WC
Uploaded byWO Community
PDF, PPTX4,912 views

ERRest

The document discusses updates and features of the Errest framework, including anonymous updates, sorting on relationships, error handling, and various authentication methods such as basic auth, sessions, and tokens. It also covers versioning strategies for REST services, HTML routing capabilities, and debugging techniques for monitoring REST interactions. Key recommendations include using mod_rewrite for cleaner URLs and implementing security for both browser-based and system-to-system applications.

Embed presentation

Download as PDF, PPTX
MONTREAL 1/3 JULY 2011 ERRest Pascal Robert Conatus/MacTI
The Menu • What's new in ERRest • Debugging • Security • Caching (Sunday!) • Versioning • Optimistic locking (Sunday!) • HTML routing • Using the correct HTTP verbs and codes (Sunday!)
What's New in ERRest
Anymous updates • No need to send the ids of nested objects anymore • Call ERXKeyFilter.setAnonymousUpdateEnabled(true) • If 1:N relationship, will replace existing values for all nested objects
Anonymous update protected ERXKeyFilter filter() { ERXKeyFilter filter = ERXKeyFilter.filterWithAttributes(); ERXKeyFilter personFilter = ERXKeyFilter.filterWithAttributes(); personFilter.include(Person.FIRST_NAME); personFilter.setAnonymousUpdateEnabled(true); filter.include(BlogEntry.PERSON, personFilter); return filter; } curl -X PUT -d "{ title: 'New Post', person: {firstName: 'Test'} }" http://127.0.0.1/cgi-bin/WebObjects/ SimpleBlog.woa/ra/posts/23.json
Sort ordering on 1:N • You can now sort a 1:N relationship • Call ERXKeyFilter.setSortOrderings()
Sort ordering ERXKeyFilter filter = ERXKeyFilter.filterWithAttributes(); ERXKeyFilter categoryFilter = ERXKeyFilter.filterWithAttributes(); categoryFilter.setSortOrderings(BlogCategory.SHORT_NAME.ascs()); filter.include(BlogEntry.CATEGORIES, categoryFilter);
Ignoring unknow keys • By default, returns status 500 if unknow attribute is found in request • To ignore those errors, call: yourErxKeyFilter.setUnknownKeyIgnored(true)
ERXRouteController.performActi onName That method have been split in 5 methods to make it easier to override on the method.
ERXRestContext • Hold a userInfo dict + the editing context • Can pass a different date format per controller • Override createRestContext to do that
ERXRestContext public class BlogEntryController extends BaseRestController { ... @Override protected ERXRestContext createRestContext() { ERXRestContext restContext = new ERXRestContext(editingContext()); restContext.setUserInfoForKey("yyyy-MM-dd", "er.rest.dateFormat"); restContext.setUserInfoForKey("yyyy-MM-dd", "er.rest.timestampFormat"); return restContext; } }
Other new stuff • More strict HTTP status code in responses • Support for @QueryParam, @CookieParam and @HeaderParam for JSR-311 annotations • Indexed bean properties are supported in bean class descriptions • updateObjectWithFilter will update subobjects
Security
What other REST services uses? • Twitter and Google: OAuth • Amazon S3: signature • Campaign Monitor: Basic Authentication • MailChimp: API Key
Security • Basic Authentification • Sessions • Tokens
USE SSL!
Basic Auth
Basic Auth • Pros: • 99.9% of HTTP clients can work with it • Easy to implement • Cons: • It's just a Base64 representation of your credentials! • No logout option (must close the browser) • No styling of the user/pass box
Implementing Basic Auth protected void initAuthentication() throws MemberException, NotAuthorizedException { String authValue = request().headerForKey( "authorization" ); if( authValue != null ) { try { byte[] authBytes = new BASE64Decoder().decodeBuffer( authValue.replace( "Basic ", "" ) ); String[] parts = new String( authBytes ).split( ":", 2 ); String username = parts[0]; String password = parts[1]; setAuthenticatedUser(Member.validateLogin(editingContext(), username, password)); } catch ( IOException e ) { log.error( "Could not decode basic auth data: " + e.getMessage() ); e.printStackTrace(); } } else { throw new NotAuthorizedException(); } } public class NotAuthorizedException extends Exception { public NotAuthorizedException() { super(); } }
Implementing Basic Auth @Override public WOActionResults performActionNamed(String actionName, boolean throwExceptions) { // This is if you don't want to use Basic Auth for HTML apps if (!(ERXRestFormat.html().name().equals(this.format().name()))) { try { initAuthentication(); } catch (UserLoginException ex) { WOResponse response = (WOResponse)errorResponse(401); response.setHeader("Basic realm="ERBlog"", "WWW-Authenticate"); return response; } catch (NotAuthorizedException ex) { WOResponse response = (WOResponse)errorResponse(401); response.setHeader("Basic realm="ERBlog"", "WWW-Authenticate"); return response; } } return super.performActionNamed(actionName, throwExceptions); }
