Api manager preconference

© 2016 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Developing and Managing API with Adobe ColdFusion and API
Manager
Kevin, Mayur, Pavan

Agenda
 Use Case
 Designing your API
 API Manager Actors
 Onboarding of the API
 Building Blocks
 Security
 SLA
 Analytics

API
API Manager
M
E
R
C
H
A
N
T
STORE ADMINISTRATOR
C
U
S
T
O
M
E
R

E-commerce Store APIs
1. Product
2. Merchants
3. Order
4. Promotion
5. Payment Gateway

Product API
Endpoints:
Add a product
(POST /products/v1 )
Get all products
(GET /products/v1 )
Add/Update Brand
(PUT /products/v1 )
Search product
(GET /products/v1/search?searchid=123)

Merchant API
Endpoints:
Add a product
(POST /merchant/v1/products/<merchant_id>)
Update Product Price
(PUT merchant/v1/products/<merchant_id>?product_id=101965 )
Update Product quantity
(PUT merchant/v1/products/<merchant_id>?product_id=101965 )
Delete a product under merchant store
(DELETE /merchant/v1/products/<merchant_id>? product_id=101965)

Order API
Endpoints:
Place a new Order
( POST /order/v1)
Retrieve List of All Orders
(GET /orders/v1/<customerId>)
Update an Order
(PUT /orders/v1/<orderid>)
Delete a Single Order
(DELETE /orders/v1/ /<customerId>/<orderid>)

Promotion API
Endpoints:
Create a promotion type
(POST /promotion/v1)
Create a discount code
(POST /promotion/discount)
Invalidate a discount code
(PUT /promotion/discount/invalidate/<discount_code>)
Retrieve List of promotions
(GET /promotion/v1)
8

Payment Gateways
Endpoints:
Get all registered gateways
(GET /gateway/v1)
Disable a Gateway
(PUT /gateway/v1/<gateway_id>)
Enable a Gateway
(PUT /promotion/v1/<gateway_id>)
9

Building API’s in ColdFusion
 You can create REST services by defining certain attributes in the tags cfcomponent, cffunction, and cfargument and publish
as REST resources. Script can also be used.
• Follows HTTP request-response model: Beyond having HTTP as a medium, the service lets you follow all HTTP norms. The
components published as REST services can be consumed over HTTP/HTTPS request. The REST services are identified with
URI (Uniform Resource Identifier) and can be accessed from a web page as well as by specifying the URI in the browser's
address bar.
• Supports all HTTP methods : The REST enabled CFCs support the following HTTP methods: GET, POST, PUT, DELETE, HEAD,
and OPTIONS.
• Implicit handling of serialization/deserialization: ColdFusion natively supports JSON and XML serialization/deserialization. So
client applications can consume REST services by issuing HTTP/HTTPS request. The response can either be serialized to
XML or JSON format.
• Publish web service as both REST service and WSDL service: You can create and publish the same ColdFusion component as
a REST service and WSDL service.
10

<cfcomponent>
 Two arguments for the <cfcomponent> tag:
 rest (true/false) – if true, the cfc is REST enabled.
 restPath – path used to access the REST service.
 Example:
 <cfcomponent rest="true" restpath="/person">
11
Sample URI:
http://localhost:8500/rest/restTest/restService
URL Component Description
http://localhost:8500 Base URL which includes the IP address and port of the ColdFusion server.If
you deploy ColdFusion as a JEE application, the URL will contain a context
root, for example,
http://localhost:8500*/cfusion*
rest Implies that the request sent is a REST request.This default value can be
renamed by revising the context path in web.xml available at
cfusion/wwroot/WEB-INF and update the same mapping in
uriworkermap.properties file found at configwsconfig1.
restTest Application name or service mapping that you have used while registering
the service in ColdFusion Administrator. If you do not specify a service
mapping in the ColdFusion Administrator, then the application name is
taken from Application.cfc.
restService Rest path you defined in the service. That is, the value of the attribute
restPath in the tag cfcomponent.

<cffunction>
 <cffunction>
 restPath – specify to use a sub-resource path for the CFC.
 httpMethod – the HTTP method to use
 GET, POST, PUT, DELETE, HEAD, OPTIONS
 Example:
 <cffunction name="getPerson” returntype="string” access="remote” httpmethod="GET”
restPath=“/person/{personID}” produces="application/json”>
12

<cfargument>
 <cfargument>
 restArgSource – Where to find the value of the argument
 path,query,form,cookie,header,matrix
 restArgName – The name that can be mapped to the argument name.
 Example:
 <cfargument name=”personID" required="true" type="numeric" restargsource="path" />
13

Registering an application with the REST service
 After you create the CFC you want to REST-enable, specify the folder for registering as web
service either using the autoRegister Application setting, the function restInitAplication() or in
the ColdFusion Administrator or using the ColdFusion Admin API.
 If you are in a shared environment:
 <cfset this.restsettings.autoregister = true />
 restInitApplication(rootPath[,serviceMapping[,options]])
 These options not require administrator privileges.
14

REST Responses
15
Default Response Description
200 OK Sent if the response has a body.
204 No Content Sent if the response doesn’t have a body.
Default Response Description
404 Not Found Request URL is not valid
406 Not Acceptable No function in the REST service can produce the MIME type
requested by the client
415 Unsupported Media Type A resource is unable to consume the MIME type of the client
request
405 Method not allowed If the client invokes an HTTP method on a valid URI to which
the request HTTP method is not bound.
Custom responses can be created using the restSetResponse method for
success or <cfthrow type=“RestError”> for errors.

