RESTful SOA: Extend the SOA with Web 2.0
Yi Li (易立, [email protected]), Senior Software Engineer, China Development Lab
Outline
– The Programmable Web
– What is REST
– Characteristics and Benefits of REST
– The Best Practice of REST
– What is a RESTful SOA?
Web 2.0 from a different angle
http://www.youtube.com/watch?v=6gmP4nk0EOE
chmod 777 web – the programmable Web!
API Billionaires Club
More of the APIs are using REST
Simple to use and simple to access!
Outline
– The Programmable Web
– What is REST
– Characteristics and Benefits of REST
– The Best Practice of REST
– What is a RESTful SOA?
REST is all around
Syndication using RSS
AJAX – Asynchronous JavaScript and XML
The blogosphere– the universe of weblogs
Every Web Site
REST Interface offered by
– Amazon
– eBay
– Yahoo
What is REST?
“REST” is an acronym for “Representational State Transfer”.
“REST” was coined by Roy Fielding in his Ph.D. dissertation [1] to describe a design pattern for implementing networked systems.
[1] http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
REST Overview
REST is an architectural style, not a standard.
– Client-Server: a pull-based interaction style: consuming components pull representations.
– Stateless: each request from client to server must contain all the information necessary to understand the request, and cannot take advantage of any stored context on the server.
– Resource-centric
– Uniform interface: all resources are accessed with a generic interface (e.g., HTTP GET, POST, PUT, DELETE).
– Named resources: the system is comprised of resources which are named using a URL.
Nouns (Unconstrained), e.g. http://wikipedia.org
Verbs (Constrained), e.g. GET/POST
Adjectives – Content-types (Constrained), e.g. HTML, XML, GIF
Example: RESTful Service for Photo Management
The Web
Client → Web Server: Request
Web Server → Client: Response
GET http://example.org/news/
200 OK…
HTTP Request
GET /news/ HTTP/1.1
Host: example.org
Accept-Encoding: compress, gzip
User-Agent: Python-httplib2
HTTP Response
HTTP/1.1 200 Ok
Date: Thu, 07 Aug 2008 15:06:24 GMT
Server: Apache
ETag: "85a1b765e8c01dbf872651d7a5"
Content-Type: text/html
Cache-Control: max-age=3600
<!DOCTYPE HTML>
...
Resource = http://example.org/news/
GET /news/ HTTP/1.1
Host: example.org
Accept-Encoding: compress, gzip
User-Agent: Python-httplib2
Method = GET
GET /news/ HTTP/1.1
Host: example.org
Accept-Encoding: compress, gzip
User-Agent: Python-httplib2
Common Methods for Resources
GET – Safe, Idempotent, Cacheable – Returns a state representation of the identified resource.
PUT – Idempotent – Performs some form of application-specific update to the identified resource.
DELETE – Idempotent – Destroys the resource at the identified location (URI).
POST – Creates a new resource at an identified location (URI).
HEAD – Safe, Idempotent – Checks the status of the identified resource.
Representation
<!DOCTYPE HTML>
<html>
  <head>
    <script src="utility.js" type="text/javascript"></script>      (Code on Demand)
    ....
  <body>
    <p><img src="logo.png"> <a href="/home/">Home</a> ...          (Hypertext)
Control Data
...
Server: Apache
ETag: "85a1b765e8c01dbf872651d7a5"
Content-Type: text/html
Cache-Control: max-age=3600
...
Outline
– The Programmable Web
– What is REST
– Characteristics and Benefits of REST
– The Best Practice of REST
– What is a RESTful SOA?
Recap the Characteristics of REST
Resource-centric
– URI
– Uniform Interface
– Methods
– Representation
Protocol
– Client-Server
– Stateless
– Cacheable
– Layered
Layered Architecture in The Web
Client → Web Server: Request
Web Server → Client: Response
Layered Architecture in The Web
Client ↔ Intermediaries ↔ Web Server
Caching in The Web
User Agent ↔ Proxies (cache) ↔ Gateways (cache) ↔ Origin Server
Caching in The Web
User Agent ↔ Proxies (cache) ↔ Gateways (cache) ↔ Origin Server
...
Server: Apache
ETag: "85a1b765e8c01dbf872651d7a5"
Content-Type: text/html
Cache-Control: max-age=3600
...
Real World of the Web
(Figure: the path across the Internet from client to resources: Client, Cache, Router, Firewall, ISP, Proxy Server, Firewall, Web Server, Resources; and a second origin behind a Firewall, Reverse Proxy, Web Server, Resources.)
Benefits of REST
Cacheability (HTTP GET)
– Unique URI per resource
– Stateless interactions; the response is not a function of how the user reaches the URI
Scalability (HTTP POST)
– Unique URI per resource enables simple partitioning; leverage distributed data
– POST /foo/{user}/bar – [a-l]* to server1, [m-z]* to server2
“Secureability”
– Unique URI per resource; straightforward to set policy on URIs
“Navigability”
– Resources can be navigated via hyperlinks
– Think browser clients
– E.g. GET on a collection returns a list of member URIs and optional paging links (next/prev/first/last)
Other Benefits
– simplicity
– evolvability
– extensibility
– customizability
– configurability
– reusability
– visibility
– portability
– reliability
Outline
– What is Web 2.0
– What is REST
– Characteristics and Benefits of REST
– The Best Practice of REST
– What is a RESTful SOA?
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
Resource        URI
Employee List   /employees/
Employee        /employees/{employee-id}
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
Employee JSON Representation
Employee List JSON Representation
How to choose the proper representation? HTML, XML, JSON, or ATOM feed?
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
Resource        URI                         Method   Representation    Description
Employee List   /employees/                 GET      JSON (emp list)   Retrieve the list of employees
                                            POST     JSON (employee)   Create a new employee
Employee        /employees/{employee-id}    GET      JSON (employee)   Retrieve an employee
                                            PUT      JSON (employee)   Update an employee
                                            DELETE   -                 Remove an employee
REST Recipe
• Find the nouns
• Define the formats
• Pick the operations
• Highlight exceptional status codes
E.g. Create an employee
POST /employees/
….
201 Created
Location: /employees/yili
E.g. Delete an employee
DELETE /employees/zhangke
404 Not Found
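The employee recipe above (nouns, JSON formats, one method per operation, exceptional status codes) as a runnable in-memory dispatcher. This is an added example, not code from the deck; the store, the `handle()` signature and the generated `emp<n>` ids are assumptions, and the 405/409 responses for unsupported methods and duplicate client-chosen ids are added because the recipe tells you to decide them up front.

```python
import json

# Constructed in-memory store for the /employees/ collection (example data, not the deck's).
EMPLOYEES = {}
_next_id = 0

def _route(path):
    """Map a request path onto (collection, member-id); (None, None) if unknown."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if not parts or parts[0] != "employees" or len(parts) > 2:
        return None, None
    return parts[0], (parts[1] if len(parts) == 2 else None)

def _json_body(body):
    """Parse a JSON request body; None when it is missing, malformed or not an object."""
    try:
        doc = json.loads(body) if body else None
    except ValueError:
        return None
    return doc if isinstance(doc, dict) else None

def handle(method, path, body=None):
    """Dispatch one request and return (status, headers, body-or-None)."""
    global _next_id
    collection, emp_id = _route(path)
    if collection is None:
        return 404, {}, None
    json_hdr = {"Content-Type": "application/json"}
    if emp_id is None:                                  # collection: /employees/
        if method == "GET":
            members = [{"id": k, "href": f"/employees/{k}"} for k in sorted(EMPLOYEES)]
            return 200, json_hdr, json.dumps(members)
        if method == "POST":
            emp = _json_body(body)
            if emp is None:
                return 400, {}, None                    # malformed request
            new_id = str(emp.get("id") or "")
            if not new_id:                              # provider-generated id
                _next_id += 1
                new_id = f"emp{_next_id}"
            elif new_id in EMPLOYEES:                   # client-chosen id already taken
                return 409, {}, None
            EMPLOYEES[new_id] = dict(emp, id=new_id)
            return 201, {"Location": f"/employees/{new_id}"}, None
        return 405, {"Allow": "GET, POST"}, None
    if emp_id not in EMPLOYEES:                         # member: /employees/{employee-id}
        return 404, {}, None
    if method == "GET":
        return 200, json_hdr, json.dumps(EMPLOYEES[emp_id])
    if method == "PUT":
        emp = _json_body(body)
        if emp is None:
            return 400, {}, None
        EMPLOYEES[emp_id] = dict(emp, id=emp_id)        # the URI names the resource, not the payload
        return 200, json_hdr, json.dumps(EMPLOYEES[emp_id])
    if method == "DELETE":
        del EMPLOYEES[emp_id]
        return 204, {}, None
    return 405, {"Allow": "GET, PUT, DELETE"}, None
```

Calling `handle("POST", "/employees/", '{"id": "yili", "name": "Yi Li"}')` yields `201` with `Location: /employees/yili`, and `handle("DELETE", "/employees/zhangke")` yields `404` when that member does not exist, which is the exchange the slide shows. The id in the URI always wins over an id in the PUT payload, so a client cannot rename a resource by editing the body.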
HTTP Status Codes
1xx Informational
– 100 Continue – should be ignored
– 101 Switching protocols
Success 2xx – request recognized and accepted
– 200 OK
– 201 Created
– 202 Accepted (to be processed later)
– 204 No content
– 206 Partial content (on partial GET)
Redirect 3xx
– 300 Multiple choices
– 301 Moved permanently
– 302 Found (temporary redirect)
– 303 See result elsewhere (using GET)
– 304 Not modified (on conditional GETs)
– 307 Temporary redirect
– Usually the client can redirect automatically
Errors 4xx
– 400 Bad, malformed request
– 401 Unauthorized
– 404 Not found
– 406 Not Acceptable
– 407 Proxy authentication required
– 410 Gone
– 412 Precondition failed
– Usually the client shouldn’t repeat the same request without changes.
Server Errors 5xx
– 500 Internal server error
– 501 Not implemented
– 503 Temporarily unavailable
– 505 HTTP version not supported
– Usually the client may repeat the same request later.
Understand HTTP response codes. Do not add semantics that are not implied; the codes are used by network proxies.
REST Recipe (Advanced) – For Algorithmic Resources
Verb     Collection (/Transfers)                    Member (e.g. /Transfers/344)
GET      Returns a list of all previous transfers   Returns the record of a specific Transfer
POST     Create a new Transfer!!                    Not Supported
PUT      Not Supported                              Could change parameters of a transfer still in progress; fails otherwise.
DELETE   Not Supported                              Cancel Transfer
Resources can be algorithms – Business Process, Façade, etc…
– Should follow HTTP verb semantics like any other resource
– Forces good auditing habits. Example: consider resource /Transfer – transfers money from one account to another
How to model the printer starting to print a document?
URI Patterns
URI patterns are determined by the type of resources you have.
Categorize your resource types.
– Basic Resources
– Simple
– Complex
– Collection
– Members
– Query
– Paging
– Sorting
– Algorithmic
Basic Resources
Resources can be anything – e.g. /instructions
Resources can be nested to present a subset of data – e.g. /instructions/Chapter2
Collections
Collection Type Resources
– Collection resources are made up of one or more members.
– List all the members of a collection, ex. GET /Account.
– Collections can be Ordered or Unordered:
– Ordered: collections have some order defined by some index. A sparse ordered collection can be missing certain keys.
– Unordered: collections cannot be ordered by an index.
– Members are identified by ID.
– ID can be generated by the provider: POST the member to the collection, ex. POST /Account. The Location response header is populated with /Account/<newId>.
– ID can be created by the client: POST to /Account/<newId>. Need to handle duplicate IDs in this case.
Query
Define Query Syntax
• Examples
– /<Collection>?filter=“<logical expression>”
– Standardize on expression syntax
– May be driven by the backend; for example, could be a JPA query
– /<Collection>?name="test"&age="33"
– Less flexible.
– Easier for the client to formulate.
When to use the filter query string and when to use the URI pattern?
Pagination
Pagination is essential for large collections.
– The URI pattern should include the notion of paging.
Examples:
– An ordered collection can use a common query parameter and a range to specify the page. For example, subsequent calls to
– /<Collection>?members=[0-9]
– /<Collection>?members=[10-19]
– Use start and count query parameters to accomplish paging. This technique will work with any ordered container type.
– /<Collection>?start=0&count=10
– /<Collection>?start=10&count=10
– Accept-Ranges, Content-Range, and Range headers?
– The HTTP spec defines Range headers, but these headers are more traditionally used for communicating ranges in terms of bytes of data, used by routers, proxies, and networks to do efficient transfer.
Sorting
Collections need to be sorted.
– Sorting can be done in the client using grid widgets like those in Dojo?
– Sorting can be done by resource providers.
Ordered collections can make use of a single parameter. Example: a sort parameter to get ascending or descending order of resources sorted by some default key.
– /<Collection>?sort=ascending (ascending based on the id field)
– /<Collection>?sort=descending (descending based on the id field)
You can have a specialized parameter to indicate sort. The sortBy parameter can be used to sort by any field.
– When you specify the sortBy query parameter alone, ascending is assumed.
– /<Collection>?sortBy="field1"
– /<Collection>?sortBy="field2,field7"
– You can use both the sort and sortBy parameters to specify the order of sort and the column.
– /<Collection>?sortBy="field1"&sort=ascending
– /<Collection>?sortBy="field2,field7"&sort=descending
– /<Collection>?sortBy="+field2,-field7"
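The query, pagination and sorting conventions from the last three slides (equality filters such as name="test"&age="33", start/count paging, and sortBy="+field2,-field7" with an optional sort=ascending|descending) implemented over one list. This is an added example, not code from the deck; the PEOPLE rows, the field allow-list and the page-size cap are constructed assumptions. The allow-list is the security-relevant part: a client may only filter or sort on fields the provider chose to expose, so a query string cannot probe columns the representation never shows.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample collection (example data, not from the original deck).
PEOPLE = [
    {"id": 1, "name": "wang", "age": 33},
    {"id": 2, "name": "test", "age": 41},
    {"id": 3, "name": "li", "age": 33},
    {"id": 4, "name": "zhang", "age": 28},
    {"id": 5, "name": "test", "age": 33},
]
FIELDS = {"id", "name", "age"}   # allow-list of fields a client may filter or sort on
MAX_COUNT = 100                  # upper bound on page size, whatever the client asks for

def parse_sort(sort_by, sort=None):
    """Turn sortBy="+field2,-field7" plus an optional sort=ascending|descending
    into [(field, descending), ...]; fields outside the allow-list are rejected."""
    default_desc = (sort == "descending")
    keys = []
    for item in sort_by.strip('"').split(","):
        item = item.strip()
        if not item:
            continue
        if item[0] in "+-":
            desc, field = (item[0] == "-"), item[1:]   # explicit sign wins
        else:
            desc, field = default_desc, item           # fall back to the sort parameter
        if field not in FIELDS:
            raise ValueError(f"cannot sort by {field!r}")
        keys.append((field, desc))
    return keys

def apply_query(collection, uri):
    """Apply ?field=value filters, sortBy/sort, and start/count paging to a list."""
    params = {k: v[-1] for k, v in parse_qs(urlsplit(uri).query).items()}
    rows = list(collection)
    for field in params.keys() & FIELDS:               # equality filters, quoted or not
        want = params[field].strip('"')
        rows = [r for r in rows if str(r[field]) == want]
    if "sortBy" in params:
        # Sort by the least significant key first; Python's sort is stable, so the
        # first key listed ends up as the primary order.
        for field, desc in reversed(parse_sort(params["sortBy"], params.get("sort"))):
            rows.sort(key=lambda r, f=field: r[f], reverse=desc)
    elif "sort" in params:                             # default key is id
        rows.sort(key=lambda r: r["id"], reverse=(params["sort"] == "descending"))
    start = max(int(params.get("start", 0)), 0)
    count = min(max(int(params.get("count", 10)), 0), MAX_COUNT)
    return rows[start:start + count]
```

Note that a literal `+` in a query string decodes to a space, so a client must send `sortBy="%2Bfield2,-field7"`; a non-numeric start or count raises ValueError, which the handler should map to 400 Bad Request.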
Content Negotiation
Resources can have multiple representations.
– Content negotiation is the idea that a single resource can have multiple data representations.
Sometimes done informally through URI parameters:
– Using a <dot notation>, like this: /document.html and /document.json
– Using a query parameter, like this: /myResource?format=json
Content Negotiation using the Accept Header
Content more than format:
– Accept
– Accept-Charset
– Accept-Encoding
– Accept-Language
Flow:
– Client issues a request with the Accept header populated with one or more acceptable types.
– If no Accept header is provided, the provider is free to serve a default.
– Provider checks the list and provides the best option.
– If none is found, 406 Not Acceptable is returned.
Precedence is determined by order and specificity:
– Accept: text/*, text/html, text/html;level=1, */*
– has the following precedence: 1) text/html;level=1  2) text/html  3) text/*  4) */*
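The negotiation flow above as working code: parse the Accept header, rank media ranges by specificity exactly as the slide's example does, and pick the best of the representations the provider actually has, returning None where the provider should answer 406 Not Acceptable. This is an added example, not the deck's or any library's code; the ranking rule (wildcards lose to concrete types, a type with parameters beats one without, ties keep header order) and the q-value handling are the standard HTTP/1.1 rules as I understand them.

```python
def parse_accept(header):
    """Parse an Accept header into (type, subtype, params, q, position) tuples."""
    ranges = []
    for pos, part in enumerate(header.split(",")):
        pieces = [p.strip() for p in part.split(";")]
        if "/" not in pieces[0]:
            continue                                   # skip malformed entries
        mtype, subtype = (s.strip().lower() for s in pieces[0].split("/", 1))
        params, q = {}, 1.0
        for piece in pieces[1:]:
            if "=" not in piece:
                continue
            key, value = (s.strip() for s in piece.split("=", 1))
            if key.lower() == "q":
                try:
                    q = min(max(float(value), 0.0), 1.0)
                except ValueError:
                    q = 0.0                            # unparsable q: treat as not acceptable
            else:
                params[key] = value
        ranges.append((mtype, subtype, params, q, pos))
    return ranges

def specificity(media_range):
    """*/* < text/* < text/html < text/html;level=1 (more parameters win)."""
    mtype, subtype, params, _, _ = media_range
    if mtype == "*":
        return 0
    if subtype == "*":
        return 1
    return 2 + len(params)

def precedence(header):
    """Media ranges of an Accept header ordered most specific first."""
    ordered = sorted(parse_accept(header), key=lambda r: (-specificity(r), r[4]))
    return [r[0] + "/" + r[1] + "".join(f";{k}={v}" for k, v in r[2].items())
            for r in ordered]

def negotiate(header, available):
    """Pick the best of the server's available media types; None means 406."""
    if not header:
        return available[0]                            # no Accept header: serve the default
    ranges = parse_accept(header)
    best = None
    for offer in available:
        otype, osub = offer.lower().split("/", 1)
        matches = [r for r in ranges
                   if r[0] in ("*", otype) and r[1] in ("*", osub) and not r[2]]
        if not matches:
            continue
        q = max(matches, key=specificity)[3]           # the most specific match sets q
        if q > 0 and (best is None or q > best[0]):
            best = (q, offer)
    return best[1] if best else None
```

For the slide's header, `precedence("text/*, text/html, text/html;level=1, */*")` returns the four ranges in the order 1) to 4) shown above; `negotiate("application/xml", ["text/html", "application/json"])` returns None, which the provider turns into 406.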
Cache Example 1
(Illustrated on the slides; see http://tomayko.com/writings/things-caches-do)
Cache Example 1 (Cont.)
Cache Example 1 (Cont.)
Cache Example 2
Cache Example 2 (Cont.)
Caching Tips
Caching directives should only be used on GET – since GETs are idempotent.
HTTP caches are typical in user environments – so nothing special needs to be set up/configured, assuming users define information correctly.
Understand your resources (and whether information can be cached – and for how long).
Calculation of entity tags isn’t easy (for dynamic data)
– See http://bitworking.org/news/150/REST-Tip-Deep-etags-give-you-more-benefits
– Static files from a web server use inode, last-modified, and file size to indicate uniqueness
– One technique is to concatenate values of key pieces and hash that string
– Databases may have unique fields (i.e. database triggers on modification) that can store revision identifiers
Optimistic Concurrency
Resource exchange – holding database locks is a bad idea.
Optimistic concurrency
– Back-end physical resources should have a version number, version column, timestamp, etc…
– Example: JPA @Version annotation
– Clients and servers exchange these versions
Options
– Communicate as part of the payload: consumers and producers only.
– Use standard HTTP headers: proxies, routers, caches… can take advantage.
Optimistic Concurrency using HTTP Headers
Consumer executes GET. Provider returns the version/timestamp in the ETag header: ETag: 874733827
Consumer executes the update through HTTP PUT, populating If-Match: 874733827
Provider reads the If-Match header and queries the version from the back end.
– Updates and returns the appropriate HTTP success code if a match is made.
– Otherwise returns 412 Precondition Failed.
Consumer may decide later to check whether data is stale using If-Modified-Since. Used for conditional GET. Conditional updates use If-None-Match.
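The header exchange on this slide and the "concatenate key pieces and hash" ETag recipe from the caching tips, as one runnable provider-side example. It is added here and is not the deck's code: the ACCOUNTS rows with their version column, the /Account URI and the 428 response for a PUT that carries no If-Match at all (a policy choice so that no client can blindly overwrite) are assumptions. The point it shows is the lost-update protection: two consumers that GET the same ETag cannot both succeed with a PUT, the second one gets 412.

```python
import hashlib

# Constructed back-end rows with a version column (what a JPA @Version field would hold).
ACCOUNTS = {"344": {"owner": "yili", "balance": 100, "version": 7}}

def compute_etag(record):
    """Deep ETag: concatenate the key pieces of the record and hash the string."""
    key = "|".join(str(record[k]) for k in ("owner", "balance", "version"))
    return '"' + hashlib.sha256(key.encode()).hexdigest()[:16] + '"'

def get(account_id, if_none_match=None):
    """Conditional GET: 304 when the consumer's ETag still matches the current one."""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        return 404, {}, None
    etag = compute_etag(rec)
    if if_none_match is not None and if_none_match in ("*", etag):
        return 304, {"ETag": etag}, None
    return 200, {"ETag": etag, "Cache-Control": "max-age=0, must-revalidate"}, dict(rec)

def put(account_id, new_balance, if_match=None):
    """Conditional update: apply the PUT only if If-Match equals the current ETag."""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        return 404, {}, None
    if if_match is None:
        return 428, {}, None            # precondition required (assumed policy: never blind-write)
    current = compute_etag(rec)
    if if_match != current:
        return 412, {"ETag": current}, None   # someone else changed it first
    rec["balance"] = new_balance
    rec["version"] += 1                 # bump the version, which changes the ETag
    return 200, {"ETag": compute_etag(rec)}, dict(rec)

def create(account_id, record, if_none_match=None):
    """Create-only PUT: If-None-Match: * fails with 412 when the resource already exists."""
    if if_none_match == "*" and account_id in ACCOUNTS:
        return 412, {}, None
    ACCOUNTS[account_id] = dict(record)
    headers = {"ETag": compute_etag(ACCOUNTS[account_id]), "Location": f"/Account/{account_id}"}
    return 201, headers, None
```

Because the ETag is derived from the version column rather than from a timestamp, two updates within the same second still produce distinct tags, and any proxy or cache on the path can validate with If-None-Match without understanding the payload.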
Links
Links to resources are considered a best practice.
However, patterns are emerging to discuss when (and how often) to return links to data (vs. the data itself).
Chattiness of requests increases network traffic and latency.
– Prior examples of distributed computing complained about “chattiness” – e.g. IIOP and distributed RPC
– SOA is about coarse-grained services (loosely coupled)
Reducing network calls
– Special parameter
– http://host/service.svc/Orders?expand=OrderLines/Product,Customer,Customer/Address
– /Order?loadRelated=LineItems – very quickly starts becoming RPC
– Headers and schemas (better)
– Accept: application/atom+xml
REST and Security – Still the Same!!!
REST is about exploiting HTTP.
– Use the standard authentication mechanisms you would for web pages: Basic Auth / Form Auth / Tokens; LTPA, OpenID, etc…
– Use SSL for secure data like you would for a web page. Fixed encryption model (HTTPS).
– Authorization is URI based: apply security rules to URLs and verbs like you would to web pages. Examples: Servlet URI constraints, Web Server ACLs.
– Follow the key security lectures for application hardening!!
– Unvalidated input (validate all input!!!)
– Broken access control
– Broken authentication and state management
– Cross-site scripting (XSS)
– Buffer overflows
– Injection flaws
– Improper error handling
– Insecure storage
– Denial of service
– Insecure configuration management
REST and Security – Consumer usage
REST is used in mashup behaviour.
• Because REST services are often used in mashups, extra care should be taken in this scenario.
– Use a server-side Ajax proxy to black-list untrusted sites.
– Identity propagation and translation across domains might be needed.
• Support open standards like OpenID.
• Do identity translation at the server proxy level.
• Example: DataPower may do identity switching between token types.
– Inspect third-party content for malicious JavaScript.
• Clients should parse JSON from untrusted sources instead of doing a direct eval.
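The two consumer-side defences on this slide, the server-side Ajax proxy that decides which third-party sites may be fetched and the rule that untrusted JSON is parsed rather than evaluated, as one added example. It is not code from the deck: the proxy is written with an allow-list (the stricter form of the black-list the slide names), and the ALLOWED_HOSTS set, the size cap and the `fetch_via_proxy()` glue are constructed assumptions. The JSONP-style `callback({...})` sample input is constructed to show why `json.loads` is the right tool: an `eval` would run it, the parser rejects it.

```python
import json
from urllib.parse import urlsplit

# Constructed allow-list: the only third-party API hosts this server-side proxy will fetch from.
ALLOWED_HOSTS = {"api.example.org", "feeds.example.net"}
MAX_BODY_BYTES = 1 << 20          # refuse oversized third-party responses before parsing

def check_proxy_target(url):
    """Validate the URL a mashup page asks the proxy to fetch; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https targets are forwarded"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"        # also catches host@evil tricks
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host or '<none>'}"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-standard port"
    return True, "ok"

def parse_untrusted_json(text):
    """Parse third-party JSON with json.loads only (never eval) and check its shape."""
    if len(text) > MAX_BODY_BYTES:
        raise ValueError("response too large")
    try:
        data = json.loads(text)                           # strict JSON grammar, no code execution
    except ValueError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object at top level")
    return data

def fetch_via_proxy(url, raw_response):
    """Glue for the two checks; raw_response stands in for the body the proxy fetched."""
    allowed, reason = check_proxy_target(url)
    if not allowed:
        return 403, {"error": reason}
    try:
        return 200, parse_untrusted_json(raw_response)
    except ValueError as exc:
        return 502, {"error": str(exc)}                   # bad upstream content, not a client error
```

The proxy returns a parsed, shape-checked object to the browser, so the page never has to run `eval` on third-party text; identity translation (the OpenID/DataPower point on the slide) would sit between `check_proxy_target()` and the actual fetch.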
Is WS-* Dead?
Developers prefer REST
– “Amazon has both SOAP and REST interfaces to their web services, and 85% of their usage is of the REST interface.” — Tim O’Reilly
And even WS-* advocates agree
– “For applications that require Internet scalability (e.g., mass consumer-oriented services), plain old XML (POX) is a much better solution than WS-*.” — Anne Thomas Manes
Extending SOA with Web 2.0 – RESTful SOA
Web 2.0 is an extension of SOA; the two complement each other. A RESTful SOA is an Internet-facing service architecture that follows SOA principles and design philosophy. Technically it has the following characteristics:
– Makes full use of existing Internet technologies and infrastructure
– Mainly uses REST to represent and access services
– Uses simple data formats such as JSON, XML or ATOM feeds
– Works together with AJAX to deliver a rich user experience.
Main advantages of a RESTful SOA:
– Simple: uses a limited set of simple, widely accepted technologies, e.g. HTTP/HTTPS as the transport protocol.
– Easy to use: a simple programming model.
– Ubiquitous: based on widely accepted technologies; a large number of examples can be found on the Internet.
– Scalable: makes full use of proven Internet infrastructure such as caching to build large-scale distributed computing systems.
Combining Enterprise SOA and RESTful SOA
Enterprise SOA and WS-* technologies focus more on interoperability between heterogeneous systems, for example:
– WS-Security provides end-to-end security services in distributed systems
– WS-Addressing provides transport-protocol-independent endpoint description
– WS-I standards guarantee interoperability between different Web service frameworks.
RESTful SOA focuses more on service accessibility and consumability. The core services and information assets of the enterprise SOA can be extended to the Web, and business processes extended into the business community, raising the value of the SOA.
(Figure: Web side – REST, JSON, XML, RSS, ATOM; Enterprise side – DB2, Legacy, CICS, IMS, J2EE application servers (WAS, CE, Tomcat), WPS, ESB, Portal; connected through SOAP/WS-*, JMS/MOM and REST.)
From Open API to Next Generation Open Business Model
Reference
– Architectural Styles and the Design of Network-based Software Architectures
– How I Explained REST to My Wife
– http://www.infoq.com/cn/articles/webber-rest-workflow
– http://www.china-pub.com/39902&ref=ps
Caching
Resources on web caching
– http://www.mnot.net/cache_docs/
– http://tomayko.com/writings/things-caches-do
– http://www.peej.co.uk/articles/http-caching.html