The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 with and without JWT for user identity; AWS-style security for B2B with API keys; and OAuth 2.0 Proof of Possession, which merges both into two-factor bliss. Using a baseline microservice architecture, the presentation compares them, with a heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security. Starting with basic authentication and a brief intro to hashing and signing, this is the perfect session to align the whole team.

1. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Roberto Cortez, Ivan Junckes Filho
Chasing the RESTful Trinity
Client, CLI and Documentation

2. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Speakers
Roberto Cortez
● Senior Software Engineer at Tomitribe
● Java Champion & Oracle Groundbreaker
● JUG Leader Coimbra JUG & vJUG
● JNation Conference Founder & Organizer
● Blogger, Youtuber, Speaker
● +10 years of experience with Java
● Software Engineer at Tomitribe
● Oracle Certified Professional
● 9+ years experience with JavaEE
● Eclipse Commiter: JnoSQL, JPA, JSONB
and JSP
Ivan Junckes
● Memberof GUjavaSC

3. @radcortez @CesarHgt @tomitribehttps://www.tomitribe.com/codeone/dev6016/
Questions?
As soon as you have them!

4. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Agenda
● REST API Development
● Problems
● Challenges
● Inget
● Future

5. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
REST API Dominates

6. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
REST API
● Most projects use REST now
● Stable Standards
● Repetitive
● Plenty of frameworks to use

7. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/

8. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Real Case
● Typical project with a REST API
● 2 years work
● 8-10 developers
● 100+ API’s
● CRUDs and Lists

9. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Result?

10. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Problems
● Different names to represent the same object
● Some uses prefixes, others don’t
● Different Collection types
● Booleans (is, get, set)
● Enums vs Strings

11. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Problems
● PUT vs POST
● Read / Create / Update properties
● Return Status Codes?
● Plural or singular names?
● Headers / Path Params / Query Params?

12. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
And we were still missing...
● Client Libraries
● Documentation
● Command Line
● Versioning

13. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Challenges
● Producing REST apis is less than half of the work
● Tooling around it is needed
● How are you going to call a service?
● How are you going to document it?
● Do you want to expose it non technical people?

14. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
More challenges...
1. Microservices evolve too fast
2. Maintenance requires too much effort
3. Changing or adding new interfaces will require changes in all the
tooling around it
4. Documentation is frequently out of date
5. Cost is too high

15. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
How to solve it
● Generation is the realistic solution
● Tool with Client, CLI and Documentation
● The client will help you call the services from different apps
● The Command-line Interface will help access the services without code
● Your services will have up to date docs

16. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Benefits
● You only spend time with the things that really affect the business
● You can evolve fast without worrying about the impact in different
toolings
● Less maintenance
● Less cost

17. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/

18. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Inget
● Open Source, Apache License
● Code Generator Tool
● Maven Plugin
● Use your own source
● From the model or resources files

19. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
JavaParser
● Parse
● Analyze
● Transform
● Generate
● Java Code

20. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
JavaParser
CompilationUnit cu = JavaParser.parse("JavaFilename.java");
ClassOrInterfaceDeclaration klass = cu.getClassByName("ClassName").get();
klass.addField("Date", "date", Modifier.PRIVATE);
klass.addImport("java.util.Date");

21. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Model
● Amazon style Model
● Separate classes for each operation
● Only expose the fields used
● Annotated Model class to generate required classes

22. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Demo
Model Generation

23. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Resources
● Generates interfaces
● JAX-RS Endpoint
● Support for Bulk, Filters and Pagination
● You can add your own endpoints

24. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Demo
Resources Generation

25. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Client
● Microprofile Typesafe client implementation
● Deals with everything required to call a resource
● Can be incorporated to other applications
● Works with Basic, Signature and OAuth2 (very soon) authentication

26. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
BabyStore
Spotify Desktop App
Netflix Web App
client
client
client
Tribestream API Gateway

27. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Demo
Client Generation

28. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Command-line Interface
● Airlift / Airline
● Executable binary
● Manual page (Man page)
● SSH Keys
● Easily build scripts to call microservices

29. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
BabyStore
CLI
Tribestream API Gateway
Command Line Interface (baby)

30. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Demo
Command Line Generation

31. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Documentation
● Generates the Open API file (json / yaml)
● Microprofile Open API
● AsciiDoc / Markdown from Open API
● HTML to publish the documentation

32. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Demo
Documentation Generation

33. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Limitations
● Requires the initial model
● Lacks configuration
● Additional plugins to generate OpenAPI files and docs
● Missing store for CLI

34. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
Future
● Generation of clients in other languages
● Generate from openapi file
● Simplify setup
● GraalVM Native Images for CLI
● CLI auto complete

35. @radcortez @ivanjunckes @tomitribehttps://www.tomitribe.com/codeone/dev6001/
https://www.tomitribe.com/codeone/dev6001
Thank you
Contact us @TOMITRIBE