Learn all you ever wanted to learn about RESTful services development challenges in large scale applications
This session is a deep dive as well as an interactive discussion on design principles, considerations, lessons learned from mistakes that can be taken into account when developing RESTful services. It will cover a variety of topics from Designing of RESTful resources, Versioning, Exception Handling, Caching, Validation, Security, Rate limiting, HATEOAS, Testing and Documentation. This talk will walk through and compare the different REST API provided by companies like Twitter, Paypal, Google, Stripe and more we can learn the good, the bad and ugly. So join me in this talk to build high quality applications that can be highly scalable, available and reliable.
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Real world RESTful service development problems and solutions
1. Real world RESTful service development
problems and solutions
by Bhakti Mehta
@bhakti_mehta
2. Introduction
Senior Staff Engineer at Blue Jeans Network
Worked at Sun Microsystems/Oracle for 13 years
Committer to numerous open source projects
including GlassFish Open Source Application Server
Copyright 2014 Bhakti Mehta All rights reserved
2
3. My latest book
Copyright 2014 Bhakti Mehta All rights reserved
3
5. What you will learn
REST architectural style
Goals of REST
Design principles for REST
Advanced topics
Emerging standards and REST
Copyright 2014 Bhakti Mehta All rights reserved
5
6. What is REST?
All resources are identified by the URIs.
All resources can have multiple representations
All resources can be
accessed/modified/created/deleted by standard
HTTP methods.
There is no state information on the server.
Copyright 2014 Bhakti Mehta All rights reserved
6
7. Why REST?
Mature architectural style
Ease of use
Statelessness improves
Visibility
Reliability
Performance
Age of applications
Copyright 2014 Bhakti Mehta All rights reserved
7
8. Java API for RESTful Services
Standardized API as part of platform to build
RESTful Services
Convert POJOs to RESTful Web Services using
Annotations
Support for various representations
Improved support for client APIs
Copyright 2014 Bhakti Mehta All rights reserved
8
9. Design principles for building RESTful Services
Identify the resource URIs.
Identify the different representations supported by
the resource
Implement the RESTful services using JAX-RS APIs
Deploy the RESTful services
Test the RESTful services
Copyright 2014 Bhakti Mehta All rights reserved
9
10. Resource URI patterns
Nouns representing a resource
Verbs representing an action on the resource
Safety
Idempotence
Copyright 2014 Bhakti Mehta All rights reserved
10
11. URI representation of a resource
/v1/coffees
To represent all the coffees that are sold by a coffee shop
/v1/coffees/orders
To represent all the coffees that are ordered
/v1/coffees/orders/123
To represent a single coffee order of coffee identified by
“123”
/v1/users/5034/books
To represent all the books for a user identified by “5034”
Copyright 2014 Bhakti Mehta All rights reserved
11
12. HTTP verbs and REST
GET
PUT
POST
DELETE
HEAD
Copyright 2014 Bhakti Mehta All rights reserved
12
13. HTTP verbs and actions
GET v1/library/books
Gets a list of books
POST v1/library/books
Creates a new book order
DELETE v1/library/books/isbn/12345678
Deletes a book identified by ISBN “12345678”
PUT v1/library/books/isbn/12345678
Updates a specific book identified by ISBN “12345678’
Copyright 2014 Bhakti Mehta All rights reserved
13
14. Safety and Idepotence
Safe methods
Safe methods are methods that do not change the state on the
server.
For example GET is a safe method.
Idempotent methods
This method produce the same results irrespective of how
many times it is called.
For example GET, PUT and DELETE are idempotent
Copyright 2014 Bhakti Mehta All rights reserved
14
15. PUT vs POST
PUT vs POST
So POST /v1/coffees/orders means to create a new
resource and return an identifier to describe the resource
In contrast PUT /v1/coffees/orders/1234 means to
update a resource identified by “1234” if it exists else
create a new order and use the URI orders/1234 to
identify it.
PUT and POST can both be used to create or update
methods. The usage of the method depends on the
idempotence behavior expected from the method as well
the location of the resource to identify it.
