Resteasy 2.3.3.Final Released

A bunch of bug fixes. Also added a couple new features:

  • A few people were asking for a servlet-free embedded HTTP engine.  Integration with the Sun JDK’s built-in com.sun.net.httpserver.HttpServer was added.  See the documentation for more details.  Support for other HTTP engines is in the works.
  • Support for some more formats of the Atom Publishing Protocol.  Thanks to contribution from Kurt Stam.

Links to release notes, downloads, and documentation are available from the main Resteasy Web Page.

Decentralized Auth with Cookies

Way back in June I was brainstorming about ideas for decentralized authentication.  Here’s a summary of the requirements I wanted:

  • Completely stateless servers.  Servers that host browser applications and RESTful services would not have to store usernames, passwords, or permission metadata (roles allowed).
  • Servers would not have to handshake with an Identity Provider (IDP).  An HTTP request should contain all the information a server needs to authenticate and authorize a client.
  • A single web request can spawn complex authenticated and authorized interactions between underlying distributed web services.  This single web request would have all the metadata needed to invoke these complex underlying interactions between distributed services.

Unifying Interactions With Cookies

The problem with the protocol discussed in my previous blog was that it relied on new headers being transmitted between the client and server.  This sort of mechanism just wouldn’t work with browser-based applications.  Why?  Well, a browser isn’t going to know how to transmit and process new headers.  The only way to get a browser to store and forward metadata is via a cookie.  Most browser-based apps already use a session cookie to authenticate users (after a log-in of course).  There’s no reason we couldn’t re-use the digital signature techniques discussed in my previous blog with cookies.  Here’s how it could work:

  1. Browser points to example.com
  2. example.com redirects browser to idp.com (the identity provider)
  3. User logs in to the IDP
  4. IDP redirects back to example.com.  The forward URL carries all the security metadata needed for the request, digitally signed (a query parameter would hold the signature).  Amazon’s URL signing technique could be used.
  5. Example.com would authenticate and authorize based on the query parameters of the forward URL and also verify the signature.
  6. Example.com would send back a set of cookies that contained all the security metadata expressed as cookie name/value pairs.  A special digital signature cookie would be used to sign them all so that on subsequent requests, the server could verify all the information stored in these cookies.

Step #4 might be problematic as the URLs could get quite large.  Who knows if a browser barfs on absurdly long URLs.  In this case we could do a double form POST.  The IDP could respond to a successful login with an HTML form whose target is example.com.  This form would carry all of the security metadata in hidden fields.  One particular form parameter would hold the digital signature (I think the SAML HTTP POST binding works like this).

One vulnerability here is cross-site scripting.  Most websites already have this exposure I believe, so using existing techniques would be best.  I’m not sure how websites solve this particular problem, but the HttpOnly flag could be set on each session cookie so page scripts cannot read them (the cookies should also carry the Secure flag so they are never sent in cleartext).  JavaScript apps could have their JavaScript dynamically generated by the server and include the necessary code to manually apply and send the appropriate cookies.  Another thing that might mitigate things is to include a timestamp inside the signed cookie set.  The application server would reject stale timestamps and, with each request, re-issue the digitally signed cookies with a fresh timestamp.  Note that the timestamp only bounds the replay window; a stolen cookie set is still valid until it goes stale.
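Steps #6 and the timestamp idea above, worked through as an added example that is not part of the original post or of Resteasy: the security metadata is expressed as ordinary cookies, a single signature cookie covers all of them with an HMAC, and verification is purely local (no session store, no IDP handshake).  The server key, the 300-second staleness window, the cookie names and the sample user are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, List, Optional
from urllib.parse import quote

# Assumed secret shared by example.com's stateless front-ends (constructed for this
# example; in practice it is generated and distributed out of band).
SERVER_KEY = b"example.com-cookie-signing-key-0001"
MAX_AGE_SECONDS = 300      # how stale a signed cookie set may get before re-login (assumption)
SIGNATURE_COOKIE = "sig"   # the "special digital signature cookie"


def _canonical(cookies: Dict[str, str]) -> bytes:
    """Deterministic byte string covering every metadata cookie except the signature.

    Names are sorted and name/value are percent-encoded before joining, so an
    attacker cannot shift bytes between fields (e.g. merge two cookies into one
    roles value) and still produce the same signed string.
    """
    parts = [f"{quote(k, safe='')}={quote(v, safe='')}"
             for k, v in sorted(cookies.items()) if k != SIGNATURE_COOKIE]
    return "&".join(parts).encode("utf-8")


def _mac(key: bytes, data: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode("ascii")


def issue_cookies(key: bytes, user: str, roles: List[str], now: Optional[int] = None) -> Dict[str, str]:
    """Step #6: security metadata as name/value cookies plus one signature cookie."""
    now = int(time.time()) if now is None else now
    cookies = {"user": user, "roles": ",".join(roles), "ts": str(now)}
    cookies[SIGNATURE_COOKIE] = _mac(key, _canonical(cookies))
    return cookies


def verify_cookies(key: bytes, cookies: Dict[str, str], now: Optional[int] = None) -> Dict[str, str]:
    """Authenticate a request from its cookies alone.

    Returns a re-signed cookie set with a fresh timestamp on success, so the
    server can reset the cookies on every response; raises ValueError on a
    missing/forged signature or a stale timestamp.
    """
    now = int(time.time()) if now is None else now
    sig = cookies.get(SIGNATURE_COOKIE)
    if sig is None:
        raise ValueError("missing signature cookie")
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(_mac(key, _canonical(cookies)), sig):
        raise ValueError("cookie signature mismatch (tampered or forged)")
    try:
        ts = int(cookies["ts"])
    except (KeyError, ValueError):
        raise ValueError("missing or malformed timestamp")
    if now - ts > MAX_AGE_SECONDS or ts > now + 60:   # 60 s of forward clock skew tolerated
        raise ValueError("stale cookie set; re-authenticate with the IDP")
    roles = cookies["roles"].split(",") if cookies.get("roles") else []
    return issue_cookies(key, cookies["user"], roles, now)


def rejects(key: bytes, cookies: Dict[str, str], now: int) -> bool:
    """True when verify_cookies refuses the set (handy for tests and logging)."""
    try:
        verify_cookies(key, cookies, now)
        return False
    except ValueError:
        return True


def set_cookie_headers(cookies: Dict[str, str]) -> List[str]:
    """Render the set as Set-Cookie headers with the flags discussed above."""
    return [f"Set-Cookie: {name}={quote(value, safe='')}; Path=/; Secure; HttpOnly"
            for name, value in cookies.items()]
```

The roles are stored in the clear and only integrity-protected; if the metadata itself is sensitive it would need to be encrypted as well, which this example does not do.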

Non-Browser Clients Use Cookies Too

For non-browser clients, they could use a simpler RESTful protocol to obtain a signed URL or the set of signed form parameters.  There’s also no reason they couldn’t get a set of signed cookies instead of either of these approaches.

Java EE wins over Spring

In the 1-2 years since the release of Java EE 6, you’ve seen a lot of articles like this latest one on TSS that talk about the niceties of Java EE 6’s component model over Spring and how Spring is now legacy.  Yup, legacy.  Who would have thought it?  (other than me of course 😉 ) I remember internal JBoss emails 4-5 years ago arguing whether we should give up on promoting Java EE as a component model (aka on EJB) and just concede to Spring.  Now, 4-5 years later, Java EE 6 has answered the challenge and is a viable, rich integration technology.  So what happened?

Spring always depended on Java EE

Spring was and has always been a wrapper over core middleware infrastructure: ORM, transactions, messaging, HTTP.  It always depended on core Java EE specs like JPA, JTA, JMS, and Servlet.  So, since you couldn’t deploy a Spring app without at least one of these core technologies/specifications, Java EE stayed in users’ minds.  There was always the opportunity that Java EE could get its act together in component model development.  While Rod Johnson always tried to position Spring as a Java EE alternative and JBoss killer, the Spring “platform” was never a true alternative to Java EE and JBoss, and in fact, couldn’t really exist without it.  IMO, this was a huge missed opportunity for the Spring folks.

Being the anti-Romney doesn’t work in the long run

J2EE was a machine with a massive install base.  A machine with a massive amount of money invested into it.  Java EE was its own market.  While Rod positioned himself over and over as the alternative to Java EE, did he really think that this massive machine wouldn’t respond to the challenge?  While there are a lot of radical technology enthusiasts out there, the core Java constituency is pretty much moderate.  They are slow to adopt and tend to wait to see who is going to win the war over a long time.  Spring could not replace Java EE because, technology wise, they were dependent on it.  All Java EE had to do was improve its component API message to the people, outspend Spring, and win over it in the long run.

Annotations were a game changer

The first thing that happened to shake Spring was the introduction of annotations in Java 5.  Annotations were a game changer.  Annotations were the opportunity to introduce mini-DSLs and pluggable keywords into Java.  Java EE 5 grabbed this opportunity with a huge facelift and refactoring of EJB and the introduction of JPA.  Basically, this was a standardization of Hibernate and its integration into EJB.  Complex EJB 2.x XML was replaced by a few new Java keywords (well, annotations).  Simplicity ruled the day.  Middleware started to look more and more like a language feature rather than something hacked together via XML.  When annotations came out, I remember the Spring folks writing multiple blogs and forum posts about how evil they were.  IMO, they were just terrified of this new technology as it made much of Spring 2.x obsolete, and, well, much of Spring more complicated than Java EE 5.

CDI closed API hole

Thank you Gavin and the Seam folks.  CDI and Java EE 5 pretty much closed the technology gap.  Not only did they fill the integration holes that Spring exposed, they innovated far beyond what Spring had and created something new.  Beyond core IoC and DI, CDI’s event model was truly innovative and cool.

App Servers got their act together

Application servers started to get their act together with regards to boot time.  It started with GlassFish and ended with JBoss 7.  Both of which can boot in a matter of seconds.  The whole Spring complaint that you needed Spring to mock out and test your code because app servers started so slowly was moot.

Arquillian made a mock of mocks

The final game changer was Arquillian.  One huge advantage Spring had was a unit testing story.  They gave you the ability to mock out core services like transactions and allowed you to test application code outside of the application server.  This is huge for continuous integration and automated builds as well.  Combined with the fast boot times of JBoss 7 and GlassFish, you no longer have to hope your mocks will work when you actually run it in its real environment.  Arquillian allows you to run your unit tests in a real environment with real transactions, etc.  Personally I always despised mocks because they didn’t test in the environment you were going to run in.  I thought they were pointless and to this day, I refuse to use this testing pattern.

Anyways, in retrospect, I’m glad Rod and company were able to cash out with the VMware acquisition before Java EE was able to regain its dominance.  SpringSource pushed Java EE to innovate and for that I’m very grateful.  For Java EE, it was either evolve or die.  They evolved; now it’s time for Spring to die.

Web Sockets, a disaster in waiting?

Mark posted a really nice article to InfoQ: WebSockets vs. REST?

From what I understand of WebSockets, it’s basically used to set up a two-way socket connection and is not really an application protocol. What worries me the most is that you’ve basically rolled back 20 years of protocol consolidation, and we’re now back to a free-for-all of everybody’s pet protocol. Not so bad if your client and server are a tightly coupled, unreusable UI application. Really bad if you’re writing a web service that is supposed to be reusable by unknown heterogeneous clients. With WebSockets, web services are not only going to have to negotiate the media type, but also the application protocol. Seems like a huge step backward to me in terms of integration.  Did we forget all the problems we had with Oracle Forms, PowerBuilder, Visual Basic and all the UI/framework-specific protocols those developer frameworks introduced?  Do we really want to go back to those days?

What about security issues?  With an anything-goes socket protocol, isn’t this a security nightmare for our operations folks?

Disclaimer:  You could say that I’m both biased and threatened by the concept of WebSockets given my involvement in REST frameworks and APIs.  But in all honesty, I’d be very happy to embrace a new protocol that is both ubiquitous and easily supportable and interoperable in many different languages and platforms.  There’s much to be said for the simple request/response text-based approach of HTTP (and REST over HTTP).  While it may not be uber-efficient, it’s just so easy to hack and support.

Resteasy 2.3.1 Released

This is a maintenance release of the 2.3.x series.

As always, to download and see documentation follow the links from our website.  Take a look at our Jira release notes.  You might also want to check out the Migration guide to view what has broken as far as backward compatibility if you’re upgrading from an earlier version.

Resteasy 2.3-RC1 Released, Please Testdrive!

Resteasy 2.3-RC1 has just been released.  Please follow the links on the main Resteasy page to see documentation and download links.  We do have some backward incompatibilities, so see the Migration Guide.  If you can, please test-drive it!  We will be doing a 2.3.GA release in 2 weeks, so it’s up to you to find any critical blocker bugs we might have introduced!

After 2.3 is released we will be starting to work on Resteasy 3.0, a JAX-RS 2.0 implementation.  In conjunction we will also be moving source control to github.

World of RESTCraft

An online buddy of mine drew my attention to Blizzard’s new Community API for World of Warcraft.  For those of you who aren’t familiar with World of Warcraft, it is a massively multiplayer online role-playing game.  They have millions of players.  The game is so successful and generates so much cash that Blizzard pays out a dividend to stockholders.  Not only do they have millions of players, there’s also a very large community around WoW.  The game itself has its own scripting language which you can use to write add-ons.  This add-on community is huge, with thousands upon thousands of apps written.

There’s also a large variety of third-party sites that provide character and guild management, quest information, gear info, damage simulators, and gear optimization.  These types of tools need to access Blizzard’s databases.  This is where Blizzard’s new REST-based Community API comes in.  Originally, a lot of these sites did screen scraping on WoW’s main website to grab information and access character management.  Since April, Blizzard has been developing and publishing a full read and write RESTful interface for their applications.  It seems they picked REST because of the ease of integration across many languages.

Things to note

In browsing the API documentation here’s a few things that jumped out at me

Document by example

The first thing to note is that the API is documented by example.  Here’s the URL pattern you use.  This is what the HTTP request looks like.  This is the JSON data you should send, and this is what the JSON data looks like.  IMO, this is what REST API documentation should look like.  No WADL.  No schema.  Just plain, here’s what you can send, here’s what the request looks like.  This is the approach I’ve taken with my API documentation.  You gotta remember, the people that are going to be integrating with these APIs don’t come from SOAP-land, WS-*-land, CORBA-land, enterprise programming land.  All will understand HTTP and JSON pretty easily.  This is what I love about REST: “lightweight” interoperability with a very low barrier to entry.

Signature-based Authentication

Hackers are ruthless when it comes to World of Warcraft.  I myself was hacked once and had to get my account restored.  Blizzard is very careful about this as it creates a lot of support headaches for them.  You can use a soft token via your smartphone, or order a physical RSA-style token generator to use when you log into the game.  As for the REST API, you need to acquire a public and private key.  Authentication is done by computing a keyed hash (HMAC) with your private key over the current date, the URL path, and the HTTP method:

UrlPath = <HTTP-Request-URI, from the port to the query string>
StringToSign = HTTP-Verb + "\n" +
    Date + "\n" +
    UrlPath + "\n";

Signature = Base64( HMAC-SHA1( UTF-8-Encoding-Of( PrivateKey, StringToSign ) ) );
Header = "Authorization: BNET" + " " + PublicKey + ":" + Signature;

Amazon does something very similar for many of its public REST APIs.  It is not a true digital signature (a signature is produced with a private key and checked with the corresponding public key; here the “PublicKey” is really just a key identifier and the verifier must hold the same secret to recompute the HMAC), but it’s very close, and a lot simpler to use and understand.  Two practical consequences: the server has to store or derive every client’s private key, and the Date field only bounds replay to whatever clock skew the server tolerates.
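The scheme quoted above, both the client’s signing side and the server’s verification side, as an added example that is not Blizzard’s or Resteasy’s code.  The public/private key pair, the api.example.com host, the Date value and the 300-second skew window are assumptions made for this example; only the StringToSign layout and the Authorization header format follow the spec quoted above.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate, parsedate_to_datetime
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed credentials for this example (not real Blizzard keys).
PUBLIC_KEY = "examplepublickey"
PRIVATE_KEY = b"example-private-key-bytes"
MAX_CLOCK_SKEW = 300   # seconds the request Date may differ from the server clock (assumption)
SAMPLE_DATE = formatdate(1700000000, usegmt=True)   # constructed RFC 1123 Date header value


def url_path(url: str) -> str:
    """UrlPath: the request URI after the host/port, up to but not including the query string."""
    return urlsplit(url).path or "/"


def string_to_sign(method: str, date: str, url: str) -> str:
    # Exactly the three newline-terminated fields of the spec quoted above.
    return f"{method.upper()}\n{date}\n{url_path(url)}\n"


def sign(private_key: bytes, method: str, date: str, url: str) -> str:
    """Base64( HMAC-SHA1( PrivateKey, UTF-8( StringToSign ) ) )."""
    mac = hmac.new(private_key, string_to_sign(method, date, url).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(public_key: str, private_key: bytes, method: str, date: str, url: str) -> str:
    """Client side: the value of the Authorization header, 'BNET <PublicKey>:<Signature>'."""
    return f"BNET {public_key}:{sign(private_key, method, date, url)}"


def verify(headers: Mapping[str, str], method: str, url: str, now_epoch: float,
           key_store: Mapping[str, bytes]) -> bool:
    """Server side: parse the header, look up the secret by key id, bound clock skew,
    rebuild the signature over what was actually requested, and compare in constant time."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    public_key, _, sig = credential.partition(":")
    if scheme != "BNET" or not public_key or not sig:
        return False
    private_key: Optional[bytes] = key_store.get(public_key)
    if private_key is None:
        return False          # unknown key id; never fall back to a default key
    date = headers.get("Date")
    if not date:
        return False
    try:
        sent = parsedate_to_datetime(date).timestamp()
    except (TypeError, ValueError):
        return False
    if abs(now_epoch - sent) > MAX_CLOCK_SKEW:
        return False          # replayed or badly skewed request
    expected = sign(private_key, method, date, url)
    return hmac.compare_digest(expected, sig)
```

Because the query string is outside UrlPath in this layout, a change to query parameters does not invalidate the signature; a practitioner deciding what to sign in their own API should weigh that against Amazon’s approach, which covers the canonical query string as well.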

Not very link driven

Can you imagine this API being explained via a set of published links rather than a set of URI patterns?  I’ve taken advantage of HATEOAS, especially within the HornetQ REST API, but in many cases, just publishing the URI scheme can be very useful.  Maybe it’s data publishing vs. interaction?  With a data-publishing app (WoW) it makes more sense to publish a URI scheme for your REST interface.  With an interactive application (i.e. HornetQ REST), HATEOAS, link-driven interfaces make a lot more sense and give you a lot more flexibility.

Versioning?

On one of the forum posts, the developer talked about how he/she planned to version the API in the future.  It seems that they will version using URIs.  The latest and greatest will always use the same top-level URI schemes.  If you want to tie yourself to an older version of the API, the URI scheme will be prefixed with a version identifier:

New API:
/api/wow/realms

Old API
/api/wow/v1/realm/status

All in all, it will be great to see this API evolve over time.  This will be a great public display of a REST API and it will be very interesting to see how Blizzard tackles various issues.  There’s a lot we can learn here.

Resteasy 2.3-Beta-1 Released

I don’t usually make a lot of noise about a beta release, but there are some new security features I’d like everybody to test-drive (along with a bunch of bug fixes).  Also, there are a few backward incompatibilities to be aware of.  New features?

  • S/MIME integration.  You can now send/receive S/MIME encrypted and/or signed messages over HTTP.  This is great if you have a requirement to encrypt or sign message bodies end to end, independent of the transport.
  • Subresource locator support for client proxy framework. Thanks Peter Murray for this!
  • Jackson 1.8.5 upgrade

As always, to download and see documentation follow the links from our website.  Take a look at our Jira release notes.  You might also want to check out the Migration guide to view what has broken as far as backward compatibility.

They are guidelines not laws

I’m catching up on some blog reading.  A great blog on REST, if you don’t read it already, is Subbu Allamaraju‘s (in my blog links too).  I like to call him Dr. REST.  Back in May he wrote about Richardson’s Maturity Model and how measuring your APIs against the model is the wrong thing to do (I think he’s followed it up with a presentation).  I couldn’t agree more.  What I like about this model (and other articles like it) is that I can compare it to my own history of growing my understanding of REST.  IMO, what you should do with these models and guidelines is read them, examine them, and see if they spark any ideas for improving your application.  They just might improve your understanding of REST and why certain constraints are good.  Don’t try to fit your API to REST.  Let REST help you write a better API.  Don’t apply REST for the sake of REST.  This is primarily why I unplugged myself from the rest-discuss mailing list.  If you treated REST as a set of guidelines instead of a set of laws you were castigated for it.  Wrong approach.

Anyways, as usual, great blog Subbu.  BTW, you should check out his book too.

Typical example of why dynamic languages suck

A while back I ranted against using dynamic languages like Ruby, Python, etc.  Recently, I’ve been using Python as a way to test Resteasy’s S/MIME integration.  It was an extremely frustrating experience that would have been much better if Python were statically typed.  Why?  Well, take a look at this documentation for doing S/MIME with Python and M2Crypto.  The problem is that the examples interact with Python’s mail API. I needed to be able to send S/MIME over HTTP.  So, I needed to understand the M2Crypto API a little bit better.  If you look at the example code, you have no idea which additional methods are available, and more frustratingly, what types of objects these methods return.  The auto-generated javadoc-like docs for M2Crypto were even less helpful.  What I ended up having to do was dive into the M2Crypto codebase to figure out exactly what was going on.

Moral of the story?  Programming in dynamic languages can be a lot of fun.  But when you run into APIs you’re not familiar with, you’re pretty much at the mercy of the documentor.  If the documentation sucks, you’re pretty much up shit creek and forced to dive into the code to understand what is going on.