Sessions • Pros: • Can store other data on the server-side (but REST is suppose to be stateless) • Easy to implement • Cons: • Timeouts... • Sessions are bind to a specific instance of the app • State on the server • Non-browser clients have to store the session ID
Login with a session curl -X GET http://127.0.0.1/cgi-bin/WebObjects/App.woa/ra/users/login.json?username=auser&password=md5pass public Session() { setStoresIDsInCookies(true); } public WOActionResults loginAction() throws Throwable { try { String username = request().stringFormValueForKey("username"); String password = request().stringFormValueForKey("password"); Member member = Member.validateLogin(session().defaultEditingContext(), username, password); return response(member, ERXKeyFilter.filterWithNone()); } catch (MemberException ex) { return errorResponse(401); } } (This only works on a version of ERRest after June 9 2011)
Login with a session protected void initAuthentication() throws MemberException, NotAuthorizedException { if (context().hasSession()) { Session session = (Session)context()._session(); if (session.member() == null) { throw new NotAuthorizedException(); } } else { throw new NotAuthorizedException(); } } @Override public WOActionResults performActionNamed(String actionName, boolean throwExceptions) { try { initAuthentication(); } catch (MemberException ex) { return pageWithName(Login.class); } catch (NotAuthorizedException ex) { return pageWithName(Login.class); } return super.performActionNamed(actionName, throwExceptions); }
Tokens • Pros: • No timeout based on inactivity (unless you want to) • Cons: • More work involved • Client must request a token • Can store the token in a cookie, Authorization header or as a query argument
Login with a token curl -X GET http://127.0.0.1/cgi-bin/WebObjects/App.woa/ra/members/login.json?username=auser&password=md5pass public static final ERXBlowfishCrypter crypter = new ERXBlowfishCrypter(); public WOActionResults loginAction() throws Throwable { try { String username = request().stringFormValueForKey("username"); String password = request().stringFormValueForKey("password"); Member member = Member.validateLogin(editingContext(), username, password); String hash = crypter.encrypt(member.username()); if (hash != null) { return response(hash, ERXKeyFilter.filterWithAll()); } } catch (MemberException ex) { return errorResponse(401); } }
Login with a token public static final ERXBlowfishCrypter crypter = new ERXBlowfishCrypter(); protected void initTokenAuthentication() throws MemberException, NotAuthorizedException { String tokenValue = this.request().cookieValueForKey("someCookieKeyForToken"); if (tokenValue != null) { String username = crypter.decrypt(tokenValue); Member member = Member.fetchMember(editingContext(), Member.USERNAME.eq(username)); if (member == null) { throw new NotAuthorizedException(); } } else { throw new NotAuthorizedException(); } } @Override public WOActionResults performActionNamed(String actionName, boolean throwExceptions) { try { initTokenAuthentication(); } catch (MemberException ex) { return pageWithName(Login.class); } catch (NotAuthorizedException ex) { return pageWithName(Login.class); } return super.performActionNamed(actionName, throwExceptions); }
Browser vs System-to-System It near impossible to have a REST backend with security that works well with both browsers-based and "system-to-system" applications. • For browser apps: use cookies • For system-to-system: use the Authorization header
Handling HTML and routes auth @Override protected WOActionResults performHtmlActionNamed(String actionName) throws Exception { try { initCookieAuthentication(); } catch (MemberException ex) { return pageWithName(LoginPage.class); } catch (NotAuthorizedException ex) { return pageWithName(LoginPage.class); } return super.performHtmlActionNamed(actionName); } @Override protected WOActionResults performRouteActionNamed(String actionName) throws Exception { try { initTokenAuthentication(); } catch (MemberException ex) { return errorResponse(401); } catch (NotAuthorizedException ex) { return errorResponse(401); } return super.performRouteActionNamed(actionName); }
Other options • OAuth • Custom HTTP Authentication scheme • Digest Authentification • OpenID • API Key (similar to token)
Versioning
