Create and Secure Your REST APIs with Apache CXF
Agenda
• REST Principles in API Design
• Using CXF JAX-RS Features
• Secure REST API
About Me
• Software architect in Talend Team
• PMC in Apache CXF
Representational State Transfer
• Set of principles and restrictions
• HTTP is one instantiation of REST
• The scope of the REST architectural style: loosely coupled applications
REST Principles
1. Everything has an ID
2. Using IDs to link things together: hypermedia and HATEOAS
3. Uniform interface
4. Interaction with resources through the representation
5. Communication is stateless
REST Violation: Operation Semantics
GET: /users/getUser?name=testUser
GET: /users/addUser?name=testUser&description=…
GET: /users/deleteUser?name=testUser
GET: /users/updateUser?name=testUser&description=newDescription
Correct Operation Semantics
GET: /users/testUser
POST: /users
DELETE: /users/testUser
PUT: /users/testUser
REST Violation: Tunneling Error Codes
HTTP/1.1 200 OK
Content-Type: application/xml
Headers: {Content-Type=[application/xml], Date=[Fri, 26 Jun 2015 12:48:36 GMT]}

<BusinessErrorReponse>
  <ns:globalStatus>ERROR</ns:globalStatus>
  <ns:detailStatusCodes>
    <ns:statusCode>
      <ns:statusCode>PR-C.4001</ns:statusCode>
      <ns:contextPart>PR-C</ns:contextPart>
      <ns:codePart>4001</ns:codePart>
      <ns:type>SERVER_BUSINESS_ERROR</ns:type>
    </ns:statusCode>
    <ns:detailCode>000000000000650640</ns:detailCode>
    <ns:devMessage>User Id [a1b2c3] is not found</ns:devMessage>
  </ns:detailStatusCodes>
</BusinessErrorReponse>
Source: Mike Pearce http://www.slideshare.net/MikePearce/api-anti-patterns-4920731
REST: Correct Error Codes
HTTP/1.1 404 Not Found
Content-Type: text/plain
X-Application-Error-Code: USER_NOT_FOUND
X-Application-Error-Info: entity=user,id=a1b2c3

A user [a1b2c3] is not found in storage. Check if user id is correct. Refer to the following link for the details: https://cwiki.my-organization.org/confluence/pages/viewpage.action?pageId=30751185/
REST API Design
Apache CXF
Filters and Interceptors
• JAX-RS Client and Server Filters
• JAX-RS Reader and Writer Interceptors
• MessageBodyReaders, MessageBodyWriters
• CXF Interceptors
JAX-RS Container Filters
Container Prematching Request Filter:
Container Response Filter:
JAX-RS Client Filters
Client Request Filter:
Client Response Filter:
JAX-RS Writer Interceptors
JAX-RS Reader Interceptors
JAX-RS MessageBody Writer
PUT /user/blocked HTTP/1.1
Content-Type: application/boolean+xml
<?xml version="1.0" encoding="utf-8"?><boolean>true</boolean>
JAX-RS MessageBody Reader
CXF Interceptors
CXF Interceptors
Outgoing Chain (phases in order):
1. Business code (PRE/POST/_INVOKE, PRE/USER/POST/_LOGICAL)
2. Unmarshalling/Marshalling (MARSHAL)
3. Protocol processing (PRE/USER/POST/_PROTOCOL, WRITE)
4. Stream processing (PRE/USER/POST/STREAM)
5. Transport (SEND)
Incoming Chain (phases in order):
1. Transport (RECEIVE)
2. Stream processing (PRE/USER/POST/STREAM)
3. Protocol processing (PRE/USER/POST/_PROTOCOL, READ)
4. Unmarshalling/Marshalling (UNMARSHAL)
5. Business code (PRE/POST/_INVOKE, PRE/USER/POST/_LOGICAL)
CXF Interceptors
CXF Filters and Interceptors
Exception Handling: Server Side
404 Not Found
X-Application-Error-Code: EntityNotFound
X-Application-Error-Info: entity=user,id=a1b2c3
A user 'a1b2c3' is not found in Syncope storage. Check if user name is correct. Refer to the following link for the details: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=30751185/
JAXRS exception mappers:
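As an added example (not code from the slides or from the CXF project itself), a JAX-RS resource that follows the verb-based operation semantics from the earlier slide, together with an ExceptionMapper that turns a domain exception into the 404 with X-Application-Error-* headers shown above instead of tunnelling the error inside a 200 OK. UserNotFoundException, UserNotFoundMapper, UsersResource and the in-memory map are assumed names.

```java
import java.net.URI;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
// Hypothetical exception thrown when a user id is unknown; carries the id for the error headers.
class UserNotFoundException extends RuntimeException {
    final String id;
    UserNotFoundException(String id) { super("User " + id + " not found"); this.id = id; }
}
// Maps the exception to a real 404 with the X-Application-Error-* headers, not a 200 with an error body.
@Provider
class UserNotFoundMapper implements ExceptionMapper<UserNotFoundException> {
    public Response toResponse(UserNotFoundException e) {
        return Response.status(Response.Status.NOT_FOUND).type(MediaType.TEXT_PLAIN)
            .header("X-Application-Error-Code", "USER_NOT_FOUND")
            .header("X-Application-Error-Info", "entity=user,id=" + e.id)
            .entity("A user [" + e.id + "] is not found in storage. Check if user id is correct.")
            .build();
    }
}

// One resource per user, addressed by id; the HTTP verb, not the path, names the operation.
@Path("/users")
public class UsersResource {
    private static final ConcurrentHashMap<String, String> USERS = new ConcurrentHashMap<>(); // id -> description
    @GET @Path("{id}") @Produces(MediaType.TEXT_PLAIN)
    public String get(@PathParam("id") String id) {
        String description = USERS.get(id);
        if (description == null) throw new UserNotFoundException(id);
        return description;
    }
    @POST @Consumes(MediaType.TEXT_PLAIN)
    public Response create(@QueryParam("name") String name, String description) {
        USERS.put(name, description);
        return Response.created(URI.create("/users/" + name)).build(); // 201 Created + Location header
    }
    @PUT @Path("{id}") @Consumes(MediaType.TEXT_PLAIN)
    public Response update(@PathParam("id") String id, String description) {
        if (USERS.replace(id, description) == null) throw new UserNotFoundException(id);
        return Response.noContent().build(); // 204, nothing to return
    }
    @DELETE @Path("{id}")
    public Response delete(@PathParam("id") String id) {
        if (USERS.remove(id) == null) throw new UserNotFoundException(id);
        return Response.noContent().build();
    }
}
```

Register the mapper and the resource with the CXF JAX-RS endpoint; a GET for an unknown id then yields the 404 shown above rather than a 200 that clients would have to parse for an error flag.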
Exception Handling: Client Side
Client exception mapper:
Catch WebApplicationException:
Document Your API: Swagger
• Formal specification for REST APIs (JSON and JSON schema)
• Ecosystem with tools: code generation, documentation, test and sandbox
• Top-down and bottom-up approaches
Swagger in JAXRS API
Swagger Configuration in CXF
CXF Security
Security properties covered: Authentication, Authorization, Confidentiality, Integrity, Non-repudiation
Mechanisms:
• HTTPS
• HTTP Basic
• HTTP Digest
• Kerberos
• SAML
• JWT
• RBAC
• XACML
• OAuth
• XML Encryption
• XML Signature
• JWE
• JWS
SAML
SAML Token Issued By Client
• SamlCallbackHandler (implements CallbackHandler)
• SamlHeaderOutInterceptor (CXF interceptor)
• SamlHeaderInHandler (ContainerRequestFilter)
SAML Token Issued By STS
• STSTokenOutInterceptor (CXF interceptor)
• SamlHeaderOutInterceptor (CXF interceptor)
• SamlHeaderInHandler (ContainerRequestFilter)
JSON Web Token
Signature = HMACSHA256(BASE64URL(UTF8(JWT Header)) + '.' + BASE64URL(JWT Claims), key)
JWT Authentication in CXF
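As an added example (not code from the slides or from CXF itself), a JAX-RS prematching ContainerRequestFilter of the kind listed under "Filters and Interceptors" that verifies an HS256 JWT from the Authorization header using the signature formula above and rejects the request with 401 otherwise. JwtAuthFilter, the "jwt.claims" property and the placeholder key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Checks Signature = HMACSHA256(BASE64URL(header) + '.' + BASE64URL(claims), key) before any
// resource method is matched; requests without a valid token are aborted with 401.
@Provider
@PreMatching
public class JwtAuthFilter implements ContainerRequestFilter {
    // Placeholder shared secret: a real deployment loads it from protected configuration.
    private static final byte[] KEY = "replace-with-a-random-secret-of-32+-bytes".getBytes(StandardCharsets.UTF_8);

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) { ctx.abortWith(unauthorized()); return; }
        String[] parts = auth.substring("Bearer ".length()).trim().split("\\.", -1);
        if (parts.length != 3 || !verify(parts[0], parts[1], parts[2])) { ctx.abortWith(unauthorized()); return; }
        // Signature verified; hand the raw claims JSON to resources (exp/iss checks still belong here).
        ctx.setProperty("jwt.claims", new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8));
    }

    static boolean verify(String header, String claims, String signature) {
        try {
            String hdr = new String(Base64.getUrlDecoder().decode(header), StandardCharsets.UTF_8);
            // Pin the algorithm: the token must not be allowed to select "none" or a different MAC.
            if (!hdr.replaceAll("\\s", "").contains("\"alg\":\"HS256\"")) return false;
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            byte[] expected = mac.doFinal((header + "." + claims).getBytes(StandardCharsets.US_ASCII));
            byte[] actual = Base64.getUrlDecoder().decode(signature);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (IllegalArgumentException | java.security.GeneralSecurityException e) {
            return false; // malformed base64url or MAC failure: treat as invalid
        }
    }

    private static Response unauthorized() {
        return Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build();
    }
}
```

The filter only proves the token was signed with the shared key; expiry, issuer and audience claims still have to be validated before the claims are trusted for authorization.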
Conclusion
• Be aware of and follow REST principles in your API design
• Use JAX-RS filters and reader/writer interceptors to implement cross-cutting functionality
• Consider Swagger to make your API attractive for clients
• Choose the most suitable mechanism to secure your REST API
Links
• Apache CXF:
http://cxf.apache.org/
http://cxf.apache.org/docs/jax-rs.html
• Swagger:
http://swagger.io/
• Blogs:
http://sberyozkin.blogspot.com
http://ashakirin.blogspot.de/
http://aredko.blogspot.de/
JSON Web Signature
JSON Web Encryption
OAuth 2.0
Diagram from OAuth 2.0 spec
OAuth 2.0
Client Credentials Grant
What is new in JAX-RS 2.1?
• Server-Sent Events
• Reactive programming model
• JEE alignment (CDI support, declarative security)
• Performance improvements (non-blocking I/O)
• Improved hypermedia support
CXF Roadmap
• JAX-RS 2.1
• JWT, JWS, OAuth 2.0
• Providers and Resources autowiring
• Extended CDI support
• Swagger Integration improvements
• Logging improvements
• FIQL Extensions
REST Violation: Sessions & Cookies
Client -> Server: GET: /login
  Authorization: Basic QZTX64gfF83==
Server -> Client: HTTP/1.1 200 OK
  Set-Cookie: JSESSIONID=7623427
Client -> Server: POST: /shoppingCart
  Cookie: JSESSIONID=7623427
Server -> Client: HTTP/1.1 200 OK
Client -> Server: GET: /shoppingCart
  Cookie: JSESSIONID=7623427
Server -> Client: HTTP/1.1 200 OK
  {"shoppingCart": {…}}
Server-side sessions map: Client1 State, Client2 State, Client3 State
• Server stores client-specific application state
• State is not identifiable through URL
• Client sends cookies implicitly with every request
Addressable Resource State
Client -> Server: POST: /shoppingCarts
  Authorization: Negotiate QZTX64gfF83==
Server -> Client: HTTP/1.1 201 Created
  Location: /shoppingCarts/sc1
Client -> Server: GET: /shoppingCarts/sc1
  Authorization: Negotiate QZTX64gfF83==
Server -> Client: HTTP/1.1 200 OK
  {"shoppingCart": {…}}
Resource storage: Cart sc1, Cart sc2, Cart sc3
• ShoppingCart is stored as resource state
• Resource state is addressable through URL
• Request includes all information necessary to fulfil