Rest in a Nutshell 2014_05_27

REST in a Nutshell By Derrick Isaacson


See some quick patterns and anti-patterns for RESTful web services.

Transcript of Rest in a Nutshell 2014_05_27

Page 1: Rest in a Nutshell 2014_05_27

REST in a Nutshell

By Derrick Isaacson

Page 2: Rest in a Nutshell 2014_05_27

Can I get that without the bacon?

Said no one ever

http://www.food.com/photo-finder/all/bacon?photog=1072593

Page 4: Rest in a Nutshell 2014_05_27

http://www.someecards.com/usercards/viewcard/MjAxMi03YWZiMjJiMTg3NDFhYTUy

Page 5: Rest in a Nutshell 2014_05_27

Simplicity of Single Component Services

• I can’t remember if that getter function takes 100ns or 100ms. - Said no engineer ever
  • Should I try to model this server request as a “remote procedure call”?
  • 6 orders of magnitude difference!

• My front-side bus fails for only 1 second every 17 minutes! - Said no engineer ever
  • 99.9% availability

• Our internet only supports .NET. - Said no engineer ever
  • Do we need an SDK?

Page 6: Rest in a Nutshell 2014_05_27

"A distributed system is at best a necessary evil, evil because of the extra complexity...An application is rarely, if ever, intrinsically distributed. Distribution is just the lesser of the many evils, or perhaps better put, a sensible engineering decision given the trade-offs involved."

-David Cheriton, Distributed Systems Lecture Notes, ch. 1

Page 7: Rest in a Nutshell 2014_05_27

Distributed System Architectures

Does it have to be “Service-oriented”?

Page 8: Rest in a Nutshell 2014_05_27

http://upload.wikimedia.org/wikipedia/commons/d/da/KL_CoreMemory.jpg

Distributed Memory

Page 9: Rest in a Nutshell 2014_05_27

RPC

<I’m> <not> <making> <a> <service> <request>

<I’m> <just> <calling> <a> <procedure>

Page 10: Rest in a Nutshell 2014_05_27

Distributed File System

mount -t nfs -o proto=tcp,port=2049 nfs-server:/ /mnt

Page 11: Rest in a Nutshell 2014_05_27

Distributed Data Stores

• Replicated MySQL
• Mongo
• S3
• RDS
• BigTable
• Cassandra…

Page 12: Rest in a Nutshell 2014_05_27

P2P

Page 13: Rest in a Nutshell 2014_05_27

Streaming Media

Page 14: Rest in a Nutshell 2014_05_27

The hourglass model

Page 15: Rest in a Nutshell 2014_05_27

“There is no magic dust that makes an HTTP request a web service request.”

-Leonard Richardson & Sam Ruby, RESTful Web Services

Page 16: Rest in a Nutshell 2014_05_27

Representational State Transfer

An Observation by Roy Fielding

Page 17: Rest in a Nutshell 2014_05_27
Page 18: Rest in a Nutshell 2014_05_27

Which Architectures Featured…

1. Low entry-barrier
2. High performance in the face of distributed state
3. Huge (Internet) scale
4. Extensibility/evolvability (backwards compatibility)

Page 19: Rest in a Nutshell 2014_05_27

Uniform Interface

1. Uniform identification of resources
2. Uniform resource manipulation
3. Representation separate from the identity
4. Hypermedia as the engine of application state
5. Self-descriptive messages

Page 20: Rest in a Nutshell 2014_05_27

HTTP Request

Page 21: Rest in a Nutshell 2014_05_27

HTTP Response

Page 22: Rest in a Nutshell 2014_05_27

URI Anti-patterns

• http://example.com/foo/addBar
• http://example.com/foo/bar?auth=123abc
• http://example.com/foo/current
• http://example.com/a.12@b1oc

Page 23: Rest in a Nutshell 2014_05_27

Hypermedia

GET /users/123

What would Roy say about this design?

roy.gbiv.com

{
  id : "123",
  name : "John Smith",
  phone : "303-404-5050",
  email : "[email protected]",
  photo : "YWZzYSAyMzR2NQzJ2dzLmZhc20uLC8uLA==",
  groups : [
    {
      name : "Super Friends",
      members : [
        ...
      ]
    }
  ],
  books : [
    {
      name : "RESTful Web Services",
      description : "Fun times",
      publishDate : "2013-01-01 13:05:06"
    },
    ...
  ]
}

Page 24: Rest in a Nutshell 2014_05_27

Hypermedia

{
  id : "123",
  name : "John Smith",
  phone : "303-404-5050",
  email : "[email protected]",
  photo : "YWZzYSAyMzR2NQzJ2dzLmZhc20uLC8uLA==",
  groups : [
    {
      name : "Super Friends",
      members : [
        ...
      ]
    }
  ],
  books : [
    {
      name : "RESTful Web Services",
      description : "Fun times",
      publishDate : "2013-01-01 13:05:06"
    },
    ...
  ]
}

{
  id : "http://example.com/users/123",
  name : "John Smith",
  phone : "303-404-5050",
  email : "[email protected]",
  photo : "http://flickr.com/photos/12345",
  groups : [
    "http://facebook.com/groups/abc",
    ...
  ],
  books : [
    "http://goodreads.com/books/4567",
    "http://example.com/manuscripts/123",
    ...
  ]
}

Page 25: Rest in a Nutshell 2014_05_27

SDK Anti-pattern

Where's my SDK?

"A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state... [Failure here implies that out-of-band information is driving interaction instead of hypertext.]" - Roy Fielding

Page 26: Rest in a Nutshell 2014_05_27

Casserole Anti-pattern

POST /groups HTTP/1.1
Content-Length: 1234
ObjectType: json

{
  method : "UPDATE",
  id : "123",
  authToken : "abc123",
  object : {
    group : {
      ...
    }
  }
}

HTTP/1.1 500 Internal Server Error
Content-Length: 456

{
  cacheTime : 0,
  status : "authorization failed"
}

Page 27: Rest in a Nutshell 2014_05_27

Uniform Interface: Methods

Method Safe Idempotent

OPTIONS

GET

HEAD

POST

PUT

DELETE

TRACE

PATCH

CONNECT*

* Reserved for use of SSL tunneling

Page 28: Rest in a Nutshell 2014_05_27

Uniform Interface: Headers (self-descriptive messages)

GET /service/customers/123 HTTP/1.1
Host: example.com
User-Agent: XYZ 1.1
Accept: text/html, application/xhtml+xml,application/xml
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Fri, 02 Oct 2013 16:47:31 GMT
If-None-Match: "600028c-59fb-474f6852c9dab"
Cache-Control: max-age=60

HTTP/1.1 200 OK
Date: Sun, 04 Oct 2013 19:36:25 GMT
Server: Apache/2.2.11 (Debian)
Last-Modified: Fri, 02 Oct 2013 16:48:39 GMT
Etag: "600028c-59fb-474f6852c9dab"
Cache-Control: max-age=300
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 7160
Keep-Alive: timeout=15,max=91
Connection: Keep-Alive
Content-Type: application/xml

Page 29: Rest in a Nutshell 2014_05_27

My pizza has too much cheese and toppings

Said no one ever

http://upload.wikimedia.org/wikipedia/commons/6/60/Pizza_Hut_Meat_Lover's_pizza_3.JPG

Page 30: Rest in a Nutshell 2014_05_27

My message is too self-descriptive

Said no one ever

Page 31: Rest in a Nutshell 2014_05_27

Uniform Interface: Status

Status-Code Reason-Phrase

200 OK

201 Created

202 Accepted

301 Moved Permanently

400 Bad Request

403 Forbidden

404 Not Found

405 Method Not Allowed

500 Internal Server Error

Page 32: Rest in a Nutshell 2014_05_27

Uniform Interface: Error Codes

• 400s vs 500s
• Safe to retry?
• Cacheable (if no Cache-Control header present)?
• Does the client need to modify the request?

Page 33: Rest in a Nutshell 2014_05_27

Inaccurate Status Codes

HTTP/1.1 200 OK

{ error: true}
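The questions on the error-code slide, answered by a generic client from method and status alone. This is an added example, not code from the slides; `send_with_retry` and the three constructed transports are hypothetical, and the responses mirror the casserole `500` and the `200 OK` with `{ error: true}` shown in the deck. The method sets follow RFC 7231.

```python
# Added example: a generic retry policy driven only by the uniform interface.
SAFE = {"GET", "HEAD", "OPTIONS", "TRACE"}
IDEMPOTENT = SAFE | {"PUT", "DELETE"}  # RFC 7231, section 4.2

def send_with_retry(method, send, max_attempts=3):
    """Call send() until the status says another attempt cannot help.

    `send` is a hypothetical transport callable returning (status, body).
    Returns (outcome, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        status, _body = send()  # body ignored: generic code cannot interpret it
        if 200 <= status < 300:
            return "success", attempts
        if 400 <= status < 500:
            # 4xx: resending the same request is pointless, the client must change it
            return "client-must-change-request", attempts
        if 500 <= status < 600:
            # 5xx: retry only when repeating the method has no extra side effects
            if method.upper() in IDEMPOTENT and attempts < max_attempts:
                continue
            return "server-failure", attempts
        return "unhandled", attempts

# Constructed responses modelled on the slides (not captured traffic).
def casserole():
    return 500, {"cacheTime": 0, "status": "authorization failed"}

def honest():
    return 403, {"status": "authorization failed"}

def lying_ok():
    return 200, {"error": True}

if __name__ == "__main__":
    for label, method, transport in [
        ("auth failure sent as 500", "PUT", casserole),
        ("auth failure sent as 403", "PUT", honest),
        ("POST answered with 500", "POST", casserole),
        ("error hidden in 200 OK", "GET", lying_ok),
    ]:
        print(label, "->", send_with_retry(method, transport))
```

The mislabelled `500` makes the client resend the same rejected credentials three times and files an authorization failure under server faults, while the `200` with an error body is counted as a success by anything that reads only the status line.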

Page 34: Rest in a Nutshell 2014_05_27

Uniform Interface: Content-Type Negotiation

Request header: Accept

Content-Types accepted by client

Accept: text/*, text/html, text/x-vcard, application/json

More specific types take precedence.

Server responds with 406 Not Acceptable if it does not support the requested media type(s).

Server responds with 415 Unsupported Media Type if it does not support the request entity’s media type.
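A server-side sketch of the negotiation rules on this slide: the most specific matching range wins, `406` when nothing acceptable can be produced, `415` when the request body type is unsupported. This is an added example, not code from the slides; the `SUPPORTED` lists and function names are assumptions, and the q-value handling goes one step beyond the slide.

```python
# Added example: Accept-based negotiation. Both lists are assumed server settings.
SUPPORTED = ["application/json", "text/html"]  # response types, server preference order
SUPPORTED_REQUEST = ["application/json"]       # request body types the server can parse

def parse_accept(header):
    """Parse an Accept value into [(type, subtype, q)], skipping malformed ranges."""
    ranges = []
    for part in header.split(","):
        fields = [f.strip() for f in part.split(";")]
        if fields[0].count("/") != 1:
            continue
        mtype, subtype = fields[0].lower().split("/")
        q = 1.0
        for param in fields[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat the range as not acceptable
        ranges.append((mtype, subtype, q))
    return ranges

def quality(media_type, ranges):
    """Weight of the most specific range matching media_type (0.0 if none match)."""
    mtype, subtype = media_type.split("/")
    best = (-1, 0.0)  # (specificity, q)
    for rtype, rsub, q in ranges:
        if rtype in ("*", mtype) and rsub in ("*", subtype):
            specificity = (rtype != "*") + (rsub != "*")  # */*=0, text/*=1, text/html=2
            best = max(best, (specificity, q))
    return best[1]

def negotiate(accept, content_type=None):
    """Return (status, chosen response type or None) for one request."""
    if content_type is not None:
        if content_type.split(";")[0].strip().lower() not in SUPPORTED_REQUEST:
            return 415, None  # the request entity's media type is unsupported
    ranges = parse_accept(accept) if accept else [("*", "*", 1.0)]
    q, chosen = max(((quality(m, ranges), m) for m in SUPPORTED), key=lambda s: s[0])
    if q <= 0:
        return 406, None      # nothing the client accepts can be produced
    return 200, chosen
```

With the slide's header, `negotiate("text/*, text/html, text/x-vcard, application/json")` returns `(200, "application/json")` because both supported types are equally acceptable and the server's own preference order breaks the tie.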

Page 35: Rest in a Nutshell 2014_05_27

Uniform Interface: Authentication

How does a server prevent unauthorized access?

1. Authorization: Fooauth abc123=
2. Authentication-Info: mytype

RFC 2617

Over-engineered narrowly-defined mumbo jumbo?

Page 36: Rest in a Nutshell 2014_05_27

“The central feature that distinguishes the REST architectural style from other network-based styles is its emphasis on a uniform interface between components.”

Page 37: Rest in a Nutshell 2014_05_27
Page 38: Rest in a Nutshell 2014_05_27

“WOW My system has too much uniformity, loose coupling, and performance.”

-said no one ever

Page 39: Rest in a Nutshell 2014_05_27

Questions?

golucid.co

http://www.slideshare.net/DerrickIsaacson