rest api from javascript to handle session and security - rest

I'm developing a public rest api and want to use it for my company's web client as well (jquery). That would work since it would be on the same server.
However, my question is whether REST is even supposed to be consumed by JavaScript. What about authentication, authorization and session information, since REST is not supposed to maintain any session state?
Can I store all the state, create the response with the token etc within JavaScript?
Or should I create another plain servlet layer on top of my own REST API as a REST client, which could be richer (breaking REST principles)?
Or create an extra version of the REST API that allows some less REST-like behavior (session data), and maybe even keep that private.
As a side question, I'm also wondering if there's any performance difference between using, say, Jersey vs regular servlets for processing calls. In other words, can I use Jersey as a servlet replacement (to take advantage of the format conversions)?


OAuth2 server to server communication between two RESTful web apis in .NET Core

I know how to implement token-based security via OAuth to protect access to an API. I also know how to use HTTPClient to call an API.
But when I search/google how to use OAuth when calling a web API from a web API, all it shows me is how to implement token-based security for a web API (which I already have).
In my scenario I have a UI calling web API 1. After that I have to do some server-to-server communication: web API 1 calls web API 2, and web API 2 calls web API 3. Web API 3 does something and returns to web API 2, which then does something based on success or failure, then returns to web API 1 (which does something), returning back to the UI.
(The reason for that intended implementation is storing (different) data in 3 different databases, where I currently do not want (and later may not be allowed) to grant web API 1 direct access to them.)
I am just unclear how I would manage the tokens (I don't want to request them every time, so I guess I will need some kind of service handling that and keeping them).
Any hint on how I could get the authorization (token handling) done?
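One way to handle the token management the question asks about, written here as an added example rather than anything from the poster: one cached client-credentials token per downstream API (audience), refreshed shortly before it expires, so web API 1 does not call the token endpoint on every request. The `requestToken` function, the audience names and the fake token endpoint are assumptions; in a real service `requestToken` would POST to the OAuth2 token endpoint.

```javascript
// Added example (not the poster's code): per-audience token cache with early refresh.
class TokenCache {
  constructor(requestToken, { skewSeconds = 30, now = () => Date.now() } = {}) {
    this.requestToken = requestToken;   // assumed: (audience) => { access_token, expires_in }
    this.skewMs = skewSeconds * 1000;
    this.now = now;
    this.entries = new Map();           // audience -> { token, expiresAt }
    this.fetches = 0;                   // how often the token endpoint was actually hit
  }

  // Returns a token that is still valid for at least `skewSeconds`.
  // Keyed by audience: the token minted for web API 2 must never be reused for web API 3.
  get(audience) {
    const e = this.entries.get(audience);
    if (e && e.expiresAt - this.skewMs > this.now()) return e.token;
    const res = this.requestToken(audience);
    if (!res || typeof res.access_token !== 'string' || !(res.expires_in > 0)) {
      throw new Error(`token endpoint returned no usable token for ${audience}`);
    }
    this.fetches += 1;
    this.entries.set(audience, {
      token: res.access_token,
      expiresAt: this.now() + res.expires_in * 1000,
    });
    return res.access_token;
  }

  // Call when a downstream API answers 401: the token may have been revoked early.
  invalidate(audience) { this.entries.delete(audience); }
}

// Constructed stand-in for the token endpoint: a fresh token per call, 300 s lifetime.
function fakeTokenEndpoint() {
  let n = 0;
  return (audience) => ({ access_token: `${audience}-token-${++n}`, expires_in: 300 });
}

// Demonstration with a controllable clock (milliseconds).
function demo() {
  let t = 0;
  const cache = new TokenCache(fakeTokenEndpoint(), { skewSeconds: 30, now: () => t });
  const first = cache.get('api2');
  cache.get('api2');                 // t=0: served from cache
  t = 269_000; cache.get('api2');    // 31 s left: still served from cache
  t = 271_000;                       // 29 s left: inside the skew window, refreshed
  const second = cache.get('api2');
  cache.get('api3');                 // different audience, separate token
  return { first, second, fetches: cache.fetches };
}
```

The skew window keeps a token from expiring between the cache check and the downstream call; `invalidate` covers the case where the issuer revokes a token before its advertised lifetime. In production the token request is asynchronous, so `get` would return a promise and concurrent callers for the same audience should share one in-flight refresh.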

REST API Security JBoss EAP 6.4

I am coding a webapp (E-commerce) for learning purpose using AngularJS + BootStrap and REST.
I have used Apache Wink for the REST WS and the application is deployed on JBoss EAP 6.4. My application is working fine.
I can access the back-end data using AJAX and the web pages are getting populated properly. The issue is the security of the REST WS. If I use a REST URL directly in the browser, without going through the front end, the JSON data gets populated and my data is exposed. What design changes should I make?
Please note that the initial operations on the website, e.g. browsing the products, adding them to the cart etc., are stateless. No user's identity is needed for these operations. I still need to secure my data for these interactions. Please suggest how I can do it.
Sunil
If you want to lock down the services, you may require some type of authentication (for example user/pass) that returns a security token (over https). Then all subsequent function calls may require the security token to be passed in as a parameter (if the operation is sensitive). The token will require a session timeout.
However, if the data is also publicly shown on the site, then there's not really a security risk in itself. IOW, how is this any different than them using the public website to get/update data? The REST services usually shouldn't require any additional level of security beyond what is already used on the website to protect the data.

REST based Website

I have to create 2 different websites that would use REST api to interact with a single MySQL database.
I know how to create website with forms..etc using PHP.
How would I use a REST API for my websites? I searched and found out that there are libraries for Android to use a REST API, but how to do so in the case of a website?
REST is an architectural pattern, it is not (by itself) an API. APIs can implement REST.
Just like any other API out there, you have to get the documentation for the API and then call it from your source.
Depending on what your requirements are, you may be calling it from javascript or from your PHP backend.
REST is an architecture pattern (you can read more about it at wikipedia) which aims to use HTTP verbs like PUT, POST and DELETE to execute commands against endpoints which represent a resource.
To use REST, your backend server will send normal HTTP requests to the API service; so in PHP this means using the various curl libraries to send requests.
Responses are generally in json; but they could be in any other format (or even in binary) - check with the API documentation that you have to consume.
If all you want is interacting with a REST API, then you need a HTTP client, probably cURL (PHP has a cURL lib). After that you have to check whether your API violates the HATEOAS constraint. If not, then it is called hypermedia API. In that case you have to follow hyperlinks provided by the API in the responses. If it violates the constraint, then it is called web API, and you have to build the method, URL, etc... on the client side again, so your client will break easily by any structural changes of the API. Everything else depends on the message format and the semantic annotations the API uses.
If you want to build a REST API, I strongly suggest you learn more about the topic. First read the Fielding dissertation and check some existing solutions like HAL or Hydra+JSON-LD. Forget the tutorials. Most information available on the web about how to implement a REST API is flawed.
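The difference the answer above draws between a hypermedia client and one that builds URLs itself, as an added example that is not part of the answer: the client starts at the API root and follows HAL-style `_links` by relation name, expanding URI templates for queries and walking `next` links for pagination. The host `api.example`, the `x:` relation names and the in-memory stand-in for the API are constructed for the example; the same client code would sit in front of cURL, `fetch` or any other HTTP client.

```javascript
// Added example (not from the answer): a HAL link-following client with an origin check.
const BASE = 'https://api.example';

// Constructed stand-in for the API's responses so this runs offline.
const FAKE_API = {
  '/': {
    _links: {
      self: { href: '/' },
      'x:orders': { href: '/v2/orders' },                          // path moved; client unaffected
      'x:find': { href: '/v2/orders{?status,page}', templated: true },
      'x:account': { href: 'https://evil.example/account' },        // off-origin link, refused below
    },
  },
  '/v2/orders': {
    _embedded: { orders: [{ id: 1, total: 20 }, { id: 2, total: 35 }] },
    _links: { self: { href: '/v2/orders' }, next: { href: '/v2/orders?page=2' } },
  },
  '/v2/orders?page=2': {
    _embedded: { orders: [{ id: 3, total: 5 }] },
    _links: { self: { href: '/v2/orders?page=2' } },
  },
  '/v2/orders?status=open': {
    _embedded: { orders: [{ id: 2, total: 35 }] },
    _links: { self: { href: '/v2/orders?status=open' } },
  },
};

// Stand-in for an HTTP GET. Only same-origin URLs are fetched: a link inside a
// response must not be able to redirect our credentials to another host.
function getJson(href) {
  const url = new URL(href, BASE);
  if (url.origin !== BASE) throw new Error(`refusing off-origin link: ${href}`);
  const doc = FAKE_API[url.pathname + url.search];
  if (!doc) throw new Error(`404 ${url.pathname + url.search}`);
  return doc;
}

// Minimal RFC 6570 expansion for the `{?a,b}` form only (the form HAL templates commonly use).
function expand(template, params = {}) {
  return template.replace(/\{\?([^}]+)\}/g, (_, names) => {
    const pairs = names.split(',').map((n) => n.trim())
      .filter((n) => params[n] !== undefined)
      .map((n) => `${encodeURIComponent(n)}=${encodeURIComponent(params[n])}`);
    return pairs.length ? `?${pairs.join('&')}` : '';
  });
}

// Follow the link with the given relation from a document; never build the URL by hand.
function follow(doc, rel, params) {
  const link = doc._links && doc._links[rel];
  if (!link) throw new Error(`no link with rel "${rel}"`);
  return getJson(link.templated ? expand(link.href, params) : link.href);
}

// Walk `next` links until they stop, collecting the embedded resources of one name.
function collect(doc, name) {
  const items = [];
  for (let page = doc; page; page = page._links && page._links.next ? follow(page, 'next') : null) {
    items.push(...((page._embedded && page._embedded[name]) || []));
  }
  return items;
}

function allOrderIds() {
  return collect(follow(getJson('/'), 'x:orders'), 'orders').map((o) => o.id);
}

function openOrderIds() {
  return collect(follow(getJson('/'), 'x:find', { status: 'open' }), 'orders').map((o) => o.id);
}
```

Because the client only knows the root URL and relation names, the server was free to move orders under `/v2/` without breaking it; a client that had hard-coded `/orders` would have started getting 404s.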

maintaining session in REST web service

I have a COTS application (PLM application) which has provided a few SOAP APIs to access. Since this SOAP API is highly complex, we are developing an easy-to-use REST wrapper service. Before invoking any API in my COTS application, the authentication API needs to be invoked. In my REST wrapper web service, I have a login resource which invokes the COTS SOAP login API. To keep things simple for my API users, I store the logged-in user details in the user session. In every other REST resource, I retrieve the session and check whether the session has user details. If yes, I proceed and invoke the SOAP API. If not, I return the proper HTTP status code. I use Apache CXF for the service and client. I mandate my API users to maintain the session in the client like this:
WebClient.getConfig(client).getRequestContext().put(Message.MAINTAIN_SESSION, Boolean.TRUE);
In every REST tutorials, it said REST is stateless. I am doubtful whether what I am doing is correct as per REST standards. Please suggest. Thanks
Basically the idea of REST is a stateless interface. However it is common practice to use some kind of authentication for API calls since most of the time not all resources should be public (e.g. the timeline of a twitter user over the twitter API)
Therefore it is ok if you do some kind of authentication and validate a session on further requests (or maybe authenticate with every single request, e.g. with HTTP Basic Access Authentication) to check if access should be granted.
Not part of this and not the idea of a RESTful API would be to store complex session information that would really make the whole thing stateful. This for example includes storage of information of an older request for processing together with one following later.
client.getRequestContext().put(Message.MAINTAIN_SESSION, Boolean.TRUE)
This code causes cookies to be maintained in that specific client only.
If you want those cookies be available in another client, it needs to be programmed.
And if the second client receives additional cookies and you want those cookies available in the first client too, how is that possible?
I need something like a root client that maintains cookies of all sub clients. All cookies must be shared among all clients. Like a shared cookie repository for all clients. Does anyone know how to achieve this?

What is the benefit of RESTful Web Service Vs Using Just a simple Servlet?

Regardless of whether I create a RESTful Web service to be consumed by Ajax in my own pages, or by any user, I can provide the same functionality (data) to the application or user using a simple servlet.
I mean the user or application doesn't see any difference between a response provided by a simple servlet and a response provided by a RESTful web service. So, I'm guessing that the benefit is on the server side and to the developers. Can someone please tell me what the benefits of using RESTful web services are?
I appreciate any response.
By definition a webservice is intended to be consumed by any client granted access. If the client you are developing is the only application that you will ever need or want to access the resource then there is little benefit to creating a webservice. However, if you want to make the resource available as a service endpoint for more than just this application in a way that is implementation agnostic then a Restful webservice is a great way of doing it.