Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

  • Great information about writing! If you ever need any help with proofreading, editing or research check out Writer’s Help. They are a great resource for personal, educational or business writing needs. The website is
    Are you sure you want to  Yes  No
    Your message goes here


  1. 1. REST with JAX-RS, Security, Java EE 6Carol McDonald
  2. 2. Agenda• REST Primer• RESTful Design and API Elements• Building a Simple Service• Security• Q&A
  3. 3. REpresentational State TransferGet Response XML data = REST Web Service REpresentational State Client Transfer Client State1 State2  The URL identifies the resource  Click on the url (resource) in page (hypermedia) html page is transferred to the browser REpresentational State transfer occurs
  4. 4. REST Tenets• Resources (nouns) > Identified by a URI, For example: • Methods (verbs) to manipulate the nouns > Small fixed set:  GET, PUT, POST, DELETE Read, Update, Create, Delete• Representation of the Resource > data and state transferred between client and server > XML, JSON...• Use verbs to exchange application state and representation
  5. 5. method resourceRequest: GET http://localhost:8080/RestfulCustomer/webresources/model.customer/1Status: 200 (OK)Time-Stamp: Fri, 14 Dec 2012 02:19:34 GMTReceived:{"name":"Jumbo Eagle Corp","state":"FL","customerId":1,"addressline1":"111 E. Las Olivas Blvd","addressline2":"Suite 51","city":"Fort Lauderdale","phone":"305-555-0188","fax":"305-555-0189","email":"","creditLimit":100000} representation
  6. 6. Rest Uniform Interface:Every thing is a Resource Every resource has an id, URI is the id
  7. 7. Every Resource has an Id URI is the id, Every resource has a URI Collection name Primary key• URIs identify : > items, collections of items, virtual and physical objects, or computation results.
  8. 8. Rest Standard Interface:Use Standard HTTP Methods• Example  GET /store/customers/123456
  9. 9. Use Standard Methods:• /orders – GET - list all orders Order Customer – POST - submit a new order Mgmt Example /orders/{order-id} > GET - get an order representation > PUT - update an order > DELETE - cancel an order /orders/average-sale – GET - calculate average sale• /customers – GET - list all customers introduction – POST - create a new customer /customers/{cust-id} > GET - get a customer representation > DELETE- remove a customer /customers/{cust-id}/orders – GET - get the orders of a customer
  10. 10. Use Standard HTTP Methods• HTTP Get, Head > Should not modify anything > Cache-able With Correct use of Last-Modified and ETag• Idempotency: > PUT, DELETE, GET, HEAD can be repeated and the results are the same
  11. 11. Link things together• Hypermedia• As• The• Engine• Of• Application• StateHATEOAS© Availity, LLC | All rights reserved.
  12. 12. Link Things TogetherRepresentations contain links to other resources: <prop self=""> <customer ref=""> <product ref=""/> <amount value="1"/> </order>• Service provides links in response to the Client > Enables client to move the application from one state to the next by following a link
  13. 13. Example © Availity, LLC | All rights reserved.
  14. 14. Example© Availity, LLC | All rights reserved.