Copyright 2014 Bhakti Mehta All rights reserved
15
16. Best practices for RESTful resources
The API developer should use nouns to understand
and navigate through resources
Use associations in the URIs to identify sub
resources. For user/1234/books/5678/authors.
For specific variations use query parameters. For
example to get all the books with 10 reviews
/user/1234/books?reviews_counts=10
Copyright 2014 Bhakti Mehta All rights reserved
16
17. Best practices for RESTful resources
Have defaults for the output format for the response
Have camelCase or use _ for attribute names.
Support a standard API for count for example
users/1234/books/count
Support a pretty printing option
users/1234?pretty_print.
Copyright 2014 Bhakti Mehta All rights reserved
17
19. Richardson Maturity Model
Level 0 – Remote Procedure Invocation
SOAP or XML RPC and POX with POST
Level 1 – REST resources
POST with REST URIs
Level 2 – More HTTP Verbs
Verbs like GET, HEAD, PUT, DELETE
Level 3 – HATEOAS
Responses contain more details to help client take next action
Copyright 2014 Bhakti Mehta All rights reserved
19
21. Content Negotiation
The process of selecting the best representation for a
given response when there are multiple
representations available.
Typical responses can be from
JSON
XML
TEXT
etc
Copyright 2014 Bhakti Mehta All rights reserved
21
22. Content Negotiation
Using HTTP headers
The Content-Type HTTP header is used to indicate the mime
type of the entity being sent by the server
A client can make a request to the server and specify what
media types it can handle and what is its order of preference as
part of the “Accept” HTTP header.
Copyright 2014 Bhakti Mehta All rights reserved
22
23. Content Negotiation
Using URL patterns
Using resource representation based on extension of
a resource in the URL.
For example a client can ask for details using
http://foo.api.com/v2/library/books.xml
orhttp://foo.api.com/v2/library/books.json
Copyright 2014 Bhakti Mehta All rights reserved
23
24. Content Negotiation and JAX-RS
javax.ws.rs.Produces
javax.ws.rs.Consumes
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response addCoffee(Coffee coffee) {
// Implementation here
}
Copyright 2014 Bhakti Mehta All rights reserved
24
25. Versioning
For evolution of the application
It is hard to foresee all the resources, which will
change over the life of the application.
The API developers must ensure that the HTTP verbs
semantics and status codes should continue to work
without human intervention as the version changes.
Copyright 2014 Bhakti Mehta All rights reserved
25
26. API versioning strategies
Specify the version in the URI itself.
Specify the version in the request query parameter
Specify the version in the Accept header
Copyright 2014 Bhakti Mehta All rights reserved
26
27. Version in the URI
For example http://api.foo.com/v2/coffees/1234
Additionally API developers can provide a path,
which defaults to the latest version of the API. Thus
the following request URI's should behave identically
http://api.foo.com/coffees/1234
http://api.foo.com/v2/coffees/1234
Copyright 2014 Bhakti Mehta All rights reserved
27
28. Version in request query parameter
For example in the following URL v2 has been
specified as part of the query parameter, ?version=v2
http://api.foo.com/coffees/1234?version=v2
Copyright 2014 Bhakti Mehta All rights reserved
28
29. Version as part of mime type
Some APIs prefer to put version as part of the
“Accept” header
For example Accept: application/vnd.foo-v1+json
In the above snippet vnd stands for vendor specific
mime type.
GitHub uses this format
Copyright 2014 Bhakti Mehta All rights reserved
29
30. Case studies for versioning
Facebook, Twitter, Stripe API all use versions as part
of the URI.
Facebook API makes a version unusable two years
after the date that the subsequent version is released.
If a client makes a un-versioned call, the server will
default to the oldest available version of the
Facebook API.
Twitter API, provides a six months to completely
transition from v1.0 from v1.1
Copyright 2014 Bhakti Mehta All rights reserved
30
31. Specifying version in the Accept header
For example Accept: application/vnd.foo-v1+json
In the above snippet vnd stands for vendor specific
mime type. This removes the version for the URL
and is preferred by some API developers.
