
Api manager preconference


  1. © 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Developing and Managing APIs with Adobe ColdFusion and API Manager. Kevin, Mayur, Pavan
  2. Agenda
     • Use Case
     • Designing your API
     • API Manager Actors
     • Onboarding of the API
     • Building Blocks
     • Security
     • SLA
     • Analytics
  3. Use case (diagram): the store's APIs sit behind API Manager, which fronts them for three kinds of consumer: Merchant, Store Administrator and Customer.
  4. E-commerce Store APIs
     1. Product
     2. Merchants
     3. Order
     4. Promotion
     5. Payment Gateway
  5. Product API endpoints
     • Add a product: POST /products/v1
     • Get all products: GET /products/v1
     • Add/update brand: PUT /products/v1
     • Search product: GET /products/v1/search?searchid=123
  6. Merchant API endpoints
     • Add a product: POST /merchant/v1/products/<merchant_id>
     • Update product price: PUT /merchant/v1/products/<merchant_id>?product_id=101965
     • Update product quantity: PUT /merchant/v1/products/<merchant_id>?product_id=101965
     • Delete a product under a merchant store: DELETE /merchant/v1/products/<merchant_id>?product_id=101965
  7. Order API endpoints
     • Place a new order: POST /order/v1
     • Retrieve list of all orders: GET /orders/v1/<customerId>
     • Update an order: PUT /orders/v1/<orderid>
     • Delete a single order: DELETE /orders/v1/<customerId>/<orderid>
  8. Promotion API endpoints
     • Create a promotion type: POST /promotion/v1
     • Create a discount code: POST /promotion/discount
     • Invalidate a discount code: PUT /promotion/discount/invalidate/<discount_code>
     • Retrieve list of promotions: GET /promotion/v1
  9. Payment Gateway endpoints
     • Get all registered gateways: GET /gateway/v1
     • Disable a gateway: PUT /gateway/v1/<gateway_id>
     • Enable a gateway: PUT /gateway/v1/<gateway_id>
  10. Building APIs in ColdFusion. You create REST services by setting certain attributes on the cfcomponent, cffunction and cfargument tags and publishing the component as a REST resource; script syntax can be used as well.
     • Follows the HTTP request-response model: beyond using HTTP as the transport, the service follows all HTTP norms. Components published as REST services are consumed over HTTP/HTTPS, are identified by a URI (Uniform Resource Identifier) and can be called from a web page or by entering the URI in the browser's address bar.
     • Supports all HTTP methods: REST-enabled CFCs support GET, POST, PUT, DELETE, HEAD and OPTIONS.
     • Implicit serialization/deserialization: ColdFusion natively serializes and deserializes JSON and XML, so clients consume the service with plain HTTP/HTTPS requests and the response is returned as either XML or JSON.
     • Publish as both a REST service and a WSDL service: the same ColdFusion component can be published as a REST service and as a WSDL (SOAP) service.
  11. <cfcomponent>. Two attributes of the <cfcomponent> tag make a component a REST resource:
     • rest (true/false): if true, the CFC is REST enabled.
     • restPath: the path used to access the REST service.
     Example: <cfcomponent rest="true" restpath="/person">
     Sample URI: http://localhost:8500/rest/restTest/restService
     URL component | Description
     http://localhost:8500 | Base URL: the host (or IP address) and port of the ColdFusion server. If ColdFusion is deployed as a JEE application the URL also contains the context root, for example http://localhost:8500/cfusion.
     rest | Marks the request as a REST request. This default can be renamed by revising the context path in web.xml (under cfusion/wwwroot/WEB-INF) and updating the same mapping in uriworkermap.properties (under config/wsconfig/1).
     restTest | The application name or service mapping used when registering the service in the ColdFusion Administrator. If no service mapping is specified there, the application name from Application.cfc is used.
     restService | The REST path defined in the service, that is, the value of the restPath attribute of cfcomponent.
  12. <cffunction>
     • restPath: a sub-resource path for this function within the CFC.
     • httpMethod: the HTTP method the function handles: GET, POST, PUT, DELETE, HEAD or OPTIONS.
     Example: <cffunction name="getPerson" returntype="string" access="remote" httpmethod="GET" restpath="/person/{personID}" produces="application/json">
  13. <cfargument>
     • restArgSource: where to find the value of the argument: path, query, form, cookie, header or matrix.
     • restArgName: the name on the request side that is mapped onto the argument name.
     Example: <cfargument name="personID" required="true" type="numeric" restargsource="path" />
  14. Registering an application with the REST service. After you create the CFC you want to REST-enable, register its folder as a REST service using the autoRegister application setting, the function restInitApplication(), the ColdFusion Administrator, or the ColdFusion Admin API. In a shared environment use one of the first two:
     <cfset this.restsettings.autoregister = true />
     restInitApplication(rootPath[, serviceMapping[, options]])
     These two options do not require administrator privileges.
  15. REST responses
     Default success response | Description
     200 OK | Sent if the response has a body.
     204 No Content | Sent if the response has no body.
     Default error response | Description
     404 Not Found | The request URL is not valid.
     405 Method Not Allowed | The client invoked an HTTP method on a valid URI to which that method is not bound.
     406 Not Acceptable | No function in the REST service can produce the MIME type requested by the client.
     415 Unsupported Media Type | No resource can consume the MIME type of the client request.
     Custom responses are created with the restSetResponse() function for success, or with <cfthrow type="RestError"> for errors.
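The tag attributes and response rules on slides 10 to 15 fit together in one small resource. The following is an added example, not code from the deck or from Adobe; it assumes an application named "store" (so the resource lives under /rest/store/products/v1), an in-memory catalogue in the application scope standing in for a database, and that an argument without restArgSource receives the deserialised JSON request body when consumes="application/json" is set.

```cfml
<!--- Application.cfc: names the application and auto-registers every REST CFC
      beneath it (slide 14), so no Administrator step is needed. --->
<cfcomponent>
    <cfset this.name = "store">
    <cfset this.restsettings.autoregister = true>

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Constructed sample catalogue standing in for a database table. --->
        <cfset application.products = [
            {id = 101965, name = "Keyboard", brand = "Acme", price = 49.99},
            {id = 101966, name = "Mouse",    brand = "Acme", price = 19.99}
        ]>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- products.cfc: reachable at http://localhost:8500/rest/store/products/v1
      ("rest" = REST context, "store" = application name, "/products/v1" = restPath). --->
<cfcomponent rest="true" restpath="/products/v1">

    <!--- GET /products/v1 -> 200 with a JSON array (an empty array is still a body, so still 200). --->
    <cffunction name="listProducts" access="remote" returntype="array" httpmethod="GET" produces="application/json" output="false">
        <cfreturn application.products>
    </cffunction>

    <!--- GET /products/v1/search?q=key -> the argument is read from the query string (restArgSource="query"). --->
    <cffunction name="searchProducts" access="remote" returntype="array" httpmethod="GET" restpath="search" produces="application/json" output="false">
        <cfargument name="q" type="string" required="true" restargsource="query">
        <cfset var hits = []>
        <cfset var p = "">
        <cfloop array="#application.products#" index="p">
            <cfif findNoCase(arguments.q, p.name)>
                <cfset arrayAppend(hits, p)>
            </cfif>
        </cfloop>
        <cfreturn hits>
    </cffunction>

    <!--- GET /products/v1/{productId} -> the id is taken from the URL path; type="numeric" is the
          first input check, so an id such as "abc" never reaches the lookup. --->
    <cffunction name="getProduct" access="remote" returntype="struct" httpmethod="GET" restpath="{productId}" produces="application/json" output="false">
        <cfargument name="productId" type="numeric" required="true" restargsource="path">
        <cfset var idx = indexOfProduct(arguments.productId)>
        <cfif idx EQ 0>
            <!--- Custom error response (slide 15): errorcode becomes the HTTP status. --->
            <cfthrow type="RestError" errorcode="404" message="No product with id #arguments.productId#">
        </cfif>
        <cfreturn application.products[idx]>
    </cffunction>

    <!--- POST /products/v1 with a JSON body -> 201 Created plus a Location header.
          Assumption: the argument without restArgSource receives the deserialised request body. --->
    <cffunction name="addProduct" access="remote" returntype="void" httpmethod="POST" consumes="application/json" produces="application/json" output="false">
        <cfargument name="product" type="struct" required="true">
        <cfset var created = "">
        <cfif NOT structKeyExists(arguments.product, "name") OR NOT structKeyExists(arguments.product, "price") OR NOT isNumeric(arguments.product.price)>
            <cfthrow type="RestError" errorcode="400" message="name and a numeric price are required">
        </cfif>
        <cflock scope="application" type="exclusive" timeout="5">
            <!--- Copy only the fields this API owns; anything else the client sent (for example an id) is dropped. --->
            <cfset created = {
                id    = application.products[arrayLen(application.products)].id + 1,
                name  = arguments.product.name,
                brand = structKeyExists(arguments.product, "brand") ? arguments.product.brand : "",
                price = arguments.product.price
            }>
            <cfset arrayAppend(application.products, created)>
        </cflock>
        <!--- restSetResponse needs returntype="void"; status, headers and content are all set explicitly. --->
        <cfset restSetResponse({
            status  = 201,
            headers = {"Location" = "/rest/store/products/v1/#created.id#"},
            content = serializeJSON(created)
        })>
    </cffunction>

    <!--- Private helper (not a REST endpoint): 1-based index of the product, 0 when absent. --->
    <cffunction name="indexOfProduct" access="private" returntype="numeric" output="false">
        <cfargument name="productId" type="numeric" required="true">
        <cfset var i = 0>
        <cfloop from="1" to="#arrayLen(application.products)#" index="i">
            <cfif application.products[i].id EQ arguments.productId>
                <cfreturn i>
            </cfif>
        </cfloop>
        <cfreturn 0>
    </cffunction>
</cfcomponent>
```

With both files in the web root, GET /rest/store/products/v1/101965 returns the keyboard as JSON, GET /rest/store/products/v1/999 returns the 404 raised by cfthrow, a POST without a numeric price gets a 400, and a PUT to /rest/store/products/v1/101965 gets the default 405 because no function binds PUT to that path. Only the remote functions are exposed; indexOfProduct is private and cannot be reached over HTTP.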
  16. Adobe ColdFusion Team. I am an engineer. Areas I look into: Web Services (SOAP, REST), PDF, Spreadsheet, API Manager. Hobbies: working on DIY projects, and of course watching TV series (GOT!!!).
  19. API Manager actors
     • Administrator
     • Publisher (API developer)
     • Subscriber (app creator)
  20. Onboarding the API
     • Manual API creation
     • CF Discovery
     • Swagger import
     • SOAP to REST
     • SOAP pass-through
  22. API Manager building blocks
     • API Visibility
     • API Versioning
     • API Life cycle
     • Security
     • SLA
     • Caching
     • Analytics
  23. API Visibility
     • Public
     • Partner
     • Intranet
  24. API Versioning. Upgrade APIs without worrying about backward compatibility by managing multiple versions on a single platform.
  25. API Life cycle
     • Draft
     • Published
     • Deprecated
     • Retired
  26. Caching. "During experiments, many bird species store peanuts in a cache for later retrieval. In the wild, these birds store acorns and insects." (Wikipedia)
  27. About me. Developer & Security Evangelist at Adobe. Previously Security Consultant at RSA Security. Movie buff. Email: sanniset@adobe.com
  28. API Security
     • Identity
     • Authentication
     • Authorization
  29. User store and API security
     API security options:
     • API key
     • Basic
     • OAuth2, and OAuth2 with SAML
     User store options:
     • LDAP
     • Database
     • SAML
  30. API/App key authentication
     • Suitable for business-to-business sharing
     • Identifies the application, not the user
  31. Authentication (who you say you are). How to bring in the users? Through user stores:
     • LDAP
     • Database
     • SAML
     The administrator configures the user stores.
  32. Sample user store: Database (screenshot)
  33. Basic authentication
     • The simplest and a standard form of authentication
     • Authenticates with a username and password
     • The username and password are sent with each request
     • Requires HTTPS
     • The application must store the password securely
  34. When it is not enough
     • The password anti-pattern
     • Trust issues with third-party apps
     • An application cannot be revoked without changing the password
     • No selective data sharing
  35. Introducing OAuth 2.0: an open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications.
  36. OAuth 2.0 actors
     • Resource Owner: the person or the application that holds the data to be shared.
     • Resource Server: the application that holds the protected resources.
     • Authorization Server: the application that verifies the identity of the users and issues the tokens.
     • Client: the application that makes requests to the Resource Server on behalf of the Resource Owner.
  40. Protocol flow (sequence of diagram slides, credited to @alvaro_sanchez)
     1. Resource owner to client: "I want to see a list of games."
     2. Client to API Manager: "Hey, API Manager, could you please give me a list of games?"
     3. API Manager to client: "Sorry pal, this is a secured API. Provide me an access token."
     4. The client sends the resource owner to the authorization server (diagram only).
     5. Authorization server to resource owner: "Hi, could you provide me your username and password?"
     6. Resource owner to authorization server: "Here you go. My username is sanniset@adobe.com and password is top-secret."
     7. The authorization server issues an access token to the client (diagram only).
     8. Client to API Manager: "Hi API Manager, here is my token: 7ee85874dde4c7235b6c3afc82e3fb"
     9. API Manager to authorization server: "Hi, I have been given the token 7ee85874dde4c7235b6c3afc82e3fb. Is it legitimate?"
     10. Authorization server to API Manager: "Of course. The token is valid and it belongs to sanniset@adobe.com."
     11. API Manager to client: "All well! Here is the list of games."
     12. Client to resource owner: "Here is the list of games. Have a good day!"
     OAuth 2.0 is a delegation protocol: the client never sees the resource owner's credentials, only the token the authorization server issued.
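Steps 8 to 11 of the flow are where the resource side does its work: check the bearer token with the authorization server, then decide whether that identity may touch the requested resource (slide 28's Identity, Authentication and Authorization, applied to the Merchant API of slide 6). The following is an added example written for this page, not code from the deck, from API Manager or from the @alvaro_sanchez diagram; the introspection endpoint URL, the resource server's credentials, the JSON fields in the introspection reply (active, username, scope) and the products:read scope are modelled on RFC 6750/7662 and are assumptions, as is the constructed mapping from user to merchant.

```cfml
<!--- merchant.cfc: GET /rest/store/merchant/v1/products/{merchant_id}
      Every request must carry "Authorization: Bearer <token>" (API Manager's OAuth2 option, slide 29).
      Hypothetical authorization-server endpoint and the resource server's own credentials for it. --->
<cfcomponent rest="true" restpath="/merchant/v1">

    <cfset variables.introspectUrl  = "https://auth.example.com/oauth/introspect">
    <cfset variables.rsClientId     = "store-resource-server">
    <cfset variables.rsClientSecret = "change-me">

    <!--- Constructed mapping: which merchant the identity behind a token is allowed to administer. --->
    <cfset variables.merchantOf = {"sanniset@adobe.com" = 42}>

    <cffunction name="listMerchantProducts" access="remote" returntype="void" httpmethod="GET" restpath="products/{merchant_id}" produces="application/json" output="false">
        <cfargument name="merchant_id" type="numeric" required="true" restargsource="path">
        <!--- restArgName maps the HTTP header "Authorization" onto a CFML-friendly argument name (slide 13). --->
        <cfargument name="authHeader" type="string" required="false" default="" restargsource="header" restargname="Authorization">
        <cfset var token = "">
        <cfset var info = "">

        <!--- 1. Parse the header; anything other than a well-formed Bearer scheme gets a 401 with a challenge. --->
        <cfif NOT reFindNoCase("^Bearer [A-Za-z0-9._~+/=-]+$", trim(arguments.authHeader))>
            <cfset restSetResponse({status = 401, headers = {"WWW-Authenticate" = 'Bearer realm="store"'}, content = ""})>
            <cfreturn>
        </cfif>
        <cfset token = trim(listRest(arguments.authHeader, " "))>

        <!--- 2. Authentication: the "Is it legitimate?" step. Ask the authorization server whether the
              token is live and whose it is; the resource server never sees a password. --->
        <cfset info = introspect(token)>
        <cfif NOT info.active>
            <cfset restSetResponse({status = 401, headers = {"WWW-Authenticate" = 'Bearer realm="store", error="invalid_token"'}, content = ""})>
            <cfreturn>
        </cfif>

        <!--- 3. Authorization: a valid token is not enough. The merchant_id in the URL must be the
              caller's own merchant and the token must carry the scope this endpoint needs; otherwise 403. --->
        <cfif NOT listFindNoCase(info.scope, "products:read", " ")
              OR NOT structKeyExists(variables.merchantOf, info.username)
              OR variables.merchantOf[info.username] NEQ arguments.merchant_id>
            <cfset restSetResponse({status = 403, headers = {}, content = ""})>
            <cfreturn>
        </cfif>

        <!--- Constructed payload; a real resource would query the merchant's stock here. --->
        <cfset restSetResponse({
            status  = 200,
            headers = {"Cache-Control" = "no-store"},
            content = serializeJSON([{id = 101965, name = "Keyboard", merchant_id = arguments.merchant_id}])
        })>
    </cffunction>

    <!--- Token introspection (RFC 7662 style): POST token=... authenticated with the resource server's
          own credentials. Any transport or parse failure is reported as "not active", so an outage
          of the authorization server fails closed rather than open. --->
    <cffunction name="introspect" access="private" returntype="struct" output="false">
        <cfargument name="token" type="string" required="true">
        <cfset var resp = "">
        <cfset var body = "">
        <cfset var result = {active = false, username = "", scope = ""}>
        <cftry>
            <cfhttp url="#variables.introspectUrl#" method="post" result="resp" timeout="5"
                    username="#variables.rsClientId#" password="#variables.rsClientSecret#">
                <cfhttpparam type="formfield" name="token" value="#arguments.token#">
            </cfhttp>
            <cfif left(resp.statusCode, 3) EQ "200" AND isJSON(resp.fileContent)>
                <cfset body = deserializeJSON(resp.fileContent)>
                <cfset result.active = structKeyExists(body, "active") AND isBoolean(body.active) AND body.active>
                <cfif result.active>
                    <cfset result.username = structKeyExists(body, "username") ? body.username : "">
                    <cfset result.scope    = structKeyExists(body, "scope")    ? body.scope    : "">
                </cfif>
            </cfif>
            <cfcatch type="any">
                <!--- Fail closed: result.active stays false. --->
            </cfcatch>
        </cftry>
        <cfreturn result>
    </cffunction>
</cfcomponent>
```

The three outcomes map onto the deck's security slide: no usable token is an identity failure (401 with a challenge), a token the authorization server does not recognise is an authentication failure (401 with error="invalid_token"), and a good token presented for someone else's merchant_id is an authorization failure (403). Checking the path parameter against the token's owner is the step most often missed: without it, any authenticated merchant could read every other merchant's products by changing the number in the URL.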
  54. SLA
     • SLA plans
     • Rate limiting
     • Throttling
     • Hard and soft limits
  56. Analytics
     • Administrator analytics
     • Publisher analytics
     • Subscriber analytics
  57. Recap: APIs from concept to go-to-market
     Step 1: Define your business objectives
     Step 2: Design your API
     Step 3: On-board your API
     Step 4: Manage your API
     Step 5: Secure your API
     Step 6: Engage customers
     Step 7: Measure impact