  15. 15. Multiple Representations• Offer data in a variety of formats, for different needs > XML > JSON > (X)HTML• Support content negotiation > Accept header GET /foo Accept: application/json > URI-based GET /foo.json > Response header > Content-Type application/xml
  16. 16. content negotiationRequest: http://localhost:8080/RestfulCustomer/webresources/application.wadlStatus: 200 (OK)Time-Stamp: Fri, 14 Dec 2012 03:11:50 GMTReceived:<?xml version="1.0" encoding="UTF-8"?> <resources base="http://localhost:8080/RestfulCustomer/webresources/"> <resource path="model.customer"> <method id="findAll" name="GET"> <response> <representation mediaType="application/xml"/> <representation mediaType="application/json"/> </response> </method>
  17. 17. Stateless Communications • HTTP protocol is stateless • Everything required to process a request contained in the request > No client session on the server > Eliminates many failure conditions • application state kept on Client • Service responsible for resource state
  18. 18. Rest Common Patterns: Container, ItemServer in control of URI• Container – a collection of items• List catalog items: GET /catalog/items• Add item to container: POST /catalog/items > with item in request > URI of item returned in HTTP response header > e.g. http://host/catalog/items/1• Update item: PUT /catalog/items/1 > with updated item in request Good example: Atom Publishing Protocol
  19. 19. Common Patterns: Map, Key, ValueClient in control of URI • List key-value pairs: GET /map • Put new value to map: PUT /map/{key} > with entry in request > e.g. PUT /map/dir/contents.xml • Read value: GET /map/{key} • Update value: PUT /map/{key} > with updated value in request • Remove value: DELETE /map/{key} • Good example: Amazon S3
  20. 20. Rest Key Benefits• Server side > Uniform Interface > Cacheable > Scalable > Easy failover• Client side > Easy to experiment in browser > Broad programming language support > Choice of data formats
  21. 21. Agenda• REST Primer• RESTful Design and API Elements with JAX-RS• Building a Simple Service• Status• Q&A
  22. 22. JAX-RS: Clear mapping to REST concepts• High level, Declarative > Uses @ annotation in POJOs• Jersey – reference implementation of JSR 311  Download it from  Comes with Glassfish, Java EE 6  Tools support in NetBeans
  23. 23. Resources• Resource class > POJO, No required interfaces• ID provided by @Path annotation > Relative to deployment context > Annotate class or “sub-resource locator” method http://host/ctx/orders/12@Path("orders/{id}")public class OrderResource { @Path("customer") http://host/ctx/orders/12/customer CustomerResource getCustomer(...) {...}}
  24. 24. Request Mapping• Annotate resource class methods with standard method > @GET, @PUT, @POST, @DELETE, @HEAD• annotations on parameters specify mapping from request data• Return value mapped to http response@Path("orders/{order_id}")public class OrderResource { @GET Order getOrder(@PathParam("order_id") String id) { ... }}
  25. 25. Multiple RepresentationsStatic and dynamic content negotiation• Annotate methods or classes > @Produces matches Accepts header > @Consumes matches Content-Type header@GET@Consumes("application/json")@Produces({"application/xml","application/json"})String getOrder(@PathParam("order_id") String id) { ...}
  26. 26. Multiple Representations: JAX-RSconsuming@Path("/items/")@ConsumeMime(“application/xml”)public class ItemsResource { http://host/catalog/items/?start=0 @GET ItemsConverter get(@QueryParam("start") int start) { ... } http://host/catalog/items/123 @Path("{id}/") ItemResource getItemResource(@PathParam("id")Long id){ ... }}
  27. 27. Multiple Representations@Post@ConsumeMime(“application/x-www-form-urlencoded”)@ProduceMime(“application/xml”)public JAXBClass updateEmployee( MultivalueMap<String, String> form) { ... converted to XML Converted to a map for accessing forms field
  28. 28. Multiple Representations: producing aresponse@Path(“/items”)class Items { Use Response class to build “created”response @POST @ProduceMime(“application/xml”) Response create(Ent e) { // persist the new entry, create URI return Response.created( uriInfo.getAbsolutePath(). resolve(uri+"/")).build(); }}
  29. 29. Uniform interface: HTTP request and responseC: POST /items HTTP/1.1C: Host: host.comC: Content-Type: application/xmlC: Content-Length: 35C:C: <item><name>dog</name></item>S: HTTP/1.1 201 CreatedS: Location: Content-Length: 0