Versioning • Try hard to not having to version your REST services... • ... but life is never as planified • Use mod_rewrite and ERXApplication._rewriteURL to make it easier • Use mod_rewrite even if you are not versionning! It makes shorter and nicer URLs
Versioning In Apache config: RewriteEngine On RewriteRule ^/your-service/v1/(.*)$ /cgi-bin/WebObjects/YourApp-v1.woa/ra$1 [PT,L] RewriteRule ^/your-service/v2/(.*)$ /cgi-bin/WebObjects/YourApp-v2.woa/ra$1 [PT,L] In Application.java: public String _rewriteURL(String url) { String processedURL = url; if (url != null && _replaceApplicationPathPattern != null && _replaceApplicationPathReplace != null) { processedURL = processedURL.replaceFirst(_replaceApplicationPathPattern, _replaceApplicationPathReplace); } return processedURL; } In the Properties of YourApp-v1.woa: er.extensions.ERXApplication.replaceApplicationPath.pattern=/cgi-bin/WebObjects/YourApp-v1.woa/ra er.extensions.ERXApplication.replaceApplicationPath.replace=/your-service/v1/ In the Properties of YourApp-v2.woa: er.extensions.ERXApplication.replaceApplicationPath.pattern=/cgi-bin/WebObjects/YourApp-v2.woa/ra er.extensions.ERXApplication.replaceApplicationPath.replace=/your-service/v2/
Versioning: the gotcha Watch out for schema changes or other changes that can break old versions if all versions use the same database schema!
HTML routing
HTML routing? • Power of ERRest + WO/EOF + clean URLs! • Like DirectActions, but with a lot of work done for you • Useful for small public apps that can be cacheable (or accessible offline)
Automatic routing: damn easy • Create a REST controller for your entity and set isAutomaticHtmlRoutingEnabled() to true • Create a <EntityName><Action>Page (eg, MemberIndexPage.wo) component • Register your controller • Your component must implements IERXRouteComponent • Run your app • Profits!
Passing data to the component Use the ERXRouteParameter annotation to tag methods to receive data: @ERXRouteParameter public void setMember(Member member) { this.member = member; }
Automatic HTML routing If the <EntityName><Action>Page component is not found, it will default back to the controller and try to execute the requested method.
HTML routing gotchas • When submitting forms, you're back to the stateful request handler • ERXRouteUrlUtils doesn't create rewritten URLs
Manual HTML routing That's easy: same as a DirectAction: public WOActionResults indexAction() throws Throwable { return pageWithName(Main.class); }
100% REST public Application() { ERXRouteRequestHandler restRequestHandler = new ERXRouteRequestHandler(); requestHandler.insertRoute(new ERXRoute("Main","", MainController.class, "index")); ... setDefaultRequestHandler(requestHandler); } public class MainController extends BaseController { public MainController(WORequest request) { super(request); } @Override protected boolean isAutomaticHtmlRoutingEnabled() { return true; } @Override public WOActionResults indexAction() throws Throwable { return pageWithName(Main.class); } @Override protected ERXRestFormat defaultFormat() { return ERXRestFormat.html(); } ...
HTML routing: demo
Cool trick: Application Cache Manifest • Let you specify that some URLs of your app can be available offline • URLs in the CACHE section will be available offline until you change the manifest and remove the URLs from the CACHE section • Use a DirectAction or a static file to create the manifest • One cool reason to use the HTML routing stuff
Cache Manifest In your DirectAction class: public WOActionResults manifestAction() { EOEditingContext ec = ERXEC.newEditingContext(); WOResponse response = new WOResponse(); response.appendContentString("CACHE MANIFESTn"); response.appendContentString("CACHE:n"); response.appendContentString(ERXRouteUrlUtils.actionUrlForEntityType(this.context(), Entity.ENTITY_NAME, "index", ERXRestFormat.HTML_KEY, null, false, false) + "n"); response.appendContentString("NETWORK:n"); response.setHeader("text/cache-manifest", "Content-Type"); return response; } In your component: <wo:WOGenericContainer elementName="html" manifest=$urlToManifest" lang="en" xmlns="http://www.w3.org/1999/xhtml"> public String urlForManifest() { return this.context().directActionURLForActionNamed("manifest", null); }
Debugging
Debugging REST problems • curl -v : will display all headers and content, for both request and response • Firebug and WebKit Inspector : useful to see the XMLHttpRequest calls • tcpflow : see all trafic on a network interface, can do filters • Apache DUMPIO (mod_dumpio) : dump ALL requests and responses data to Apache's error log
Debugging Demo
MONTREAL 1/3 JULY 2011 Q&A

