REST – Beyond the hype
The document discusses REST and common misconceptions about RESTful API design. It begins with a brief history of REST and considerations of alternatives like SOAP. It then addresses how the rise of frameworks led to prescriptive but incorrect "rules" for REST. The bulk of the document dispels common myths and "lies" told about RESTful design, focusing on proper use of URIs, resources, media types, and use of hypermedia. It emphasizes that REST is an architectural style and not a rigid set of rules.
2. Who am I?
• Twitter: @darrel_miller
• http://www.bizcoder.com/
Solve API Problems Fast
4. Objectives
• Very brief history of REST
• Consider the alternatives
• The rise and fall of Pop REST
• The lies you have been told about REST
• Just the facts
• Open question period
You will get more from this if it is interactive, so ask questions and challenge my assertions.
5. REST
What is it and where did it come from?
REST describes the architectural style of the Web
http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
6. “Most of REST’s constraints are focused on preserving independent evolvability over time, which is only measurable on the scale of years.”
Roy Fielding, “REST APIs must be hypertext-driven” (2008)
7. • How many users do you have? 10, 100, 10000
• How many different client applications do you have?
• Can you force updates on your users?
• Do you even control the clients?
8. What are the alternatives?
• Distributed Objects
• Event Based Integration
• RPC
9. Why not SOAP?
• Tooling made SOAP based systems fragile
• XML got blamed for people’s poor use of it
• Tooling forced SOAP to be implemented as RPC
10. The birth of Pop REST
• The craving for prescriptive guidance
• Web API Frameworks
• API Management vendors
12. http://apievangelist.com/2014/04/15/what-are-some-good-examples-of-hypermedia-apis/
FoxyCart
A hypermedia example from the world of commerce, providing an example that fits nicely into the API economy.
FamilySearch
An interesting approach to using hypermedia APIs for discovering and managing your family history.
Huddle
An enterprise example of hypermedia APIs from the content collaboration platform huddle.
Amazon AppStream REST API
The Amazon AppStream web service provides APIs you can call to manage applications hosted on Amazon AppStream and to manage client sessions connecting to those applications.
Clarify
Clarify is a self-service API that allows you to make your audio and video files actionable via search and extracted keywords and topics.
Lync Web Developer
Microsoft’s Unified Communications Web API (UCWA) is the Next Generation Platform for Mobile and Web Development.
PayPal REST API
One of the key features of the PayPal REST API is HATEOAS (Hypertext As The Engine Of Application State).
VerticalResponse
VerticalResponse's API generally follows the REST model, based on the principles behind HTTP.
18. “Expose your entities as resources"
• Name the resource
• http://example.org/order/23
• http://example.org/order/24
• http://example.org/users?name=bob
• http://example.org/users?name=bill
• http://example.org/location?lat=34&long=23
RFC 3986 (URI: Generic Syntax), which obsoletes RFC 2396
19. Entity free resources
• http://example.org/dashboard
• http://example.org/printer
• http://example.org/barcodeprocessor
• http://example.org/invoice/32/status
• http://example.org/searchform
• http://example.org/calculator
"instead of trying to figure out what a resource is, think of it in terms of what it does." Leonard Richardson
21. “GET/PUT/POST/DELETE == CRUD”
• POST is not necessarily create
• PUT might be create or update
• DELETE doesn’t have to physically delete
• What about PATCH, HEAD, OPTIONS, TRACE ?
CRUD is a uniform way of exposing data
REST is intended to expose an application workflow.
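Slide 21 in code, as an added example that is not part of the talk: a tiny in-memory order API where POST to an action is a workflow transition rather than a create, PUT is create-or-update guarded by If-Match so that a stale client cannot overwrite a newer representation, and DELETE is a cancellation that leaves a tombstone answering 410 instead of physically removing the record. The paths (/orders, /orders/{id}/submit, /orders/{id}/status), the fields and the draft/submitted/shipped state machine are assumptions made for this illustration, not anything the slides define.

```python
"""Order workflow over HTTP verbs (added example, not from the talk).

Tiny in-memory dispatcher so the slide's points can be exercised without a
network: POST as a state transition, PUT as create-or-update guarded by
If-Match, DELETE as cancellation that keeps an audit tombstone. The paths,
fields and state machine are assumptions made for this illustration.
"""
import hashlib
import json
import re

# Assumed workflow edges: (current state, action) -> next state. A POST that is
# not an allowed edge is refused with 409 instead of being applied blindly.
TRANSITIONS = {("draft", "submit"): "submitted", ("submitted", "ship"): "shipped"}
ORDERS = {}  # id -> representation; cancelled orders stay as tombstones


def _etag(rep):
    """Strong validator derived from the canonical JSON of the representation."""
    return '"%s"' % hashlib.sha256(json.dumps(rep, sort_keys=True).encode()).hexdigest()[:16]


def _reply(status, body=None, **headers):
    """Build a (status, headers, body) triple; a bodiless reply carries no Content-Type."""
    if body is None:
        return status, headers, ""
    headers["Content-Type"] = "application/json"
    return status, headers, json.dumps(body)


def handle(method, path, body=None, headers=None):
    """Dispatch one request and return (status, headers, body)."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    payload = json.loads(body) if body else {}

    if method == "POST" and path == "/orders":
        # POST to the collection does create, but the server picks the identifier.
        oid = str(max([0] + [int(k) for k in ORDERS]) + 1)
        ORDERS[oid] = {"id": oid, "items": payload.get("items", []), "state": "draft"}
        return _reply(201, ORDERS[oid], Location="/orders/" + oid, ETag=_etag(ORDERS[oid]))

    m = re.fullmatch(r"/orders/(\d+)(?:/(status|submit|ship))?", path)
    if not m:
        return _reply(404, {"error": "no such resource"})
    oid, sub = m.group(1), m.group(2)
    order = ORDERS.get(oid)

    if method == "PUT" and sub is None:
        # PUT is create-or-update of the whole representation at a client-chosen URI.
        # The state stays server-controlled; clients change it only via transitions.
        if order is not None and order["state"] == "cancelled":
            return _reply(410, {"error": "order was cancelled"})
        if order is not None and headers.get("if-match") != _etag(order):
            # Lost-update protection: the client must prove it saw the current version.
            return _reply(412, {"error": "representation changed; refetch and retry"})
        ORDERS[oid] = {"id": oid, "items": payload.get("items", []),
                       "state": order["state"] if order else "draft"}
        return _reply(200 if order else 201, ORDERS[oid], ETag=_etag(ORDERS[oid]))

    if order is None:
        return _reply(404, {"error": "no such order"})
    if order["state"] == "cancelled":
        # Tombstone: DELETE stays idempotent, everything else learns the resource is gone.
        return _reply(204) if method == "DELETE" and sub is None else _reply(410, {"error": "gone"})

    if method == "GET" and sub in (None, "status"):
        # /orders/{id}/status is an entity-free sub-resource (compare slide 19).
        rep = order if sub is None else {"state": order["state"]}
        return _reply(200, rep, ETag=_etag(rep))

    if method == "POST" and sub in ("submit", "ship"):
        # POST as a state transition: nothing is created, the order advances.
        nxt = TRANSITIONS.get((order["state"], sub))
        if nxt is None:
            return _reply(409, {"error": "cannot %s an order in state %s" % (sub, order["state"])})
        order["state"] = nxt
        return _reply(200, order, ETag=_etag(order))

    if method == "DELETE" and sub is None:
        # DELETE means "cancel": the record is kept for audit and the URI answers 410 from now on.
        order["state"] = "cancelled"
        return _reply(204)

    return _reply(405, {"error": "method not allowed"}, Allow="GET, PUT, POST, DELETE")


def decode(reply):
    """Parse the JSON body of a reply (helper for callers and tests)."""
    return json.loads(reply[2])


def reset():
    """Forget all orders (helper for tests)."""
    ORDERS.clear()
```

The dispatcher refuses a transition that is not an edge of the workflow (409) and refuses a PUT whose If-Match does not name the current ETag (412); both are the server enforcing the workflow rather than trusting the verb alone to mean create, update or delete.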
22. “A REST API is for exposing your data on the web”
Patterns of Enterprise Application Architecture, Martin Fowler
23. “REST has no contracts, just return application/json and/or application/xml”
{} </>
27. GET /some-mystery-resource
200 OK
Content-Type: application/data-series+xml
<series xAxisType="range" yAxisType="percent" title="% of requests with their max-age value in days">
  <dataPoint yValue="59" xLowerValue="0" xUpperValue="0"/>
  <dataPoint yValue="13" xLowerValue="0" xUpperValue="1"/>
  <dataPoint yValue="17" xLowerValue="1" xUpperValue="30"/>
  <dataPoint yValue="8" xLowerValue="30" xUpperValue="365"/>
  <dataPoint yValue="3" xLowerValue="365" xUpperValue="65535"/>
</series>
28. Other media types that support hypermedia
application/xhtml+xml
application/hal+json
application/vnd.collection+json
application/vnd.siren+json
application/ld+json
application/rdf+xml
application/home+json
application/problem+json
application/atom+xml
application/activity+xml
text/uri-list
30. “Serializing DTOs is the best way to return data”
“A REST API should never have “typed” resources that are significant to the client.”
“The only types that are significant to a client are the current representation’s media type and standardized relation names.”
Roy Fielding, “REST APIs must be hypertext-driven” (2008)
32. “Design your URIs first”
• Design by URI tends to force your resource design into a hierarchy
• Can be constrained by the routing capabilities of your framework
• Discourages the creation of resources that don’t map directly to other implementation concepts
• Focuses on structural relationships between resources rather than workflow relationships
34. “Adding hypermedia to your representations is
inefficient”
• Caching is critical
• Allows correct granularity of resources
• The additional costs of providing hypermedia are far outweighed by
its benefits
35. “You must document the URIs your API
exposes”
What you absolutely need to document: the media type specifications, the link
relation specifications, the HTTP specification and the root URL.
Including URIs in the documentation is dangerous for RESTful systems.
The same goes for return types and error codes.
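To make slides 30, 34 and 35 concrete, here is an added example (not code from the talk) of a client that is told only the root URL and a handful of link relation names, resolves relative hrefs against the URI each document was fetched from, and never hard-codes a URI. It also adds the check a practitioner wants in such a client: server-supplied links are not allowed to steer it (and its credentials) to another origin. The HAL documents, the origin api.example.org and the `orders`, `item` and `next` relations are constructed for this example; the in-memory SERVER dict stands in for the network.

```python
"""Added example, not code from the talk: a hypermedia client driven by
the root URL and link relation names only. HAL documents, the origin
api.example.org and the relation names are constructed for the example."""
import json
from urllib.parse import urljoin, urlsplit

ROOT = "https://api.example.org/"  # the one URI the client is told about


def hal(document):
    return "application/hal+json", json.dumps(document)


def order_doc(order_id, state):
    return hal({"id": order_id, "state": state,
                "_links": {"self": {"href": f"/orders/{order_id}"}}})


# Constructed stand-in for the network: URI -> (Content-Type, body).
SERVER = {
    "https://api.example.org/": hal({"_links": {
        "self": {"href": "/"},
        "orders": {"href": "/orders"},
        "docs": {"href": "https://docs.example.org/"},   # another origin
    }}),
    "https://api.example.org/orders": hal({"count": 3, "_links": {
        "self": {"href": "/orders"},
        "next": {"href": "/orders?page=2"},
        "item": [{"href": "/orders/1"}, {"href": "/orders/2"}],
    }}),
    "https://api.example.org/orders?page=2": hal({"_links": {
        "self": {"href": "/orders?page=2"},
        "item": {"href": "/orders/3"},   # HAL allows one object or an array
    }}),
    "https://api.example.org/orders/1": order_doc(1, "submitted"),
    "https://api.example.org/orders/2": order_doc(2, "draft"),
    "https://api.example.org/orders/3": order_doc(3, "cancelled"),
}


def http_get(uri):
    """Stand-in for HTTP GET against SERVER."""
    if uri not in SERVER:
        return 404, None, None
    content_type, body = SERVER[uri]
    return 200, content_type, body


def media_type(content_type):
    return content_type.split(";", 1)[0].strip().lower()


def link_hrefs(doc, rel):
    entry = doc.get("_links", {}).get(rel)
    if entry is None:
        return []
    return [link["href"] for link in (entry if isinstance(entry, list) else [entry])]


def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


class HalClient:
    def __init__(self, root):
        self.root = root

    def get(self, uri):
        # Links come from the server; do not let them redirect the client
        # and its credentials to a host it never agreed to talk to.
        if not same_origin(uri, self.root):
            raise PermissionError(f"refusing to follow off-origin link {uri}")
        status, content_type, body = http_get(uri)
        if status != 200:
            raise LookupError(f"{status} for {uri}")
        if media_type(content_type) != "application/hal+json":
            raise ValueError(f"expected application/hal+json, got {content_type!r}")
        return json.loads(body)

    def follow(self, doc, base, rel):
        """Yield (uri, document) per link with relation `rel`; hrefs are
        resolved against the URI the containing document came from."""
        for href in link_hrefs(doc, rel):
            uri = urljoin(base, href)
            yield uri, self.get(uri)


def can_follow(rel, root=ROOT):
    """True if the root document's `rel` link is on-origin and fetchable."""
    client = HalClient(root)
    try:
        list(client.follow(client.get(root), root, rel))
        return True
    except PermissionError:
        return False


def list_orders(root=ROOT):
    """Walk root -> orders -> item, paging via 'next'; no URI is hard-coded."""
    client = HalClient(root)
    page_uri, page = next(client.follow(client.get(root), root, "orders"))
    found = []
    while True:
        for _, order in client.follow(page, page_uri, "item"):
            found.append((order["id"], order["state"]))
        more = list(client.follow(page, page_uri, "next"))
        if not more:
            break
        page_uri, page = more[0]
    return found
```

Because the client only ever sees `/orders`, `/orders?page=2` and `/orders/3` through the documents themselves, the server can move or restructure those URIs without any client change, which is the reason slide 35 warns against documenting them. The relative hrefs are also the cheap answer to slide 34's "link bloat" worry.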
36. “You need to build a client SDK for your API”
• http://trafficandweather.io/posts/2013/10/20/episode-18-this-will-be-way-easier
• SDKs can be a crutch for a poorly designed API
• SDKs are expensive to maintain
• SDKs can constrain deployment of new features
37. The problem with client libraries
PhotoSearchOptions options = new PhotoSearchOptions();
options.Tags = "blue,sky";
PhotoCollection photos = flickr.PhotosSearch(options);
38. So many lies; what is the truth?
• Client/Server
• Stateless
• Caching
• Uniform Interface
• Layered
• Code on Demand
- Developer advocate for Runscope.
- Cloud-based solutions for API performance monitoring
Microsoft MVP
Book
Considered doing the standard REST talk. This is how you can do it. But there are many places where they will tell you that. Many of them are wrong. I decided to take a more confrontational approach and tell you the lies you are being told about REST. Hopefully it will make the next few hours easier to stay awake and I’m hoping it will promote more interaction. We will have an open question period but ….
Why should I care about REST? REST is style that can be applied to building distributed systems. Web APIs, Microservices. Business to business interactions, Mobile applications.
Evolvability matters when there are many different participants in the distributed system under control by different release cycles. The REST constraints are all about reducing, focusing and controlling the coupling between clients and servers to make change easier to manage.
Distributed objects died with CORBA and WebSphere EJB. Service buses: big client requirements. RPC: SOAP / XML-RPC.
SOAP 1.0 (2000) mentioned using it for RPC. By Dec 2001 it was fixed.
REST was touted as easier than SOAP, testable from the browser, the next silver bullet. More lightweight. “no contracts”.
Now almost 13,000 APIs listed. To this date there are only a handful of public APIs that support hypermedia.
I’m taking this more confrontational approach because I’m hoping to provoke conversation. This mis-information is everywhere. Even starting to appear in “best practices” articles. Credibility.
Which of these are RESTful? The question makes no sense. An identifier is just that. It can’t be RESTful or not RESTful. How you are able to interact with that resource determines whether the URI identifies a RESTful resource. Sadly, it’s an uphill battle. On Stack Overflow alone there are 358 questions about RESTful URLs.
Web Frameworks like rails invented this convention so that they could provide facilities to make it easy to implement REST based systems. But somewhere along the way, someone decided that this convention was definitively what REST was.
There is nothing wrong with a web framework defining conventions for exposing resources. However, claiming that this is the definition of REST is like Facebook declaring that Facebook is the Web. OData
Specific APIs can define conventions, but shouldn’t be standardized
Hurts re-use
Resources are more like object instances than classes.
Content-Type is supposed to provide the information I need to find out how to interpret the document
With this content-type, as a client developer, I can go to IANA, find the spec, understand the meaning and write code to process it.
Obviously human readable makes sense, but just because we understand it, that isn’t enough. REST has a notion of self-descriptive. We don’t want to depend on the client having to be able to understand/recognize/parse the URL to be able to interpret the meaning of the response. The problem with the media type as defined here is that it is extremely specific. Not very re-usable. Too much effort to write a spec and register it. Consider for a moment what a client might want to do with this data.
If all we want the client to do is be able to view a graph of the data, or do some simple statistical analysis, then maybe a more generic media type is suitable.
Self-descriptive means that the message declares everything that the client application needs to understand in order to process the message. Adding metadata to an application/xml response just moves the lack of understanding of the content to the lack of understanding of the metadata. application/xml and application/json have no semantics.
DTOs, as introduced by Fowler, were useful for RPC based distributed systems; however, REST uses media types as the contracts for interacting with other systems over the wire. Media types are a more controlled environment that take a far more tolerant approach to versioning and are globally discoverable.
DTOs generally get returned in application/xml and application/json formats, so they are not self-descriptive. This means the client needs to know what content is coming from which URI. Creating a media type for every DTO is a crazy proposition. Windows Explorer example.
No URIs were harmed in the making of this design.
Link bloat: addressed by compression, relative URIs and URI templates.
Is this accessing the REST api, or the SOAP api?
Which line of code makes a network request?
What happens when PhotosSearch fails? Is it safe to retry? Was it an auth problem? Was it a versioning problem?
What happens when Flickr adds a new property to PhotoSearchOptions or PhotoCollection? New versions are all or nothing.