REST Web Services Clause Samples
The REST Web Services clause defines the requirements and standards for implementing and using RESTful APIs within the scope of the agreement. It typically outlines how data should be exchanged between systems using HTTP methods such as GET, POST, PUT, and DELETE, and may specify requirements for authentication, data formats (like JSON or XML), and endpoint documentation. This clause ensures that both parties adhere to consistent, interoperable, and secure practices when integrating or exposing web services, thereby reducing technical misunderstandings and facilitating smooth system interactions.
REST Web Services. Representational State Transfer (REST) is an architectural style that specifies constraints to be applied to a web service. RESTful web services use the HTTP protocol to perform requests from a web service over a collection of resources. A Restful request comprises a base URI, the MIME type of the supported web service and a set of operations supported by the web service using HTTP methods (e.g., POST, GET, PUT or DELETE). The benefits of this method are its scalability, the freedom for the definition of simple resources over which we want to operate, and the simplicity for creating new clients for the developed web services.
REST Web Services. Short for Representational State Transfer, REST is an architectural style for developing web services. Since it relies on the HTTP protocol, it became the de-facto standard for web APIs architecture designs also for the simplicity of its usage and integration. The HTTP protocol also implies that in REST architectures we have clients and servers. Like a classic request for a web page, clients initiate requests to servers that process them and return the appropriate responses. The main entity involved in REST requests is the representation of a resource that is an abstract document that may be ad- dressed. Typically, data exchanged within requests is represented using the JSON format, that provides a compact representation, but every other hypertext valid media type can be used, such as XML. In a general web API architecture using REST, implementing the so-called RESTful APIs, every resource (or collection of resources) is referenced by an URI and accessed by means of standard HTTP request types, maintaining their semantics: GET. Perhaps the most important one, used in the web context for downloading web pages. In the REST context, it is used to retrieve and list resources or, more precisely, a representation of them, for example JSON or XML data. POST. Along with GET, it is the other widely used request type, in the web con- text, for example whenever the user is compiling a form and sending its data to the server. In the REST context, a POST request to a specific resource URI it is used to replace that resource with a new one or, in case the resource is a col- lection of items, to create a new instance of that resource and add it to the col- lection. These two request types are the most widely supported by web browsers, and hence the most well-known ones. However, HTTP specifications include also other request types, useful in a RESTful API context: PUT. Very similar to POST, it is used to replace the resource addressed by a specific URI with the one passed by parameter. This is true both for collections of resources and single-item resources. For this reason, POST is not generally used is case of single-item resources, since PUT better fits the semantic of the operation. DELETE. As the name implies, it is used to delete a resource addressed by a specific URI, regardless of its multiplicity. HEAD. Pretty similar to GET, but it does not retrieve the entire representation of the resource, but only the HTTP header with all the information included i...
REST Web Services. As REST Web Services are also web services, a natural solutions to secure REST Web Services would be to look at the WS-* specifications. A Secure Token Service (STS) can then be used by REST clients to request a security token. Before calling the REST service a client sends a SOAP request containing an RST (RequestSecurityToken) to the STS. The STS then returns the identity assertion as a ▇▇▇▇ token, embedded in a RSTR (RequestSecurityTokenResponse). In SOAP this ▇▇▇▇ token is passed to the calling service through a SOAP header. This is not possible in REST though as there are no SOAP headers. In REST, the HTTP headers and request line are part of the message. An HTTP header is therefore the REST equivalent of a SOAP header. A ▇▇▇▇ token can then be passed to a REST service through the HTTP authorization header. The authorization header value should be formatted as follows: "▇▇▇▇ <Base 64 encoded compressed ▇▇▇▇ token>". The ▇▇▇▇ token is hereby compressed with the zlib compression algorithm. This ensures that the token fits in the typical 4kb header size limit. To secure a REST service the same SOAP STS service is used as with SOAP services as defined in WS- Trust. REST clients are responsible for retrieving a ▇▇▇▇ token from the STS and then passing it through a HTTP authorization header to the REST service. The client somehow needs to find out what the REST service's security policies are (i.e what STS to call). In WS-* a web service publicises its security policies through WS-Policy annotations on the service's WSDL metadata. Such a WSDL file annotated with security policies (by using the WSDL HTTP binding) could actually also be used for REST services. As REST is resource based while SOAP and the WSDL metadata format are action based, this is not an exact match. There is a metadata format, called WADL, which is specifically designed to describe a REST service. No known specification that defines how to add security policies to a WADL metadata file, is available yet. Therefore research should be done on whether WS-Policy metadata annotations can be used to add security annotations to a WADL metadata file. A drawback of using a SOAP STS is that clients are forced to use SOAP to request security tokens. Therefore the secure token service could be better integrated into REST services by REST-ifying it. A next step is to guarantee the integrity and confidentiality of a REST message. Signing and possibly encrypting the message body is not sufficient as the ...