More Related Content

PDF
ERRest in Depth
byWO Community
 
PDF
ERRest - Designing a good REST service
byWO Community
 
PDF
ERRest - The Next Steps
byWO Community
 
PDF
ERRest: the Basics
byWO Community
 
PDF
KAAccessControl
byWO Community
 
PDF
ERRest and Dojo
byWO Community
 
PDF
Class-based views with Django
bySimon Willison
 
PPT
Jsp/Servlet
bySunil OS
 
ERRest in Depth
byWO Community
 
ERRest - Designing a good REST service
byWO Community
 
ERRest - The Next Steps
byWO Community
 
ERRest: the Basics
byWO Community
 
KAAccessControl
byWO Community
 
ERRest and Dojo
byWO Community
 
Class-based views with Django
bySimon Willison
 
Jsp/Servlet
bySunil OS
 

What's hot

PPT
JavaScript
bySunil OS
 
PDF
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
byGeeksLab Odessa
 
PPT
Developing application for Windows Phone 7 in TDD
byMichele Capra
 
PDF
How to write easy-to-test JavaScript
byYnon Perek
 
PPTX
Тарас Олексин - Sculpt! Your! Tests!
byDataArt
 
PDF
Activator and Reactive at Play NYC meetup
byHenrik Engström
 
PPTX
Test and profile your Windows Phone 8 App
byMichele Capra
 
PDF
Mastering Oracle ADF Bindings
byEuegene Fedorenko
 
PDF
Object Oriented Exploitation: New techniques in Windows mitigation bypass
bySam Thomas
 
PDF
Http4s, Doobie and Circe: The Functional Web Stack
byGaryCoady
 
DOC
Selenium Webdriver with data driven framework
byDavid Rajah Selvaraj
 
PPT
Intoduction to Play Framework
byKnoldus Inc.
 
PDF
Solr workshop
byYasas Senarath
 
PDF
Codegeneration With Xtend
bySven Efftinge
 
PDF
Building High Performance and Reliable Windows Phone 8 Apps
byMichele Capra
 
PDF
Phoenix + Reactで 社内システムを 密かに作ってる
byTakahiro Kobaru
 
ODP
An introduction to SQLAlchemy
bymengukagan
 
PPTX
Devoxx 2012 hibernate envers
byRomain Linsolas
 
PDF
119764860 dx-auth
byBirtan Yıldız
 
PPT
Intorduction of Playframework
bymaltiyadav
 
JavaScript
bySunil OS
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
byGeeksLab Odessa
 
Developing application for Windows Phone 7 in TDD
byMichele Capra
 
How to write easy-to-test JavaScript
byYnon Perek
 
Тарас Олексин - Sculpt! Your! Tests!
byDataArt
 
Activator and Reactive at Play NYC meetup
byHenrik Engström
 
Test and profile your Windows Phone 8 App
byMichele Capra
 
Mastering Oracle ADF Bindings
byEuegene Fedorenko
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
bySam Thomas
 
Http4s, Doobie and Circe: The Functional Web Stack
byGaryCoady
 
Selenium Webdriver with data driven framework
byDavid Rajah Selvaraj
 
Intoduction to Play Framework
byKnoldus Inc.
 
Solr workshop
byYasas Senarath
 
Codegeneration With Xtend
bySven Efftinge
 
Building High Performance and Reliable Windows Phone 8 Apps
byMichele Capra
 
Phoenix + Reactで 社内システムを 密かに作ってる
byTakahiro Kobaru
 
An introduction to SQLAlchemy
bymengukagan
 
Devoxx 2012 hibernate envers
byRomain Linsolas
 
119764860 dx-auth
byBirtan Yıldız
 
Intorduction of Playframework
bymaltiyadav
 

Similar to ERRest

PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PPTX
Rest API Security
byStormpath
 
PPTX
Secureyourrestapi 140530183606-phpapp02
bySubhajit Bhuiya
 
PPTX
Secure Your REST API (The Right Way)
byStormpath
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Creating a Facebook Clone - Part XXV - Transcript.pdf
byShaiAlmog1
 
