Rest Webservices

API types

• Public, private, partner
• No difference in implementation. 
• Only difference in how it is managed
• Security
• Documentation
• Access request
• SLA management

API Key

• An application programming interface key (API key) is a unique code that is passed in to an API to identify the calling application or user. ... The API key often acts as both a unique identifier and a secret token for authentication, and generally has a set of access that is specific to the identity associated with it.

Restful Design rules

• Client Server-> both on different processes focusing on separation of concerns
  
• uniform interface 
• resources indentified by uri/url
• Client receives representation of resource
• self descriptive messages/metadata(http headers)
• hypermedia
• HATEOAS(hypermedia as the engine of application state)
  
• stateless ->
  
• caching -> use http headers
  
• layered
• code on demand(optional)

Statelessness

• Challenges
• increased chattiness 
• Workaround is to leverage Cacheing
• Caching can be implemented as DB, middle tier server, application/client, Gateway/proxy
  
• Server should specify cache-control directives in responses to control Caching behavior
• Cache-Control
• No-Store -> no chaching
  
• Private -> only on client device
  
• Public -> cached any where
  
• Max-age- Time in seconds for cache expiry
• Caching helps in Scalability & performance

Layered Architecture

• Each layer depends only on one layer

Code on Demand

• Server can extend the functionality of client by sending code

REST API endpoint

API Security

• Authentication
• Basic
• simple & easy
• send credentials in HTTP header called Authorization
• OK to use with HTTPS
• Weakness
• Credentials to be sent in every request
• Tokens & JWT(Javascript web token)
  
•  Invoke /token endpoint with credentials. Server will send Token
  
• All subsequent calls can be made with just the Token inlieu of credentials.
• API key & Secret
• Oauth
  
• Authorization
• functional attack
  

 Token

• It is encoded string used for authentication
• JWT is common standard for creating Tokens and stands for Json webtoken.  
• It has 3 parts - Header.Payload.Signature
• Header
• Type
• Hashing algorithm
• Payload 
• Issuer
• expiry
• and many...
• Signature
• Created from base64 header+base64 payload
• hashing above value with secret

API key & Secret

• Key & secret given for application registered with Rest api owners
• They are also called as clientId/Key & 
• Secret is like password
  
• usage
• analytics
•  tokens from api provider
• Rate limiting
• 
  

 

Webservices are services that are exposed to internet for programmatic access. They are online apis in java code.
REST Characteristics:

• HTTP Exchange: Exchange of data happens over web ie http
• Protocol: Message Format -> None(xml, json, text can be used as long as client and server understands)
• Service definition: None. WADL is not popular are not widely used.

REST is a concept/idea. It doesn't have any specification. No committee to tell whats right or wrong.
REST is introduced by Roy Fielding in his doctoral thesis in 2000. It stands for REpresentational State Transfer. It is an architectural style. Roy is one of the authors of the HTTP specification.

Only guidelines and NO Rules.

'web services' are an 'integration' technology. Integration technologies are used when your software needs to exchange data with other systems.

It is a software system designed to support inter-operable machine-machine interaction over network.

• Every Java standard has a Reference Implementation. 
• Jersey is the RI for Jax-RS
• Glass fish is Java EE RI and hence no additional downloads are required for REST.

REST - Representational State Transfer
Concepts: