotent!

75/84


Updating a Resource

is an idempotent operation
It (completely) replaces the content
of the whole resource
Consider PATCH for partial updates!
PUT


76/84


Controller Resources (Non-CRUD)
Revisited . . .

POST /user/gkloss/address_merge HTTP/1.1
Content-type: application/csv;charset=UTF-8
John Doe, 1 Main Street, Seattle, WA
Jane Doe, 100 North Street, Los Angeles, CA
HTTP/1.1 303 See Other
Location: /user/gkloss/addressbook


77/84


Conclusion
Web-based services are about state machines
and business protocols
→ The HATEOAS constraint from REST

What can be called “RESTful” depends on who you ask
(it’s not a formally accepted deﬁnition)
Some say: You are not RESTful without hypermedia
I say: REST is about Representational State Transfer,
and hypermedia is an add-on (though very important)
There are still good APIs without hypermedia
(e. g. Amazon S3)
There are very bad APIs (pretending to be RESTful)
(e. g. Twitter API)

If in doubt, certain APIs can be considered “RESTish”
Certain ones are deﬁnitely no more than RESTish!

78/84


Comparison REST vs. SOAP


79/84


Comparison REST vs. SOAP
Both are request/response type services
SOAP is more an RPC-style API (procedures with verb)
REST is about REST (duh!)
SOAP has strictly defined interfaces,
and the communication can be verified
REST is more about evolving APIs,
and making them explorable through hypermedia
Bells’n’whistles in SOAP, but can be found in REST
(less obvious, less used: WADL, JSON schema, . . . )
Use . . .
SOAP for well managed “corporate-style” consumers
REST for many, less-defined “citizen consumers”
REST if the API is likely to evolve

80/84


More Reading

Wikipedia: Representational State Transfer
http://en.wikipedia.org/wiki/Representational_State_Transfer

Roy Fielding’s PhD dissertation coming up with the REST idea:
http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm

“RESTful Web Services Cookbook –
Solutions for Improving Scalability and Simplicity”
http://oreilly.com/catalog/9780596801694


81/84


More Reading
Online Slide Presentations

“Designing HTTP Interfaces and RESTful Web Services”
http://www.slideshare.net/Wombert/
designing-http-interfaces-and-restful-web-services-dpc2012-20120608

“HATEOAS: The Confusing Bit from REST”
http://www.slideshare.net/adorepump/
hateoas-the-confusing-bit-from-rest

“REST in Practice”
http://www.slideshare.net/guilhermecaelum/rest-in-practice

“RESTful Web APIs with Python, Flask and MongoDB”
https://speakerdeck.com/nicola/
developing-restful-web-apis-with-python-flask-and-mongodb


82/84

THANKS TO

KIWI PYCON
AUCKLAND 2013

THE YEAR OF THE SNAKE
Kiwi PyCon 2013 will
be held at Auckland
University of
Technology's new
Sir Paul Reeves
Building, also
known as building

AKL

SIMPLICITY

WG at AUT's city
campus.

SEPTEMBER

FLEXIBILITY

BEAUTY

6-8

New Zealand's premier Python event of the year
http://nz.pycon.org/

Questions?

Image used under Creative Commons from Boston Public Library
http://flickr.com/boston_public_library/

Representational State Transfer (REST) and HATEOAS

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Representational State Transfer (REST) and HATEOAS

Semelhante a Representational State Transfer (REST) and HATEOAS (20)

Mais de Guy K. Kloss

Mais de Guy K. Kloss (16)

Último

Último (20)

Representational State Transfer (REST) and HATEOAS