Areas I look into:
Web Services (SOAP, REST) , PDF, Spreadsheet
API Manager
Hobbies:
Working on DIY projects
Of course watching TV Series (GOT !!! )
Adobe ColdFusion TeamI AM AN ENGINEER

API Manager Actors
19
ADMINISTRATOR PUBLISHER
API Developer
SUBSCRIBER
APP Creator

Onboarding the API
 Manual API Creation
 CF Discovery
 Swagger Import
 Soap to Rest
 Soap Pass Through

API Manager Building Blocks
 API Visibility
 API Versioning
 API Life cycle
 Security
 SLA
 Caching
 Analytics

API Visibility
 Public
 Partner
 Intranet

API Versioning
Upgrade APIs without worrying about
backward compatibility by managing
multiple versions using a single platform.

API Life cycle
 Draft
 Published
 Deprecate
 Retire
25

Caching
26
During experiments, Many bird
species store peanuts in a cache
for later retrieval. In the wild,
these birds store acorns and
insects.
Wikipedia

About me
Developer & Security Evangelist at Adobe
Previously Security Consultant at RSA Security
Movie Buff
Email: sanniset@adobe.com

API Security
28
Identity Authentication Authorization

User Store and API Security
 API Security
 API Key
 Basic
 OAuth2 and OAuth2 with SAML
 User Store
 LDAP
 Data Base
 SAML

API/APP Key Authentication
 Suitable for Business to Business Sharing
 Application Identification
30

Authentication (Who say you are)
31
 How to Bring in the Users ? (User Stores)
 LDAP
 DATABASE
 SAML
 Administrator can configure user stores.

Sample User Store: Database
32

BASIC Authentication
 Simplest & Standard form of authenticating
 Auth happens via username & password.
 Pass Username & password in each request
 Requires HTTPS
 Application Should securely store the password
33

When it is not Enough!!!!
 Password Anti Pattern
 Trust Issues – Third Party Apps
 Can’t Revoke Application
 No Selective Data Sharing
34

An open protocol to allow secureauthorization
in a simple and standard method from web,
mobile and desktop applications.
Introducing

Resource Owner: the person or theapplication
that holds the data to be shared.
Resource Server: the application that holdsthe
protected resources.
Authorization Server: the application that
verifies the identity of the users.
Client: the application that makes requests to
RS on behalf of RO.
OAuth 2.0: Actors

Resource Owner: the person or the application
Resource Server: the application that holdsthe
RS on behalf of RO.
OAuth 2.0: Actors

Resource Owner: the person or the application
Resource Server: the application that holds the
RS on behalf of RO.
OAuth 2.0: Actors

I want to see a list of games
Protocol Flow

Hey, API Manager, could you please
give me a list of games?
Protocol Flow

Protocol Flow
Sorry Pal, This is a secured API. Provide me an
Access Token.

Protocol Flow
@alvaro_sanchez

Protocol Flow
Hi, Could you provide me your
username & password ?

Here you go. My username is
sanniset@adobe.com and password is top-
secret
Protocol Flow

Hi API Manager, here is my token:
7ee85874dde4c7235b6c3afc82e3fb
Protocol Flow

Protocol Flow
Hi, I have been given the token
7ee85874dde4c7235b6c3afc82e3fb. Is it
Legitimate ?

Protocol Flow
Of Course. The Token is valid & it
belongs to sanniset@adobe.com

All Well!!. Here is the list of games
Protocol Flow

Here you are the list of games. Have a
goodday!
Protocol Flow

OAuth 2.0 isa delegation protocol, as this
guy has no idea about the credentials of
this guy
Protocol Flow

SLA
 SLA Plans
 Rate Limiting
 Throttling
 HARD and SOFT Limit

Analytics
 Administrator Analytics
 Publisher Analytics
 Subscriber Analytics

Recap - APIs – From concept to Go-To-Market
Step 1
Define your business
objectives
58
Step 2
Design your API
Step 3
On-board your API
Step 4
Manage your API
Step 5
Secure your API
Step 6
Engage Customers
Step 7
Measure impact

Api manager preconference

More Related Content

What's hot

Viewers also liked

Similar to Api manager preconference

More from ColdFusionConference

Recently uploaded

Api manager preconference