JmsTemplate queue versioning - JSON

I'm using JmsTemplate with MQ to send and receive JSON messages via TextMessage. There will be multiple message producers writing JSON to my queue, so I'm wondering if there's a standard approach to queue & object versioning. Something similar to REST API versioning, where the endpoint URL would include a version, e.g. api/v1/myendpoint.
I guess I could include a version within the queue name, but is there a better or standard approach to this?

Related

RawRabbit - How to publish/subscribe to JSON message

I'm trying to do a few quick prototypes of using RabbitMQ as a message broker for internal services, as well as for messages from external clients received by a gateway over a websocket connection.
I decided it would be the best (and probably only) option for the client to publish messages as JSON, and then for the gateway to simply send the unaltered JSON messages forward.
I've seen that RawRabbit has the ability to take raw JSON as a message and then deserialize it to a C# class.
What I can't find is an example and/or documentation of how the process should look. I also cannot find documentation of how the JSON message should be formatted.

Is HTTP accepting a JSON-format object called REST architecture?

I have been working with REST and JSON using the Spring framework.
I have a couple of doubts.
1) Can HTTP transferring data in the form of JSON be called REST? I know HTTP is a protocol and REST is an architectural style.
2) Can any application (URL) that accepts data in the form of JSON (sent from any client) be called REST?
3) Why does the SOAP protocol use HTTP under the hood?
ReST is an architectural style which is completely independent of either HTTP or JSON. ReST really only talks about modelling a domain as a set of 'resources'. Any resource has a unique identifier which distinguishes it from other resources. Clients interact with resources using a common protocol, and resources are created / modified / deleted through manipulating their representations.
HTTP and JSON are both aspects of specific implementations of a ReSTful architecture. HTTP is a good transport mechanism for ReSTful applications, providing a common API in the form of HTTP's set of verbs - GET, PUT, POST, DELETE. JSON is a good document transfer format and so is often used to implement the 'representation' aspect of ReST, but ReSTful applications can use other document formats if they choose - you can find ReSTful applications which use XML, JPEG, AVI, MP3, ...
Neither HTTP nor JSON is specifically ReSTful, and it's entirely possible to find HTTP applications using JSON which are not ReSTful at all. Similarly, not every ReSTful application will use JSON or HTTP (although I've never seen a real application in the wild which doesn't use HTTP/HTTPS).
REST is not all about JSON; you also have the verbs GET, POST, PUT, DELETE and the HTTP status codes for your answers, which are involved.
If you POST JSON for every action then it's not RESTful.
In REST everything is a resource.
HTTP is an application-layer protocol. It really has nothing to do with the REST concept. You view a webpage via HTTP and this is not REST at all. So SOAP can also use HTTP.
HTTP is not bound to REST, but REST is bound to HTTP.
As stated in other comments, RESTful is an architecture, not a language or coding paradigm.
RESTful:
Something anti-REST would be JSON-RPC (https://github.com/ethereum/wiki/wiki/JSON-RPC). The framework is a Remote Procedure Call lib. JSON-RPC would definitely not be RESTful, since the RPC layer maps URLs to functions (i.e. verbs) rather than to particular resources (i.e. nouns). So rather than POSTing to some resource, you are calling a method, yet using JSON as the format to serialize the data. There are tradeoffs to each. It just so happens that RESTful APIs are very common for public ones, as many believe documentation can be clearer to outsiders.
JSON:
On the other hand, one could develop a RESTful architecture and not use JSON. There are many serialization libs, each with tradeoffs such as compression and schema-less vs. something closer to type safety. Examples besides JSON would include MessagePack and Google's ProtoBufs. Of course, you could even use XML, although that is uncommon with RESTful APIs. JSON is used a lot in public APIs since pretty much any language can do JSON serialization with low third-party overhead (i.e. not importing specific libs).

Preventing access to JSON data in an Angular app

I've got a (Flask) backend powering an API that serves JSON to an Angular app.
I love the fact that my backend (algorithms, database) is totally disconnected from my frontend (design, UI), as it could literally run on two distinct servers. However, since the view is entirely generated client side, everyone can obviously access the JSON data. Say the application is a simple list of things (the things are stored in a JSON file).
In order to prevent direct access to my database through JSON in the browser console, I found these options:
Encrypting the data (weak, since the decrypting function will be freely visible in the JavaScript, but not so easy when dealing with minified files)
Instead of $http.get-ing the whole database and then filtering with Angular, calling $http.get many times (as the user is scrolling a list, for example) so that it is programmatically harder to crawl
I believe my options are still weak. How could I make it harder for a hacker to crawl the whole database? Any ideas?
As I understand this question, the user should be permitted to access all of the data via your UI, but you do not want them to access the API directly. As you have figured out, any data accessed by the client cannot be secured, but we can make accessing it a little more of a PITA.
One common way of doing this is to check the HTTP referer. When you make a call from the UI, the server will be given the page the request is coming from. This is typically used to prevent people creating mashups that use your data without permission. As with all the HTTP request headers, you are relying on the caller to be truthful. This will not protect you from console hacking or someone writing a scraper in some other language. #see CSRF
Another idea is to embed a variable token in the HTML source that bootstraps your app. You can specify this as an Angular constant or a global variable and include it in all of your $http requests. The token itself could be unique for each session or be an encrypted expiration date that only the server can process. However, this method is flawed as well, as someone could parse the HTML source, get the code, and then make a request.
So really, you can make it harder for someone, but it is hardly foolproof.
If users should only be able to access some of the data, you can try something like Firebase. It allows you to define rules for who can access what.
Security Considerations
When designing web applications, consider security threats from:
JSON vulnerability
XSRF
Both server and client must cooperate in order to eliminate these threats. Angular comes pre-configured with strategies that address these issues, but for this to work backend server cooperation is required.
JSON Vulnerability Protection
A JSON vulnerability allows a third-party website to turn your JSON resource URL into a JSONP request under some conditions. To counter this, your server can prefix all JSON requests with the following string: ")]}',\n". Angular will automatically strip the prefix before processing it as JSON.
For example, if your server needs to return:
['one','two']
which is vulnerable to attack, your server can return:
)]}',
['one','two']
Angular will strip the prefix before processing the JSON.
Cross Site Request Forgery (XSRF) Protection
XSRF is a technique by which an unauthorized site can gain your user's private data. Angular provides a mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. The header will not be set for cross-domain requests.
To take advantage of this, your server needs to set a token in a JavaScript-readable session cookie called XSRF-TOKEN on the first HTTP GET request. On subsequent XHR requests the server can verify that the cookie matches the X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have sent the request. The token must be unique for each user and must be verifiable by the server (to prevent the JavaScript from making up its own tokens). We recommend that the token is a digest of your site's authentication cookie with a salt for added security.
The names of the headers can be specified using the xsrfHeaderName and xsrfCookieName properties of either $httpProvider.defaults at config time, $http.defaults at run time, or the per-request config object.
Please kindly refer to the link below:
https://docs.angularjs.org/api/ng/service/$http
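The server side of the two mechanisms the quoted docs describe, as an added example that is not part of the original answer, the AngularJS docs or Flask: it is framework-free Python so it runs as-is. It issues the XSRF-TOKEN cookie, verifies that the X-XSRF-TOKEN header matches the cookie and that both match a server-recomputable value (so a script cannot make up its own token), and applies and strips the ")]}',\n" JSON prefix. The token is a keyed HMAC of the session cookie rather than a plain salted digest, the cookie and header names are Angular's defaults, and the server secret and the sample cookies are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed server secret for the example; a real deployment loads this from configuration.
SERVER_SECRET = b"example-server-secret-not-for-production"
JSON_PREFIX = ")]}',\n"          # the prefix Angular's $http strips before JSON.parse
XSRF_COOKIE = "XSRF-TOKEN"       # Angular's default xsrfCookieName
XSRF_HEADER = "X-XSRF-TOKEN"     # Angular's default xsrfHeaderName
SESSION_COOKIE = "session"       # assumed name of the authentication cookie


def xsrf_token_for(session_cookie: str) -> str:
    # Derive the token from the user's session cookie with a server-held key, so it is
    # unique per user and verifiable by the server without storing it anywhere.
    return hmac.new(SERVER_SECRET, session_cookie.encode("utf-8"), hashlib.sha256).hexdigest()


def xsrf_set_cookie(session_cookie: str) -> str:
    # Set-Cookie value for the first GET. Deliberately NOT HttpOnly: Angular must read it from JS.
    return f"{XSRF_COOKIE}={xsrf_token_for(session_cookie)}; Path=/; Secure; SameSite=Lax"


def verify_xsrf(cookies: dict, headers: dict) -> bool:
    # Server-side check for every state-changing XHR: cookie and header must be present,
    # equal, and equal to the value this server would have issued for this session.
    session = cookies.get(SESSION_COOKIE)
    cookie_token = cookies.get(XSRF_COOKIE)
    header_token = headers.get(XSRF_HEADER)
    if not (session and cookie_token and header_token):
        return False  # a cross-site request cannot read the cookie, so the header is absent
    expected = xsrf_token_for(session)
    try:
        return hmac.compare_digest(expected, cookie_token) and hmac.compare_digest(expected, header_token)
    except TypeError:
        return False  # non-ASCII junk in the header


def protected_json(payload) -> str:
    # What the server returns: the prefix makes the body a syntax error if loaded as a <script>.
    return JSON_PREFIX + json.dumps(payload)


def parse_protected_json(text: str):
    # What Angular's $http does on the client: strip the prefix, then parse.
    if text.startswith(JSON_PREFIX):
        text = text[len(JSON_PREFIX):]
    return json.loads(text)


if __name__ == "__main__":
    # Constructed sample: a legitimate same-origin XHR and a forged cross-site attempt.
    sess = "sess-abc123"
    cookies = {SESSION_COOKIE: sess, XSRF_COOKIE: xsrf_token_for(sess)}
    print("same-origin XHR:", verify_xsrf(cookies, {XSRF_HEADER: cookies[XSRF_COOKIE]}))
    print("cross-site (no header):", verify_xsrf(cookies, {}))
    print("forged token pair:", verify_xsrf({SESSION_COOKIE: sess, XSRF_COOKIE: "x"}, {XSRF_HEADER: "x"}))
    print(protected_json(["one", "two"]))
```

The forged-pair case is why the token must be derivable by the server: a plain double-submit check (cookie equals header) would accept any attacker who can set cookies for your domain, for example from a subdomain.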
From the AngularJS docs:
JSON Vulnerability Protection
A JSON vulnerability allows a third-party website to turn your JSON resource URL into a JSONP request under some conditions. To counter this, your server can prefix all JSON requests with the following string: ")]}',\n". Angular will automatically strip the prefix before processing it as JSON.
There are other techniques like XSRF protection and transformations which will further add security to your JSON communications. More on this can be found in the AngularJS docs: https://docs.angularjs.org/api/ng/service/$http
You might want to consider using JSON Web Tokens for this. I'm not sure how to implement this in Flask, but here is a decent example of how it can be done with a Node.js backend. This example at least shows how you can implement it in AngularJS.
http://www.kdelemme.com/2014/03/09/authentication-with-angularjs-and-a-node-js-rest-api/
Update: JWT for Flask:
https://github.com/mattupstate/flask-jwt

How to use Delphi to sign REST requests using HMAC-SHA256

I'm attempting to query a REST service with a fairly limited idea of how to approach it.
I'm using Delphi XE6 (upd 1).
The company providing the API have said that: "The API is implemented as JSON via SSL"
and they go on to say that:
Access to any API endpoint requires authentication via signed requests, created with public and secret API keys
I have the keys defined above.
The signature is an HMAC-SHA256 hash of a string containing the request content-type, host, URL, date timestamp (matching the request Date header) and request content (e.g. POST parameters) separated by a single newline, and passed with the public key in a custom header X-API-Authorization along with the public key, in the format PUBLICKEY:SIGNATURE
I understand each request needs to be signed.
How do I sign an HTTP request with Delphi XE6?
The confusion for me at the moment is that Delphi seems to have a number of built-in components for accessing REST servers and parsing the JSON returned. I can't see any obvious way of signing requests using these components.
Specifically, is there any help from the built-in REST components, or do I have to provide my own solution?
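The signing scheme the post describes, worked through as an added example in Python rather than Delphi (it is not the vendor's or the poster's code): the client joins the five fields with single newlines, computes the HMAC-SHA256 and the PUBLICKEY:SIGNATURE header, and the server side shows the checks a practitioner would pair with such a scheme (key lookup by public key, a freshness window on the signed Date header against replay, constant-time comparison). Hex encoding of the signature, signing the URL path rather than the absolute URL, the five-minute skew window and the sample keys are assumptions; the post does not specify them, so check the vendor's reference client.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample credentials for the example; not real keys.
PUBLIC_KEY = "pk_example_0123"
SECRET_KEY = "sk_example_do_not_use"
SAMPLE_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

AUTH_HEADER = "X-API-Authorization"
MAX_SKEW = timedelta(minutes=5)  # assumption: the vendor text gives no replay window


def canonical_string(content_type, host, url, date, body):
    # The five fields, in the order the vendor lists them, joined by a single newline.
    return "\n".join([content_type, host, url, date, body])


def sign_request(secret_key, content_type, host, url, date, body):
    # HMAC-SHA256 over the canonical string. Hex output is an assumption (could be base64).
    msg = canonical_string(content_type, host, url, date, body).encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def build_headers(public_key, secret_key, content_type, host, url, body, when=None):
    # Client side. The Date header and the signed timestamp must be the same string.
    when = when or datetime.now(timezone.utc)
    date = format_datetime(when, usegmt=True)
    signature = sign_request(secret_key, content_type, host, url, date, body)
    return {
        "Content-Type": content_type,
        "Host": host,
        "Date": date,
        AUTH_HEADER: f"{public_key}:{signature}",
    }


def verify_request(headers, url, body, lookup_secret, now=None, max_skew=MAX_SKEW):
    # Server side: reject anything malformed, unknown, stale or mismatched.
    try:
        public_key, presented = headers[AUTH_HEADER].split(":", 1)
    except (KeyError, ValueError):
        return False
    secret = lookup_secret(public_key)
    if secret is None:
        return False
    try:
        sent_at = parsedate_to_datetime(headers["Date"])
    except (KeyError, TypeError, ValueError):
        return False
    if sent_at.tzinfo is None:
        sent_at = sent_at.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if abs(now - sent_at) > max_skew:
        return False  # outside the replay window
    expected = sign_request(secret, headers.get("Content-Type", ""), headers.get("Host", ""),
                            url, headers["Date"], body)
    try:
        return hmac.compare_digest(expected, presented)  # constant-time
    except TypeError:
        return False  # non-ASCII junk in the header


def lookup_secret(public_key):
    # Stand-in for the server's key store.
    return SECRET_KEY if public_key == PUBLIC_KEY else None


def demo():
    # Constructed request: sign it, then run it through the server check and three failure cases.
    url, body = "/v1/payments", '{"amount": 100}'
    headers = build_headers(PUBLIC_KEY, SECRET_KEY, "application/json", "api.example.com",
                            url, body, when=SAMPLE_TIME)
    return {
        "auth_header": headers[AUTH_HEADER],
        "valid": verify_request(headers, url, body, lookup_secret, now=SAMPLE_TIME),
        "tampered_body": verify_request(headers, url, '{"amount": 1000}', lookup_secret, now=SAMPLE_TIME),
        "stale": verify_request(headers, url, body, lookup_secret, now=SAMPLE_TIME + timedelta(minutes=10)),
        "unknown_key": verify_request(headers, url, body, lambda pk: None, now=SAMPLE_TIME),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Whatever Delphi component ends up sending the request, the part that matters is that the exact bytes of the Content-Type, Host, URL, Date and body that go on the wire are the ones that were signed; any normalisation by the HTTP client (re-serialising the Date, changing the Host, re-encoding the body) breaks the signature.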

GWT : JSON Parsing in client side and server side with same api

We use the org.json API to parse JSON on the server side and the GWT JsonParser to parse JSON on the client side. Is there an API that can be used on both the client side and the server side?
You are looking for GWT AutoBean: http://code.google.com/p/google-web-toolkit/wiki/AutoBean
With AutoBeans you just define the structure of your JSON and the GWT compiler handles the rest.
I am writing this in comparison to using AutoBeans or GWT-RPC, if you are using Java on the server. Especially so if you are not.
The cleanest way is REST-RPC/JPA, where you can share a single set of POJOs between client, server and persistence DB. Let me brag on behalf of this technology mix: one single set of POJOs, instead of three, without any (or with minimal) transformation between the three fronts.
You should not have to write any data transformation routines. Or at least only a minimal amount of data transformation, due to serialization constraints or because you are trying to interface GWT and REST with an existing schema which presents a high degree of non-serializability.
As well as, similarly to GWT-RPC, sharing a single set of Java RPC methods on both client and server sides. Well, nearly the same set of methods. Except that the return type on the server side becomes the callback generic parameter on the client side.
The mix of technology is:
JAX-RS (either Resteasy or Jersey on the server side)
JAX-RS + GWT = RestyGWT on the client-side
JPA on the server-side
JAXB over JAX-RS on both GWT client and server-side.
Jackson JSON processor on server-side.
Compelling reasons for REST-RPC are:
You could pretend you are writing client-server conversations as in GWT-RPC. The service interface and callback attitude is the same.
The data interchange between client and server is in JSON.
Which means you could use a browser instead of your GWT client to converse with the server after you have successfully set up your app. Or jQuery. Or PHP or Python as the server.
No need to muck around with the JSON or XML encode/decode yourself: deal in POJOs and only in POJOs.
You could use the browser to debug your web service independently of the GWT client.
The attitude of REST (besides stateless requests) is the concept called a Web API. An API like a javadoc, perhaps, but stated in terms of JSON or XML. The wonderful thing about this API is that you do not have to generate the documentation. Like a javadoc, you could run Enunciate over the service interface.
You could follow my discussion in the following (3+ part) blog post:
http://h2g2java.blessedgeek.com/2012/07/gwt-with-jax-rs-and-jpa-part-3.html.