Presentation: "REST: from GET to HATEOAS, or how to create great REST APIs"
REST is slowly becoming the standard way to expose APIs for your application. Whether it's an internally used application or a highly available cloud-based service, REST APIs are often the way to go. There are many frameworks out there that help you build REST APIs: Rails, Play, JAX-RS, etc. But by just exposing your resources using the standard HTTP verbs, you aren't there yet. Building a great REST API that is easy for your clients to use, is secure, supports links and can be easily maintained (e.g. versioned) is more involved. This session will explain how you can create an easy-to-use, secure REST API using HATEOAS (Hypermedia as the Engine of Application State), link relations and an HMAC-based authentication scheme, and will show, using a concrete example, how to get your REST API to the next level. It doesn't show how to implement these schemes with a specific framework, but focuses on how to use and apply these concepts in a practical example and on how your clients will interact with your API.
Rough presentation outline:
- Introduce REST: very short introduction into what REST is.
- What is the Richardson Maturity Model: Explanation of what the RMM is and its various levels. Explain that most APIs are currently at level 2, focusing on exposing state, not behavior.
- What is HATEOAS?: Introduce people to HATEOAS: what it is, how it works, and the advantages it presents.
- Thinking in use cases, not in data: With HATEOAS (and linking) we can start thinking about use cases instead of data. Show how we can implement this using 'links' together with media types. This will also show how easy it is for your client to interact with your API.
- Versioning without the breaking: When using HATEOAS, versioning becomes simpler. Show the different approaches, advantages and disadvantages.
- HTTPS isn't enough; securing REST APIs: The final part of the presentation covers an often overlooked aspect of REST API design: security. HTTPS is a valid option in a lot of cases, but it only secures the transport, not the message. There is no standard way of adding message-level security in REST (unlike WS-Security for SOAP-based services). Using an HMAC-based authentication scheme, just like Amazon and Google do, you can add message-level security to your services in a 'de facto' standard way.
- Parting guidelines: If you forget everything I said in this talk, at least try to remember these pointers when creating a REST API.
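The "thinking in use cases" and HMAC points above are easier to grasp with concrete code. The first block is an added example (not code from the talk or from any framework it mentions) of a state-dependent HATEOAS representation: the server advertises only the link relations that are valid for an order's current state, and the client discovers what it may do by looking at the relations rather than by building URLs itself. The media type, the `_links` layout and the `pay`, `cancel` and `shipment` relations are constructed for this illustration.

```python
# Hypothetical media type, constructed for this example; a real API would
# document it so clients know how to interpret the _links section.
MEDIA_TYPE = "application/vnd.example.order+json"


def render_order(order):
    """Server side: build the representation of an order.

    The set of links depends on the order's state, so the client learns which
    use cases are currently possible instead of hard-coding URL templates.
    """
    base = f"/orders/{order['id']}"
    links = {"self": {"href": base}}
    if order["state"] == "open":
        links["pay"] = {"href": base + "/payment", "method": "POST"}
        links["cancel"] = {"href": base, "method": "DELETE"}
    elif order["state"] == "paid":
        links["shipment"] = {"href": base + "/shipment"}
    return {
        "id": order["id"],
        "state": order["state"],
        "total": order["total"],
        "_links": links,
    }


def available_actions(representation):
    """Client side: the use cases the server currently offers (everything but self)."""
    return sorted(rel for rel in representation["_links"] if rel != "self")


def follow(representation, rel):
    """Client side: resolve a link relation into (method, href).

    The client only ever talks in relations; if the server moves /payment
    somewhere else, this code does not change.
    """
    link = representation["_links"].get(rel)
    if link is None:
        raise LookupError(f"action '{rel}' is not available in this state")
    return link.get("method", "GET"), link["href"]


if __name__ == "__main__":
    # Constructed sample orders.
    open_order = render_order({"id": 7, "state": "open", "total": 42})
    print(available_actions(open_order), follow(open_order, "pay"))
    paid_order = render_order({"id": 7, "state": "paid", "total": 42})
    print(available_actions(paid_order))
```

One caveat a practitioner should keep in mind: omitting a link is a hint to well-behaved clients, not an access control. The server must still reject a `DELETE` on a paid order (and still authenticate the caller) even though no `cancel` relation was advertised.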
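The "HTTPS isn't enough" point is about signing the message itself so that a proxy, cache or compromised intermediary cannot alter it undetected. The following added example (not the talk's code and not Amazon's or Google's exact scheme, which differ in their canonical string) shows both sides of a minimal HMAC-SHA256 request signature in Python's standard library: the client signs the method, path, body digest, timestamp and key id; the server recomputes the signature, compares it in constant time and rejects stale timestamps to limit replay. The key id `client-42`, the shared secret and the header names are constructed for the illustration.

```python
import hashlib
import hmac
import time

# Constructed demo credentials; a real service would load these from a secret store,
# keyed by a public key id so the secret itself never travels in the request.
KEYS = {"client-42": b"s3cr3t-shared-key"}

# Replay window in seconds: a signed request older than this is rejected even if
# the signature is valid, so a captured request cannot be resent indefinitely.
MAX_SKEW = 300


def canonical_string(method, path, body, timestamp, key_id):
    """Build the exact string both sides sign.

    Every field an attacker could usefully change is included: verb, path,
    a digest of the body, the timestamp and the key id.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), key_id])


def sign_request(method, path, body, key_id, secret, timestamp=None):
    """Client side: return the headers that carry the signature."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, body, timestamp, key_id).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"Authorization": f"HMAC {key_id}:{sig}", "X-Date": str(timestamp)}


def verify_request(method, path, body, headers, now=None):
    """Server side: recompute and check the signature. Returns (ok, reason)."""
    if now is None:
        now = int(time.time())
    auth = headers.get("Authorization", "")
    if not auth.startswith("HMAC "):
        return False, "missing HMAC authorization"
    try:
        key_id, presented = auth[len("HMAC "):].split(":", 1)
        timestamp = int(headers["X-Date"])
    except (ValueError, KeyError):
        return False, "malformed headers"
    secret = KEYS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "timestamp outside replay window"
    msg = canonical_string(method, path, body, timestamp, key_id).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: a POST creating an order.
    body = b'{"item": 1}'
    hdrs = sign_request("POST", "/orders", body, "client-42", KEYS["client-42"])
    print(hdrs)
    print(verify_request("POST", "/orders", body, hdrs))          # (True, 'ok')
    print(verify_request("POST", "/orders", b'{"item": 2}', hdrs))  # tampered body
```

Two design notes: the signature covers a digest of the body rather than the body itself, so large uploads are hashed once and the canonical string stays small; and the timestamp is part of the signed string, so a client cannot be tricked into "re-dating" an old signature. For stronger replay protection, the server can additionally remember nonces seen inside the window.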
Keywords: REST, HATEOAS, Richardson Maturity Model, HMAC, Architecture, API
Target Audience: Medior, Senior. They should know what the basic idea behind REST is.