Modern web application network architecture


Upload: marc-baechinger

Post on 30-Nov-2014


DESCRIPTION

Talk about web application architecture for Java web applications that serve JavaScript single-page applications.

TRANSCRIPT

Page 1: Modern web application network architecture

ARCHITECTURE

Tuesday, 11 February 14

Page 2: Modern web application network architecture

FROM PRESENTATION TO SERVICE LAYER


Page 3: Modern web application network architecture

OLD STYLE PRESENTATION LAYER

Browser <-> Server:

    GET /index.html HTTP/1.1
    200/OK (HTML)

    GET /contacts-table.html HTTP/1.1
    200/OK (HTML)

    POST /servlet/contacts HTTP/1.1
    200/OK (HTML)

render markup

render markup

Page 4: Modern web application network architecture

DATA CENTRIC SERVICE LAYER

Browser <-> Server:

    GET /index.html HTTP/1.1
    200/OK (HTML)

    GET /api/contacts HTTP/1.1
    200/OK (JSON)

    PUT /api/contacts/12 HTTP/1.1
    200/OK (JSON)

render markup

render markup

Page 5: Modern web application network architecture

WHERE ARE WE HEADING TO?

Browser <-> Server:

    GET /index.html HTTP/1.1
    200/OK (HTML)

    GET /contacts-table.html HTTP/1.1
    200/OK (HTML)

render markup

    ws://future.now/ws

    PUT /api/contacts/12 HTTP/1.1
    200/OK (JSON)

render markup

WebSockets!

Page 6: Modern web application network architecture

REST AND CRUD


Page 7: Modern web application network architecture

JAX-RS

    @GET
    @Produces("application/json")
    public Collection<ToDo> getAll() throws ServiceException {
        ...
    }

    @GET
    @Path("/{uuid}")
    @Produces("application/json")
    public ToDo get(@PathParam("uuid") String id) throws ServiceException {
        ...
    }

    @PUT
    @Consumes("application/json")
    @Produces("application/json")
    public ToDo createToDo(ToDo toDo) throws ServiceException {
        ...
    }

Page 8: Modern web application network architecture

CORS

CROSS ORIGIN RESOURCE SHARING


Page 9: Modern web application network architecture

PREFLIGHT REQUEST

    curl -X OPTIONS --verbose --insecure https://localhost:8181/baas/api/todo

    > OPTIONS /baas/api/todo HTTP/1.1
    ...

    < HTTP/1.1 200 OK
    < X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Apple Inc./1.6)
    < Server: GlassFish Server Open Source Edition 3.1.2.2
    < Allow: OPTIONS,GET,HEAD,PUT
    < Last-modified: Do, 15 Aug 2013 00:26:54 MESZ
    < Access-Control-Allow-Origin: *
    < Access-Control-Allow-Methods: GET, POST, PUT, DELETE
    < Access-Control-Allow-Headers: content-type,authorization,x-requested-with
    < Access-Control-Max-Age: 1728000
    < Content-Type: application/vnd.sun.wadl+xml
    < Content-Length: 1642
    < Date: Wed, 14 Aug 2013 22:44:55 GMT
    <
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <application xmlns="http://wadl.dev.java.net/2009/02">...</application>

Page 10: Modern web application network architecture

Browser <-> Server of origin:

    GET /index.html HTTP/1.1
    200/OK (HTML)

Browser <-> Service provider:

    OPTIONS /api/contacts HTTP/1.1
    200/OK (WADL)

    GET /api/contacts HTTP/1.1
    200/OK (JSON)

render markup

CORS preflight request!

Page 11: Modern web application network architecture

SETTING CORS HEADERS

    @WebFilter(filterName = "CorsFilter", urlPatterns = {"/*"})
    public class CorsFilter implements Filter {

        private void doBeforeProcessing(ServletRequest request, ServletResponse response)
                throws IOException, ServletException {
            final HttpServletResponse httpResponse = (HttpServletResponse) response;
            httpResponse.addHeader("Access-Control-Allow-Origin", "*");
            httpResponse.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
            httpResponse.addHeader("Access-Control-Allow-Headers", "x-requested-with, accept, origin, authorization");
            httpResponse.addHeader("Access-Control-Max-Age", "1728000");
        }

        ... // netbeans default Filter pattern
    }

JEE WebFilter (GlassFish 4.0)

Page 12: Modern web application network architecture

CORS

    curl -X OPTIONS --verbose --insecure https://localhost:8181/baas/api/todo

    < HTTP/1.1 200 OK
    < X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Apple Inc./1.6)
    < Server: GlassFish Server Open Source Edition 3.1.2.2
    < Allow: OPTIONS,GET,HEAD,PUT
    < Last-modified: Do, 15 Aug 2013 00:26:54 MESZ
    < Access-Control-Allow-Origin: *
    < Access-Control-Allow-Methods: GET, POST, PUT, DELETE
    < Access-Control-Allow-Headers: content-type,authorization,x-requested-with
    < Access-Control-Max-Age: 1728000
    < Content-Type: application/vnd.sun.wadl+xml
    < Content-Length: 1642
    < Date: Wed, 14 Aug 2013 22:44:55 GMT
    <
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <application xmlns="http://wadl.dev.java.net/2009/02"> ...</application>

Page 13: Modern web application network architecture

WADL

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <application xmlns="http://wadl.dev.java.net/2009/02">
        <resources base="https://localhost:8181/baas/api/">
            <resource path="todo">
                <method id="createToDo" name="PUT">
                    <request>
                        <representation mediaType="application/json"/>
                    </request>
                    <response>
                        <representation mediaType="application/json"/>
                    </response>
                </method>
                ...
            </resource>
        </resources>
    </application>

Page 14: Modern web application network architecture

AUTHENTICATION


Page 15: Modern web application network architecture

WEB.XML

    <security-constraint>
        <display-name>REST API</display-name>
        <web-resource-collection>
            <web-resource-name>web-api</web-resource-name>
            <url-pattern>/api/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>

HTTPS (transport-guarantee CONFIDENTIAL)

Basic auth (auth-method BASIC)

Page 16: Modern web application network architecture

HTTPS AND BASIC AUTH

• + easy to implement

• - password is sent on every request

• (- browser stores credentials for the session)

• (- browser may store credentials permanently)

• corporate proxies

• not for really sensitive data

Page 17: Modern web application network architecture

BASIC AUTHENTICATION

    curl -X GET --verbose --insecure https://localhost:8181/baas/api/todo

    > GET /baas/api/todo HTTP/1.1
    ...

    < HTTP/1.1 401 Unauthorized
    < X-Powered-By: Servlet/3.0 JSP/2.2 [...]
    < Server: GlassFish Server Open Source Edition 3.1.2.2
    < Pragma: No-cache
    < Cache-Control: no-cache
    < Expires: Thu, 01 Jan 1970 01:00:00 CET
    < WWW-Authenticate: Basic realm="file"
    < Content-Type: text/html
    < Content-Length: 1073
    < Date: Wed, 14 Aug 2013 23:33:48 GMT
    <

Page 18: Modern web application network architecture

BASIC AUTHENTICATION

    curl -X GET --verbose --insecure -u marc:geheim https://localhost:8181/baas/api/todo

    > GET /baas/api/todo HTTP/1.1
    > Authorization: Basic bWFyYzpnZWhlaW0=
    > User-Agent: ...
    > Host: localhost:8181
    > Accept: */*
    >

    < HTTP/1.1 200 OK
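The Authorization header in the transcript above is only base64-encoded, not encrypted, which is why the slides pair Basic auth with HTTPS and flag corporate proxies as a concern. As an added example that is not part of the slides, a small parser that recovers the user name and password from such a header value; it assumes UTF-8 for the decoded bytes, which RFC 7617 leaves to the server unless a charset parameter is advertised.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Parser for an HTTP Basic Authorization header value (added example, not from the slides). */
public final class BasicAuthHeader {

    /** Returns {user, password}, or null when the header is absent, not Basic, or malformed. */
    public static String[] parse(String authorization) {
        if (authorization == null) {
            return null;
        }
        // The scheme name is case-insensitive (RFC 7617); a space separates it from the token.
        int sp = authorization.indexOf(' ');
        if (sp < 0 || !authorization.substring(0, sp).equalsIgnoreCase("Basic")) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(authorization.substring(sp + 1).trim());
        } catch (IllegalArgumentException e) {
            return null; // token is not valid base64
        }
        // Assumption: UTF-8, the usual choice when no charset parameter was sent in the challenge.
        String userPass = new String(raw, StandardCharsets.UTF_8);
        // Split at the FIRST colon only: user-ids must not contain ':', but passwords may.
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] {userPass.substring(0, colon), userPass.substring(colon + 1)};
    }

    public static void main(String[] args) {
        // The header value exactly as curl sent it in the transcript on this slide.
        String[] creds = parse("Basic bWFyYzpnZWhlaW0=");
        System.out.println("user=" + creds[0] + " password=" + creds[1]);
    }
}
```

Running it prints the user name and the password from the curl command in clear, which is what every proxy or log on the path sees unless the connection is HTTPS end to end.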


Page 19: Modern web application network architecture

EXERCISES

~/ws/05-Architecture/jquery-rest

~/ws/05-Architecture/baas-gf

Page 20: Modern web application network architecture

HTTPS AND FORM AUTH

• auth-method FORM in web.xml

• credential sent only once (+)

• SSO (+)

• corporate proxies (-)

Page 21: Modern web application network architecture

SETTING CORS HEADERS

    public class CrossOriginResourceSharingFilter implements ContainerResponseFilter {

        @Override
        public ContainerResponse filter(ContainerRequest request, ContainerResponse response) {
            response.getHttpHeaders().putSingle("Access-Control-Allow-Origin", "*");
            response.getHttpHeaders().putSingle("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            response.getHttpHeaders().putSingle("Access-Control-Allow-Headers", "content-type,authorization,x-requested-with");
            response.getHttpHeaders().putSingle("Access-Control-Max-Age", "3600");
            return response;
        }
    }

Jersey (e.g. Jersey/Tomcat)
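Both filters on the slides (the servlet WebFilter and the Jersey filter above) answer every origin with Access-Control-Allow-Origin: *. As an added example that is not part of the slides, the same filter written against the JAX-RS 2 filter API (javax.ws.rs.container): it restricts access to an origin allowlist (the origins listed are assumed), echoes only a matching origin instead of "*", and answers the preflight from the filter so no resource method runs for OPTIONS.

```java
import java.io.IOException;
import java.util.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** CORS filter with an origin allowlist (added example; the origins below are assumed). */
@Provider
@PreMatching
public class AllowlistCorsFilter implements ContainerRequestFilter, ContainerResponseFilter {

    // Assumed allowlist: exact scheme + host + port of the pages allowed to call this API.
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://spa.example.test", "https://localhost:8181"));
    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS";
    private static final String ALLOWED_HEADERS = "content-type, authorization, x-requested-with";

    /** Exact-match check; no prefix or regex matching, which is where allowlists usually go wrong. */
    static boolean isAllowedOrigin(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    /** Request side: answer the preflight here so no resource method runs for OPTIONS. */
    @Override
    public void filter(ContainerRequestContext req) throws IOException {
        if ("OPTIONS".equals(req.getMethod())
                && req.getHeaderString("Access-Control-Request-Method") != null) {
            req.abortWith(Response.noContent().build()); // CORS headers are added below
        }
    }

    /** Response side: runs for normal responses and for the aborted preflight alike. */
    @Override
    public void filter(ContainerRequestContext req, ContainerResponseContext res) throws IOException {
        String origin = req.getHeaderString("Origin");
        MultivaluedMap<String, Object> headers = res.getHeaders();
        headers.add("Vary", "Origin"); // a shared cache must not replay an echoed origin to another site
        if (!isAllowedOrigin(origin)) {
            return; // no Access-Control-Allow-Origin at all: the browser blocks the cross-origin read
        }
        headers.putSingle("Access-Control-Allow-Origin", origin); // echo the matching origin, not "*"
        headers.putSingle("Access-Control-Allow-Credentials", "true"); // required when the browser sends Basic credentials
        headers.putSingle("Access-Control-Allow-Methods", ALLOWED_METHODS);
        headers.putSingle("Access-Control-Allow-Headers", ALLOWED_HEADERS);
        headers.putSingle("Access-Control-Max-Age", "3600");
    }
}
```

Note that the web.xml security-constraint on the WEB.XML slide lists only GET, POST, PUT and DELETE, so the OPTIONS preflight reaches this filter without credentials, which is exactly what the curl preflight transcript shows.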