Copyright 2014 Bhakti Mehta All rights reserved
31
32. Error handling and Response codes
HTTP provides standardized response codes that can
be returned for every request.
It is a good practice to not show a stack trace as part
of the response
Use response codes to identify client or server side
errors appropriately
Copyright 2014 Bhakti Mehta All rights reserved
32
33. REST response codes
Group Response code Description
Success 2XX 200 OK Used with PUT or
POST or DELETE. It
returns content as part
of the response
201 Created used when creating a
resource with PUT. It
must contain the
Location header of the
resource.
204 No Content used for DELETE,
POST or PUT
operation. No content
is returned as part of
the response.
Copyright 2014 Bhakti Mehta All rights reserved
33
34. REST response codes
Group Response code Description
Success 2XX 202 Accepted Send response
later as processing
has not been
completed as yet.
Redirectional 3XX 301 Permanent All requests are
directed to new
location.
302 Found Resource is valid
and exists
Copyright 2014 Bhakti Mehta All rights reserved
34
35. REST response codes
Group Response code Description
Client Error 4XX 401 Unauthorized Cannot process the
request based on
credentials
404 Not Found Resource is not
found
Server Errors 5xx 500 Internal
Server Error
Generic message
when no specific
exceptions are
available
Copyright 2014 Bhakti Mehta All rights reserved
35
36. JAX-RS and Response codes
JAX-RS defines a javax.ws.rs.core.Response class,
which has static methods to create an instance using
javax.ws.rs.core.Response.ResponseBuilder
@POST
Response addCoffee(...) {
Coffee coffee = ...
URI coffeeId = UriBuilder.fromResource(Coffee.class)...
return Response.created(coffeeId).build();
}
Copyright 2014 Bhakti Mehta All rights reserved
36
37. Logging REST API
Complex distributed applications can introduce
many points of failure
Logging is a very important aspect of building
RESTful services especially in the case of debugging
production issues in distributed nodes running
various micro services.
It helps to link events or transactions between the
various components that make an application or a
business service.
Copyright 2014 Bhakti Mehta All rights reserved
37
38. Logging REST API best practices
Including a detailed consistent pattern across service
logs
Obfuscating sensitive data
Identifying the caller or the initiator as part of the
logs
Do not log payloads by default
Copyright 2014 Bhakti Mehta All rights reserved
38
39. Case studies of logging frameworks in distributed
environments
Facebook has developed a homegrown solution
called Scribe, which is a server for aggregating
streaming log data.
Dapper is Google's tracing system, which samples
data from the thousands of requests and provides
sufficient information to trace data. Traces are
collected in local log files and then pulled in Google's
BigTable database.
Copyright 2014 Bhakti Mehta All rights reserved
39
40. Caching
Storing response information related to the requests
in a temporary storage for a specific period of time.
Ensures that the server is not burdened with
processing those requests in future when the
responses can be fulfilled from the cache.
Copyright 2014 Bhakti Mehta All rights reserved
40
41. Caching Patterns
Types of Caching Headers
Strong Caching Headers
Weak Caching Headers
Copyright 2014 Bhakti Mehta All rights reserved
41
42. Strong Caching Headers
Cache-Control
Expires
The Expires and Cache-Control headers specify the
time period during which the browser can use the
cached resource without checking for a newer
version.
Cache-Control max-age takes the time
Expires takes a date
Copyright 2014 Bhakti Mehta All rights reserved
42
43. Weak Caching Headers
ETag
Last-Modified
These headers enable the browser to check if the
resource has changed since the last GET request. In
the Last-Modified header, there is a date associated
with the modification of the resource. In the ETag
header, there can be any value that uniquely
identifies a resource (like a hash).
