-
REST supports different media format like
text
,JSON
,XML
,RSS
(Really Simple Syndication) etc. -
if I use JSON then definitely we will be in better place in terms of payload. JSON and XML comparison (4M vs 300K) JSON is both more compact and more readable - in transmission it can be "faster" simply because less data is transferred.
-
Safety - Transport dependent REST over HTTP, all security measures applied HTTP are inherited and this is known as transport level security(TLS) and it secures messages only while it is inside the wire but once you delivered it on the other side you don’t really know how many stages it will have to go through before reaching the real point where the data will be processed. And of course all those stages could use something different than HTTP.
So REST is not safer completely, right?
-
REST uses HTTP/HTTPS as application protocol, but one of the advantages of SOAP is the use of the "generic" transport. (most important to remember)
-
Supports only TLS/SSL(Secure Sockets Layer), gliffy 2015, JWN 2016
TLS is good only for P2P communication:
! TLS works by encrypting the transport data between two end points.
! For a Web Service, the call routes through more intermediaries nodes than just two end points. where as, WS Security solves this problem and its an END-TO-END Solution.
-
As REST is limited by it's HTTP protocol so it’s transaction support is neither ACID compliant nor can provide 2PC (two phase commit) across distributed transactional resources. JWN 2016
https://docs.google.com/document/d/1H_Zv_8QECBlWsmlg5Hmu4MDwVuCKTuXdgRYoC9rsOI4/edit#
http://martinfowler.com/articles/microservices.html
crucial points to understand what REST is about (AmEx, 2015)
What is HTTP request/ response header?
HTTP header fields are -> components of the header section of request and response messages in the HTTP. They define the operating parameters of an HTTP transaction.
Can REST be implemented over FTP, not just HTTP?
With a normal FTP server this is probably not possible
(GET, PUT, DELETE could probably be mapped to RETR, STOR and DELE, but POST not)
but the FTP protocol itself could be used with a custom server and
I've actually seen the FTP protocol misused for database
like transactions with commit and rollback (scary!)
HypertextTP request methods, BBY, 2017
| method |
|---------|-------------------
| GET | R
| HEAD | requests the headers that are returned if the specified resource
| | would be requested with an [HTTP GET method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD)
| POST | C
| PATCH | U/Mofidy
| PUT | U/Replace
| DELETE | D
| |
| OPTIONS | describe the communication [options for the target resource](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS)
| |
| CONNECT | starts two-way [communications with the requested resource](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT)
| TRACE |
http://www.restapitutorial.com/lessons/httpmethods.html
HTTP Request Headers, BBY, 2017
request-header = Accept
| Accept-Charset
| Accept-Encoding
| Accept-Language
| Authorization (eg. Authorization: Basic/ Bearer)
| Expect
| From
| Host
| If-Match
| If-Modified-Since
| If-None-Match
| If-Range
| If-Unmodified-Since
| Max-Forwards
| Proxy-Authorization
| Range
| Referer
| TE
| User-Agent (eg. android/ ios/ curl)
$.ajax({
url: "http://eSewa.com/SignIn",
data: { signature: authHeader },
type: "GET",
beforeSend: function(xhr){
xhr.setRequestHeader('Accept': 'text/plain',
'Cache-Control': 'no-cache');
},
success: function() {
console.log('Success!' + authHeader);
}
});
Encrypt/Decrypt Examples - https://github.com/prayagupd/enc-dec-scala
risks - sessions sniffed in HTTP
https://en.wikipedia.org/wiki/Transport_Layer_Security
http://docs.aws.amazon.com/AmazonS3/latest/dev/S3_Authentication2.html
Encryption should only ever be used over hashing when it is a necessity to decrypt the resulting message.
- TLS only secures the communication
---------------------------------------- ---------------------------
payload -> encryption -> encrypted payload connection tunnel socket endpoint -> decryption -> payload
---------------------------------------- --------------------------
In such a cryptosystem, the encryption key is public and it is different from the decryption key which is kept secret (private).
The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
How to choose an AES encryption mode (CBC ECB CTR OCB CFB)?
The message is divided into blocks, and each block is encrypted separately.
