Testing REST
Web Services
SOA Symposium Berlin 2010
Jan Algermissen, algermissen@acm.org
Jan Algermissen
@algermissen
http://www.nordsc.com/
“Applying the Web to Enterprise IT”
MORE TO TEST THAN
YOU THINK!
Client Server
Communication requires
shared knowledge.
Shared Knowledge
Allows Expectations
Expectation Levels
Application
Resource
Message
MESSAGE LEVEL
FAULTS
GET /index.html HTTP/1.0
HTTP/1.0 204 No Content
/* Hello there */
?
DELETE /index.html HTTP/1.0
HTTP/1.0 404.6 Verb denied
Content-Type: text/plain
Sorry, you cannot delete this resource.
?
GET /index.html HTTP/1.0
HTTP/1.0 305 Use Proxy
?
HTTP 1.1
(RFC 2616)
GET /news HTTP/1.0
HTTP/1.0 200 Ok
Content-Type: application/atom+xml
<feed>
<entry>
</fee>
?
GET /news HTTP/1.0
HTTP/1.0 200 Ok
Content-Type: application/atom+xml
<feed>
<link href="/de/news"
rel="alternate" hreflang="de"/>
<link href="/de/news2"
rel="alternate" hreflang="de"/>
</feed>
?
MEDIA TYPE
TESTS
Message
Level
•Correct HTTP syntax?
•Correct HTTP semantics?
•Correct payload syntax?
•Correct payload semantics?
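The four message-level questions above, applied to the deck's faulty responses, as an added example (not part of the original slides). The function name, fault labels and the reading of the 305 case as a missing Location header are this example's assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) .*$")

def check_message(raw):
    """Return the message-level faults found in one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        return ["http-syntax: malformed status line"]
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    faults = []
    # HTTP semantics (RFC 2616): a 204 has no body; a 305 names the proxy in Location.
    if status == 204 and body.strip():
        faults.append("http-semantics: 204 with a message body")
    if status == 305 and "location" not in headers:
        faults.append("http-semantics: 305 without Location")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if body.strip() and ctype.endswith("xml"):
        try:
            root = ET.fromstring(body)  # fixtures are trusted input
        except ET.ParseError:
            return faults + ["payload-syntax: not well-formed XML"]
        if ctype == "application/atom+xml":
            # RFC 4287: one alternate link at most per (type, hreflang) pair;
            # a link without rel counts as alternate.
            seen = Counter(
                (el.get("type"), el.get("hreflang"))
                for el in root
                if el.tag.split("}")[-1] == "link"
                and el.get("rel", "alternate") == "alternate"
            )
            if any(n > 1 for n in seen.values()):
                faults.append("payload-semantics: duplicate alternate link")
    return faults

# Constructed responses modelled on the slides' faulty examples.
ATOM = "HTTP/1.0 200 Ok\r\nContent-Type: application/atom+xml\r\n\r\n"
SAMPLES = {
    "204-body": "HTTP/1.0 204 No Content\r\n\r\n/* Hello there */",
    "404.6": "HTTP/1.0 404.6 Verb denied\r\nContent-Type: text/plain\r\n\r\nSorry",
    "305": "HTTP/1.0 305 Use Proxy\r\n\r\n",
    "bad-xml": ATOM + "<feed>\n<entry>\n</fee>",
    "dup-link": ATOM + '<feed><link href="/de/news" rel="alternate" hreflang="de"/>'
                       '<link href="/de/news2" rel="alternate" hreflang="de"/></feed>',
}
```

When the responses come from servers you do not control, parse with `defusedxml.ElementTree.fromstring` instead; the standard-library parser is used here only to stay dependency-free.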
Message level
tests passed!
Are we done testing?
“The notion that REST-based user
agents can't have expectations of a
resource is clearly false.”
-- Roy Fielding
GREAT!
MORE TO TEST
RESOURCE LEVEL
FAULTS
GET /page.html HTTP/1.0
HTTP/1.0 200 Ok
Content-Type: text/html
<html>
<body><p>My dog:
<img src="/img/dog.jpg"/>
</p></body>
</html>
GET /img/dog.jpg HTTP/1.0
Accept: image/*
HTTP/1.0 406 Not Acceptable
Content-Length: 0
Link semantics create
expectations.
<html><head>
<link rel="stylesheet" type="text/css"
href="/css/default.css"/>
</head>
....
</html>
“A stylesheet”
<app:collection href="/blog/entries">
<app:accept>text/plain</app:accept>
</app:collection>
“A collection”
<OpenSearchDescription>
<Url type="application/rss+xml"
template="/search?q={searchTerms}"/>
</OpenSearchDescription>
“A search result”
Link semantics create
expectations.
These expectations can
be tested.
BUT HOW?
Specifications (loosely)
associate link semantics
with media types.
curl -I http://foo.org/img/dog.jpg -H 'Accept: image/*'
HTTP/1.1 406 Not Acceptable
Content-Length: 0
Verify that it is an image
406 → Test failed
curl -I http://foo.org/blog/entries -H 'Accept: application/atom+xml'
HTTP/1.1 200 Ok
Content-Type: application/atom+xml
Verify that it is a collection
200 → Test passed
Use media types
to test resource
semantics
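The curl checks above, automated for every link on a page, as an added example (not part of the original slides). The mapping from link semantics to media range, the `fetch` callback and the canned responses are this example's assumptions; in a real run `fetch` would issue the HTTP request with the given Accept header.

```python
from fnmatch import fnmatch
from html.parser import HTMLParser

class LinkExpectations(HTMLParser):
    """Collect (uri, expected media range) pairs from a page's links."""
    def __init__(self):
        super().__init__()
        self.expected = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            # An <img> link promises an image of some kind.
            self.expected.append((a["src"], "image/*"))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            # A stylesheet link promises its declared type (text/css by default).
            self.expected.append((a["href"], a.get("type", "text/css")))

def check_links(page_html, fetch):
    """fetch(uri, accept) -> (status, content_type); returns {uri: verdict}."""
    parser = LinkExpectations()
    parser.feed(page_html)
    results = {}
    for uri, media_range in parser.expected:
        status, ctype = fetch(uri, media_range)
        ctype = (ctype or "").split(";")[0].strip().lower()
        if status == 406:
            results[uri] = "failed: no variant for " + media_range
        elif not 200 <= status < 300:
            results[uri] = "failed: status %d" % status
        elif not fnmatch(ctype, media_range):
            results[uri] = "failed: got " + (ctype or "no Content-Type")
        else:
            results[uri] = "passed"
    return results

# Constructed page and canned responses, modelled on the slides (no network).
PAGE = ('<html><head><link rel="stylesheet" type="text/css" '
        'href="/css/default.css"/></head>'
        '<body><p>My dog: <img src="/img/dog.jpg"/></p></body></html>')
CANNED = {"/css/default.css": (200, "text/css; charset=utf-8"),
          "/img/dog.jpg": (406, None)}

def canned_fetch(uri, accept):
    return CANNED.get(uri, (404, None))

if __name__ == "__main__":
    for uri, verdict in check_links(PAGE, canned_fetch).items():
        print(uri, verdict)
```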
GET /articles/1002110.html HTTP/1.0
HTTP/1.0 200 Ok
Date: Tue, 2 Jun 2010 11:00:00 GMT
Content-Type: text/html
<html>...</html>
GET /articles/1002110.html HTTP/1.0
HTTP/1.0 404 Not Found
Date: Wed, 3 Jun 2010 11:00:00 GMT
Content-Type: text/plain
Nothing found that matches the request URI.
?
GET /stock-quote/COKE HTTP/1.0
HTTP/1.0 200 Ok
Date: Tue, 2 Jun 2010 11:00:00 GMT
Content-Type: text/plain
49.5
GET /stock-quote/COKE HTTP/1.0
HTTP/1.0 200 Ok
Date: Wed, 3 Jun 2010 11:00:00 GMT
Content-Type: text/plain
Current weather in Berlin: 25 degrees
Celsius, sunny.
?
Cool URIs don’t change!
GET /orders/42 HTTP/1.0
Accept: application/order
HTTP/1.0 200 Ok
Date: Tue, 2 Jun 2010 11:00:00 GMT
Content-Type: application/order
<order> ... </order>
GET /orders/42 HTTP/1.0
Accept: application/order
HTTP/1.0 406 Not Acceptable
Date: Wed, 3 Jun 2010 11:00:00 GMT
Content-Type: text/plain
Media type application/order no longer
available. Try application/order.v2
?
BE NICE!
Keep variants around.
TESTS
Resource
Level
•Does resource match link semantics?
•Is resource available over time?
•Are resource semantics stable over time?
•Are variants available over time?
APPLICATION LEVEL
FAULTS
What’s an application anyway?
•Buying a book in an online store
•Looking up a word in an online dictionary
•Taking an online exam
•Indexing a set of Web sites
•Checking for updates in monitored feeds
•Monitoring programming language
adoption using stackoverflow.com
GET /shop-home.html HTTP/1.0
Host: www.bestbookshop.com
HTTP/1.0 200 Ok
Content-Type: text/html
<html><body><p>
Sorry, buying is not possible here anymore.
Check out the store catalog at <a href="/catalog.html"/>
and walk to one of our stores. </p></body></html>
?
Application Level Tests
Does the service work
as expected by the application?
Testable only in context of the application. The server
cannot know how it is being re-used!
TESTS
Application
Level
•Does service offer expected capability?
•Is the user goal reachable?
Testing REST Web Services
Application
Level
•Does service offer expected capability?
•Is the user goal reachable?
Resource
Level
•Does resource match link semantics?
•Is resource available over time?
•Are resource semantics stable over time?
•Are variants available over time?
Message
Level
•Correct HTTP syntax?
•Correct HTTP semantics?
•Correct payload syntax?
•Correct payload semantics?
EXPLORE THE
CONTRACT
SERVER MUST PASS TESTS
NO CLIENT ASSUMPTIONS BEYOND TESTS
USE
TESTS AS
GUIDE
Server Developer Client Developer
Server Developer
Guidance
Server must...
•Conform to HTTP
•Conform to the media types used
•Resources must match link semantics
•Keep URIs around
•Keep resource semantics stable
•Maintain variants over time
•Maintain capabilities
Anything else is not
constrained and will
not break clients!
Server may....
•Change representations
•Add resources
•Add variants
•Make full use of HTTP
•Make full use of media types
Client Developer
Guidance
Client may rely on...
•Message level correctness
•Resources matching link semantics
•Bookmarkable URIs
•Stable resource semantics
•Variant availability over time
•Stable service nature
Anything else the
server is absolutely
free to change at any
time.
The client must...
•Implement all of HTTP
•Deal with supported media types
completely
•Prepare for unexpected but valid
responses
Take Aways
•Quite some things to test
•Tests reveal and illustrate contract
•REST constrains over time
•Servers are, in fact, rather constrained
REST achieves
evolvability by
rigorous constraints on
server change!
HAPPY TESTING!