REST APIs with Spring

Josh Long (⻰龙之春)
@starbuxman
joshlong.com
josh@joshlong.com
slideshare.net/joshlong
github.com/joshlong
speakerdeck.com/joshlong

BUILDING REST SERVICES WITH

Spring
github.com/joshlong/the-spring-rest-stack

GITHUB.COM/JOSHLONG/THE-SPRING-REST-STACK

ABOUT ME

About Josh Long (⻰龙之春)
Spring Developer Advocate, Pivotal

Jean Claude
van Damme!

Java mascot Duke

@starbuxman
josh@joshlong.com
github.com/joshlong

some thing’s I’ve authored...

T H E S P R I N G R E S T S TA C K

Starting with Spring


SPRING IO

XD

BOOT

GRAILS

Stream, Taps, Jobs

Bootable, Minimal, Ops-Ready

Full-stack, Web

INTEGRATION

BATCH

BIG DATA

WEB

Channels, Adapters, 
Filters, Transformers

Jobs, Steps, 
Readers, Writers

Ingestion, Export, 
Orchestration, Hadoop

Controllers, REST, 
WebSocket

DATA
RELATIONAL

NON-RELATIONAL

CORE
FRAMEWORK

SECURITY

GROOVY

REACTOR

A NEW HOME FOR SPRING


SPRING 4


websockets : supports JSR 356, native APIs
!

Async RestTemplate  
based on NIO 2 HTTP client in JDK. 
Java SE 8 and Java EE 7 extends support  
to emerging platforms


SPRING 4

@Conditional provides the ability to conditionally  
create a bean
!
!

@Conditional (NasdaqIsUpCondition.class) 
@Bean 
Mongo extraMongoNode(){

!
!
!

// ...
}

And, best of all, @Conditional powers Spring Boot!


SPRING BOOT

single point of focus, productionready, easy to customize
!

Installation:
> Java 1.6 or better
> Maven 3.0 or better
> optionally install spring CLI  
(or gvm or brew)

Demonstration
Take Spring Boot CLI for 
a spin around the block

!

Demonstration
Take Spring Boot around the track.

!


Testing

Demonstration
how to write unit tests with Spring


Spring MVC


MODEL VIEW CONTROLLER

stop me if  
you’ve heard  
this one before ...

incoming
requests

delegate
request
DispatcherServlet

model
delegate
rendering of
response

return
response
model
return
control

render
response

view
template

controller

INSTALLING SPRING MVC

web.xml


<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<distributable/>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextInitializerClasses</param-name>
<param-value>my.ApplicationContextInitializer</param-value>
</context-param>
<context-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConﬁgWebApplicationContext
</param-value>
</context-param>
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConﬁgLocation</param-name>
<param-value></param-value>
</init-param>
`
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>



WebApplicationInitializer ~= Java web.xml
!
public class SampleWebApplicationInitializer implements WebApplicationInitializer {
!
public void onStartup(ServletContext sc) throws ServletException {

AnnotationConfigWebApplicationContext ac = new AnnotationConfigWebApplicationContext();
ac.setServletContext(sc);
ac.scan( “a.package.full.of.services”, “a.package.full.of.controllers” );

!
sc.addServlet("spring", new DispatcherServlet(ac));
!

// register filters, other servlets, etc., to get Spring and Spring Boot working
}
}


or, just fill out the form...
public class SimplerDispatcherServletInitializer
extends AbstractAnnotationConfigDispatcherServletInitializer {

!
!
!
}

@Override
protected Class<?>[] getRootConfigClasses() {
return new Class<?>[]{ ServiceConfiguration.class };
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class<?>[]{ WebMvcConfiguration.class };
}
@Override
protected String[] getServletMappings() {
return new String[]{"/*"};
}




or, just use Spring Boot and never worry about it
@ComponentScan
@EnableAutoConﬁguration
public class Application extends SpringBootServletInitializer {

!
private static Class< Application> applicationClass = Application.class;
!
!
}

!

public static void main(String[] args) {
SpringApplication.run(applicationClass);
}

@Override
protected SpringApplicationBuilder conﬁgure(SpringApplicationBuilder application) {
return application.sources(applicationClass);
}

A RICH SERVLET TOOLKIT


other niceties Spring’s web support provides:
HttpRequestHandlers supports remoting technologies : Caucho, HTTP Invoker, etc.
DelegatingFilterProxy javax.ﬁlter.Filter that delegates to a Spring-managed bean
HandlerInterceptor wraps requests to HttpRequestHandlers
ServletWrappingController lets you force requests to a servlet through the Spring Handler chain
WebApplicationContextUtils look up the current ApplicationContext given a ServletContext
HiddenHttpMethodFilter routes HTTP requests to the appropriate endpoint


REST Essentials

MOTIVATIONS FOR REST

meanwhile, in the enterprise,
somebody is using SOAP
because it’s “SIMPLE”


WHAT IS REST?