PDF
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Pentesting RESTful webservices
byMohammed A. Imran
 
PDF
Rest with Spring
byEugen Paraschiv
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
Third Party Auth in WebObjects
byWO Community
 
PDF
General Method of HTTP Messages Authentication Based on Hash Functions in Web...
byDenis Kolegov
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PPTX
How to build Simple yet powerful API.pptx
byChanna Ly
 
PDF
Rest api titouan benoit
byTitouan BENOIT
 
PDF
RESTful Day 5
byAkhil Mittal
 
PPTX
Introduction to Web Security
byKamil Lelonek
 
PDF
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
Rest API Security
byStormpath
 
Secureyourrestapi 140530183606-phpapp02
bySubhajit Bhuiya
 
Secure Your REST API (The Right Way)
byStormpath
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Creating a Facebook Clone - Part XXV - Transcript.pdf
byShaiAlmog1
 
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Pentesting RESTful webservices
byMohammed A. Imran
 
Rest with Spring
byEugen Paraschiv
 
Securing Web Applications with Token Authentication
byStormpath
 
Third Party Auth in WebObjects
byWO Community
 
General Method of HTTP Messages Authentication Based on Hash Functions in Web...
byDenis Kolegov
 
API SECURITY
byTubagus Rizky Dharmawan
 
How to build Simple yet powerful API.pptx
byChanna Ly
 
Rest api titouan benoit
byTitouan BENOIT
 
RESTful Day 5
byAkhil Mittal
 
Introduction to Web Security
byKamil Lelonek
 
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 

More from WO Community

PDF
In memory OLAP engine
byWO Community
 
PDF
Using Nagios to monitor your WO systems
byWO Community
 
PDF
Build and deployment
byWO Community
 
PDF
High availability
byWO Community
 
PDF
Reenabling SOAP using ERJaxWS
byWO Community
 
PDF
Chaining the Beast - Testing Wonder Applications in the Real World
byWO Community
 
PDF
D2W Stateful Controllers
byWO Community
 
PDF
Deploying WO on Windows
byWO Community
 
PDF
Unit Testing with WOUnit
byWO Community
 
PDF
Life outside WO
byWO Community
 
PDF
Apache Cayenne for WO Devs
byWO Community
 
PDF
Advanced Apache Cayenne
byWO Community
 
PDF
Migrating existing Projects to Wonder
byWO Community
 
PDF
iOS for ERREST - alternative version
byWO Community
 
PDF
iOS for ERREST
byWO Community
 
PDF
"Framework Principal" pattern
byWO Community
 
PDF
Filtering data with D2W
byWO Community
 
PDF
WOver
byWO Community
 
PDF
Localizing your apps for multibyte languages
byWO Community
 
PDF
WOdka
byWO Community
 
In memory OLAP engine
byWO Community
 
Using Nagios to monitor your WO systems
byWO Community
 
Build and deployment
byWO Community
 
High availability
byWO Community
 
Reenabling SOAP using ERJaxWS
byWO Community
 
Chaining the Beast - Testing Wonder Applications in the Real World
byWO Community
 
D2W Stateful Controllers
byWO Community
 
Deploying WO on Windows
byWO Community
 
Unit Testing with WOUnit
byWO Community
 
Life outside WO
byWO Community
 
Apache Cayenne for WO Devs
byWO Community
 
Advanced Apache Cayenne
byWO Community
 
Migrating existing Projects to Wonder
byWO Community
 
iOS for ERREST - alternative version
byWO Community
 
iOS for ERREST
byWO Community
 
"Framework Principal" pattern
byWO Community
 
Filtering data with D2W
byWO Community
 
WOver
byWO Community
 
Localizing your apps for multibyte languages
byWO Community
 
WOdka
byWO Community
 

Recently uploaded

PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PPTX
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
Certified AI-Empowered SAFe 6 Scrum Master.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
The Lex Wire Precedent: A Technical Standard for Machine-Mediated Authority ...
byJeff Howell
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 