Copyright 2014 Bhakti Mehta All rights reserved
43
44. JAX-RS and Caching headers
@GET
@Path("{order}")
@Produces(MediaType.APPLICATION_XML)
@NotNull(message = "Coffee does not exist for the order id
requested")
public Response getCoffee(@PathParam("order") int order) {
Coffee coffee = CoffeeService.getCoffee(order);
CacheControl cacheControl = new CacheControl();
cacheControl.setMaxAge(3600);
cacheControl.setPrivate(true);
Response.ResponseBuilder responseBuilder =
Response.ok(coffee);
responseBuilder.cacheControl(cacheControl);
return responseBuilder.build();
}
Copyright 2014 Bhakti Mehta All rights reserved
44
45. Caching best practices
It is a good practice to specify either Expires or
Cache-Control max-age along with one of the two
Last-Modified and ETag headers in the HTTP
response. Sending both Expires and Cache-Control
max-age is redundant. Similarly, sending both Last-
Modified and ETag is redundant
Copyright 2014 Bhakti Mehta All rights reserved
45
46. Caching best practices
Cache on GET request
Invalidate cache on PUT, POST or DELETE
Periodically purge cache entries
Copyright 2014 Bhakti Mehta All rights reserved
46
47. Asynchronous and long running jobs in REST
A common pattern in developing RESTful API is to
deal with asynchronous and long running jobs.
API developers need to create resources that might
take a considerable amount of time
They cannot have the clients wait on the API to
finish.
Copyright 2014 Bhakti Mehta All rights reserved
47
48. Asynchronous and long running jobs
Server side:
AsyncResponse
@Suspended
CompletionCallback
ConnectionCallback
Copyright 2014 Bhakti Mehta All rights reserved
48
49. Asynchronous and long running jobs
Client side
InvocationCallback
Future
Copyright 2014 Bhakti Mehta All rights reserved
49
50. Asynchronous operations best practices
Send 202 Accepted if resource is not available
immediately with Location
Use message queues to handle tasks asynchronously
Copyright 2014 Bhakti Mehta All rights reserved
50
51. Rate limiting
Rate limiting involves restricting the number of
requests that can be made by a client.
A client can be identified based on the access token
it uses for the request
Another way the client can be identified is the IP
address of the client.
Copyright 2014 Bhakti Mehta All rights reserved
51
52. Rate limiting
The server can decide what the natural rate limit per
client should be, say for example, 500 requests per
hour.
The server checks if the request count is within the
limit.
If the request count is within the limit, the request
goes through and the count is increased for the
client.
If the client request count exceeds the limit, the
server can throw a 429 error.
Copyright 2014 Bhakti Mehta All rights reserved
52
53. Rate limiting and JAX-RS
Rate limiting can be implemented as a filter
This can check for the access count for a client and
allow the messages to go through if within the limits
Else throw a 429 Error
Copyright 2014 Bhakti Mehta All rights reserved
53
54. Response pagination patterns
The following are the different techniques of
pagination that can be used:
Offset-based pagination
Time-based pagination
Cursor-based pagination
Copyright 2014 Bhakti Mehta All rights reserved
54
55. Offset-based pagination
Offset-based pagination is the case when the client
wants results specified by a page number and the
number of results per page
GET v1/coffees/orders?page=1&limit=50
Copyright 2014 Bhakti Mehta All rights reserved
55
56. Time-based pagination
The time-based pagination technique will be used
when the client wants to query for a set of results
between a specific timeframe.
For example, GET
v1/coffees/orders?since=140358321&until=1430874
72
Copyright 2014 Bhakti Mehta All rights reserved
56
57. Cursor based pagination
The cursor-based pagination is a technique where
the results are separated into pages by a cursor, and
the results can be navigated forwards and backwards
using the next and previous cursors that are
provided in the response.
Copyright 2014 Bhakti Mehta All rights reserved
57
58. HATEOAS
Hypermedia as the Engine of Application
State (HATEOAS) is a constraint of the REST
application architecture.
Provides hypermedia links in the response sent by
the server.