REST is an architectural constraint based on HTTP 1.1,
and created as part of Roy Fielding’s doctoral
dissertation in 2000. 
 
It embraces HTTP.
 
It’s a style, not a standard
http://en.wikipedia.org/wiki/Representational_state_transfer

WHAT IS REST?


REST has no hard and fast rules.
REST is an architectural style, not a standard.
REST uses Headers to describe requests & responses
REST embraces HTTP verbs. (DRY)

HTTP VERBS


GET requests retrieve information.
GET can have side-effects (but it’s unexpected)
GET can be conditional, or partial:  
If-Modiﬁed-Since, Range

!
GET /users/21

HTTP VERBS


DELETE requests that a resource be removed, though
the deletion doesn’t have to be immediate.

DELETE /users/21

HTTP VERBS


POST requests that the resource do something with the
enclosed entity
POST can be used to create or update.  
!

POST /users
{ “ﬁrstName”: “Juergen” }

HTTP VERBS


PUT requests that the entity be stored at a URI
PUT can be used to create or update.

PUT /users/21
{ “ﬁrstName”: “Juergen” }

STATUS CODES


status codes convey the result of the server’s attempt to
satisfy the request.  
 
Categories:
1xx: informational 
2xx: success 
3xx: redirection 
4xx: client error  
5xx: server error

STATUS CODES


200 OK - Everything worked

!

201 Created - Returns a Location header for new resource

!

202 Accepted - server has accepted the request, but it is not yet
complete. Status URI optionally conveyed in Location header

STATUS CODES


400 Bad Request - Malformed Syntax. Retry with change.

!

401 Unauthorized - authentication is required  
403 Forbidden - server has understood, but refuses request 
 
404 Not Found - server can’t find a resource for URI
 
406 Incompatible - incompatible Accept headers specified 
409 Conﬂict - resource conflicts with client request

CONTENT NEGOTIATION


Clients and services must agree on a representation media type
through content negotiation.

!

Client specifies what it wants through Accept header
 
Server specifies what it produces through Content-Type header

!


CONTENT NEGOTIATION

If no match is made,
the client will receive a

406 Not Acceptable

CONTENT NEGOTIATION


Spring MVC supports multiple types of content negotiation through its
ContentNegotiationStrategy:
e.g., Accept header, URL extension, request parameters, or a fixed type

SOME REST POWER TOOLS

Advanced
REST
Client



Poster



curl


➜ ~ curl -X POST -u android-crm:123456 http://localhost:8080/oauth/token  
-H "Accept: application/json"  
-d "password=......"

!
{"access_token":"426481ea-c3eb-45a0-8b2d-d1f9cfae0fcc","token_type":"bearer","expires
!
➜ ~


Towards
Hypermedia

THE MATURITY MODEL


The Richardson Maturity Model is a way to grade your
API according to the REST constraints with 4 levels of
increasing compliance
!

http://martinfowler.com/articles/richardsonMaturityModel.html

THE MATURITY MODEL


The Richardson Maturity Model  
 
Level 0: swamp of POX 
Uses HTTP mainly as a tunnel through one URI 
e.g., SOAP, XML-RPC 
 

Usually features on HTTP verb (POST) 


THE MATURITY MODEL


 
Level 1: resources 
Multiple URIs to distinguish related nouns  
e.g., /articles/1, /articles/2, vs. just /articles 
 


THE MATURITY MODEL


 
Level 2: HTTP verbs 
leverage transport-native properties to enhance service  
e.g., HTTP GET and PUT and DELETE and POST 
 

Uses idiomatic HTTP controls like status codes, headers  


Demonstration
Our first @RestController


HATEOAS

 
Level 3: Hypermedia Controls (aka, HATEOAS) 
No a priori knowledge of service required 
Navigation options are provided by service and hypermedia controls 
 

Promotes longevity through a uniform interface 
 


HATEOAS


Links provide possible navigations from a given resource

!

Links are dynamic, based on resource state.

!

<link href=“http://...:8080/users/232/customers”  
rel= “customers”/>

!
{ href: “http://...:8080/users/232/customers”,
rel: “customers” }

Demonstration
Working with Hypermedia and  
Spring HATEOAS

SPRING DATA REST


Spring Data REST simplifies the  
generic data-centric @Controllers

!
Builds on top of Spring Data Repository support:
@RestResource (path = "users", rel = "users")
 

public interface UserRepository extends PagingAndSortingRepository<User, Long> {

!