ERRest

  • 1.
    MONTREAL 1/3 JULY2011 ERRest Pascal Robert Conatus/MacTI
  • 2.
    The Menu • What's new in ERRest • Debugging • Security • Caching (Sunday!) • Versioning • Optimistic locking (Sunday!) • HTML routing • Using the correct HTTP verbs and codes (Sunday!)
  • 3.
  • 4.
    Anymous updates • No need to send the ids of nested objects anymore • Call ERXKeyFilter.setAnonymousUpdateEnabled(true) • If 1:N relationship, will replace existing values for all nested objects
  • 5.
    Anonymous update protected ERXKeyFilter filter() { ERXKeyFilter filter = ERXKeyFilter.filterWithAttributes(); ERXKeyFilter personFilter = ERXKeyFilter.filterWithAttributes(); personFilter.include(Person.FIRST_NAME); personFilter.setAnonymousUpdateEnabled(true); filter.include(BlogEntry.PERSON, personFilter); return filter; } curl -X PUT -d "{ title: 'New Post', person: {firstName: 'Test'} }" http://127.0.0.1/cgi-bin/WebObjects/ SimpleBlog.woa/ra/posts/23.json
  • 6.
    Sort ordering on1:N • You can now sort a 1:N relationship • Call ERXKeyFilter.setSortOrderings()
  • 7.
    Sort ordering ERXKeyFilter filter= ERXKeyFilter.filterWithAttributes(); ERXKeyFilter categoryFilter = ERXKeyFilter.filterWithAttributes(); categoryFilter.setSortOrderings(BlogCategory.SHORT_NAME.ascs()); filter.include(BlogEntry.CATEGORIES, categoryFilter);
  • 8.
    Ignoring unknow keys • By default, returns status 500 if unknow attribute is found in request • To ignore those errors, call: yourErxKeyFilter.setUnknownKeyIgnored(true)
  • 9.
    ERXRouteController.performActi onName That method have been split in 5 methods to make it easier to override on the method.
  • 10.
    ERXRestContext • Hold a userInfo dict + the editing context • Can pass a different date format per controller • Override createRestContext to do that
  • 11.
    ERXRestContext public class BlogEntryController extends BaseRestController { ... @Override protected ERXRestContext createRestContext() { ERXRestContext restContext = new ERXRestContext(editingContext()); restContext.setUserInfoForKey("yyyy-MM-dd", "er.rest.dateFormat"); restContext.setUserInfoForKey("yyyy-MM-dd", "er.rest.timestampFormat"); return restContext; } }
  • 12.
    Other new stuff • More strict HTTP status code in responses • Support for @QueryParam, @CookieParam and @HeaderParam for JSR-311 annotations • Indexed bean properties are supported in bean class descriptions • updateObjectWithFilter will update subobjects
  • 13.
  • 14.
    What other RESTservices uses? • Twitter and Google: OAuth • Amazon S3: signature • Campaign Monitor: Basic Authentication • MailChimp: API Key
  • 15.
    Security • Basic Authentification • Sessions • Tokens
  • 16.
  • 17.
  • 18.
    Basic Auth • Pros: • 99.9% of HTTP clients can work with it • Easy to implement • Cons: • It's just a Base64 representation of your credentials! • No logout option (must close the browser) • No styling of the user/pass box
  • 19.
    Implementing Basic Auth protected void initAuthentication() throws MemberException, NotAuthorizedException { String authValue = request().headerForKey( "authorization" ); if( authValue != null ) { try { byte[] authBytes = new BASE64Decoder().decodeBuffer( authValue.replace( "Basic ", "" ) ); String[] parts = new String( authBytes ).split( ":", 2 ); String username = parts[0]; String password = parts[1]; setAuthenticatedUser(Member.validateLogin(editingContext(), username, password)); } catch ( IOException e ) { log.error( "Could not decode basic auth data: " + e.getMessage() ); e.printStackTrace(); } } else { throw new NotAuthorizedException(); } } public class NotAuthorizedException extends Exception { public NotAuthorizedException() { super(); } }
  • 20.
    Implementing Basic Auth @Override public WOActionResults performActionNamed(String actionName, boolean throwExceptions) { // This is if you don't want to use Basic Auth for HTML apps if (!(ERXRestFormat.html().name().equals(this.format().name()))) { try { initAuthentication(); } catch (UserLoginException ex) { WOResponse response = (WOResponse)errorResponse(401); response.setHeader("Basic realm="ERBlog"", "WWW-Authenticate"); return response; } catch (NotAuthorizedException ex) { WOResponse response = (WOResponse)errorResponse(401); response.setHeader("Basic realm="ERBlog"", "WWW-Authenticate"); return response; } } return super.performActionNamed(actionName, throwExceptions); }
  • 21.