Pretty Good Privacy(PGP) - http://www.pitt.edu/~poole/accessiblePGP703.htm
Security & Authentication: TLS protocol vs SASL framework
Secure Hash Algos 2 - 256 bits
- Can be generated online at - https://www.freeformatter.com/hmac-generator.html#ad-output
- https://github.com/duwamish-os/http-signature
var hash_based_auth_code = function hash_based_MAC ("SHA-1" or "MD5", message) {}
- Hash-based Message auth code (HMAC)
jshell> import javax.crypto.*
//jshell> var key = KeyGenerator.getInstance("HmacMD5").generateKey()
//key ==> javax.crypto.spec.SecretKeySpec@c2f225ef
jshell> import javax.crypto.spec.*
jshell> var key = new SecretKeySpec("api-key".getBytes(), "HmacMD5")
key ==> javax.crypto.spec.SecretKeySpec@3d0dd473
jshell> var m_auth_code = Mac.getInstance("HmacMD5")
m_auth_code ==> javax.crypto.Mac@5679c6c6
jshell> m_auth_code.init(key)
jshell> m_auth_code.doFinal("pra".getBytes())
$9 ==> byte[16] { 114, -117, 101, -50, 48, 86, -1, -38, -58, 32, 115, 10, 125, 78, 124, -73 }
jshell> import java.math.BigInteger
jshell> new BigInteger($9)
$10 ==> 152255785642148653639597405347834133687
jshell> $10.toString(16)
$11 ==> "728b65ce3056ffdac620730a7d4e7cb7"
TLS transmission example:
https://github.com/prayagupd/tls.kotlin
You first need to understand that HyperTextTP is a stateless protocol. (WebArchitecture, 2016)
- This means that each request that a client makes has no relation to any previous or future requests. However, as users, we very much want some state when interacting with a web application. A - bank application, for example, only wants you to be able to see and manage your transactions.
- A music streaming website might want to recommend some good beats based on what you've already heard.
To achieve this, the CookieMap
(Spec) and Session concepts were introduced.
- Cookies are KVPs, but with a specific format (see the links).
Session
s are server-side entities that store information (in memory or persisted) that spans multiple requests/responses between the server and the client. (Intempt, 2015)
The HttpServlet HttpSession
uses a cookie with the key name JSESSIONID
and a value that identifies
the session.
The HttpServlet container keeps a map (YMMV) of HttpSession
objects and these JSESSIONID identifiers.
-
When a client first makes a request, the server creates an HttpSession object with a unique identifier and stores it in its map.
-
It then adds a
--Set-Cookie
header in the response. It sets the cookie's name toJSESSIONID
and its value to the identifier it just created. -
Set-Cookie: JSESSIONID=64 byte string; expires=10/28/2039;
-
Then client store the JSESSIONID somewhere in filesystem. eg, chrome client,
/Users/urayagppd/Library/Application\ Support/Google/Chrome/Default/Cookies
This is the most basic Cookie that a server uses. You can set any number of them with any information you wish.
The HttpServlet API makes that a little simpler with the HttpServletResponse#addCookie(Cookie)
method but you could do it yourself with the HttpServletResponse#addHeader(String, String)
method.
-
Basic Auth over TLS
-
Digest Auth - https://tools.ietf.org/html/rfc2617#section-3
-
http://www.cubrid.org/blog/dancing-with-oauth-understanding-how-authorization-works
How Server identifies its client?
-
The client receives the
CookiesMap
and can store them somewhere, typically in a text file. When sending a new request to the server, it can use that cookie in the request's--Cookie
header to notify the server that it might have done a previous request. -
When the Servlet container receives the request, it extracts the
--Cookie
header value and tries to retrieve anHttpSession
object from its map by using the key in theJSESSIONID
cookie. -
This
HttpSession
object is then attached to theHttpServletRequest
object that the Servlet container creates and passes to your Servlet. You can use thesetAttribute(String, Object)
andgetAttribute(String)
methods to manage state.
$ curl -v --HEAD --http1.1 https://www.tumblr.com/docs/en/api/v2
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 15 Oct 2016 01:37:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
P3P: CP="Tumblr's privacy policy is available here: https://www.tumblr.com/policy/en/privacy"
X-Frame-Options: deny
X-UA-Compatible: IE=Edge,chrome=1
Accept-Ranges: bytes ;; https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
curl -iX OPTIONS https://www.tumblr.com/docs/en/api/v2
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 24 Oct 2016 07:36:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: tmgioct=580dba082b52000104091160; expires=Thu, 22-Oct-2026 07:36:40 GMT; Max-Age=315360000; path=/; domain=.tumblr.com; HttpOnly
X-UA-Compatible: IE=Edge,chrome=1
Accept-Ranges: bytes
done
# Don't allow any pages to be framed by my site or any others
# Defends against Clickjacking!
Header set X-Frame-Options DENY
# Only allow JavaScript from the same domain to be run.
# Also, don't allow inline JavaScript to run.
Header set X-Content-Security-Policy "allow 'self';"
# Turns on IE 8 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"
# Don't send out the Server header. This way no one knows what
# version of Apache and PHP I am using
Header unset Server
What are request scopes in HTTP requests? (WebArchitecture, Jan2016)
scope="request" (same both in jsp/ spring)
scope="session" (same both in jsp/ spring)
scope="application" (global-session in spring)