  30. 30. Link Things Together• UriInfo provides information about the request URI and the route to the resource• UriBuilder provides facilities to easily build URIs for resources@Context UriInfo info;OrderResource r = ...UriBuilder b = info.getBaseUriBuilder();URI u = b.path(OrderResource.class).build(;
  31. 31. Agenda• REST Primer• RESTful Design and API Elements• Building a Simple Service• Deployment Options• Status
  32. 32. Example RESTful Catalog
  33. 33. URIs and Methods: Item Catalog Example /items – GET - list all items – POST – add item to catalog /items/{id} > GET - get an item representation > PUT - update an item > DELETE – remove an item introduction
  34. 34. Methods@Path(“/items”)class ItemsResource { @GET public List<Item> findAll() { ... } @POST Response create(Item) { ... } @PUT @Path("{id}") public void editp(Item entity) {} @GET @Path("{id}") public Item find(@PathParam("id") Integer id) { ... }} Java method name is not significant The @HTTP method is the method
  35. 35. RESTful Catalog  Javascript client, JAX-RS, JSON, JPA Registration Application JAX-RS class Entity Class JSON class Item DB ItemsResource javascript client
  36. 36. Item Entity JAXB annotated@Entity@Table(name = "ITEM")@XmlRootElementpublic class Item implements Serializable { @Id private Integer id; ...}
  37. 37. XML <item uri="http://localhost/Web/resources/items/1/"> <description> black cat is nice</description> <id>1</id> <imagethumburl>/images/anth.jpg</imagethumburl> <name>not Friendly Cat</name> <price>307.10</price> <productid>feline01</productid> </item>
  38. 38. JSON { "@uri":"http://host/catalog/resources/items/1/", "name":"Friendly Cat", "description":"This black and white colored cat is super friendly.", "id":"1", "imageurl":"http://localhost:8080/CatalogService/images/anthony.jpg" }
  39. 39. Resource Classes > Items Resource retrieves updates a collection of Item entities > /items – URI for a list of Items > /item/1 – URI for item 1 JAX-RS class Entity Class Item DB ItemsResource Dojo client
  40. 40. Get Items responds to the URI http://host/catalog/items/@Path("/items/") responds to HTTP GETpublic class ItemsResource { responds with JSON @GET @Produces("application/json") JAXB class public List<Item> get(){ CriteriaQuery cq = getEntityManager(). getCriteriaBuilder().createQuery();; return getEntityManager().createQuery (cq).getResultList(); } Performs JPA Query, returns list of entities
  41. 41. JQuery Clientvar rootURL = "http://localhost:8080/catalog/resources/item";// Retrieve item listfunction findAll() { $.ajax({ type: GET, url: rootURL, dataType: "json", success: renderList });}function renderList(data) { var list =data; $(#itemList li).remove(); $.each(list, function(index, item) { $(#itemList).append(<li><a href="#" data-identity=" + + "></a></li>); });}
  42. 42. Backbone.js client© Availity, LLC | All rights reserved.
  43. 43. MVC© Availity, LLC | All rights reserved.
  44. 44. Backbone.sync maps CRUD requests to RESTSave (new) → create → HTTP POST /urlFetch → read → GET /url/idSave → update → PUT /url/idDestroy → delete → DELETE /url/id© Availity, LLC | All rights reserved.
  45. 45. backbone Clientwindow.Item = Backbone.Model.extend({ urlRoot: "resources/items", defaults: { id: null, name: "", description: "", imageurl: null }});window.ItemCollection = Backbone.Collection.extend({ model: Item, url: "resources/items"});
  46. 46. Agenda• REST Primer• RESTful Design and API Elements• Building a Simple Service• Security• Q&A
  47. 47. Securing your REST Web Service• Authentication for Identity Verification• Authorizaton• Encryption
  48. 48. Authentication: Configure web.xml <login-config> <auth-method>BASIC</auth-method> <realm-name>admin</realm-name> </login-config>
  49. 49. Authentication: Configure web.xml <login-config> <auth-method>BASIC</auth-method> <realm-name>admin</realm-name> </login-config> • Login-config: > defines how HTTP requests should be authenticated • Auth-method: > BASIC, DIGEST, or CLIENT_CERT. corresponds to Basic, Digest, and Client Certificate authentication, respectively. • Realm-name: realm > Name for database of users and groups that identify valid users of a web application
  50. 50. Authentication: Configure web.xml<security-constraint> <web-resource-collection> <url-pattern>/secure/*</url-pattern> <http-method>POST</http-method> </web-resource-collection>...• security constraint > defines access privileges to a collection of resources• url-pattern: > URL pattern you want to secure• Http-method: > Methods to be protected
