question about REST

simon tiberius

Joined: Oct 30, 2012
Posts: 29
I'm trying to implement RESTful Java web services, and I have some questions:
I'm making an online shopping web service with the following spec (this is just the basics):
1. Customer : CustomerID, Name, Address, PhoneNumber
2. Order (by Customer) : OrderID, CustomerID, CreationDate, GrandTotal (from Parts)
3. Part (by Order) : OrderID, PartID, UnitCost, Quantity, LineTotal (Unit * Quantity)

Now, think specifically about these User Stories related to the Orders (not Customers, not Parts):
1. Customer lists orders to know which orders she has placed
2. Customer creates a new order to be fulfilled.
3. Customer views an existing order to get a reminder of what was ordered
4. Customer updates an order (add or delete parts, or changes quantity) when she realizes it is incorrect.
5. Customer can delete an order that is no longer needed (let’s not worry about if the order has been processed now)

Some questions:
1. REST is just a spec, right? Not an implementation. So REST is just like a JSR.
2. Is Order a resource? (I'm still trying to understand the terminology in REST.)
3. In my understanding, Order is something the user creates, while a resource is anything (data) owned by the server. So the user must first create an order (by querying and choosing already existing resources like parts from the server) and then POST the created order to the server. After the order is created, it will become a resource and can be accessed with a URI like GET orders/{customerID}. Is this correct?
4. I read a tutorial about defining the interface with an XML schema, but the tutorial left out the implementation. I don't really know how XML schema sits in a RESTful architecture. I usually only use model classes annotated with JAXB annotations for XML data transport. Can anybody explain a bit about this?
5. For security, I also want security at a low level (database level). How do you normally provide security using stored procedures to prevent unauthorized access? Is it also recommended to use views to get data instead of creating the query string dynamically? I'm using MySQL.
6. Because Order is concerned with money, I need to know the security risks in this scenario. Can anyone show what could go wrong with placing an order? May I hear the security risks in placing an order online like in this app, and how to mitigate them?

thank you very much.
sandeeprajsingh tandon
Ranch Hand

Joined: Mar 06, 2009
Posts: 79
1- REST is just a spec, right? Not implementation.

- I would say yes, it's a spec, it's an architecture. That's why they say services are "RESTful". Any service that has those characteristics is said to comply with being REST.

2 and 3- Is Order a resource?

- When you say an order is created, I am assuming that there would be a service like createOrder where you would pass in a Value Object with the order details and create an order. So the class "OrderService", which would serve all the order-related services (createOrder, deleteOrder), would in my view be termed a resource.

4- I don't understand the question here, but I know that a RESTful web service can produce XML without an XSD. I have been doing it the same way as you. Are you saying that there could be a schema around that? There can be, but how is it better than your annotated model classes?

5- Views are recommended, but that's a give and take. If you feel that the volume isn't big enough, you could go ahead with a dynamic query string. Otherwise, views are recommended. I am using dynamic query strings all the time.

6- Security is an overloaded term here. Are you referring to preventing hacking or to using RESTful protocol-based security? RESTful services are secured enough with HTTPS.
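An added example for question 5 (database-level access from the Java side), not code from either poster: the same order lookup written four ways in JDBC, as a dynamic query string, as a bound parameter, through a MySQL stored procedure, and through a view. The table, view and procedure names (Orders, v_customer_orders, sp_list_orders) and the procedure definition in the comment are assumptions of this example. The point it makes is that a view on its own does not stop SQL injection; binding the parameter does, and a DEFINER procedure additionally lets the application's MySQL account run with only EXECUTE, not SELECT on the base table.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Order lookups for the shop. The application's DB account is assumed to hold only
 *  EXECUTE on sp_list_orders and SELECT on v_customer_orders, not on the base table. */
public class OrderDao {

    private final Connection conn;

    public OrderDao(Connection conn) {
        this.conn = conn;
    }

    /** VULNERABLE, shown for contrast only: the value is spliced into the SQL text.
     *  customerId = "1 OR 1=1" lists every customer's orders. */
    public List<Long> listOrdersDynamic(String customerId) throws SQLException {
        String sql = "SELECT OrderID FROM Orders WHERE CustomerID = " + customerId;
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** Bound parameter: the value is sent separately from the SQL and never parsed as SQL,
     *  and the Java type (long) already rules out anything that is not a number. */
    public List<Long> listOrders(long customerId) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT OrderID FROM Orders WHERE CustomerID = ?")) {
            ps.setLong(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /** Stored procedure. Assumed MySQL definition (not on the original page):
     *    CREATE PROCEDURE sp_list_orders(IN p_customer BIGINT) SQL SECURITY DEFINER
     *    BEGIN SELECT OrderID FROM Orders WHERE CustomerID = p_customer; END
     *  With SQL SECURITY DEFINER the body runs with the definer's privileges, so the
     *  application account needs only EXECUTE and cannot read Orders directly. */
    public List<Long> listOrdersViaProc(long customerId) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{call sp_list_orders(?)}")) {
            cs.setLong(1, customerId);
            try (ResultSet rs = cs.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /** View: limits which columns are reachable at all (e.g. no card data), but the
     *  parameter still has to be bound; a view queried by string concatenation is
     *  just as injectable as the base table. */
    public List<Long> listOrdersViaView(long customerId) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT OrderID FROM v_customer_orders WHERE CustomerID = ?")) {
            ps.setLong(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<Long> collect(ResultSet rs) throws SQLException {
        List<Long> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getLong("OrderID"));
        }
        return ids;
    }
}
```

Grant the application account `EXECUTE ON PROCEDURE sp_list_orders` and `SELECT ON v_customer_orders` only; if the account also has `SELECT ON Orders`, the procedure and view add structure but no privilege boundary.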

simon tiberius

Joined: Oct 30, 2012
Posts: 29
thank you very much for the reply.

regarding your answers:
1. Your answer to my questions 2 & 3 about whether Order is a resource or not: you're saying that Order is not the resource, but the order-related services are the resources (create order, delete order, update order and get order)?
2. I'm reading a book about REST and it mentioned XSD, so I want to know what the role of XSD is here.
3. Security is maybe too broad, so let's focus on issues revolving around "identity theft". So customer A places the order, sets the shipping address to A's house, but sends the billing to B's credit card. Something like that.
sandeeprajsingh tandon
Ranch Hand

Joined: Mar 06, 2009
Posts: 79
No problem, you are welcome!

1- Yes, the class OrderService would be a resource.
2- In my opinion XSD per se is about enforcing contracts on XML; it is not DIRECTLY related to REST. In my project we give out XML from the services without XSDs. Let me know if you come across a good example which mentions otherwise.
3- But won't this be part of your application design, DB design and entity model already? RESTful services are stateless (I think), so it has to depend on what you pass to them and the way you design them. If you pass a valid customer and can link his address and credit card details through an id of sorts, you should be fine. Don't try to have a class-level variable in the OrderService class (it would be like giving state to the RESTful service; a User Authentication object would be a little dangerous to keep as a class-level variable). You can try out a small sample code to test it out. I am not sure if this is what your question was, though.
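An added example for the XSD question (question 4 in the first post, point 2 in this reply), not code from the original posters: a JAXB-annotated model class of the kind the poster already uses, with an XML Schema attached to the Unmarshaller, so the XSD becomes the contract that every incoming request body must satisfy rather than a document that sits beside the service. The schema, the Order fields and the two sample documents are constructed for this example. The StAX reader settings that switch off DTDs and external entities are a separate hardening step against XML external entity (XXE) attacks, included because this unmarshal path is where it belongs.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

public class OrderXml {

    /** JAXB model class, as in the poster's approach; annotations only name the elements. */
    @XmlRootElement(name = "order")
    public static class Order {
        @XmlElement(required = true) public long customerId;
        @XmlElement(required = true) public int quantity;
        @XmlElement(required = true) public long partId;
    }

    /** Hypothetical contract for <order>. The schema, not the Java class, decides what is
     *  accepted: quantity must be a positive integer, and elements outside the sequence
     *  are a validation error instead of being silently ignored (JAXB's default). */
    static final String ORDER_XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
      + " <xs:element name='order'>"
      + "  <xs:complexType><xs:sequence>"
      + "   <xs:element name='customerId' type='xs:long'/>"
      + "   <xs:element name='quantity' type='xs:positiveInteger'/>"
      + "   <xs:element name='partId' type='xs:long'/>"
      + "  </xs:sequence></xs:complexType>"
      + " </xs:element>"
      + "</xs:schema>";

    private final Unmarshaller unmarshaller;
    private final XMLInputFactory xif;

    public OrderXml() throws JAXBException, SAXException {
        JAXBContext ctx = JAXBContext.newInstance(Order.class);
        Schema schema = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
                .newSchema(new StreamSource(new StringReader(ORDER_XSD)));
        unmarshaller = ctx.createUnmarshaller();
        unmarshaller.setSchema(schema);   // every document is validated while it is unmarshalled
        // StAX reader with DTDs and external entities disabled: an XXE payload is refused
        // before JAXB ever sees the content.
        xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    }

    /** Throws UnmarshalException (a JAXBException) when the document violates the schema. */
    public Order parse(String xml) throws JAXBException, XMLStreamException {
        XMLStreamReader reader = xif.createXMLStreamReader(new StringReader(xml));
        try {
            return (Order) unmarshaller.unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        OrderXml parser = new OrderXml();
        // Constructed sample documents, not taken from the original page
        String good = "<order><customerId>7</customerId><quantity>2</quantity><partId>42</partId></order>";
        String bad  = "<order><customerId>7</customerId><quantity>-2</quantity><partId>42</partId></order>";
        System.out.println("accepted, quantity = " + parser.parse(good).quantity);
        try {
            parser.parse(bad);
        } catch (JAXBException e) {
            System.out.println("rejected by schema: " + e);   // negative quantity is not positiveInteger
        }
    }
}
```

In a JAX-RS service the same Unmarshaller (with the schema set) can be supplied through a `ContextResolver<JAXBContext>`-style provider or used directly in a `MessageBodyReader`, so the check runs before the resource method is entered.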
simon tiberius

Joined: Oct 30, 2012
Posts: 29
Okay, usually I use naming like this for resource classes: XYZResource, like so:

So which one is the resource? The class OrdersResource (only one resource) or the 4 methods inside the class (there are 4 resources)? Because right now, the URI for orders looks like this:
all the URI starts with /order
create : /order
read : /order/{order-id}
update : /order/{order-id}
delete : /order/{order-id}

Also, is it RESTful to include the userID in the request header? What's the best practice to check whether a request is authenticated or not? Thanks.
sandeeprajsingh tandon
Ranch Hand

Joined: Mar 06, 2009
Posts: 79
Hey, I think I was wrong.
Referring to this link and other links,
WS-Resource defines a WS-Resource as the composition of a resource and a Web service through which the resource can be accessed.
So it has to be WHATEVER you are trying to access through the service. So your ORDER, CUSTOMER (i.e. all the nouns) are resources. Extremely sorry about that.

There is nothing UNRESTFUL about keeping the userID in the request header.

REST is supposed to be STATELESS, so do not maintain session state (authentication state) on the server side; each request should be authenticated separately, that is, if you plan to do it via a RESTful service. I was reading this, and this can be used.
In our project we use Oracle Single Sign-On, so I can't provide much input there.
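Putting the thread's two conclusions together (the nouns are the resources, addressed at the /order URIs listed above, and each request is authenticated on its own with no server-side session), here is an added JAX-RS example; it is not code from either poster. It assumes a JAX-RS runtime with a JAXB provider, that the container authenticates every request over HTTPS (HTTP Basic, a token filter, or the SSO mentioned above) and exposes the CustomerID as the principal name, and it uses constructed in-memory maps in place of the MySQL tables; the names Order, OrdersResource, UNIT_COST and PAYMENT_OWNER are hypothetical. It also covers the billing scenario raised earlier in the thread: the identity of the caller comes from the authenticated principal rather than a userID header the client could set to anything, every order is checked for ownership, the payment method must belong to the caller, and line totals are recomputed from server-side prices rather than trusted from the request.

```java
import java.math.BigDecimal;
import java.net.URI;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.xml.bind.annotation.XmlRootElement;

/** The Order resource behind the URIs /order and /order/{order-id}. */
@Path("/order")
@Produces(MediaType.APPLICATION_XML)
@Consumes(MediaType.APPLICATION_XML)
public class OrdersResource {

    @XmlRootElement
    public static class Order {
        public long orderId, customerId, partId, paymentMethodId;
        public int quantity;
        public BigDecimal lineTotal;
    }

    // Constructed in-memory stand-ins for the database tables (assumptions of this example):
    // unit cost per PartID, and which CustomerID owns which stored payment method.
    static final Map<Long, Order> ORDERS = new ConcurrentHashMap<>();
    static final Map<Long, BigDecimal> UNIT_COST = Collections.singletonMap(42L, new BigDecimal("9.99"));
    static final Map<Long, Long> PAYMENT_OWNER = Collections.singletonMap(500L, 7L);
    static final AtomicLong IDS = new AtomicLong();

    // Injected per request: the container fills it from the credentials on THIS request,
    // so no authentication state lives in the class between requests. A "userID" header
    // would be the caller's own unverified claim, which is why it is not read here.
    @Context SecurityContext sc;

    private long caller() {
        Principal p = sc.getUserPrincipal();
        if (p == null) throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        return Long.parseLong(p.getName());   // principal name assumed to be the CustomerID
    }

    // Ownership check. A missing order and another customer's order both answer 404,
    // so order ids cannot be enumerated by watching for 403 versus 404.
    private Order owned(long orderId) {
        Order o = ORDERS.get(orderId);
        if (o == null || o.customerId != caller()) throw new WebApplicationException(Response.Status.NOT_FOUND);
        return o;
    }

    // LineTotal = UnitCost * Quantity, from the server's price list; client-supplied totals are ignored.
    private static BigDecimal total(long partId, int quantity) {
        BigDecimal unit = UNIT_COST.get(partId);
        if (unit == null || quantity <= 0) throw new WebApplicationException(Response.Status.BAD_REQUEST);
        return unit.multiply(BigDecimal.valueOf(quantity));
    }

    @GET
    public List<Order> list() {                                       // story 1: only my orders
        long me = caller();
        List<Order> mine = new ArrayList<>();
        for (Order o : ORDERS.values()) if (o.customerId == me) mine.add(o);
        return mine;
    }

    @POST
    public Response create(Order req) {                               // story 2
        long me = caller();
        // Billing: the payment method must be one the caller owns. This is the check that
        // stops customer A from shipping to A while charging B's card.
        if (!Long.valueOf(me).equals(PAYMENT_OWNER.get(req.paymentMethodId)))
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        Order o = new Order();
        o.orderId = IDS.incrementAndGet();
        o.customerId = me;                                            // from the principal, not the body
        o.partId = req.partId;
        o.quantity = req.quantity;
        o.paymentMethodId = req.paymentMethodId;
        o.lineTotal = total(req.partId, req.quantity);
        ORDERS.put(o.orderId, o);
        return Response.created(URI.create("/order/" + o.orderId)).entity(o).build();
    }

    @GET @Path("{order-id}")
    public Order view(@PathParam("order-id") long id) {               // story 3
        return owned(id);
    }

    @PUT @Path("{order-id}")
    public Order update(@PathParam("order-id") long id, Order req) {  // story 4
        Order o = owned(id);
        o.partId = req.partId;
        o.quantity = req.quantity;
        o.lineTotal = total(req.partId, req.quantity);
        return o;
    }

    @DELETE @Path("{order-id}")
    public Response delete(@PathParam("order-id") long id) {          // story 5
        ORDERS.remove(owned(id).orderId);
        return Response.noContent().build();
    }
}
```

With the container authenticating each request, the resource never has to see a password or token itself; `caller()` and `owned()` are the whole authorization layer, and every method that takes an order id goes through `owned()` so that the direct-object-reference check cannot be skipped by calling a different verb on the same URI.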