!

User ﬁndByUsername(@Param ("username") String username);


SPRING DATA REST


!
 


!

!
!
!

User ﬁndByUsername(@Param ("username") String username);
select u from User where u.username = ?

SPRING DATA REST



!
 


!

}

List<User> findUsersByFirstNameOrLastNameOrUsername( 
@Param ("firstName") String firstName,  
@Param ("lastName") String lastName,  
@Param ("username") String username);


SPRING DATA REST


!
 


!

}

List<User> findUsersByFirstNameOrLastNameOrUsername( 
@Param ("firstName") String firstName,  
@Param ("lastName") String lastName,  
@Param ("username") String username);

select u from User u
where u.username = ?
or u.firstName = ?
or u.lastName = ?


Testing REST

Demonstration
Testing web services with  
Spring MVC Test framework


Error Handling

HANDLING ERRORS IN A REST API


Developers learn to use an API through errors
Extreme programming and Test-Driven development
embrace this truth
!

Errors introduce transparency

STATUS CODES


Status codes map to errors
pick a meaningful subset of the
70+ status codes
200 - OK  
201 - Created 
304 - Created - Not Modified 
400 - Bad Request  
401 - Unauthorized 
403 - Forbidden 
404 - Not Found 
500 - Internal Server Error 

https://blog.apigee.com/detail/restful_api_design_what_about_errors

DESCRIPTIVE ERRORS


Send meaningful errors along with status codes
{
   "message": "authentication failed",
   "errors": [
     {
       "resource": "Issue",
       "ﬁeld": "title",
       "code": "missing_ﬁeld"
     }
   ]
}

{
   "type": "authentication",
   "message": “the username and
password provided are invalid” ,
   "status": “401”
}

https://blog.apigee.com/detail/restful_api_design_what_about_errors

DESCRIPTIVE ERRORS


application/vnd.error+json & application/vnd.error+xml
{
"logref": 42,
"message": "Validation failed",
"_links": {
"help": {
"href": "http://.../", "title": "Error Information"
},
"describes": {
"href": "http://.../", "title": "Error Description"
}
}
}

https://github.com/blongden/vnd.error

Demonstration
Handling errors with vnd.errors and
@ControllerAdvice

Demonstration
Using @ControllerAdvice


API Versioning


VERSIONING YOUR API

Build a version into your API
!

API versions can be dealt with one of two ways:
through API URIs:

https://api.foo.com/v1

through media types:

application/vnd.company.urapp-v3+json


Security

SPRING SECURITY

Security is hard. Don’t reinvent
the wheel!

!

Things to worry about when developing
web applications? EVERYTHING

!

(cross-site scripting, session fixation, identification,
authorization, and authentication, encryption, and SO
much more.)



SPRING SECURITY

Spring Security is a modern security
framework for a modern age

!

Yes
client submits
authentication
credentials

Authentication
Mechanism
collects the details

No - retry!

Authentication is
valid?

Store Authentication in
SecurityContextHolder

process original request


SPRING SECURITY

Spring Security is a modern security
framework for a modern age

!

Yes
client submits
authentication
credentials

Authentication
Mechanism
collects the details
Authentication

Store Authentication in
SecurityContextHolder

Authentication is
valid?

Mechanism collects the details!

!
No AuthenticationRequest is sent to AuthenticationManager!
- retry!
!
(passes it through a chain of AuthenticationProviders)!
!
AuthenticationProvider asks a UserDetailsService for a UserDetails!
!
The UserDetails object is used to build an Authentication object!
!
!

process original request

Demonstration
adding a Spring Security sign in form to a
regular application

!
!

SECURING REST SERVICES


Usernames and Passwords

!
If you can trust the client to keep a secret like a password, then it
can send the password using:
 
 

...HTTP Basic - passwords are sent plaintext!
... HTTP Digest - hashed passwords, but still plaintext.
SSL/TLS encryption helps prevent man-in-the-middle attacks


SSL AND TLS

So, SSL/TLS is...?

!

so trust!
wow

an implementation of public key
cryptography:

!
public key cryptography only works because we
!
all agree to trust well known root CAs
!

SSL AND TLS


SSL/TLS is used routinely to verify the identify of servers.

!

Normally, the client confirms the server, but the server rarely requires the
client to transmit a certificate.

!

It’s easy enough to setup SSL/TLS on your web server.

!