Copyright 2014 Bhakti Mehta All rights reserved
58
59. HATEOAS sample for book resource
{
"Name":" Developing RESTful Services with JAX-RS 2.0,
WebSockets, and JSON",
"ISBN": "1782178120"
"links": [
{
"rel": "self",
"href": "http://packt.com/books/123456789"
}
]
}
Copyright 2014 Bhakti Mehta All rights reserved
59
60. Authentication
Copyright 2014 Bhakti Mehta All rights reserved
60
Authentication enabled for all resources
Happens before any other validation
No access without validating the authentication
token
61. Authorization
Copyright 2014 Bhakti Mehta All rights reserved
61
Authorization is the process of checking whether the
requestor has permissions to perform the requested
operation.
Happens after detecting a valid authentication
Happens before any validation
62. OAuth
Copyright 2014 Bhakti Mehta All rights reserved
62
User or resource owner: The user is the resource
owner who wants to print his photos
Consumer application or client: This is the
print service application, which will act on behalf of
the user
Service provider or server: The service provider
is the resource server that will store the user's photos
64. 3 legged OAuth
Copyright 2014 Bhakti Mehta All rights reserved
64
1. User wants to allow an application to do a task on his behalf. In our example, the
task is to print photos, which are on a server using a consumer application.
2. The consumer application redirects the user to the service provider's
authorization URL.
3. Here, the provider displays a web page asking the user if they can grant the
application access to read and update their data.
4. The user agrees to grant the application access by the print service consumer
application.
5. The service provider redirects the user back to the application (via the redirect
URI), passing an authorization code as a parameter.
6. The application exchanges the authorization code for an access grant. The service
provider issues the access grant to the application. The grant includes an access
token and a refresh token.
7. Now that the connection is established, the consumer application can now obtain
a reference to the service API and invoke the provider on behalf of the user. Thus,
the print service can now access the user's photos from the service provider's site.
65. REST and micro services
Micro services vs Monolithic services
Advantages
Simplicity
Isolation of problems
Scale up and Scale down
Easy deployment
Clear Separation of concerns
Copyright 2014 Bhakti Mehta All rights reserved
65
66. REST and extensibility
Copyright 2014 Bhakti Mehta All rights reserved
66
Uniform interface constraint
Standard HTTP methods
Well defined representations of resources
Easy to use by myriad of clients from web, to mobile
clients to other applications
Improves scalability, visibility and reliability
67. Emerging standards and future of REST
WebSockets
WebHooks
ServerSentEvents
Copyright 2014 Bhakti Mehta All rights reserved
67
68. WebSockets
Full duplex communication over TCP
Initial Handshake over HTTP for Upgrade request
Used for games, chat applications
Copyright 2014 Bhakti Mehta All rights reserved
68
70. WebHooks
User defined custom HTTP callbacks
Event producer sends event to the endpoint provided
by client
Github WebHooks
Copyright 2014 Bhakti Mehta All rights reserved
70
72. Server-sent Events
Streaming model where clients get automatic
updates from server
One direction communication from the server
QOS directives can be added to the message
Copyright 2014 Bhakti Mehta All rights reserved
72
74. Comparisons
Criteria WebHooks WebSockets SSE
Long lived open
Y Y
connection
Callback URK
registered
Y
Bidirectional Y
Needs Fallback to
Y
Polling
Asynchronous real
time
communication
Y Y Y
Easy to implement Y Needs browser and
proxy servers
support
Y
Copyright 2014 Bhakti
Mehta All rights reserved
74
75. Questions
Blog
https://www.java.net/blog/bhaktimehta
Twitter
@bhakti_mehta
Copyright 2014 Bhakti Mehta All rights reserved
75
Editor's Notes
This is an injectable JAX-RS asynchronous response that provides means for asynchronous server-side response processing
AsyncResponse: This is an injectable JAX-RS asynchronous response that provides means for asynchronous server-side response processing
@Suspended: The @Suspended annotation instructs the container that the HTTP request processing should happen in a secondary thread
CompletionCallback: This is a request processing callback that receives request processing completion events
ConnectionCallback: This is an asynchronous request processing life cycle callback that receives connection-related asynchronous response life cycle events
InvocationCallback: This is a callback that can be implemented to receive the asynchronous processing events from the invocation processing
Future: This allows the client to poll for completion of the asynchronous operation or to block and wait for it