    Sessions • Pros: • Can store other data on the server-side (but REST is suppose to be stateless) • Easy to implement • Cons: • Timeouts... • Sessions are bind to a specific instance of the app • State on the server • Non-browser clients have to store the session ID
  • 22.
    Login with asession curl -X GET http://127.0.0.1/cgi-bin/WebObjects/App.woa/ra/users/login.json?username=auser&password=md5pass public Session() { setStoresIDsInCookies(true); } public WOActionResults loginAction() throws Throwable { try { String username = request().stringFormValueForKey("username"); String password = request().stringFormValueForKey("password"); Member member = Member.validateLogin(session().defaultEditingContext(), username, password); return response(member, ERXKeyFilter.filterWithNone()); } catch (MemberException ex) { return errorResponse(401); } } (This only works on a version of ERRest after June 9 2011)
  • 23.
    Login with asession protected void initAuthentication() throws MemberException, NotAuthorizedException { if (context().hasSession()) { Session session = (Session)context()._session(); if (session.member() == null) { throw new NotAuthorizedException(); } } else { throw new NotAuthorizedException(); } } @Override public WOActionResults performActionNamed(String actionName, boolean throwExceptions) { try { initAuthentication(); } catch (MemberException ex) { return pageWithName(Login.class); } catch (NotAuthorizedException ex) { return pageWithName(Login.class); } return super.performActionNamed(actionName, throwExceptions); }
  • 24.
    Tokens • Pros: • No timeout based on inactivity (unless you want to) • Cons: • More work involved • Client must request a token • Can store the token in a cookie, Authorization header or as a query argument
  • 25.
    Login with atoken curl -X GET http://127.0.0.1/cgi-bin/WebObjects/App.woa/ra/members/login.json?username=auser&password=md5pass public static final ERXBlowfishCrypter crypter = new ERXBlowfishCrypter(); public WOActionResults loginAction() throws Throwable { try { String username = request().stringFormValueForKey("username"); String password = request().stringFormValueForKey("password"); Member member = Member.validateLogin(editingContext(), username, password); String hash = crypter.encrypt(member.username()); if (hash != null) { return response(hash, ERXKeyFilter.filterWithAll()); } } catch (MemberException ex) { return errorResponse(401); } }
  • 26.
    Login with atoken public static final ERXBlowfishCrypter crypter = new ERXBlowfishCrypter(); protected void initTokenAuthentication() throws MemberException, NotAuthorizedException { String tokenValue = this.request().cookieValueForKey("someCookieKeyForToken"); if (tokenValue != null) { String username = crypter.decrypt(tokenValue); Member member = Member.fetchMember(editingContext(), Member.USERNAME.eq(username)); if (member == null) { throw new NotAuthorizedException(); } } else { throw new NotAuthorizedException(); } } @Override public WOActionResults performActionNamed(String actionName, boolean throwExceptions) { try { initTokenAuthentication(); } catch (MemberException ex) { return pageWithName(Login.class); } catch (NotAuthorizedException ex) { return pageWithName(Login.class); } return super.performActionNamed(actionName, throwExceptions); }
  • 27.
    Browser vs System-to-System It near impossible to have a REST backend with security that works well with both browsers-based and "system-to-system" applications. • For browser apps: use cookies • For system-to-system: use the Authorization header
  • 28.
    Handling HTML androutes auth @Override protected WOActionResults performHtmlActionNamed(String actionName) throws Exception { try { initCookieAuthentication(); } catch (MemberException ex) { return pageWithName(LoginPage.class); } catch (NotAuthorizedException ex) { return pageWithName(LoginPage.class); } return super.performHtmlActionNamed(actionName); } @Override protected WOActionResults performRouteActionNamed(String actionName) throws Exception { try { initTokenAuthentication(); } catch (MemberException ex) { return errorResponse(401); } catch (NotAuthorizedException ex) { return errorResponse(401); } return super.performRouteActionNamed(actionName); }
  • 29.
    Other options • OAuth • Custom HTTP Authentication scheme • Digest Authentification • OpenID • API Key (similar to token)
  • 30.
  • 31.
    Versioning • Try hard to not having to version your REST services... • ... but life is never as planified • Use mod_rewrite and ERXApplication._rewriteURL to make it easier • Use mod_rewrite even if you are not versionning! It makes shorter and nicer URLs
