  1. REST with JAX-RS, Security, Java EE 6 (Carol McDonald)
  2. Agenda
     • REST Primer
     • RESTful Design and API Elements
     • Building a Simple Service
     • Security
     • Q&A
  3. REpresentational State Transfer
     (diagram: the Client sends GET http://www.depot.com/parts to the REST Web Service; the response carries XML data; the Client moves from State 1 to State 2)
     • The URL identifies the resource
     • Click on the URL (resource) in the page (hypermedia)
     • The HTML page is transferred to the browser: a REpresentational State transfer occurs
  4. REST Tenets
     • Resources (nouns)
       > Identified by a URI, for example: http://www.parts-depot.com/parts
     • Methods (verbs) to manipulate the nouns
       > Small fixed set: GET, PUT, POST, DELETE = Read, Update, Create, Delete
     • Representation of the Resource
       > Data and state transferred between client and server
       > XML, JSON...
     • Use verbs to exchange application state and representation
  5. Request (method + resource):
       GET http://localhost:8080/RestfulCustomer/webresources/model.customer/1
     Status: 200 (OK)
     Time-Stamp: Fri, 14 Dec 2012 02:19:34 GMT
     Received (the representation):
       {"name":"Jumbo Eagle Corp","state":"FL","customerId":1,"addressline1":"111 E. Las Olivas Blvd","addressline2":"Suite 51","city":"Fort Lauderdale","phone":"305-555-0188","fax":"305-555-0189","email":"jumboeagle@example.com","creditLimit":100000}
  6. REST Uniform Interface: Everything is a Resource
     Every resource has an id, and the URI is the id: http://company.com/customers/123456
  7. Every Resource has an Id
     The URI is the id; every resource has a URI: http://company.com/customers/123456 ("customers" is the collection name, "123456" the primary key)
     • URIs identify:
       > items, collections of items, virtual and physical objects, or computation results
       http://company.com/customers/123456/orders/12
       http://example.com/orders/2007/11
       http://example.com/products?color=green
  8. REST Standard Interface: Use Standard HTTP Methods
     • Example: GET /store/customers/123456
  9. Use Standard Methods (Order/Customer Management example, http://www.infoq.com/articles/rest-introduction)
     • /orders
       – GET - list all orders
       – POST - submit a new order
       /orders/{order-id}
       > GET - get an order representation
       > PUT - update an order
       > DELETE - cancel an order
       /orders/average-sale
       – GET - calculate average sale
     • /customers
       – GET - list all customers
       – POST - create a new customer
       /customers/{cust-id}
       > GET - get a customer representation
       > DELETE - remove a customer
       /customers/{cust-id}/orders
       – GET - get the orders of a customer
  10. Use Standard HTTP Methods
     • HTTP GET, HEAD
       > Should not modify anything
       > Cacheable with correct use of Last-Modified and ETag
     • Idempotency:
       > PUT, DELETE, GET, HEAD can be repeated and the results are the same
  11. Link things together
     • Hypermedia As The Engine Of Application State (HATEOAS)
     © Availity, LLC | All rights reserved.
  12. Link Things Together
     Representations contain links to other resources:
       <order self="http://example.com/orders/101230">
         <customer ref="http://example.com/customers/bar"/>
         <product ref="http://example.com/products/21034"/>
         <amount value="1"/>
       </order>
     • Service provides links in the response to the Client
       > Enables the client to move the application from one state to the next by following a link
  13. Example: http://www.infoq.com/articles/webber-rest-workflow (diagram)
  14. Example (diagram)
  15. Multiple Representations
     • Offer data in a variety of formats, for different needs
       > XML
       > JSON
       > (X)HTML
     • Support content negotiation
       > Accept header: GET /foo with Accept: application/json
       > URI-based: GET /foo.json
       > Response header: Content-Type: application/xml
  16. Content negotiation
     Request: http://localhost:8080/RestfulCustomer/webresources/application.wadl
     Status: 200 (OK)
     Time-Stamp: Fri, 14 Dec 2012 03:11:50 GMT
     Received:
       <?xml version="1.0" encoding="UTF-8"?>
       <resources base="http://localhost:8080/RestfulCustomer/webresources/">
         <resource path="model.customer">
           <method id="findAll" name="GET">
             <response>
               <representation mediaType="application/xml"/>
               <representation mediaType="application/json"/>
             </response>
           </method>
  17. Stateless Communications
     • HTTP protocol is stateless
     • Everything required to process a request is contained in the request
       > No client session on the server
       > Eliminates many failure conditions
     • Application state is kept on the Client
     • Service is responsible for resource state
  18. REST Common Patterns: Container, Item (server in control of the URI)
     • Container – a collection of items
     • List catalog items: GET /catalog/items
     • Add item to container: POST /catalog/items
       > with item in request
       > URI of item returned in HTTP response header
       > e.g. http://host/catalog/items/1
     • Update item: PUT /catalog/items/1
       > with updated item in request
     • Good example: Atom Publishing Protocol
  19. Common Patterns: Map, Key, Value (client in control of the URI)
     • List key-value pairs: GET /map
     • Put new value to map: PUT /map/{key}
       > with entry in request
       > e.g. PUT /map/dir/contents.xml
     • Read value: GET /map/{key}
     • Update value: PUT /map/{key}
       > with updated value in request
     • Remove value: DELETE /map/{key}
     • Good example: Amazon S3
  20. REST Key Benefits
     • Server side
       > Uniform Interface
       > Cacheable
       > Scalable
       > Easy failover
     • Client side
       > Easy to experiment in browser
       > Broad programming language support
       > Choice of data formats
  21. Agenda
     • REST Primer
     • RESTful Design and API Elements with JAX-RS
     • Building a Simple Service
     • Status
     • Q&A
  22. JAX-RS: Clear mapping to REST concepts
     • High level, declarative
       > Uses @ annotations in POJOs
     • Jersey – reference implementation of JSR 311
       > Download it from http://jersey.dev.java.net
       > Comes with GlassFish, Java EE 6
       > Tools support in NetBeans
  23. Resources
     • Resource class
       > POJO, no required interfaces
     • ID provided by @Path annotation
       > Relative to deployment context
       > Annotate class or "sub-resource locator" method

       @Path("orders/{id}")                          // http://host/ctx/orders/12
       public class OrderResource {
           @Path("customer")                         // http://host/ctx/orders/12/customer
           CustomerResource getCustomer(...) {...}
       }
  24. Request Mapping
     • Annotate resource class methods with the standard method
       > @GET, @PUT, @POST, @DELETE, @HEAD
     • Annotations on parameters specify the mapping from request data
     • Return value is mapped to the HTTP response

       @Path("orders/{order_id}")
       public class OrderResource {
           @GET
           Order getOrder(@PathParam("order_id") String id) { ... }
       }
  25. Multiple Representations: static and dynamic content negotiation
     • Annotate methods or classes
       > @Produces matches the Accept header
       > @Consumes matches the Content-Type header

       @GET
       @Consumes("application/json")
       @Produces({"application/xml", "application/json"})
       String getOrder(@PathParam("order_id") String id) { ... }
  26. Multiple Representations: JAX-RS consuming
     (@ConsumeMime and @ProduceMime on the original slides are the pre-1.0 names of @Consumes and @Produces)

       @Path("/items/")
       @Consumes("application/xml")
       public class ItemsResource {
           @GET                                               // http://host/catalog/items/?start=0
           ItemsConverter get(@QueryParam("start") int start) { ... }

           @Path("{id}/")                                     // http://host/catalog/items/123
           ItemResource getItemResource(@PathParam("id") Long id) { ... }
       }
  27. Multiple Representations

       @POST
       @Consumes("application/x-www-form-urlencoded")
       @Produces("application/xml")
       public JAXBClass updateEmployee(MultivaluedMap<String, String> form) { ... }
       // the return value is converted to XML
       // the form body is converted to a map for accessing the form fields
  28. Multiple Representations: producing a response
     Use the Response class to build a "created" response:

       @Path("/items")
       class Items {
           @POST
           @Produces("application/xml")
           Response create(Ent e) {
               // persist the new entry, create URI
               return Response.created(uriInfo.getAbsolutePath().resolve(uri + "/")).build();
           }
       }
  29. Uniform interface: HTTP request and response
       C: POST /items HTTP/1.1
       C: Host: host.com
       C: Content-Type: application/xml
       C: Content-Length: 35
       C:
       C: <item><name>dog</name></item>
       S: HTTP/1.1 201 Created
       S: Location: http://host.com/employees/1234
       S: Content-Length: 0
  30. Link Things Together
     • UriInfo provides information about the request URI and the route to the resource
     • UriBuilder provides facilities to easily build URIs for resources

       @Context UriInfo info;
       OrderResource r = ...
       UriBuilder b = info.getBaseUriBuilder();
       URI u = b.path(OrderResource.class).build(r.id);
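The following is an added example, not code from the slides, that puts the pieces of slides 23 to 30 into one JAX-RS 1.1 resource: @Path templates, HTTP-method annotations, @PathParam, @Produces/@Consumes, Response.created and UriInfo/UriBuilder. The Order class, the in-memory store and the validation rules are assumptions made for the example.

```java
// Added example (not from the slides): one JAX-RS 1.1 resource combining
// request mapping, content negotiation, 201 Created with Location, and
// UriBuilder-based link construction. Order and the store are assumptions.
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.xml.bind.annotation.XmlRootElement;

/** Hypothetical representation; JAXB maps the public fields to XML/JSON elements. */
@XmlRootElement
class Order {
    public Long id;
    public String product;
    public int amount;
}

@Path("orders")
public class OrderResource {
    // In-memory store standing in for the JPA layer of the catalog example.
    private static final Map<Long, Order> ORDERS = new ConcurrentHashMap<Long, Order>();
    private static final AtomicLong SEQUENCE = new AtomicLong();

    @Context
    private UriInfo uriInfo;

    // GET /orders/{id}: safe and idempotent; the representation follows the Accept header.
    @GET
    @Path("{id}")
    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Order getOrder(@PathParam("id") long id) {
        Order order = ORDERS.get(id);
        if (order == null) {
            throw new WebApplicationException(Response.Status.NOT_FOUND); // a clean 404, no stack trace
        }
        return order;
    }

    // POST /orders: the server chooses the new item's URI and returns it in Location.
    @POST
    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Response create(Order order) {
        if (order == null || order.product == null || order.amount <= 0) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST); // validate before persisting
        }
        order.id = SEQUENCE.incrementAndGet();
        ORDERS.put(order.id, order);
        // Link things together: derive the URI from the class and method templates
        // instead of hard-coding a host or path.
        URI location = uriInfo.getBaseUriBuilder()
                .path(OrderResource.class)             // appends "orders"
                .path(OrderResource.class, "getOrder") // appends "{id}"
                .build(order.id);                      // fills in the template
        return Response.created(location).build();    // 201 Created + Location header
    }

    // PUT /orders/{id}: idempotent full update; repeating it leaves the same state.
    @PUT
    @Path("{id}")
    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Response update(@PathParam("id") long id, Order order) {
        if (!ORDERS.containsKey(id)) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        order.id = id; // the URI, not the body, identifies the resource
        ORDERS.put(id, order);
        return Response.noContent().build();
    }

    // DELETE /orders/{id}: idempotent; a repeated call finds nothing and still succeeds.
    @DELETE
    @Path("{id}")
    public Response cancel(@PathParam("id") long id) {
        ORDERS.remove(id);
        return Response.noContent().build();
    }
}
```

The Location header is built from the request's base URI plus the annotated templates, so the link stays correct when the application is deployed under a different context root or host name; the 404 and 400 responses are returned through WebApplicationException so that no exception detail leaks into the response body.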
  31. Agenda
     • REST Primer
     • RESTful Design and API Elements
     • Building a Simple Service
     • Deployment Options
     • Status
  32. Example RESTful Catalog
  33. URIs and Methods: Item Catalog Example (http://www.infoq.com/articles/rest-introduction)
     /items
       – GET - list all items
       – POST – add item to catalog
     /items/{id}
       > GET - get an item representation
       > PUT - update an item
       > DELETE – remove an item
  34. Methods

       @Path("/items")
       class ItemsResource {
           @GET
           public List<Item> findAll() { ... }

           @POST
           Response create(Item item) { ... }

           @PUT @Path("{id}")
           public void edit(Item entity) { }

           @GET @Path("{id}")
           public Item find(@PathParam("id") Integer id) { ... }
       }
     The Java method name is not significant; the HTTP-method annotation is the method.
  35. RESTful Catalog: JavaScript client, JAX-RS, JSON, JPA
     (diagram, "Registration Application": javascript client ↔ JSON ↔ ItemsResource (JAX-RS class) ↔ Item (Entity class) ↔ DB)
  36. Item Entity, JAXB annotated

       @Entity
       @Table(name = "ITEM")
       @XmlRootElement
       public class Item implements Serializable {
           @Id private Integer id;
           ...
       }
  37. XML

       <item uri="http://localhost/Web/resources/items/1/">
         <description>black cat is nice</description>
         <id>1</id>
         <imagethumburl>/images/anth.jpg</imagethumburl>
         <name>not Friendly Cat</name>
         <price>307.10</price>
         <productid>feline01</productid>
       </item>
  38. JSON

       {
         "@uri": "http://host/catalog/resources/items/1/",
         "name": "Friendly Cat",
         "description": "This black and white colored cat is super friendly.",
         "id": "1",
         "imageurl": "http://localhost:8080/CatalogService/images/anthony.jpg"
       }
  39. Resource Classes
     > ItemsResource retrieves and updates a collection of Item entities
     > /items – URI for a list of Items
     > /item/1 – URI for item 1
     (diagram: Dojo client ↔ ItemsResource (JAX-RS class) ↔ Item (Entity class) ↔ DB)
  40. Get Items

       @Path("/items/")                      // responds to the URI http://host/catalog/items/
       public class ItemsResource {
           @GET                              // responds to HTTP GET
           @Produces("application/json")     // responds with JSON
           public List<Item> get() {         // Item is a JAXB class
               CriteriaQuery cq = getEntityManager().getCriteriaBuilder().createQuery();
               cq.select(cq.from(Item.class));
               // performs a JPA query and returns the list of entities
               return getEntityManager().createQuery(cq).getResultList();
           }
       }
  41. jQuery Client

       var rootURL = "http://localhost:8080/catalog/resources/item";

       // Retrieve item list
       function findAll() {
           $.ajax({
               type: "GET",
               url: rootURL,
               dataType: "json",
               success: renderList
           });
       }

       function renderList(data) {
           var list = data;
           $("#itemList li").remove();
           $.each(list, function (index, item) {
               // build the link with the jQuery API rather than string concatenation,
               // so item.name is inserted as text and not parsed as HTML
               var link = $("<a>").attr("href", "#").attr("data-identity", item.id).text(item.name);
               $("#itemList").append($("<li>").append(link));
           });
       }
  42. Backbone.js client (diagram)
  43. MVC (diagram)
  44. Backbone.sync maps CRUD requests to REST
     Save (new) → create → HTTP POST /url
     Fetch → read → GET /url/id
     Save → update → PUT /url/id
     Destroy → delete → DELETE /url/id
  45. Backbone client

       window.Item = Backbone.Model.extend({
           urlRoot: "resources/items",
           defaults: {
               id: null,
               name: "",
               description: "",
               imageurl: null
           }
       });

       window.ItemCollection = Backbone.Collection.extend({
           model: Item,
           url: "resources/items"
       });
  46. Agenda
     • REST Primer
     • RESTful Design and API Elements
     • Building a Simple Service
     • Security
     • Q&A
  47. Securing your REST Web Service
     • Authentication for identity verification
     • Authorization
     • Encryption
  48. Authentication: Configure web.xml

       <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>admin</realm-name>
       </login-config>
  49. Authentication: Configure web.xml

       <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>admin</realm-name>
       </login-config>

     • login-config:
       > defines how HTTP requests should be authenticated
     • auth-method:
       > BASIC, DIGEST, or CLIENT_CERT, corresponding to Basic, Digest, and Client Certificate authentication, respectively
     • realm-name:
       > name of the realm, the database of users and groups that identifies valid users of a web application
  50. Authentication: Configure web.xml

       <security-constraint>
         <web-resource-collection>
           <url-pattern>/secure/*</url-pattern>
           <http-method>POST</http-method>
         </web-resource-collection>
         ...

     • security-constraint:
       > defines access privileges to a collection of resources
     • url-pattern:
       > the URL pattern you want to secure
     • http-method:
       > the methods to be protected
  51. Authentication: Configure web.xml

       <security-constraint>
         ...
         <auth-constraint>
           <description>only let admin login</description>
           <role-name>admin</role-name>
         </auth-constraint>

     • auth-constraint:
       > names the roles authorized to access the URL patterns and HTTP methods declared by this security constraint
  52. Encryption: Configure web.xml

       <security-constraint>
         ...
         <user-data-constraint>
           <description>SSL</description>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
       </security-constraint>

     • user-data-constraint: NONE, INTEGRAL, or CONFIDENTIAL
       > how the data will be transported between client and server
  53. Authentication: Configure web.xml

       <security-role>
         <role-name>admin</role-name>
       </security-role>

     • security-role: lists all of the security roles used in the application
       > every <role-name> used in an <auth-constraint> must have a corresponding <security-role>
     • http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html
  54. Authentication: map roles to realm

       <sun-web-app>
         <security-role-mapping>
           <role-name>admin</role-name>
           <principal-name>admin</principal-name>
         </security-role-mapping>
       </sun-web-app>

     • security-role-mapping:
       > assigns a security role to a group or user in the Application Server realm (an LDAP realm in the diagram)
     • Realm:
       > database of users and groups that identifies valid users of a web application (FILE, LDAP, ...)
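The following is an added example, not the slides' own deployment descriptor, that assembles the elements of slides 48 to 54 into one complete web.xml for a Jersey 1.x application. The servlet mapping under /resources/*, the package name com.example.catalog and the item URL pattern are assumptions; the realm name and role come from the slides.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the slides): complete web.xml combining login-config,
     security-constraint, auth-constraint, user-data-constraint and security-role.
     Servlet mapping, package name and URL patterns are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <servlet>
    <servlet-name>jersey</servlet-name>
    <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
    <init-param>
      <param-name>com.sun.jersey.config.property.packages</param-name>
      <param-value>com.example.catalog</param-value>
    </init-param>
    <!-- Without this filter factory Jersey 1.x ignores @RolesAllowed on resources -->
    <init-param>
      <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
      <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>jersey</servlet-name>
    <url-pattern>/resources/*</url-pattern>
  </servlet-mapping>

  <!-- Reads: anyone, but only over TLS (GET and HEAD are the only methods listed) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>catalog reads</web-resource-name>
      <url-pattern>/resources/items/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Everything except GET/HEAD: admin role required, over TLS.
       Listing only POST, as on slide 50, would leave PUT, DELETE and any
       unknown method name unconstrained; http-method-omission (Servlet 3.0)
       covers every method not named here. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>catalog writes</web-resource-name>
      <url-pattern>/resources/items/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <auth-constraint>
      <description>only let admin modify the catalog</description>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>admin</realm-name>
  </login-config>

  <!-- every role-name used in an auth-constraint must be declared here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

Two points worth checking in any descriptor built this way. First, the two constraints above cover disjoint method sets on purpose: when several constraints match the same url-pattern and method, the container combines them, and a constraint with no auth-constraint combined with one that names roles allows unauthenticated access, so a "TLS for everything" constraint with no auth-constraint would silently open the write methods. Second, BASIC sends the credentials base64-encoded on every request, which is why the CONFIDENTIAL transport guarantee belongs on every constraint and not only on the one from slide 52.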
  55. Authentication: map roles to realm (file realm; diagram)
  56. Authorization Annotations

       @Path("/customers")
       @RolesAllowed({"ADMIN", "CUSTOMER"})      // roles permitted to execute the operations
       public class CustomerResource {
           @GET
           @Path("{id}")
           @Produces("application/xml")
           public Customer getCustomer(@PathParam("id") int id) {...}

           @RolesAllowed("ADMIN")
           @POST
           @Consumes("application/xml")
           public void createCustomer(Customer cust) {...}

           @PermitAll                            // any authenticated user
           @GET
           @Produces("application/xml")
           public Customer[] getCustomers() {...}
       }
  57. JAX-RS Security Context

       public interface SecurityContext {
           // determine the identity of the user
           public Principal getUserPrincipal();
           // check whether the user belongs to a certain role
           public boolean isUserInRole(String role);
           // whether this request was made using a secure channel
           public boolean isSecure();
           public String getAuthenticationScheme();
       }
  58. JAX-RS Security Context

       @Path("/customers")
       public class CustomerService {
           @GET
           @Produces("application/xml")
           public Customer[] getCustomers(@Context SecurityContext sec) {
               // check whether the user belongs to a certain role
               if (sec.isSecure() && !sec.isUserInRole("ADMIN")) {
                   // determine the identity of the user
                   logger.info(sec.getUserPrincipal() + " accessed customer database.");
               }
               ...
           }
       }
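The following is an added example, not code from the slides, that fills in the CustomerResource of slide 56 and shows what the SecurityContext of slides 57 and 58 adds on top of @RolesAllowed: object-level checks that a declarative annotation cannot express. The Customer class, its owner field and the constructed sample records are assumptions; enforcement of @RolesAllowed itself is assumed to be switched on in the runtime (for Jersey 1.x, the RolesAllowedResourceFilterFactory init-param).

```java
// Added example (not from the slides): @RolesAllowed for coarse role checks,
// SecurityContext for per-record authorization and audit logging.
// Customer, its "owner" field and the sample records are assumptions.
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.xml.bind.annotation.XmlRootElement;

/** Hypothetical representation; "owner" is the user name allowed to read the record. */
@XmlRootElement
class Customer {
    public int id;
    public String owner;
    public String name;
}

@Path("customers")
@RolesAllowed({"ADMIN", "CUSTOMER"}) // class-wide default; a method annotation overrides it
public class CustomerResource {
    private static final Logger LOG = Logger.getLogger(CustomerResource.class.getName());

    // Constructed sample data standing in for the JPA layer.
    private static final Map<Integer, Customer> STORE = new ConcurrentHashMap<Integer, Customer>();
    static {
        STORE.put(1, customer(1, "alice", "Jumbo Eagle Corp"));
        STORE.put(2, customer(2, "bob", "New Enterprises"));
    }

    @GET
    @Path("{id}")
    @Produces("application/xml")
    public Response getCustomer(@PathParam("id") int id, @Context SecurityContext sec) {
        Principal user = sec.getUserPrincipal();
        if (user == null) {
            // The container never authenticated this request, usually because no
            // security-constraint in web.xml covers this URL and method: fail closed.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (!sec.isSecure()) {
            // Defence in depth: the user-data-constraint should already have forced TLS.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        Customer c = STORE.get(id);
        // Object-level authorization that @RolesAllowed cannot express:
        // a CUSTOMER may read only their own record, an ADMIN may read any.
        boolean visible = c != null && (sec.isUserInRole("ADMIN") || user.getName().equals(c.owner));
        if (!visible) {
            // Same answer for "does not exist" and "not yours", so a CUSTOMER cannot
            // enumerate other customers' ids by telling 403 from 404.
            LOG.warning(user.getName() + " denied customer " + id);
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        LOG.info(user.getName() + " (" + sec.getAuthenticationScheme() + ") read customer " + id);
        return Response.ok(c).build();
    }

    @RolesAllowed("ADMIN") // narrows the class-level rule: only ADMIN may create
    @POST
    @Consumes("application/xml")
    public Response createCustomer(Customer cust) {
        STORE.put(cust.id, cust);
        return Response.status(Response.Status.CREATED).build();
    }

    @PermitAll // any caller may list; the container decides whether authentication is required
    @GET
    @Produces("application/xml")
    public Customer[] getCustomers() {
        return STORE.values().toArray(new Customer[0]);
    }

    private static Customer customer(int id, String owner, String name) {
        Customer c = new Customer();
        c.id = id;
        c.owner = owner;
        c.name = name;
        return c;
    }
}
```

The role annotations answer "may this kind of user call this method"; the SecurityContext answers "may this user see this record", and the null check on getUserPrincipal() is the quickest way to notice that a resource was deployed without a matching security-constraint.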
  59. Java EE 6
     • JAX-RS is part of Java EE 6
     • Gradle dependencies are easy

       apply plugin: 'war'
       dependencies {
           testCompile     'org.glassfish.extras:glassfish-embedded-all:3.0.1'
           providedCompile 'org.glassfish.extras:glassfish-embedded-all:3.0.1'
       }
  60. Java EE 6 security
     • Service/Façade
       • Declarative (@RolesAllowed)
       • Programmatic
     • Web Controller
       • New annotations for authentication & authorization
       • @ServletSecurity, @HttpConstraint, @HttpMethodConstraint
       • @WebFilter, @DeclareRoles, @RunAs
     • Presentation
     • Transport Layer
       • CONFIDENTIAL, INTEGRAL, NONE
       • ServletSecurity.TransportGuarantee

       @WebServlet(name = "UnderwritingServlet", urlPatterns = {"/UnderwritingServlet"})
       @ServletSecurity(@HttpConstraint(transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
     © Availity, LLC | All rights reserved.
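The following is an added example, not code from the slides, that extends the UnderwritingServlet annotation of slide 60 with the per-method form of the same Servlet 3.0 annotations: @HttpMethodConstraint for the methods the servlet actually serves, and a DENY default for every other method. The roles, the servlet body and the response text are assumptions.

```java
// Added example (not from the slides): Servlet 3.0 declarative security with a
// deny-by-default constraint plus per-method role and transport requirements.
// Role names and the servlet body are assumptions.
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({"admin", "underwriter"}) // roles must be declared before they are referenced
@WebServlet(name = "UnderwritingServlet", urlPatterns = {"/UnderwritingServlet"})
@ServletSecurity(
    // Default for every HTTP method not listed in httpMethodConstraints
    // (PUT, DELETE, TRACE, arbitrary method names): deny outright, and still
    // require TLS so that even the rejected attempt is not sent in the clear.
    value = @HttpConstraint(value = EmptyRoleSemantic.DENY,
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET",
                              rolesAllowed = {"admin", "underwriter"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class UnderwritingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time control reaches here the container has authenticated the
        // caller, checked the role and verified the connection. The programmatic
        // API remains available for finer decisions and for audit logging.
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + req.getUserPrincipal().getName()
                + " admin=" + req.isUserInRole("admin")
                + " secure=" + req.isSecure());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // admin-only write; the real work is omitted in this example
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The slide's single @HttpConstraint only demands TLS and leaves every method open to every caller; the per-method constraints here are the annotation equivalent of listing roles in an auth-constraint, and the DENY default plays the role that http-method-omission plays in web.xml, so a method the servlet does not implement cannot be used to bypass the role check.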
  61. CDI
     • Bean discovery and wiring

       public class ItemController {
           @Inject
           private CatalogService catalogService;
           ...
       }
  62. Bean Validation

       public class Address {
           @NotNull
           @Size(max = 30, message = "longer than {max} characters")
           private String street1;
           ...
           @NotNull
           @Valid
           private Country country;
       }

       public class Country {
           @NotNull
           @Size(max = 30)
           private String name;
           ...
       }
  63. Servlet 3.0
     • Ease of development
       @WebServlet(urlPatterns = "/foo", name = "MyServlet", asyncSupported = true)
     • @WebFilter("/secured/*")
     • Asynchronous Servlet
       > Support Comet applications
     • Security enhancements
  64. Summary
     • REST architecture is gaining popularity
       > Simple, scalable, and the infrastructure is already in place
     • JAX-RS (JSR-311) provides a high level declarative programming model
       > http://jersey.dev.java.net
  65. For More Information
     • Reference Implementation
       • http://jersey.java.net/
     • Java EE 6 tutorial
       • http://docs.oracle.com/javaee/6/tutorial/doc/
     • Backbone.js JAX-RS example
       • http://coenraets.org/blog/2011/12/backbone-js-wine-cellar-tutorial-part-1-getting-started/
     • JAX-RS Comet example
       • http://www.oracle.com/technetwork/systems/articles/cometslideshow-139170.html
  66. For More Information
     • RESTful Java with JAX-RS