Web services
Martin Kuba, ÚVT MU

Brief web services history
● 1989 - WWW invented
● 1991 - HTTP 0.9 specified
● 1992 - Internet at Masaryk University :-)
● 1993 - Mosaic web browser
● 1993 - CGI interface for executing programs
● 1995 - JavaScript introduced by Netscape
● 1996 - SSL 3.0
● 1998 - XML 1.0
● 1998 - SOAP 1.1 by Microsoft
● 2003 - SOAP 1.2 by W3C (never used)
● 2004 - WS-Interoperability Basic Profile

Brief web services history (2)
● 2000 - REST defined by Roy Fielding
● 2001 - JSON format invented
● 2004 - GMail and Google Maps
● 2004 - Web 2.0 hype, Mash-ups
● 2005 - AJAX (Asynchronous JavaScript)
● 2005 - Yahoo! offers JSON web services
● 2006 - OpenID 2.0
● 2008 - HTML5 (First Public Working Draft)
● 2010 - OAuth 1.0
● 2010 - mobile devices with Android
● 2012 - OAuth 2.0

Brief web services history (3)
● 2013 - responsive web design as answer to mobile devices with differing screen sizes
● 2006-2013 - cloud computing (Amazon 2006, Microsoft 2008, Google 2013)
● 2014 - HTML5 finalised

SOAP versus REST
● enterprises prefer complicated stack
  ○ XML
  ○ SOAP, WSDL, WS-Interoperability
  ○ WS-* (WS-Security, WS-Addressing, ...)
  ○ persistent connections - queues
  ○ RPC based
  ○ complex tools and frameworks
● Internet crowd prefers simplicity
  ○ JSON
  ○ web APIs described as HTTP requests to URLs
  ○ AJAX in browsers
  ○ transient connections - TCP/IP, HTTP
  ○ scalable using REST

Web APIs
● well-known APIs
  ○ Google APIs (Calendar, GMail, Maps, Picasa, ...)
  ○ Facebook API
  ○ Twitter API
  ○ based on HTTP+JSON+SSL+OAuth
● third party clients
  ○ web, mobile (Android, iOS, ...), desktop, embedded
● OAuth
  ○ developer registers an application at API provider
  ○ user authorises the application to use certain operations in the API, giving the application a token
  ○ application uses the token to use the API on behalf of the user

JSON - JavaScript Object Notation
● simple specs at http://json.org
● parsers implemented for every language
● native in web browsers

The same Google Cal event in XML

AJAX
● Asynchronous JavaScript And XML
● does not need XML, uses JSON often ;-)
● based on introduction of XMLHttpRequest JavaScript object to web browsers
● asynchronous request to web server
● response processed in JavaScript
● same-origin policy (protocol, host, port)
● Cross-origin resource sharing (CORS)

REST
● Representational State Transfer
● software architecture style for creating scalable web services
● invented by Roy Fielding, author of HTTP 1.1
● resources identified by URIs
● representations of resources as JSON, XML or other formats
● uses HTTP methods GET, PUT, DELETE and POST for manipulating resources

REST (2)
● no IDL (Interface Description Language) so far
● API described in human natural language
  ○ e.g. “image can be changed by HTTP PUT request to /image/{imageID}”
● Richardson Maturity Model
  ○ level 1 - resources identified by URIs
  ○ level 2 - use of HTTP methods as verbs
  ○ level 3 - HATEOAS (Hypertext As The Engine Of Application State)
  ○ level 3 introduces discoverability, making a protocol more self-documenting

HAL - Hypertext Application Language
● one of proposed standards for HATEOAS (level 3 in Richardson Maturity Model)
● format for JSON messages in REST APIs
  ○ every object has _links property with links to operations on the object or to other objects
  ○ collections are wrapped in _embedded
● supported by Spring HATEOAS Java library

HAL example

Mash ups
● combine data from various sources
● typically a Google map with some geospatial data
  ○ ships - http://www.marinetraffic.com/
  ○ aircraft - http://www.flightradar24.com/

www.marinetraffic.com

www.flightradar24.com

Federated identity
● many authentication mechanisms were developed for the web
  ○ username+password (hard to remember)
  ○ X509 digital certificate (complicated to get)
  ○ digest, Kerberos etc. (not much support in browsers)
● users forget passwords to rarely used accounts
● in federated identity, account from one organisation can be reused at others
● identity providers
  ○ OAuth - Google, Facebook, Twitter, ...
  ○ OpenID - Google, MojeID.cz, Seznam.cz, anybody
  ○ SAML - in academia - universities, Academy etc.

SOAP/WSDL web services
● preferred in the enterprise world
● used as API for the Czech eGovernment "Data Boxes"
● SOAP is Simple Object Access Protocol
● WSDL is Web Service Description Language
● WS-Interoperability Basic Profile needed to ensure interoperability
  ○ requires SOAP1.1
● many WS-* extensions
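
The AJAX slide's same-origin policy (protocol, host, port) and CORS bullets, shown as an added JavaScript example that is not part of the original slides. The hostnames, the allow-list and the `corsHeaders` helper are constructed for illustration.

```javascript
// Added example, not from the original slides.
// Hostnames and the allow-list are constructed sample values.

// An origin is the triple (protocol, host, port); fill in default ports
// so that https://host and https://host:443 compare as equal.
function originOf(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443" };
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || defaults[u.protocol] || "",
  };
}

// Same-origin policy: all three parts must match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Server side of CORS (hypothetical helper): echo the Origin request header
// back only on an exact allow-list match. Prefix or substring matching would
// also accept look-alike hosts such as app.example.test.other.test.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (typeof requestOrigin !== "string") return {};
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // caches must not reuse the response for other origins
  };
}

const ALLOWED = ["https://app.example.test"];
const page = "https://app.example.test/calendar";
console.log(sameOrigin(page, "https://app.example.test:443/api")); // same origin
console.log(sameOrigin(page, "http://app.example.test/api"));      // protocol differs
console.log(sameOrigin(page, "https://api.example.test/v1"));      // host differs
console.log(corsHeaders("https://app.example.test", ALLOWED));
console.log(corsHeaders("https://app.example.test.other.test", ALLOWED));
```

Without an `Access-Control-Allow-Origin` header that matches the calling page's origin, the browser withholds the cross-origin response from the script that requested it.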