Security, Scalability and Controlling the URI

Implementing RESTful
Services With WCF 3.5 SP1
Security, Scalability and Controlling
the URI (Part 2 of 2)
Session Objectives And Takeaways
Go a level deeper than we did in Part 1
Describe how optional HTTP features like caching
and conditional GET impact scalability
Explain how you can fully control the URI
Consider options for securing RESTful services
Learn about the updates to WCF in 3.5 SP1
Agenda
What is REST and Why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?
Why REST?
REST is an architectural style for implementing services
with the simple and open model of the web
SOAP is a protocol that delivers a rich messaging model
independent of the transport
SOAP
REST
WCF Test Client
Notepad
5 HTTP Messages
18,604 bytes
“You entered: 1”
Internet Explorer
Agenda
What is REST and Why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?
Information Architecture
URI                        Verb     Collection     Action
/wine                      POST     Wine           Create
/wine/{wineId}             GET      Wine           Read
/wine/{wineId}             PUT      Wine           Update
/wine/{wineId}             DELETE   Wine           Delete
/wine/series/{seriesId}    GET      Wine Series    Read
/wine/{wineId}/reviews     GET      Wine Reviews   Read
/wine/{wineId}/reviews     POST     Wine Reviews   Create
Default WCF Web URI
http://localhost/service.svc/method?arg1=1
Scheme:           http
Authority:        localhost
.svc file path:   /service.svc
Method name:      method
Query arguments:  ?arg1=1
WCF 3.5 UriTemplates
UriTemplate allows you to override the default
Arguments are bound by name
[OperationContract]
[WebGet(UriTemplate = "Wine/{wineId}")]
WineData GetWine(string wineId);
http://localhost/service.svc/Wine/1
New in WCF 3.5 SP1
Default values for template variables
Cannot be used for query string values
[OperationContract]
[WebGet(UriTemplate = "Wine/{wineID=17}")]
WineData GetWine(string wineID);
New in WCF 3.5 SP1
Compound Template Segments
[OperationContract]
[WebGet(UriTemplate = "wine({wineID})")]
WineData GetWine(string wineID);
http://localhost/service.svc/wine(17)
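The information architecture table and the UriTemplate attributes above, put together as one contract. This is an added example, not code from the talk's demo: WineData, WineReview, WineService and its in-memory store are hypothetical stand-ins, and the numeric id rule is an assumption about how this service issues ids.

```csharp
// Added example, not from the original deck: the wine information architecture above
// expressed as one WCF 3.5 SP1 contract with explicit UriTemplates. WineData, WineReview,
// WineService and its in-memory store are hypothetical stand-ins for the talk's demo code.
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Web;

[DataContract] public class WineData { [DataMember] public string Id; [DataMember] public string Name; [DataMember] public string SeriesId; }
[DataContract] public class WineReview { [DataMember] public string Text; }

[ServiceContract]
public interface IWineService
{
    // One operation per table row: the verb is the HTTP method, the URI is the template, and
    // template variables bind by name to parameters (WCF 3.5 requires them to be strings).
    [OperationContract, WebInvoke(Method = "POST", UriTemplate = "wine")]
    WineData CreateWine(WineData wine);
    [OperationContract, WebGet(UriTemplate = "wine/{wineId}")]
    WineData GetWine(string wineId);
    [OperationContract, WebInvoke(Method = "PUT", UriTemplate = "wine/{wineId}")]
    WineData UpdateWine(string wineId, WineData wine);
    [OperationContract, WebInvoke(Method = "DELETE", UriTemplate = "wine/{wineId}")]
    void DeleteWine(string wineId);
    [OperationContract, WebGet(UriTemplate = "wine/series/{seriesId}")]
    List<WineData> GetSeries(string seriesId);
    [OperationContract, WebGet(UriTemplate = "wine/{wineId}/reviews")]
    List<WineReview> GetReviews(string wineId);
    [OperationContract, WebInvoke(Method = "POST", UriTemplate = "wine/{wineId}/reviews")]
    WineReview AddReview(string wineId, WineReview review);
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single, ConcurrencyMode = ConcurrencyMode.Multiple)]
public class WineService : IWineService
{
    readonly object gate = new object();
    readonly Dictionary<string, WineData> wines = new Dictionary<string, WineData>();
    readonly Dictionary<string, List<WineReview>> reviews = new Dictionary<string, List<WineReview>>();
    int nextId = 1;

    // Ids come straight from the URI; check them against the shape this service issues
    // (assumed: positive integers) before they reach a data store or an error message.
    static bool ValidId(string id) { int n; return int.TryParse(id, out n) && n > 0; }
    static void Status(HttpStatusCode code) { WebOperationContext.Current.OutgoingResponse.StatusCode = code; }

    public WineData CreateWine(WineData wine)
    {
        lock (gate)
        {
            wine.Id = (nextId++).ToString();   // the server, not the client, assigns identity
            wines[wine.Id] = wine;
            reviews[wine.Id] = new List<WineReview>();
        }
        Status(HttpStatusCode.Created);
        return wine;
    }
    public WineData GetWine(string wineId)
    {
        WineData w;
        lock (gate) if (ValidId(wineId) && wines.TryGetValue(wineId, out w)) return w;
        Status(HttpStatusCode.NotFound);
        return null;
    }
    public WineData UpdateWine(string wineId, WineData wine)
    {
        lock (gate)
        {
            if (!ValidId(wineId) || !wines.ContainsKey(wineId)) { Status(HttpStatusCode.NotFound); return null; }
            wine.Id = wineId;            // identity from the URI wins over anything in the body
            wines[wineId] = wine;
            return wine;
        }
    }
    public void DeleteWine(string wineId)
    {
        lock (gate) if (wines.Remove(wineId)) reviews.Remove(wineId); else Status(HttpStatusCode.NotFound);
    }
    public List<WineData> GetSeries(string seriesId)
    {
        lock (gate) return wines.Values.Where(w => w.SeriesId == seriesId).ToList();
    }
    public List<WineReview> GetReviews(string wineId)
    {
        List<WineReview> r;
        lock (gate) if (reviews.TryGetValue(wineId, out r)) return new List<WineReview>(r);
        Status(HttpStatusCode.NotFound);
        return null;
    }
    public WineReview AddReview(string wineId, WineReview review)
    {
        List<WineReview> r;
        lock (gate) if (reviews.TryGetValue(wineId, out r)) { r.Add(review); Status(HttpStatusCode.Created); return review; }
        Status(HttpStatusCode.NotFound);
        return null;
    }
}
```

Host it with WebServiceHost (or a .svc with WebHttpBinding) and GET /wine/1, /wine/series/{seriesId} and /wine/1/reviews resolve to the operations in the table without any method name or query argument in the URI. Note that /wine/series/{seriesId} and /wine/{wineId}/reviews both have three segments; the literal segment decides which template wins, which is one more reason to keep wine ids numeric.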
Full URI Control
Scott Guthrie
Tip/Trick: Url Rewriting with ASP.NET
Jon Flanders (MVP)
Using WCF WebHttpBinding and WebGet with nicer Urls
IIS7
Use/Build an HttpModule
IIS7 Team Recently Released a URL Rewrite Module
IIS 5/6
Use an ISAPI filter
Demo
Controlling the URI
Agenda
What is REST and Why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?
Message Schema
Option 1: Basic Atom Feed
Standardized syndication schema
WCF 3.5 SP1 Supports All Atom Publishing Protocol types
Option 2: Custom Service Schema
You create your own schema for messages using DataContracts
or XSD
See Part 1 session for examples
microformats
Standards for common human readable data in
(X)HTML
hCard, hCalendar, etc.
<div id="" class="vcard">
<a class="url fn n" href="http://www.cohowinery.net">
<div class="org">Coho Winery</div>
</a>
<a class="email" href="mailto:greatwine@cohowinery.net">greatwine@cohowinery.net</a>
<div class="adr">
<div class="street-address">555 Wine Lane</div>
<span class="locality">Napa</span>
<span class="region">CA</span>
<span class="postal-code">94558</span>
<span class="country-name">USA</span>
</div>
<div class="tel">800-555-1212</div>
</div>
Demo
Basic Atom Feed
Content Negotiation
Allow the client to ask for the format they want
Accept header
Extension (e.g. .json)
Query string (e.g. ?format=json)
Fixed content format
Attribute your WCF service (ResponseFormat = WebMessageFormat.Xml or Json on WebGet/WebInvoke)
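All three negotiation mechanisms from the slide in one operation. This is an added example, not the talk's demo code: WineData, the constructed lookup, the "format" query parameter name and the precedence order (extension, then query string, then Accept) are assumptions. Returning Message rather than a typed result is what lets one operation pick XML, JSON or Atom per request in WCF 3.5 SP1.

```csharp
// Added example, not from the original deck: choosing the response format per request in
// WCF 3.5 SP1 from a URI extension, a "format" query parameter or the Accept header, in that
// order. WineData, the lookup and the parameter name are hypothetical.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Syndication;
using System.ServiceModel.Web;

[DataContract] public class WineData { [DataMember] public string Id; [DataMember] public string Name; }

public static class ContentNegotiation
{
    // Allow-list of what the service can actually emit. Anything else is refused rather than
    // echoed back, so a client can never steer the Content-Type of a response.
    static readonly Dictionary<string, string> Supported =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "application/atom+xml", "atom" }, { "application/json", "json" },
            { "application/xml", "xml" }, { "text/xml", "xml" }
        };

    // "text/html, application/json;q=0.9, */*;q=0.1" -> media ranges ordered by q, q=0 dropped.
    public static IEnumerable<string> RankedMediaRanges(string accept)
    {
        var ranked = new List<KeyValuePair<string, double>>();
        foreach (var part in (accept ?? "").Split(','))
        {
            var pieces = part.Split(';');
            double q = 1.0, parsed;
            foreach (var p in pieces.Skip(1))
            {
                var kv = p.Trim().Split('=');
                if (kv.Length == 2 && kv[0] == "q" &&
                    double.TryParse(kv[1], NumberStyles.Float, CultureInfo.InvariantCulture, out parsed)) q = parsed;
            }
            if (q > 0 && pieces[0].Trim().Length > 0) ranked.Add(new KeyValuePair<string, double>(pieces[0].Trim(), q));
        }
        return ranked.OrderByDescending(r => r.Value).Select(r => r.Key);
    }

    // Returns "atom", "json" or "xml"; null when the client explicitly named a format we lack.
    public static string Choose(string extension, string query, string accept)
    {
        var explicitFormat = extension ?? query;
        if (explicitFormat != null)
            return Supported.ContainsValue(explicitFormat.ToLowerInvariant()) ? explicitFormat.ToLowerInvariant() : null;
        foreach (var range in RankedMediaRanges(accept))
        {
            string fmt;
            if (Supported.TryGetValue(range, out fmt)) return fmt;
            if (range == "*/*" || range == "application/*") break;
        }
        return "xml";  // no Accept, a wildcard, or only types we lack (a browser's text/html)
    }
}

[ServiceContract]
public class WineFormatService
{
    [OperationContract]
    [WebGet(UriTemplate = "wine/{wineId}?format={format}")]
    public Message GetWine(string wineId, string format)
    {
        var ctx = WebOperationContext.Current;
        // Extension form: "wine/17.json" arrives here with wineId == "17.json".
        string ext = null;
        int dot = wineId.LastIndexOf('.');
        if (dot > 0) { ext = wineId.Substring(dot + 1); wineId = wineId.Substring(0, dot); }

        string chosen = ContentNegotiation.Choose(ext, format, ctx.IncomingRequest.Accept);
        if (chosen == null)
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.NotAcceptable;
            ctx.OutgoingResponse.SuppressEntityBody = true;
            return null;
        }
        var wine = new WineData { Id = wineId, Name = "Coho Cabernet " + wineId };  // constructed stand-in for a lookup
        switch (chosen)
        {
            case "json":
                return ctx.CreateJsonResponse(wine);
            case "atom":
            {
                var item = new SyndicationItem(wine.Name, "Wine " + wine.Id,
                    new Uri("http://www.cohowinery.net/wine/" + wine.Id));
                item.Id = "urn:cohowinery:wine:" + wine.Id;
                return ctx.CreateAtom10Response(item);
            }
            default:
                return ctx.CreateXmlResponse(wine);
        }
    }
}
```

The Create*Response helpers set Content-Type themselves, so the only media types that ever reach the wire are the ones in the allow-list; an Accept header is parsed, never copied into the response.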
Demo
Content Negotiation
Agenda
What is REST and Why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?
Caching
Client Side
Controlled by HTTP Headers
Cache-Control
Instructions to client side cache
Expires
Server Side
HttpRuntime.Cache
“Velocity” Distributed Cache
CTP1 Now Available
Conditional GET
GET this data only if...
If-Modified-Since: (Date)
Return the data only if it has been modified since (Date)
If-None-Match: (ETag)
Return the data only if its current ETag differs from the one(s) listed
Otherwise respond 304 Not Modified with no body
Saves bandwidth by not re-transmitting unchanged data
WebOperationContext.Current.OutgoingResponse.SuppressEntityBody
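The caching headers and the conditional GET flow from the last two slides, in one WCF 3.5 SP1 operation. This is an added example, not the talk's demo code: WineRecord, the constructed store and the one-minute max-age are assumptions. The ETag is a hash of the bytes actually sent, so it changes exactly when the representation does and gives away nothing about the database.

```csharp
// Added example, not from the original deck: a WCF 3.5 SP1 GET that answers If-None-Match
// and If-Modified-Since with 304 and no body. WineRecord and the store are constructed samples.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Web;
using System.Text;

public class WineRecord
{
    public string Xml;            // the representation that goes on the wire
    public DateTime ModifiedUtc;  // last write, from the data store
}

public static class ConditionalGet
{
    // Strong ETag over the exact bytes the client receives: it changes precisely when the
    // representation does and exposes no row ids, inode numbers or timestamps.
    public static string ComputeETag(byte[] representation)
    {
        using (var sha = new SHA256Managed())
            return "\"" + Convert.ToBase64String(sha.ComputeHash(representation)) + "\"";
    }

    // If-None-Match may carry several tags or "*"; tags compare as opaque strings, quotes included.
    public static bool MatchesIfNoneMatch(string header, string etag)
    {
        if (string.IsNullOrEmpty(header)) return false;
        foreach (var raw in header.Split(','))
        {
            var tag = raw.Trim();
            if (tag.StartsWith("W/", StringComparison.Ordinal)) tag = tag.Substring(2); // weak compare is fine for GET
            if (tag == "*" || tag == etag) return true;
        }
        return false;
    }

    // HTTP dates have one-second resolution, so truncate our timestamp before comparing;
    // an unparseable header is ignored rather than rejected (RFC 2616 14.25).
    public static bool NotModifiedSince(string header, DateTime lastModifiedUtc)
    {
        DateTime since;
        if (string.IsNullOrEmpty(header) || !DateTime.TryParse(header, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out since))
            return false;
        var truncated = new DateTime(lastModifiedUtc.Ticks - lastModifiedUtc.Ticks % TimeSpan.TicksPerSecond, DateTimeKind.Utc);
        return truncated <= since;
    }
}

[ServiceContract]
public class WineCacheService
{
    // Constructed sample store.
    static readonly Dictionary<string, WineRecord> Store = new Dictionary<string, WineRecord>
    {
        { "17", new WineRecord { Xml = "<wine id=\"17\"><name>Coho Cabernet</name></wine>",
                                 ModifiedUtc = new DateTime(2008, 10, 1, 12, 0, 0, DateTimeKind.Utc) } }
    };

    [OperationContract]
    [WebGet(UriTemplate = "wine/{wineId}")]
    public Message GetWine(string wineId)
    {
        var ctx = WebOperationContext.Current;
        WineRecord rec;
        if (!Store.TryGetValue(wineId, out rec))
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.NotFound;
            return null;
        }
        byte[] body = Encoding.UTF8.GetBytes(rec.Xml);
        string etag = ConditionalGet.ComputeETag(body);

        // Validators go on every response, 200 or 304, so the client can keep revalidating.
        ctx.OutgoingResponse.ETag = etag;
        ctx.OutgoingResponse.LastModified = rec.ModifiedUtc;
        // "private": the representation may be per-user, so shared proxies must not serve it
        // to someone else; max-age lets the client skip the round trip entirely for a minute.
        ctx.OutgoingResponse.Headers[HttpResponseHeader.CacheControl] = "private, max-age=60";

        var req = ctx.IncomingRequest.Headers;
        string ifNoneMatch = req[HttpRequestHeader.IfNoneMatch];
        bool unchanged = ifNoneMatch != null
            ? ConditionalGet.MatchesIfNoneMatch(ifNoneMatch, etag)          // If-None-Match wins when both are sent
            : ConditionalGet.NotModifiedSince(req[HttpRequestHeader.IfModifiedSince], rec.ModifiedUtc);
        if (unchanged)
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.NotModified;
            ctx.OutgoingResponse.SuppressEntityBody = true;  // 304 carries headers only
            return null;
        }
        return ctx.CreateTextResponse(rec.Xml, "application/xml", Encoding.UTF8);
    }
}
```

Use "public" in Cache-Control only for representations that really are the same for every caller; anything that depends on who is asking stays "private" (or "no-store"), otherwise a shared cache will hand one user's data to the next.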
Demo
Caching / Conditional Get
Agenda
What is REST and Why should I care?
How will resources be addressed?
How will resources be formatted?
How do I ensure scalability?
How do I secure my service?
Security Scenarios
Developer / App Authorization
Authorizes an application to access RESTful services
Third Party Access
Application or site accessing a protected resource on behalf of
another
Human RIA User
Accessing a protected resource from an Ajax or Silverlight web
page using a cookie
Developer / App Authorization
Control access to public services
Allows you to revoke access if necessary
Developer is issued a token or application ID (or both)
Verify email and acceptance of license
Each request requires the token to be sent
URI may also include a signature to prevent request tampering
Tokens may be sent in the URI or Authorization header
Prefer the header: query strings end up in proxy logs, browser history and Referer headers
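Verifying an application ID plus a request signature on the server, as the slide describes. This is an added example, not the talk's demo or any real provider's scheme: the "CohoSig" header format, the app registry, the string-to-sign layout and the five-minute freshness window are all assumptions.

```csharp
// Added example, not from the original deck: checking a developer token and an HMAC request
// signature before a WCF operation runs. The app registry, the "CohoSig" scheme and the
// five-minute window are hypothetical; a real service keeps secrets and revocations in a database.
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

public static class AppAuthorization
{
    // Constructed sample registry: app ID -> secret, issued once the developer has verified
    // their e-mail and accepted the licence. Revoking an app means deleting its entry.
    static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]>
    {
        { "app-42", Encoding.UTF8.GetBytes("s3cr3t-issued-to-app-42") }
    };
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // The signed string binds the method, the full path and query, the app and a timestamp,
    // so a captured signature cannot be replayed against another resource or much later.
    public static string StringToSign(string method, string pathAndQuery, string appId, string unixTime)
    {
        return method.ToUpperInvariant() + "\n" + pathAndQuery + "\n" + appId + "\n" + unixTime;
    }

    public static string Sign(byte[] secret, string stringToSign)
    {
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
    }

    // Touch every byte whatever the first mismatch, so response time does not reveal
    // how many leading bytes of a guessed signature were right.
    public static bool ConstantTimeEquals(string a, string b)
    {
        if (a == null || b == null) return false;
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    // True only for a known (unrevoked) app, a fresh timestamp and a signature that matches.
    public static bool Verify(string method, string pathAndQuery, string appId, string unixTime,
                              string signature, DateTime nowUtc)
    {
        byte[] secret; long seconds;
        if (appId == null || !Secrets.TryGetValue(appId, out secret)) return false;
        if (!long.TryParse(unixTime, out seconds) || seconds < 0 || seconds > 4102444800L) return false;
        if ((nowUtc - Epoch.AddSeconds(seconds)).Duration() > MaxSkew) return false;
        return ConstantTimeEquals(Sign(secret, StringToSign(method, pathAndQuery, appId, unixTime)), signature);
    }
}

[ServiceContract]
public class ProtectedWineService
{
    // Expects:  Authorization: CohoSig <appId>:<unixTime>:<base64 signature>
    // The header is used rather than the query string so the token and signature stay out
    // of proxy logs, browser history and Referer headers.
    [OperationContract]
    [WebGet(UriTemplate = "wine/{wineId}")]
    public string GetWine(string wineId)
    {
        var ctx = WebOperationContext.Current;
        var auth = ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization] ?? "";
        var parts = auth.StartsWith("CohoSig ", StringComparison.Ordinal) ? auth.Substring(8).Split(':') : new string[0];
        var uri = ctx.IncomingRequest.UriTemplateMatch.RequestUri;
        bool ok = parts.Length == 3 && AppAuthorization.Verify(ctx.IncomingRequest.Method,
            uri.PathAndQuery, parts[0], parts[1], parts[2], DateTime.UtcNow);
        if (!ok)
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            ctx.OutgoingResponse.Headers[HttpResponseHeader.WwwAuthenticate] = "CohoSig realm=\"wine\"";
            return null;
        }
        return "wine " + wineId;  // stand-in for the real resource
    }
}
```

The client computes the same StringToSign with its secret and sends the result in the header; because the path and query are inside the MAC, changing any argument invalidates the signature, which is the "prevent request tampering" point on the slide. In a real service this check belongs in an IDispatchMessageInspector so that no operation can forget it.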
OAuth (Open Authorization)
An open protocol to allow secure API authentication
in a simple and standard method from desktop and
web applications.
OAuth.net
Allows users to grant access to protected resources
without having to give credentials to third parties
MySpace WCF Implementation
RestChess.com
Human RIA User
Authentication
ASP.NET AJAX authentication service is enabled
Human signs in to web site with script that calls Sys.Services.AuthenticationService.login
Forms authentication ticket returned in a cookie
Client side script accesses protected resources using the cookie
Authorization
Server authorizes client requests with <authorization> rules in a web.config file placed in the folder with the resource
The browser attaches the cookie to every request to the site, so state-changing operations also need a CSRF check
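The server side of the cookie scenario, as an added example rather than the talk's demo code. It assumes the service runs in ASP.NET compatibility mode (serviceHostingEnvironment aspNetCompatibilityEnabled="true" in web.config) and that the folder's web.config denies anonymous users with an authorization rule; the in-code identity check then acts as defence in depth. The X-Requested-With requirement is an added mitigation for forged cross-site requests, which the deck does not cover.

```csharp
// Added example, not from the original deck: a WCF 3.5 SP1 service hosted in ASP.NET that
// relies on the forms-authentication cookie issued by the AJAX AuthenticationService.
// Assumes aspNetCompatibilityEnabled="true" and a folder web.config with
// <authorization><deny users="?"/></authorization>. The X-Requested-With check is an
// added CSRF mitigation, not something the deck describes.
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class ReviewService
{
    // The browser sends the cookie on every request to this site, including ones a hostile
    // page triggers, so the cookie proves who the user is, not that they meant this call.
    // A plain HTML form cannot set this header; the page's own XMLHttpRequest can.
    static bool CallerIsSameSiteScript(IncomingWebRequestContext req)
    {
        return string.Equals(req.Headers["X-Requested-With"], "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
    }

    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "wine/{wineId}/reviews")]
    public string AddReview(string wineId, string text)
    {
        var ctx = WebOperationContext.Current;
        var user = HttpContext.Current.User;   // populated from the forms-auth cookie by ASP.NET
        if (user == null || !user.Identity.IsAuthenticated)
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            return null;
        }
        if (!CallerIsSameSiteScript(ctx.IncomingRequest))
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.Forbidden;
            return null;
        }
        // Attribute the review to the authenticated name, never to a name sent in the body.
        return user.Identity.Name + " reviewed wine " + wineId + ": " + text;
    }
}
```

With ASP.NET compatibility on, the UrlAuthorizationModule applies the folder's web.config rules before the service is even dispatched; the code above just makes sure a misplaced config file cannot silently open the operation up.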
Demo
Human RIA Security
Summary
RESTful Services work the way the Web works
Sharing your data with the world works
Focus on simple and open ideas first
Choose broad adoption over elegant design
Embrace the protocol of the web: HTTP
Understand its semantics
Use it as designed
appendix
WCF Test Client
Fiddler Proxy
Yahoo Web Search Service
Notepad Service Client?
Adventure Works Customer Get