Rest with Java EE 6 , Security , Backbone.js
Transcript

  • 1. REST with JAX-RS, Security, Java EE 6 (Carol McDonald)
  • 2. Agenda
      • REST Primer
      • RESTful Design and API Elements
      • Building a Simple Service
      • Security
      • Q&A
  • 3. REpresentational State Transfer
      Diagram: the client sends GET http://www.depot.com/parts to the REST web service and receives XML data in the response; the client moves from State1 to State2.
      > The URL identifies the resource
      > Click on the URL (resource) in a page (hypermedia): an HTML page is transferred to the browser, and a REpresentational State transfer occurs
  • 4. REST Tenets
      • Resources (nouns)
        > Identified by a URI, for example: http://www.parts-depot.com/parts
      • Methods (verbs) to manipulate the nouns
        > Small fixed set: GET, PUT, POST, DELETE (Read, Update, Create, Delete)
      • Representation of the resource
        > Data and state transferred between client and server
        > XML, JSON...
      • Use verbs to exchange application state and representation
  • 5. Method, resource, representation
      Request: GET http://localhost:8080/RestfulCustomer/webresources/model.customer/1
        (GET is the method, the URL is the resource)
      Status: 200 (OK)
      Time-Stamp: Fri, 14 Dec 2012 02:19:34 GMT
      Received (the representation):
        {"name":"Jumbo Eagle Corp","state":"FL","customerId":1,"addressline1":"111 E. Las Olivas Blvd","addressline2":"Suite 51","city":"Fort Lauderdale","phone":"305-555-0188","fax":"305-555-0189","email":"jumboeagle@example.com","creditLimit":100000}
  • 6. REST Uniform Interface: Everything is a Resource
      Every resource has an id; the URI is the id: http://company.com/customers/123456
  • 7. Every Resource has an Id
      The URI is the id; every resource has a URI: http://company.com/customers/123456 (resource, collection name "customers", primary key "123456")
      • URIs identify:
        > items, collections of items, virtual and physical objects, or computation results
        http://company.com/customers/123456/orders/12
        http://example.com/orders/2007/11
        http://example.com/products?color=green
  • 8. REST Standard Interface: Use Standard HTTP Methods
      • Example: GET /store/customers/123456
  • 9. Use Standard Methods (Order Management example)
      • /orders
        - GET - list all orders
        - POST - submit a new order
      • /orders/{order-id}
        > GET - get an order representation
        > PUT - update an order
        > DELETE - cancel an order
      • /orders/average-sale
        - GET - calculate average sale
      • /customers
        - GET - list all customers
        - POST - create a new customer
      • /customers/{cust-id}
        > GET - get a customer representation
        > DELETE - remove a customer
      • /customers/{cust-id}/orders
        - GET - get the orders of a customer
      Source: http://www.infoq.com/articles/rest-introduction
  • 10. Use Standard HTTP Methods
      • HTTP GET, HEAD
        > Should not modify anything
        > Cacheable, with correct use of Last-Modified and ETag
      • Idempotency:
        > PUT, DELETE, GET, HEAD can be repeated and the results are the same
  • 11. Link things together
      • Hypermedia As The Engine Of Application State (HATEOAS)
      © Availity, LLC | All rights reserved.
  • 12. Link Things Together
      Representations contain links to other resources:
        <order self="http://example.com/orders/101230">
          <customer ref="http://example.com/customers/bar"/>
          <product ref="http://example.com/products/21034"/>
          <amount value="1"/>
        </order>
      • The service provides links in the response to the client
        > Enables the client to move the application from one state to the next by following a link
  • 13. Example
      http://www.infoq.com/articles/webber-rest-workflow
  • 14. Example
  • 15. Multiple Representations
      • Offer data in a variety of formats, for different needs
        > XML
        > JSON
        > (X)HTML
      • Support content negotiation
        > Accept header: GET /foo with Accept: application/json
        > URI-based: GET /foo.json
        > Response header: Content-Type: application/xml
  • 16. Content negotiation
      Request: http://localhost:8080/RestfulCustomer/webresources/application.wadl
      Status: 200 (OK)
      Time-Stamp: Fri, 14 Dec 2012 03:11:50 GMT
      Received:
        <?xml version="1.0" encoding="UTF-8"?>
        <resources base="http://localhost:8080/RestfulCustomer/webresources/">
          <resource path="model.customer">
            <method id="findAll" name="GET">
              <response>
                <representation mediaType="application/xml"/>
                <representation mediaType="application/json"/>
              </response>
            </method>
  • 17. Stateless Communications
      • The HTTP protocol is stateless
      • Everything required to process a request is contained in the request
        > No client session on the server
        > Eliminates many failure conditions
      • Application state is kept on the client
      • The service is responsible for resource state
  • 18. REST Common Patterns: Container, Item
      Server in control of the URI
      • Container: a collection of items
      • List catalog items: GET /catalog/items
      • Add item to container: POST /catalog/items
        > with the item in the request
        > URI of the item returned in an HTTP response header, e.g. http://host/catalog/items/1
      • Update item: PUT /catalog/items/1
        > with the updated item in the request
      • Good example: Atom Publishing Protocol
  • 19. Common Patterns: Map, Key, Value
      Client in control of the URI
      • List key-value pairs: GET /map
      • Put new value to map: PUT /map/{key}
        > with the entry in the request
        > e.g. PUT /map/dir/contents.xml
      • Read value: GET /map/{key}
      • Update value: PUT /map/{key}
        > with the updated value in the request
      • Remove value: DELETE /map/{key}
      • Good example: Amazon S3
  • 20. REST Key Benefits
      • Server side
        > Uniform interface
        > Cacheable
        > Scalable
        > Easy failover
      • Client side
        > Easy to experiment in a browser
        > Broad programming language support
        > Choice of data formats
  • 21. Agenda
      • REST Primer
      • RESTful Design and API Elements with JAX-RS
      • Building a Simple Service
      • Status
      • Q&A
  • 22. JAX-RS: Clear mapping to REST concepts
      • High level, declarative
        > Uses @ annotations in POJOs
      • Jersey: reference implementation of JSR 311
        > Download it from http://jersey.dev.java.net
        > Comes with GlassFish, Java EE 6
        > Tools support in NetBeans
  • 23. Resources
      • Resource class
        > POJO, no required interfaces
      • ID provided by the @Path annotation
        > Relative to the deployment context
        > Annotate the class or a "sub-resource locator" method
        @Path("orders/{id}")                     // http://host/ctx/orders/12
        public class OrderResource {
          @Path("customer")                      // http://host/ctx/orders/12/customer
          CustomerResource getCustomer(...) { ... }
        }
  • 24. Request Mapping
      • Annotate resource class methods with the standard HTTP method
        > @GET, @PUT, @POST, @DELETE, @HEAD
      • Annotations on parameters specify the mapping from request data
      • The return value is mapped to the HTTP response
        @Path("orders/{order_id}")
        public class OrderResource {
          @GET
          Order getOrder(@PathParam("order_id") String id) { ... }
        }
  • 25. Multiple Representations: static and dynamic content negotiation
      • Annotate methods or classes
        > @Produces matches the Accept header
        > @Consumes matches the Content-Type header
        @GET
        @Consumes("application/json")
        @Produces({"application/xml", "application/json"})
        String getOrder(@PathParam("order_id") String id) { ... }
  • 26. Multiple Representations: JAX-RS consuming
        @Path("/items/")
        @Consumes("application/xml")   // written @ConsumeMime on the slide: the pre-1.0 Jersey name for @Consumes
        public class ItemsResource {
          @GET                                                       // http://host/catalog/items/?start=0
          ItemsConverter get(@QueryParam("start") int start) { ... }

          @Path("{id}/")                                             // http://host/catalog/items/123
          ItemResource getItemResource(@PathParam("id") Long id) { ... }
        }
  • 27. Multiple Representations
        @POST
        @Consumes("application/x-www-form-urlencoded")   // form fields are converted to a map
        @Produces("application/xml")                      // the return value is converted to XML
        public JAXBClass updateEmployee(MultivaluedMap<String, String> form) { ... }
  • 28. Multiple Representations: producing a response
      Use the Response class to build a "created" response:
        @Path("/items")
        class Items {
          @Context UriInfo uriInfo;

          @POST
          @Produces("application/xml")
          Response create(Ent e) {
            // persist the new entry and create its URI (uri)
            return Response.created(uriInfo.getAbsolutePath().resolve(uri + "/")).build();
          }
        }
  • 29. Uniform interface: HTTP request and response
        C: POST /items HTTP/1.1
        C: Host: host.com
        C: Content-Type: application/xml
        C: Content-Length: 35
        C:
        C: <item><name>dog</name></item>
        S: HTTP/1.1 201 Created
        S: Location: http://host.com/employees/1234
        S: Content-Length: 0
  • 30. Link Things Together
      • UriInfo provides information about the request URI and the route to the resource
      • UriBuilder provides facilities to easily build URIs for resources
        @Context UriInfo info;
        OrderResource r = ...
        UriBuilder b = info.getBaseUriBuilder();
        URI u = b.path(OrderResource.class).build(r.id);
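The created-response, Location header and UriBuilder pieces of slides 28 to 30 put together as one JAX-RS 1.1 resource. This is an added example, not code from the presentation; it stands in a minimal `Item` class (constructed here) for the slides' JAXB entity and an in-memory map for their JPA entity manager.

```java
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.xml.bind.annotation.XmlRootElement;

// Minimal stand-in for the Item entity of slide 36 (constructed for this example).
@XmlRootElement
class Item {
    private Integer id;
    private String name;
    public Integer getId() { return id; }
    public void setId(Integer id) { this.id = id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

@Path("/items")
@Produces({"application/xml", "application/json"})
public class ItemsResource {

    // In-memory store standing in for the slides' JPA entity manager (example only).
    private static final Map<Integer, Item> STORE = new ConcurrentHashMap<Integer, Item>();
    private static final AtomicInteger SEQUENCE = new AtomicInteger();

    @Context
    private UriInfo uriInfo;   // per-request view of base URI, path and query

    // Container/Item pattern (slide 18): the server, not the client, assigns id and URI.
    @POST
    @Consumes({"application/xml", "application/json"})
    public Response create(Item item) {
        int id = SEQUENCE.incrementAndGet();
        item.setId(id);            // any id sent by the client is ignored
        STORE.put(id, item);
        // The Location comes from the request context, never from a client-supplied URL.
        URI location = uriInfo.getAbsolutePathBuilder()       // http://host/ctx/items
                              .path(Integer.toString(id))     // http://host/ctx/items/{id}
                              .build();
        return Response.created(location).build();            // 201 Created + Location, empty body
    }

    @GET
    @Path("{id}")
    public Response find(@PathParam("id") int id) {
        Item item = STORE.get(id);
        if (item == null) {
            // Unknown id: a 404, not a 500 from a null dereference.
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.ok(item).build();   // 200, format chosen by the Accept header
    }
}
```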
  • 31. Agenda
      • REST Primer
      • RESTful Design and API Elements
      • Building a Simple Service
      • Deployment Options
      • Status
  • 32. Example: RESTful Catalog
  • 33. URIs and Methods: Item Catalog Example
      • /items
        - GET - list all items
        - POST - add item to catalog
      • /items/{id}
        > GET - get an item representation
        > PUT - update an item
        > DELETE - remove an item
      Source: http://www.infoq.com/articles/rest-introduction
  • 34. Methods
        @Path("/items")
        class ItemsResource {
          @GET
          public List<Item> findAll() { ... }

          @POST
          Response create(Item item) { ... }

          @PUT
          @Path("{id}")
          public void edit(@PathParam("id") Integer id, Item entity) { ... }

          @GET
          @Path("{id}")
          public Item find(@PathParam("id") Integer id) { ... }
        }
      The Java method name is not significant; the HTTP method annotation is the method.
  • 35. RESTful Catalog
      JavaScript client, JAX-RS, JSON, JPA
      Architecture of the Registration Application: JavaScript client -> JSON -> JAX-RS class (ItemsResource) -> Entity class (Item) -> DB
  • 36. Item Entity, JAXB annotated
        @Entity
        @Table(name = "ITEM")
        @XmlRootElement
        public class Item implements Serializable {
          @Id
          private Integer id;
          ...
        }
  • 37. XML
        <item uri="http://localhost/Web/resources/items/1/">
          <description>black cat is nice</description>
          <id>1</id>
          <imagethumburl>/images/anth.jpg</imagethumburl>
          <name>not Friendly Cat</name>
          <price>307.10</price>
          <productid>feline01</productid>
        </item>
  • 38. JSON
        {
          "@uri": "http://host/catalog/resources/items/1/",
          "name": "Friendly Cat",
          "description": "This black and white colored cat is super friendly.",
          "id": "1",
          "imageurl": "http://localhost:8080/CatalogService/images/anthony.jpg"
        }
  • 39. Resource Classes
      > ItemsResource retrieves and updates a collection of Item entities
      > /items - URI for a list of Items
      > /item/1 - URI for item 1
      Diagram: Dojo client -> JAX-RS class (ItemsResource) -> Entity class (Item) -> DB
  • 40. Get Items
        @Path("/items/")                        // responds to the URI http://host/catalog/items/
        public class ItemsResource {
          @GET                                  // responds to HTTP GET
          @Produces("application/json")         // responds with JSON
          public List<Item> get() {             // Item is a JAXB class
            // Performs a JPA criteria query and returns the list of entities
            CriteriaQuery<Item> cq = getEntityManager().getCriteriaBuilder().createQuery(Item.class);
            cq.select(cq.from(Item.class));
            return getEntityManager().createQuery(cq).getResultList();
          }
        }
  • 41. jQuery Client
        var rootURL = "http://localhost:8080/catalog/resources/item";
        // Retrieve item list
        function findAll() {
          $.ajax({
            type: "GET",
            url: rootURL,
            dataType: "json",
            success: renderList
          });
        }
        function renderList(data) {
          var list = data;
          $("#itemList li").remove();
          $.each(list, function(index, item) {
            // item.id and item.name come from the service; they are inserted as HTML here,
            // so data that is not trusted should be escaped (or set with .text()) first
            $("#itemList").append('<li><a href="#" data-identity="' + item.id + '">' + item.name + '</a></li>');
          });
        }
  • 42. Backbone.js client
  • 43. MVC
  • 44. Backbone.sync maps CRUD requests to REST
      Save (new) → create → HTTP POST /url
      Fetch      → read   → GET /url/id
      Save       → update → PUT /url/id
      Destroy    → delete → DELETE /url/id
  • 45. Backbone client
        window.Item = Backbone.Model.extend({
          urlRoot: "resources/items",
          defaults: {
            id: null,
            name: "",
            description: "",
            imageurl: null
          }
        });
        window.ItemCollection = Backbone.Collection.extend({
          model: Item,
          url: "resources/items"
        });
  • 46. Agenda
      • REST Primer
      • RESTful Design and API Elements
      • Building a Simple Service
      • Security
      • Q&A
  • 47. Securing your REST Web Service
      • Authentication for identity verification
      • Authorization
      • Encryption
  • 48. Authentication: Configure web.xml
        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>admin</realm-name>
        </login-config>
  • 49. Authentication: Configure web.xml
        <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>admin</realm-name>
        </login-config>
      • login-config:
        > defines how HTTP requests should be authenticated
      • auth-method:
        > BASIC, DIGEST, or CLIENT_CERT, corresponding to Basic, Digest, and Client Certificate authentication, respectively
      • realm-name:
        > name of the realm: the database of users and groups that identify valid users of a web application
  • 50. Authentication: Configure web.xml
        <security-constraint>
          <web-resource-collection>
            <url-pattern>/secure/*</url-pattern>
            <http-method>POST</http-method>
          </web-resource-collection>
          ...
      • security-constraint:
        > defines access privileges to a collection of resources
      • url-pattern:
        > the URL pattern you want to secure
      • http-method:
        > the methods to be protected
  • 51. Authentication: Configure web.xml
        <security-constraint>
          ...
          <auth-constraint>
            <description>only let admin login</description>
            <role-name>admin</role-name>
          </auth-constraint>
      • auth-constraint:
        > names the roles authorized to access the URL patterns and HTTP methods declared by this security constraint
  • 52. Encryption: Configure web.xml
        <security-constraint>
          ...
          <user-data-constraint>
            <description>SSL</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>
      • user-data-constraint: NONE, INTEGRAL, or CONFIDENTIAL
        > how the data will be transported between client and server
  • 53. Authentication: Configure web.xml
        <security-role>
          <role-name>admin</role-name>
        </security-role>
      • security-role: lists all of the security roles used in the application
        > For every <role-name> used in an <auth-constraint> you must define a corresponding <security-role>
      • http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html
  • 54. Authentication: map roles to realm
        <sun-web-app>
          <security-role-mapping>
            <role-name>admin</role-name>
            <principal-name>admin</principal-name>
          </security-role-mapping>
        </sun-web-app>
      • security-role-mapping:
        > assigns a security role to a group or user in the Application Server realm
      • Realm:
        > database of users and groups that identify valid users of a web application (e.g. FILE, LDAP)
  • 55. Authentication: map roles to realm
      File realm (screenshot)
  • 56. Authorization Annotations
        @Path("/customers")
        @RolesAllowed({"ADMIN", "CUSTOMER"})        // roles permitted to execute the operations
        public class CustomerResource {
          @GET
          @Path("{id}")
          @Produces("application/xml")
          public Customer getCustomer(@PathParam("id") int id) { ... }

          @RolesAllowed("ADMIN")
          @POST
          @Consumes("application/xml")
          public void createCustomer(Customer cust) { ... }

          @PermitAll                                 // any authenticated user
          @GET
          @Produces("application/xml")
          public Customer[] getCustomers() { ... }
        }
  • 57. JAX-RS Security Context
        public interface SecurityContext {
          public Principal getUserPrincipal();       // determine the identity of the user
          public boolean isUserInRole(String role);  // check whether the user belongs to a certain role
          public boolean isSecure();                 // whether this request was made using a secure channel
          public String getAuthenticationScheme();
        }
  • 58. JAX-RS Security Context
        @Path("/customers")
        public class CustomerService {
          @GET
          @Produces("application/xml")
          public Customer[] getCustomers(@Context SecurityContext sec) {
            // check whether the user belongs to a certain role
            if (sec.isSecure() && !sec.isUserInRole("ADMIN")) {
              // determine the identity of the user
              logger.info(sec.getUserPrincipal() + " accessed customer database.");
            }
            ...
          }
        }
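The declarative @RolesAllowed of slide 56 and the programmatic SecurityContext checks of slides 57 and 58 combined in one resource: the role annotations decide which roles may call a method, and SecurityContext supplies what they cannot express, the per-record ownership check, the transport check and the audit record. Added example, not code from the presentation; the `Customer` class and its data are constructed here, the role names follow the slides, and in Jersey 1.x @RolesAllowed is only enforced when the RolesAllowedResourceFilterFactory is registered via the com.sun.jersey.spi.container.ResourceFilters init-param (or the resource is an EJB).

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.xml.bind.annotation.XmlRootElement;

// Minimal customer record (constructed for this example); "owner" is the login allowed to read it.
@XmlRootElement
class Customer {
    public int id;
    public String owner;
    public String name;
    public Customer() { }
    Customer(int id, String owner, String name) { this.id = id; this.owner = owner; this.name = name; }
}

@Path("/customers")
@RolesAllowed({"ADMIN", "CUSTOMER"})   // class default: any other caller gets 403 before a method runs
public class CustomerResource {
    private static final Logger LOG = Logger.getLogger(CustomerResource.class.getName());
    // Stand-in for the JPA customer table (example data, constructed here).
    private static final Map<Integer, Customer> DB = new ConcurrentHashMap<Integer, Customer>();
    static {
        DB.put(1, new Customer(1, "alice", "Jumbo Eagle Corp"));
        DB.put(2, new Customer(2, "bob", "Acme Pet Supplies"));
    }

    @GET
    @Path("{id}")
    @Produces("application/xml")
    public Customer getCustomer(@PathParam("id") int id, @Context SecurityContext sec) {
        // @RolesAllowed says "a CUSTOMER may call this"; it cannot say "only for their own record".
        // That per-record (horizontal) check has to be programmatic.
        String login = sec.getUserPrincipal().getName();   // non-null: the role check already forced authentication
        Customer c = DB.get(id);
        boolean permitted = c != null && (sec.isUserInRole("ADMIN") || login.equals(c.owner));
        if (!permitted) {
            LOG.warning(login + " requested customer " + id + ": missing or not owned");   // audit record
            // 404 for both cases, so a CUSTOMER cannot learn which other ids exist.
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
        return c;
    }

    @GET
    @Produces("application/xml")
    @RolesAllowed("ADMIN")   // narrows the class-level default for this method only
    public Customer[] getCustomers(@Context SecurityContext sec) {
        if (!sec.isSecure()) {
            // Bulk customer data only over TLS, even if web.xml omitted CONFIDENTIAL.
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        LOG.info(sec.getUserPrincipal().getName() + " accessed customer database.");
        return DB.values().toArray(new Customer[0]);
    }
}
```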
  • 59. Java EE 6
      • JAX-RS is part of Java EE 6
      • Gradle dependencies are easy:
        apply plugin: 'war'
        dependencies {
          testCompile 'org.glassfish.extras:glassfish-embedded-all:3.0.1'
          providedCompile 'org.glassfish.extras:glassfish-embedded-all:3.0.1'
        }
  • 60. Java EE 6 security
      • Service/Façade
        > Declarative (@RolesAllowed)
        > Programmatic
      • Web Controller
        > New annotations for authentication & authorization
        > @ServletSecurity, @HttpConstraint, @HttpMethodConstraint
        > @WebFilter, @DeclareRoles, @RunAs
      • Presentation
      • Transport Layer
        > CONFIDENTIAL, INTEGRAL, NONE
        > ServletSecurity.TransportGuarantee
        @WebServlet(name="UnderwritingServlet", urlPatterns={"/UnderwritingServlet"})
        @ServletSecurity(@HttpConstraint(transportGuarantee=ServletSecurity.TransportGuarantee.CONFIDENTIAL))
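Slides 48 to 53 express the constraints in web.xml; the Servlet 3.0 annotations named on this slide express the same constraints in code, with a default constraint that covers every HTTP method rather than only the ones listed. Added example, not code from the presentation; the servlet name, the URL pattern under the slides' /secure/* and the lower-case role names are assumptions.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({"admin", "customer"})   // the <security-role> list of slide 53, in annotation form
@WebServlet(name = "CatalogAdminServlet", urlPatterns = {"/secure/catalog"})
@ServletSecurity(
    // Default for every HTTP method not listed in httpMethodConstraints: admin only, over TLS.
    // Equivalent to <auth-constraint> plus <user-data-constraint>CONFIDENTIAL; because it is the
    // default, no method is left unconstrained, unlike a <web-resource-collection> naming only POST (slide 50).
    value = @HttpConstraint(rolesAllowed = {"admin"},
                            transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // Reads are open to customers as well, still authenticated and still over TLS.
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"admin", "customer"},
                              transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL)
    })
public class CatalogAdminServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller (BASIC, per <login-config>) and
        // enforced the role and transport constraints, so getUserPrincipal() is non-null here.
        resp.setContentType("text/plain");
        resp.getWriter().println("catalog read by " + req.getUserPrincipal().getName()
                + (req.isUserInRole("admin") ? " (admin)" : " (customer)"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only admin reaches this method; record who changed the catalog anyway.
        log("catalog modified by " + req.getUserPrincipal().getName());
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```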
  • 61. CDI
      • Bean discovery and wiring
        public class ItemController {
          @Inject
          private CatalogService catalogService;
          ...
        }
  • 62. Bean Validation
        public class Address {
          @NotNull
          @Size(max=30, message="longer than {max} characters")
          private String street1;
          ...
          @NotNull
          @Valid
          private Country country;
        }
        public class Country {
          @NotNull
          @Size(max=30)
          private String name;
          ...
        }
  • 63. Servlet 3.0
      • Ease of development
        @WebServlet(urlPatterns="/foo", name="MyServlet", asyncSupported=true)
      • @WebFilter("/secured/*")
      • Asynchronous servlet
        > Supports Comet applications
      • Security enhancements
  • 64. Summary
      • REST architecture is gaining popularity
        > Simple, scalable, and the infrastructure is already in place
      • JAX-RS (JSR-311) provides a high-level declarative programming model
        > http://jersey.dev.java.net
  • 65. For More Information
      • Reference implementation
        > http://jersey.java.net/
      • Java EE 6 tutorial
        > http://docs.oracle.com/javaee/6/tutorial/doc/
      • Backbone.js JAX-RS example
        > http://coenraets.org/blog/2011/12/backbone-js-wine-cellar-tutorial-part-1-getting-started/
      • JAX-RS Comet example
        > http://www.oracle.com/technetwork/systems/articles/cometslideshow-139170.html
  • 66. For More Information
      • RESTful Java with JAX-RS
