modern web application network architecture

Post on 30-Nov-2014


DESCRIPTION

Talk about web application architecture for Java web applications targeting JavaScript single-page applications

TRANSCRIPT

ARCHITECTURE

Tuesday, 11 February 14

FROM PRESENTATION TO SERVICE LAYER


OLD STYLE PRESENTATION LAYER (Browser / Server)

GET /index.html HTTP/1.1
200/OK (HTML)

GET /contacts-table.html HTTP/1.1
200/OK (HTML)

POST /servlet/contacts HTTP/1.1
200/OK (HTML)

render markup
render markup

DATA CENTRIC SERVICE LAYER (Browser / Server)

GET /index.html HTTP/1.1
200/OK (HTML)

GET /api/contacts HTTP/1.1
200/OK (JSON)

PUT /api/contacts/12 HTTP/1.1
200/OK (JSON)

render markup
render markup

WHERE ARE WE HEADING TO? (Browser / Server)

GET /index.html HTTP/1.1
200/OK (HTML)

GET /contacts-table.html HTTP/1.1
200/OK (HTML)

render markup

ws://future.now/ws

PUT /api/contacts/12 HTTP/1.1
200/OK (JSON)

render markup

WebSockets!

REST AND CRUD


JAX-RS

@GET
@Produces("application/json")
public Collection<ToDo> getAll() throws ServiceException { ... }

@GET
@Path("/{uuid}")
@Produces("application/json")
public ToDo get(@PathParam("uuid") String id) throws ServiceException { ... }

@PUT
@Consumes("application/json")
@Produces("application/json")
public ToDo createToDo(ToDo toDo) throws ServiceException { ... }

CORS

CROSS ORIGIN RESOURCE SHARING


PREFLIGHT REQUEST

curl -X OPTIONS --verbose --insecure https://localhost:8181/baas/api/todo

> OPTIONS /baas/api/todo HTTP/1.1...

< HTTP/1.1 200 OK
< X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Apple Inc./1.6)
< Server: GlassFish Server Open Source Edition 3.1.2.2
< Allow: OPTIONS,GET,HEAD,PUT
< Last-modified: Do, 15 Aug 2013 00:26:54 MESZ
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE
< Access-Control-Allow-Headers: content-type,authorization,x-requested-with
< Access-Control-Max-Age: 1728000
< Content-Type: application/vnd.sun.wadl+xml
< Content-Length: 1642
< Date: Wed, 14 Aug 2013 22:44:55 GMT
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><application xmlns="http://wadl.dev.java.net/2009/02">...</application>

CORS (Browser / Server of origin / Service provider)

Browser -> server of origin: GET /index.html HTTP/1.1
200/OK (HTML)

Browser -> service provider: OPTIONS /api/contacts HTTP/1.1 (preflight request!)
200/OK (WADL)

Browser -> service provider: GET /api/contacts HTTP/1.1
200/OK (JSON)

render markup

SETTING CORS HEADERS

@WebFilter(filterName = "CorsFilter", urlPatterns = {"/*"})
public class CorsFilter implements Filter {

    private void doBeforeProcessing(ServletRequest request, ServletResponse response)
            throws IOException, ServletException {
        final HttpServletResponse httpResponse = (HttpServletResponse) response;
        httpResponse.addHeader("Access-Control-Allow-Origin", "*");
        httpResponse.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        httpResponse.addHeader("Access-Control-Allow-Headers", "x-requested-with, accept, origin, authorization");
        httpResponse.addHeader("Access-Control-Max-Age", "1728000");
    }

    ... // netbeans default Filter pattern
}

JEE WebFilter (GlassFish 4.0)

CORS

curl -X OPTIONS --verbose --insecure https://localhost:8181/baas/api/todo

< HTTP/1.1 200 OK
< X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Apple Inc./1.6)
< Server: GlassFish Server Open Source Edition 3.1.2.2
< Allow: OPTIONS,GET,HEAD,PUT
< Last-modified: Do, 15 Aug 2013 00:26:54 MESZ
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE
< Access-Control-Allow-Headers: content-type,authorization,x-requested-with
< Access-Control-Max-Age: 1728000
< Content-Type: application/vnd.sun.wadl+xml
< Content-Length: 1642
< Date: Wed, 14 Aug 2013 22:44:55 GMT
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><application xmlns="http://wadl.dev.java.net/2009/02"> ...</application>

WADL

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <resources base="https://localhost:8181/baas/api/">
        <resource path="todo">
            <method id="createToDo" name="PUT">
                <request>
                    <representation mediaType="application/json"/>
                </request>
                <response>
                    <representation mediaType="application/json"/>
                </response>
            </method>
            ...
        </resource>
    </resources>
</application>

AUTHENTICATION


WEB.XML

<security-constraint>
    <display-name>REST API</display-name>
    <web-resource-collection>
        <web-resource-name>web-api</web-resource-name>
        <url-pattern>/api/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>

HTTPS (transport-guarantee CONFIDENTIAL)

basic auth (auth-method BASIC)

HTTPS AND BASIC AUTH

• + easy to implement

• - password is sent on every request

• (- browser stores credentials for session)

• (- browser may store creds permanently)

• corporate proxies

• not for really sensitive data

BASIC AUTHENTICATION

curl -X GET --verbose --insecure https://localhost:8181/baas/api/todo

> GET /baas/api/todo HTTP/1.1...

< HTTP/1.1 401 Unauthorized
< X-Powered-By: Servlet/3.0 JSP/2.2 [...]
< Server: GlassFish Server Open Source Edition 3.1.2.2
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Thu, 01 Jan 1970 01:00:00 CET
< WWW-Authenticate: Basic realm="file"
< Content-Type: text/html
< Content-Length: 1073
< Date: Wed, 14 Aug 2013 23:33:48 GMT
<

BASIC AUTHENTICATION

curl -X GET --verbose --insecure -u marc:geheim https://localhost:8181/baas/api/todo

> GET /baas/api/todo HTTP/1.1
> Authorization: Basic bWFyYzpnZWhlaW0=
> User-Agent: ...
> Host: localhost:8181
> Accept: */*
>

< HTTP/1.1 200 OK

EXERCISES

~/ws/05-Architecture/jquery-rest

~/ws/05-Architecture/baas-gf

HTTPS AND FORM AUTH

• auth method form in web.xml

• credential sent only once (+)

• SSO (+)

• corporate proxies (-)

SETTING CORS HEADERS

public class CrossOriginResourceSharingFilter implements ContainerResponseFilter {

    @Override
    public ContainerResponse filter(ContainerRequest request, ContainerResponse response) {
        response.getHttpHeaders().putSingle("Access-Control-Allow-Origin", "*");
        response.getHttpHeaders().putSingle("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
        response.getHttpHeaders().putSingle("Access-Control-Allow-Headers", "content-type,authorization,x-requested-with");
        response.getHttpHeaders().putSingle("Access-Control-Max-Age", "3600");
        return response;
    }
}

Jersey (e.g. Jersey/Tomcat)