  • 32.
    Versioning In Apache config: RewriteEngine On RewriteRule ^/your-service/v1/(.*)$ /cgi-bin/WebObjects/YourApp-v1.woa/ra$1 [PT,L] RewriteRule ^/your-service/v2/(.*)$ /cgi-bin/WebObjects/YourApp-v2.woa/ra$1 [PT,L] In Application.java: public String _rewriteURL(String url) { String processedURL = url; if (url != null && _replaceApplicationPathPattern != null && _replaceApplicationPathReplace != null) { processedURL = processedURL.replaceFirst(_replaceApplicationPathPattern, _replaceApplicationPathReplace); } return processedURL; } In the Properties of YourApp-v1.woa: er.extensions.ERXApplication.replaceApplicationPath.pattern=/cgi-bin/WebObjects/YourApp-v1.woa/ra er.extensions.ERXApplication.replaceApplicationPath.replace=/your-service/v1/ In the Properties of YourApp-v2.woa: er.extensions.ERXApplication.replaceApplicationPath.pattern=/cgi-bin/WebObjects/YourApp-v2.woa/ra er.extensions.ERXApplication.replaceApplicationPath.replace=/your-service/v2/
  • 33.
    Versioning: the gotcha Watchout for schema changes or other changes that can break old versions if all versions use the same database schema!
  • 34.
  • 35.
    HTML routing? • Power of ERRest + WO/EOF + clean URLs! • Like DirectActions, but with a lot of work done for you • Useful for small public apps that can be cacheable (or accessible offline)
  • 36.
    Automatic routing: damneasy • Create a REST controller for your entity and set isAutomaticHtmlRoutingEnabled() to true • Create a <EntityName><Action>Page (eg, MemberIndexPage.wo) component • Register your controller • Your component must implements IERXRouteComponent • Run your app • Profits!
  • 37.
    Passing data tothe component Use the ERXRouteParameter annotation to tag methods to receive data: @ERXRouteParameter public void setMember(Member member) { this.member = member; }
  • 38.
    Automatic HTML routing Ifthe <EntityName><Action>Page component is not found, it will default back to the controller and try to execute the requested method.
  • 39.
    HTML routing gotchas • When submitting forms, you're back to the stateful request handler • ERXRouteUrlUtils doesn't create rewritten URLs
  • 40.
    Manual HTML routing That'seasy: same as a DirectAction: public WOActionResults indexAction() throws Throwable { return pageWithName(Main.class); }
  • 41.
    100% REST public Application(){ ERXRouteRequestHandler restRequestHandler = new ERXRouteRequestHandler(); requestHandler.insertRoute(new ERXRoute("Main","", MainController.class, "index")); ... setDefaultRequestHandler(requestHandler); } public class MainController extends BaseController { public MainController(WORequest request) { super(request); } @Override protected boolean isAutomaticHtmlRoutingEnabled() { return true; } @Override public WOActionResults indexAction() throws Throwable { return pageWithName(Main.class); } @Override protected ERXRestFormat defaultFormat() { return ERXRestFormat.html(); } ...
  • 42.
  • 43.
    Cool trick: ApplicationCache Manifest • Let you specify that some URLs of your app can be available offline • URLs in the CACHE section will be available offline until you change the manifest and remove the URLs from the CACHE section • Use a DirectAction or a static file to create the manifest • One cool reason to use the HTML routing stuff
  • 44.
    Cache Manifest In your DirectAction class: public WOActionResults manifestAction() { EOEditingContext ec = ERXEC.newEditingContext(); WOResponse response = new WOResponse(); response.appendContentString("CACHE MANIFESTn"); response.appendContentString("CACHE:n"); response.appendContentString(ERXRouteUrlUtils.actionUrlForEntityType(this.context(), Entity.ENTITY_NAME, "index", ERXRestFormat.HTML_KEY, null, false, false) + "n"); response.appendContentString("NETWORK:n"); response.setHeader("text/cache-manifest", "Content-Type"); return response; } In your component: <wo:WOGenericContainer elementName="html" manifest=$urlToManifest" lang="en" xmlns="http://www.w3.org/1999/xhtml"> public String urlForManifest() { return this.context().directActionURLForActionNamed("manifest", null); }
  • 45.
  • 46.
    Debugging REST problems • curl -v : will display all headers and content, for both request and response • Firebug and WebKit Inspector : useful to see the XMLHttpRequest calls • tcpflow : see all trafic on a network interface, can do filters • Apache DUMPIO (mod_dumpio) : dump ALL requests and responses data to Apache's error log
  • 47.
  • 48.