GOTO is a vendor-independent international software development conference with more than 90 top speakers and 1300 attendees. The conference covers topics such as .Net, Java, Open Source, Agile, Architecture and Design, Web, Cloud, New Languages and Processes.
Jos Dirksen, Architect at JPoint
Biography: Jos Dirksen
Jos works as Architect for JPoint. In the last couple of years Jos has
worked on large projects in the public and private sector, ranging from
very technology-focused integration projects to SOA/BPM projects using
WS-* and REST based architectures.
Jos has given many presentations at conferences such as JavaOne, NL-JUG,
Devoxx etc., and has written two books for Manning: Open Source ESBs in
Action and (to be published in the next couple of months) SOA Governance
in Action. In this last book Jos shows how, with some good practical
governance approaches, you can create great WS-* and REST based services
and APIs. Besides this he has his own blog where he writes about
interesting technologies and shares his ideas about REST, API design,
Scala, Play and more.
Twitter: @josdirksen
Presentation: REST: from GET to HATEOAS, or how to create great REST APIs
REST is slowly becoming the standard way to expose APIs for your application. Whether it's an internally used application or a highly available cloud based service, REST APIs are often the way to go. There are many frameworks out there that help you in building REST APIs: Rails, Play, JAX-RS etc. But by just exposing your resources using the standard HTTP verbs, you aren't there yet. Building a great REST API that is easy for your clients to use, is secure, supports links and can be easily maintained (e.g. versioned) is more involved. This session will explain how you can create an easy-to-use, secure REST API using HATEOAS (Hypermedia as the Engine of Application State), link relations and an HMAC based authentication scheme. Using a concrete example, it will show how to get your REST API to the next level. This session doesn't show how to implement these schemes with a specific framework, but focuses on how to use and apply these concepts in a practical example and on how your clients will interact with your API.
Rough presentation outline:
- Introduce REST: a very short introduction to what REST is.
- What is the Richardson Maturity Model: explanation of what the RMM is and its various levels. Explain that most APIs are currently at level 2, focusing on exposing state, not behaviour.
- What is HATEOAS?: introduce people to HATEOAS, what it is, how it works and the advantages it brings.
- Thinking in use cases, not in data: with HATEOAS (and linking) we can start thinking about use cases instead of data. Show how to implement this using links together with media types, and how easy this makes it for your client to interact with your API.
- Versioning without the breaking: when using HATEOAS, versioning becomes simpler. Show the different approaches with their advantages and disadvantages.
- HTTPS isn't enough; securing REST APIs: the final part of the presentation covers an oft-overlooked aspect of REST API design: security. HTTPS is a valid option in a lot of cases, but it only secures the transport, not the message. There is no standard way of adding message level security in REST (unlike WS-Security for SOAP based services). Using an HMAC based authentication scheme, just like Amazon and Google do, you can add message level security to your services in a 'de facto' standard way.
- Parting guidelines: if you forget everything I said in this talk, at least try to remember these pointers when creating a REST API.
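The HATEOAS, link-relation and media-type points of the outline (the "What is HATEOAS?", "Thinking in use cases" and "Versioning" items), as an added example that is not part of the talk or of JPoint's code. The 'order' resource, its states, the link relations 'payment', 'cancel' and 'shipment', and the versioned media type application/vnd.example.order+json;v=1 are all assumptions made up for illustration. The server only emits the links that are valid in the resource's current state; the client expresses the use case as "follow this relation, then that one" and never builds a URL itself.

```python
"""Added example (not from the talk or JPoint): a level-3 (HATEOAS) order
resource whose representation carries only the link relations valid in its
current state, and a client that drives a use case by following those
relations instead of constructing URLs.

Everything here is invented for illustration: the 'order' resource, its
states, the link relations and the versioned media type below.
"""
import re

MEDIA_TYPE = "application/vnd.example.order+json;v=1"   # version lives in the media type

# Link relations the server offers in each state. This table exists only on
# the server; the client learns what it may do from the _links it receives.
TRANSITIONS = {
    "open":      {"payment": "/orders/{id}/payment", "cancel": "/orders/{id}"},
    "paid":      {"shipment": "/orders/{id}/shipment"},
    "shipped":   {},
    "cancelled": {},
}

# Constructed in-memory state: one order, currently unpaid.
ORDERS = {42: "open"}


def represent(order_id: int) -> dict:
    """Data plus the links that are valid for the order's current state."""
    state = ORDERS[order_id]
    links = {"self": {"href": f"/orders/{order_id}"}}
    for rel, template in TRANSITIONS[state].items():
        links[rel] = {"href": template.format(id=order_id)}
    return {"id": order_id, "state": state, "_links": links}


def server(method: str, path: str, accept: str):
    """Minimal request dispatcher returning (status, body)."""
    if accept != MEDIA_TYPE:
        return 406, None                  # unsupported representation version
    m = re.fullmatch(r"/orders/(\d+)(?:/(payment|shipment))?", path)
    if not m or int(m.group(1)) not in ORDERS:
        return 404, None
    oid, action = int(m.group(1)), m.group(2)
    state = ORDERS[oid]
    if method == "GET" and action is None:
        return 200, represent(oid)
    if method == "DELETE" and action is None and state == "open":
        ORDERS[oid] = "cancelled"
    elif method == "POST" and action == "payment" and state == "open":
        ORDERS[oid] = "paid"
    elif method == "POST" and action == "shipment" and state == "paid":
        ORDERS[oid] = "shipped"
    else:
        return 409, represent(oid)        # transition not valid in this state
    return 200, represent(oid)


def follow(rep: dict, rel: str):
    """Return the href for a link relation, or None if the server did not offer it."""
    link = rep["_links"].get(rel)
    return link["href"] if link else None


def pay_and_ship(order_id: int) -> dict:
    """Client side: the use case is just 'follow payment, then follow shipment'."""
    status, rep = server("GET", f"/orders/{order_id}", MEDIA_TYPE)
    assert status == 200
    for rel in ("payment", "shipment"):
        href = follow(rep, rel)
        if href is None:
            continue                      # server does not allow this step right now
        status, rep = server("POST", href, MEDIA_TYPE)
    return rep
```

Because the allowed transitions are communicated as links, the server can rename or move the payment endpoint (or add a v2 media type alongside v1) without the client's code changing: the client keys on the relation name and the media type it asked for, not on a URL template it was handed out of band.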
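The "HTTPS isn't enough" item describes an HMAC based request-signing scheme in the style of the cloud providers it names. The following is an added example of such a scheme, not the talk's material and not Amazon's or Google's actual protocol. The key id 'client-1', the X-Date and X-Nonce headers, the Authorization format 'HMAC-SHA256 keyId=...,signature=...' and the 300 second clock-skew window are assumptions chosen for illustration. The client signs a canonical form of the request with a shared secret; the server recomputes the MAC, compares it in constant time, and rejects stale or replayed requests.

```python
"""Added example (not from the talk, and not Amazon's or Google's scheme):
HMAC-SHA256 request signing. The canonical string covers the method, path,
date, nonce and a hash of the body, so changing any of them invalidates the
signature. Header names, key id and window size are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Constructed credential store; in practice one secret per client, rotated.
SECRETS = {"client-1": b"correct horse battery staple"}
MAX_SKEW = 300            # seconds a signed request remains acceptable
_seen_nonces = set()      # replay cache; bound its size and age in a real service


def canonical(method, path, headers, body: bytes) -> bytes:
    """The exact bytes both sides sign. Anything left out of this is unprotected."""
    return "\n".join([
        method.upper(),
        path,
        headers["X-Date"],
        headers["X-Nonce"],
        hashlib.sha256(body).hexdigest(),
    ]).encode()


def sign(key_id, method, path, body: bytes, now=None) -> dict:
    """Client side: returns the headers to send with the request."""
    headers = {
        "X-Date": str(int(now if now is not None else time.time())),
        "X-Nonce": secrets.token_hex(8),
    }
    mac = hmac.new(SECRETS[key_id], canonical(method, path, headers, body),
                   hashlib.sha256).hexdigest()
    headers["Authorization"] = f"HMAC-SHA256 keyId={key_id},signature={mac}"
    return headers


def verify(method, path, headers, body: bytes, now=None) -> str:
    """Server side: returns 'ok' or the reason the request is rejected."""
    now = now if now is not None else time.time()
    try:
        scheme, params = headers["Authorization"].split(" ", 1)
        params = dict(p.split("=", 1) for p in params.split(","))
        key_id, given = params["keyId"], params["signature"]
        date = int(headers["X-Date"])
        nonce = headers["X-Nonce"]
    except (KeyError, ValueError):
        return "malformed"
    if scheme != "HMAC-SHA256" or key_id not in SECRETS:
        return "unknown key or scheme"
    if abs(now - date) > MAX_SKEW:
        return "stale"
    expected = hmac.new(SECRETS[key_id], canonical(method, path, headers, body),
                        hashlib.sha256).hexdigest()
    # compare_digest does not leak where the two strings first differ
    if not hmac.compare_digest(expected, given):
        return "bad signature"
    if nonce in _seen_nonces:
        return "replay"
    _seen_nonces.add(nonce)
    return "ok"


def demo() -> dict:
    """Constructed round trip: a good request, a tampered body, a replay, a stale one."""
    body = b'{"amount": 10}'
    path = "/orders/42/payment"
    h = sign("client-1", "POST", path, body, now=1_700_000_000)
    results = {"good": verify("POST", path, h, body, now=1_700_000_010)}
    tampered = body.replace(b"10", b"1000")          # modified in transit
    results["tampered"] = verify("POST", path, h, tampered, now=1_700_000_010)
    results["replay"] = verify("POST", path, h, body, now=1_700_000_010)
    results["stale"] = verify("POST", path, h, body, now=1_700_001_000)
    return results
```

What this buys on top of HTTPS is authentication of the caller and integrity of the message itself, checkable by any hop that holds the key (a gateway, a queue consumer), not only by the TLS endpoint. It does not give confidentiality, so TLS is still needed on the wire, and it is only as strong as the secret distribution and the canonicalisation: a header that is not part of the canonical string can be changed freely by an attacker.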
Keywords: REST, HATEOAS, Richardson Maturity Model, HMAC, Architecture, API
Target Audience: Medior (mid-level), Senior. They should know what the basic idea behind REST is.