  51. 51. Authentication: Configure web.xml<security-constraint>... <auth-constraint> <description>only let admin login </description> <role-name>admin</role-name> </auth-constraint>• auth-constraint: > names the roles authorized to access the URL patterns and HTTP methods declared by this security constraint
  52. 52. Encryption: Configure web.xml<security-constraint>... <user-data-constraint> <description>SSL</description> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint></security-constraint> • user-data-constraint: NONE, INTEGRAL, or CONFIDENTIAL > how the data will be transported between client and server
  53. 53. Authentication: Configure web.xml <security-role> <role-name>admin</role-name> </security-role> • security-role: lists all of the security roles used in the application > For every <role-name> used in <auth- constraints> must define a corresponding <security-role> •
  54. 54. Authentication: map roles to realm<sun-web-app> <security-role-mapping> <role-name>admin</role-name> <principal-name>admin</principal-name> </security-role-mapping></sun-web-app> LDAP • security-role-mapping: realm > Assigns security role to a group or user in Application Server realm • Realm: > database of users and groups that identify valid users of a web application (FILE, LDAP
  55. 55. Authentication: map roles to realm file realm
  56. 56. Authorization Annotations roles permitted to execute operation@Path("/customers")@RolesAllowed({"ADMIN", "CUSTOMER"})public class CustomerResource { @GET @Path("{id}") @Produces("application/xml") public Customer getCustomer(@PathParam("id") int id) {...} @RolesAllowed("ADMIN") @POST @Consumes("application/xml") public void createCustomer(Customer cust) {...} @PermitAll @GET @Produces("application/xml") authenticated user any public Customer[] getCustomers() {}}
  57. 57. JAX-RS Security Contextpublic interface SecurityContext { Determine the identity of the user public Principal getUserPrincipal(); check whether user belongs to a certain role public boolean isUserInRole(String role); whether this request was made using a secure channel public boolean isSecure(); public String getAuthenticationScheme();}
  58. 58. JAX-RS Security Context@Path("/customers") check whether userpublic class CustomerService { belongs to a certain role @GET @Produces("application/xml") public Customer[] getCustomers(@Context SecurityContext sec) { if (sec.isSecure() && !sec.isUserInRole("ADMIN")){ logger.log(sec.getUserPrincipal() + " accessed customer database."); } ... }} Determine the identity of the user
  59. 59. Java EE 6• JAX-RS is part of Java EE 6• Gradle dependencies are easy apply plugin: wardependencies { testCompile org.glassfish.extras:glassfish-embedded-all:3.0.1 providedCompile org.glassfish.extras:glassfish-embedded- all:3.0.1’}
  60. 60. Java EE 6 security• Service/Façade • Declarative (@RolesAllowed) • Programmatic• Web Controller • New annotations for authentication & authorization • @ServletSecurity @HttpConstraint , @HttpMethodConstraint • @WebFilter @DeclareRoles @RunAsPresentation• Transport Layer • CONFIDENTIAL, INTEGRAL, NONE • ServletSecurity.TransportGuarantee@WebServlet(name="UnderwritingServlet", urlPatterns={"/UnderwritingServlet"})@ServletSecurity(@HttpConstraint(transportGuarantee=ServletSecurity.Transport Guarantee.CONFIDENTIAL),))© Availity, LLC | All rights reserved.
  61. 61. CDI • Bean discovery and wiringpublic class ItemController { @Inject private CatalogService catalogService ;© Availity, LLC | All rights reserved.
  62. 62. Bean Validationpublic class Address { @NotNull @Size(max=30, message="longer than {max} characters") private String street1; ... @NotNull @Valid private Country country;}public class Country { @NotNull @Size(max=30) private String name; ...}© Availity, LLC | All rights reserved.
  63. 63. Servlet 3.0 • Ease of Development @WebServlet(urlPatterns=“/foo”, name=”MyServlet”, asyncSupported=true) • @WebFilter("/secured/*") • Asynchronous Servlet > Support Comet applications • Security enhancements© Availity, LLC | All rights reserved.
  64. 64. Summary• REST architecture is gaining popularity > Simple, scalable and the infrastructure is already in place• JAX-RS (JSR-311) provides a high level declarative programming model >
  65. 65. For More Information• Reference Implementation •• Java EE 6 tutorial •• Backbone.js JAX-RS example • part-1-getting-started/• JAX-RS Comet example • 139170.html
  66. 66. For More Information• RESTful Java with JAX-RS