question about REST

 
Greenhorn
Posts: 29
I'm trying to implement RESTful Java web services, and I have some questions:
I'm making an online shopping web service with the following spec (this is just the basics):
1. Customer : CustomerID, Name, Address, PhoneNumber
2. Order (by Customer) : OrderID, CustomerID, CreationDate, GrandTotal (from Parts)
3. Part (by Order) : OrderID, PartID, UnitCost, Quantity, LineTotal (Unit * Quantity)

Now, think specifically about these User Stories related to the Orders (not Customers, not Parts):
1. Customer lists orders to know which orders she has placed
2. Customer creates a new order to be fulfilled.
3. Customer views an existing order to get a reminder of what was ordered
4. Customer updates an order (add or delete parts, or changes quantity) when she realizes it is incorrect.
5. Customer can delete an order that is no longer needed (let’s not worry about if the order has been processed now)

Some questions:
1. REST is just a spec, right? Not an implementation. So REST is just like a JSR.
2. Is Order a resource? (I'm still trying to understand the terminology in REST.)
3. In my understanding, Order is something the user creates, while a resource is anything (data) owned by the server. So the user must first create an order (by querying and choosing already existing resources like parts from the server) and then post the created order to the server. After the order is created, it will become a resource and can be accessed with a URI like GET orders/{customerID}. Is this correct?
4. I read a tutorial about defining an interface with XML schema, but the tutorial left out the implementation. I don't really know how XML schema sits in a RESTful architecture. I usually only use model classes annotated with JAXB annotations for XML data transport. Can anybody explain a bit about this?
5. For security, I also want security at a low level (database level). How do you normally provide security using stored procs to prevent unauthorized access? Is it also recommended to use views to get data instead of creating the query string dynamically? I'm using MySQL.
6. Because Order is concerned with money, I need to know the security risks in this scenario. Can anyone show what could go wrong with placing an order? May I hear the security risks in placing an order online in an app like this, and how to mitigate them?

thank you very much.
 
Ranch Hand
Posts: 80
1- REST is just a spec, right? Not an implementation.

- I would say yes, it's a spec, it's an architecture. That's why they say services are "RESTful". Any service that has those characteristics is said to comply with being REST.

2 and 3- Is Order a resource?

- When you say an order is created, I am assuming that there would be a service like createOrder and there you would pass in a Value Object with order details and create an order. So the class "OrderService", which would service all the order-related services, createOrder, deleteOrder, would in my view be termed as a resource.

4- I don't understand the question here, but I know that a RESTful web service can produce XML without an XSD. I have been doing it the same way as you. Are you saying that there could be a schema around that? There can be, but how is it better than your annotated model classes?

5- Views are recommended, but that's a give and take. If you feel that the volume isn't that big, you could go ahead with a dynamic query string. Otherwise, views are recommended. I am using dynamic query strings all the time.

6- Security is an overloaded term here; are you referring to preventing hacking or using RESTful protocol-based security? RESTful services are secured enough with HTTPS.
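Question 5 and this reply contrast views with dynamically built query strings. The listing below is an added illustration, not code from the thread: a JDBC data-access class that reads the thread's Order/Part tables through a view and binds the customer ID as a parameter. `OrderDao`, the view name `customer_orders` and the JDBC details are assumptions; the table and column names are the ones from the spec in the first post.

```java
// Added illustration, not code from the thread. OrderDao and the view name are
// assumptions; the only client-controlled value (the customer ID) is bound as a
// parameter and never spliced into the SQL text.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class OrderDao {
    // A view created once on the database side (assumed name) exposes only the
    // columns the service needs; the JDBC account can be granted SELECT on the
    // view alone, so the service cannot read the base tables directly.
    //   CREATE VIEW customer_orders AS
    //     SELECT o.OrderID, o.CustomerID, o.CreationDate,
    //            SUM(p.UnitCost * p.Quantity) AS GrandTotal
    //     FROM `Order` o JOIN Part p ON p.OrderID = o.OrderID
    //     GROUP BY o.OrderID, o.CustomerID, o.CreationDate;
    private static final String BY_CUSTOMER =
            "SELECT OrderID, CreationDate, GrandTotal FROM customer_orders WHERE CustomerID = ?";

    // Hardened form: the statement text is fixed at compile time and the customer ID
    // travels to MySQL as a bound parameter, so it can only ever be compared as data.
    public List<String> orderIdsFor(Connection conn, String customerId) throws SQLException {
        List<String> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(BY_CUSTOMER)) {
            ps.setString(1, customerId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getString("OrderID"));
                }
            }
        }
        return ids;
    }

    // The "dynamic query string" the thread mentions would be built like
    //   "... WHERE CustomerID = '" + customerId + "'"
    // Whatever arrives in customerId then becomes part of the SQL statement itself,
    // so the WHERE clause is no longer under the server's control. Keeping the
    // statement fixed and the value bound, as above, is the mitigation.
}
```

The same pattern applies to stored procedures: call them with `CallableStatement` and bound parameters, and grant the service account EXECUTE on the procedure rather than direct access to the tables.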



 
simon tiberius
Greenhorn
Posts: 29
Thank you very much for the reply.

Regarding your answers:
1. Your answer to my questions 2 & 3 about whether Order is a resource or not: you're saying that Order is not the resource, but the order-service-related things are the resources (create order, delete order, update order and get order)?
2. I'm reading a book about REST and it mentioned XSD, so I want to know what the role of XSD is here.
3. Security maybe is too broad, so let's focus on issues revolving around "identity theft". So customer A places the order, sets the shipping address to A's house, but sends the billing to B's credit card. Something like that.
 
sandeeprajsingh tandon
Ranch Hand
Posts: 80
No problem, you are welcome!

1- Yes, the class OrderService would be a resource.
2- In my opinion XSD per se is about enforcing contracts on XML; it is not DIRECTLY related to REST. In my project we give out XML from the services without XSDs. Let me know if you come across a good example which mentions otherwise.
3- But won't this be part of your application design, DB design, entity model already? RESTful services are stateless (I think), so it has to depend on what you pass to them and the way you design them. If you pass a valid customer and can link his address and credit card details through an ID of sorts, you should be fine. Don't try and have a class-level variable in the OrderService class (it would be like giving a state to the RESTful service. A User Authentication object would be a little dangerous to keep as a class-level variable). You can try out a small sample code to test it out. I am not sure if this is what your question was though.
 
simon tiberius
Greenhorn
Posts: 29
Okay, usually I use naming like this for resource classes: XYZResource, like so:

So which one is the resource? The class OrdersResource (only one resource) or the 4 methods inside the class (there are 4 resources)? Because right now, the URI for orders looks like this:
all the URIs start with /order
create : /order
read : /order/{order-id}
update : /order/{order-id}
delete : /order/{order-id}

Also, is it RESTful to include userID in the request header? What's the best practice to check whether a request is authenticated or not? Thanks
 
sandeeprajsingh tandon
Ranch Hand
Posts: 80
Hey, I think I was wrong.
Referring to this link http://en.wikipedia.org/wiki/Web_Services_Resource_Framework and other links:
WS-Resource defines a WS-Resource as the composition of a resource and a Web service through which the resource can be accessed.
So it has to be WHATEVER you are trying to access through the service. So your ORDER, CUSTOMER (i.e. all the nouns) are resources. Extremely sorry about that.

There is nothing UNRESTFUL about keeping the userID in the request header.

REST is supposed to be STATELESS, so do not maintain session state (authentication state) on the server side; each request should be authenticated separately, that is, if you plan to do it via a RESTful service. I was reading this http://www.objecthunter.net/tinybo/blog/articles/89 and this can be used.
In our project we use Oracle Single Sign On so I can't provide much input there.
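Two points in the thread call for the same piece of code: the per-request, session-less authentication described in the reply above, and simon's "ship to A, bill to B's card" scenario together with the earlier advice to link the customer to his own address and card details through an ID. The listing below is an added example in JAX-RS 2.x (Java 9+ for `Map.of`), not code from the thread or from the linked article. `BearerAuthFilter`, `OrderResource`, `OrderRepository`, `Order`, `OrderLine` and the `TOKENS` table are all assumptions; the token table is a constructed stand-in for real credential verification, and constructor injection of the repository is assumed to be configured. The two public classes are shown in one listing and would each go in their own file.

```java
// Added illustration, not code from the thread. Every name below (BearerAuthFilter,
// OrderResource, OrderRepository, Order, OrderLine, TOKENS) is an assumption.
import java.io.IOException;
import java.net.URI;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Stateless authentication: there is no session on the server, so every request
// carries its own credential and is checked again here before any resource method runs.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BearerAuthFilter implements ContainerRequestFilter {
    // Constructed data: opaque token -> customer ID. A real deployment would verify a
    // signed token or look the token up in a credential store instead.
    private static final Map<String, String> TOKENS =
            Map.of("tok-alice", "C-100", "tok-bob", "C-200");

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String customerId = null;
        if (header != null && header.startsWith("Bearer ")) {
            customerId = TOKENS.get(header.substring("Bearer ".length()).trim());
        }
        if (customerId == null) {
            // A plain "userID" header is chosen by the client and proves nothing; the
            // credential has to be something only that customer holds.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
            return;
        }
        final String principalName = customerId;
        final boolean secure = ctx.getSecurityContext().isSecure();
        // Resource methods read the verified identity from here, never from the body.
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> principalName; }
            public boolean isUserInRole(String role) { return "customer".equals(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}

// Assumed data-access interface; prices and card ownership live on the server side.
interface OrderRepository {
    Order find(String orderId);
    boolean paymentMethodBelongsTo(String paymentMethodId, String customerId);
    Order create(String customerId, String paymentMethodId, List<OrderLine> lines);
}
class Order { String id; String customerId; String paymentMethodId; List<OrderLine> lines; }
class OrderLine { String partId; int quantity; }   // no client-supplied price or total

@Path("order")
public class OrderResource {
    private final OrderRepository orders;
    public OrderResource(OrderRepository orders) { this.orders = orders; }

    @GET @Path("{orderId}") @Produces("application/json")
    public Order read(@PathParam("orderId") String orderId, @Context SecurityContext sc) {
        Order o = orders.find(orderId);
        // 404 for both "missing" and "belongs to someone else": answering 403 would
        // confirm that a guessed order ID exists.
        if (o == null || !o.customerId.equals(sc.getUserPrincipal().getName())) {
            throw new NotFoundException();
        }
        return o;
    }

    @POST @Consumes("application/json")
    public Response create(Order incoming, @Context SecurityContext sc) {
        String me = sc.getUserPrincipal().getName();
        // The card being charged must be registered to the authenticated customer;
        // any customerId in the request body is ignored in favour of the verified one.
        if (!orders.paymentMethodBelongsTo(incoming.paymentMethodId, me)) {
            throw new ForbiddenException("payment method is not registered to this customer");
        }
        // UnitCost, LineTotal and GrandTotal are computed from the server's part
        // catalogue inside create(); the client only says which parts and how many.
        Order created = orders.create(me, incoming.paymentMethodId, incoming.lines);
        return Response.created(URI.create("/order/" + created.id)).build();
    }
}
```

The filter is the only place that decides who the caller is, and it does so on every request, which is what keeps the service stateless; the resource methods then compare that identity against the owner stored with the order and with the payment method, so neither the order ID in the path nor any customer field in the body can redirect a charge to another customer's card.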
 
sandeeprajsingh tandon
Ranch Hand
Posts: 80
An old thread, but I think this link can help

what is a resource in rest

and it says

The fundamental concept in any RESTful API is the resource. A resource is an object with a type, associated data, relationships to other resources, and a set of methods that operate on it. It is similar to an object instance in an object-oriented programming language, with the important difference that only a few standard methods are defined for the resource (corresponding to the standard HTTP GET, POST, PUT and DELETE methods), while an object instance typically has many methods.

Resources can be grouped into collections. Each collection is homogeneous so that it contains only one type of resource, and unordered. Resources can also exist outside any collection. In this case, we refer to these resources as singleton resources. Collections are themselves resources as well.

Collections can exist globally, at the top level of an API, but can also be contained inside a single resource. In the latter case, we refer to these collections as sub-collections. Sub-collections are usually used to express some kind of “contained in” relationship. We go into more detail on this in Relationships.
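The quoted definitions (resources, collections, singleton resources, sub-collections) answer simon's "is it the class or the methods?" question: a class maps a collection or a single resource to a path, and each method is one standard HTTP operation on it. The listing below is an added example in JAX-RS 2.x, not code from the thread or the linked article, and it goes beyond the thread's flat `/order` layout by nesting the spec's Customer, Order and Part model the way the quoted text describes. `CustomersResource`, `CustomerOrdersResource`, `Catalog` and the model classes are assumed names; the two public classes would each go in their own file.

```java
// Added illustration, not from the thread. All class and method names are assumptions.
import java.net.URI;
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;

@Path("customers")                      // top-level collection of customers
public class CustomersResource {
    private final Catalog catalog;      // assumed data access, injected
    public CustomersResource(Catalog catalog) { this.catalog = catalog; }

    @GET @Produces("application/json")  // GET /customers -> the collection
    public List<Customer> list() { return catalog.customers(); }

    @GET @Path("{customerId}") @Produces("application/json")   // one member
    public Customer get(@PathParam("customerId") String id) {
        Customer c = catalog.customer(id);
        if (c == null) throw new NotFoundException();
        return c;
    }

    // Sub-resource locator: /customers/{customerId}/orders is the sub-collection of
    // orders "contained in" one customer. No HTTP method annotation here; JAX-RS
    // dispatches the remaining path segments to the object returned.
    @Path("{customerId}/orders")
    public CustomerOrdersResource orders(@PathParam("customerId") String id) {
        if (catalog.customer(id) == null) throw new NotFoundException();
        return new CustomerOrdersResource(catalog, id);
    }
}

// Not a root resource (no class-level @Path); reachable only through the locator,
// so every order operation is already scoped to one customer.
public class CustomerOrdersResource {
    private final Catalog catalog;
    private final String customerId;
    CustomerOrdersResource(Catalog catalog, String customerId) {
        this.catalog = catalog;
        this.customerId = customerId;
    }

    @GET @Produces("application/json")          // user story 1: list my orders
    public List<Order> list() { return catalog.ordersOf(customerId); }

    @POST @Consumes("application/json")         // user story 2: create an order
    public Response create(List<OrderLine> lines) {
        Order o = catalog.createOrder(customerId, lines);
        URI location = URI.create("/customers/" + customerId + "/orders/" + o.id);
        return Response.created(location).build();   // 201 + Location of the new resource
    }

    @GET @Path("{orderId}") @Produces("application/json")   // user story 3: view one
    public Order get(@PathParam("orderId") String orderId) {
        Order o = catalog.order(customerId, orderId);   // lookup is scoped to the customer
        if (o == null) throw new NotFoundException();
        return o;
    }

    // Parts form a sub-collection of a single order: /customers/{c}/orders/{o}/parts
    @GET @Path("{orderId}/parts") @Produces("application/json")
    public List<OrderLine> parts(@PathParam("orderId") String orderId) {
        return get(orderId).lines;
    }
}

interface Catalog {                              // assumed data-access interface
    List<Customer> customers();
    Customer customer(String id);
    List<Order> ordersOf(String customerId);
    Order order(String customerId, String orderId);
    Order createOrder(String customerId, List<OrderLine> lines);
}
class Customer { String id; String name; String address; String phoneNumber; }
class Order { String id; List<OrderLine> lines; }
class OrderLine { String partId; int quantity; }
```

Read against the quoted text: `/customers` is a collection, `/customers/{customerId}` a member, `/customers/{customerId}/orders` a sub-collection, and the parts of one order a further sub-collection. The `Catalog` lookups take the customer ID from the path that was already validated by the locator, which is what makes "contained in" a real constraint rather than only a naming convention.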

 