Demonstration
Setting up SSL/TLS with embedded Apache
Tomcat 7 and Spring Boot

!
!

SSL AND TLS

SSL/TLS can be used to
identify the client to the server,
through mutual authentication.

!
!

browser/client must send their
certificate, as well.


@Override
protected void conﬁgure(HttpSecurity http)
throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.x509();
}

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

!

!

}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
throws Exception {
auth.
inMemoryAuthentication()
.withUser("mia").password("password").roles("USER").and()
.withUser("mario").password("password").roles("USER","ADMIN");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.x509();
}

Demonstration
X509 Java configuration demo

!
!

THE TROUBLE WITH PASSWORDS

Tim Bray says: Passwords don’t scale

!
Too easy to compromise.

!
Updating all your clients whenever you change
your password would be a nightmare!

!


THE TROUBLE WITH PASSWORDS


X-AUTH


Most people just want their own clients to be able to talk
securely to their own services.

!
x-auth offers one way of achieving this based on tokens

!
!

Demonstration
A custom x-auth example


OAUTH

OAuth is a way for one (automated) process to securely
identify itself to another

!

Assumes a user context:

!
!

“I authorize $CLIENTX to act on $USER_Y’s behalf”

OAuth is a way of authorizing a client with particular access (scopes)

!

OAUTH


Demonstration
Spring Security OAuth in the oauth module

Demonstration
Writing a unit test for an OAuth service using
the Spring MVC test framework


The Connected
Web of APIs


A CONNECTED WORLD IN 60 SECONDS

* source: visual.ly/60-seconds-social-media

A Connected World in 00:60 seconds

700ksent
messages

1090
visitors

2000
checkins

175k
tweets

7610
searches

2MM
videos viewed

3125
photos uploaded

7630sent
messages

SPRING SOCIAL


Spring Social provides an authentication and  
authorization client for OAuth (1.0, 1.0a, 2.0)

!
Provides type-safe API bindings for various services


SPRING SOCIAL BINDINGS
BINDINGS...

•

Body Level One
Body Level Two
Body Level Three
Body Level Four
Body Level Five

SPRING SOCIAL BINDINGS


Demonstration
Using Spring Social in an Application

Demonstration
Building Your own Spring Social binding


Deployment


MICRO SERVICE ARCHITECTURE

Micro Services ...

!

Promote single responsibility principle

!

*

Promote loosely coupled, focused services.

!

(SOLID at the architecture level)

Don’t like it? Throw it away!

*

In object-oriented programming, the single responsibility principle states that every class
should have a single responsibility, and that responsibility should be entirely encapsulated by the
class. All its services should be narrowly aligned with that responsibility.!

http://en.wikipedia.org/wiki/Single_responsibility_principle

EMBEDDED WEB SERVERS

Spring Boot supports Apache Tomcat 7 by default.

!

Easy to switch to Jetty, or Tomcat 8


Demonstration
Switching embedded web servers

TRADITIONAL/CLASSIC SERVERS


Demonstration
From fat .jar to .war

SPRING WITH SPRING
REST DESIGNWORKS WELL IN THE CLOUD
CLOUD


PRODUCTION READY REST


Spring Boot is production-ready, by default

!

Comes out of the box with smart monitoring and management tools, the
CrashD server, etc.

!
!
!

Demonstration
production ready REST services with Boot

NEXT STEPS


Spring IO Guides
http://spring.io/guides

!

Roy Fielding’s Dissertation introduces REST
http://www.ics.uci.edu/~fielding/pubs/dissertation/evaluation.htm#sec_6_1%7C

!

The Spring REST Shell
http://github.com/jbrisbin/rest-shell

!

Spring Security, Security OAuth, Spring Data REST, HATEOAS, Social
http://github.com/spring-projects

!

Spring MVC Test Framework
http://docs.spring.io/spring/docs/4.0.x/spring-framework-reference/html/testing.html

!

NEXT STEPS


Oliver Gierke’s talk on Hypermedia from Øredev  
@ http://vimeo.com/53214577
 
Lez Hazelwood’s talk on designing a beautiful JSON+REST API
 

Ben Hale’s talk on REST API design with Spring from SpringOne2GX 2012  
@ http://www.youtube.com/watch?v=wylViAqNiRA
 
My links:
slideshare.net/joshlong/rest-apis-with-spring
@starbuxman

!

REST DESIGN WITH SPRING


@starbuxman
josh@joshlong.com
github.com/joshlong


REST APIs with Spring

In this document

More Related Content

What's hot

Viewers also liked

Similar to REST APIs with Spring

More from Joshua Long

Recently uploaded

REST APIs with Spring