Java – how to use restlets to enforce “sessions” in restful web services?
I am a new feature of restful web services and restlets We only have experience in building servlet based Web Applications (servlet / JSP on JBoss / APACHE) Now, we are building a restlet based application in which the server-side API will be used by two types of clients - Web browser and desktop based swing
What I understand is that according to the concept of rest, a) the server cannot maintain sessions to improve scalability, and b) each request from the client should be independent
Now, I'm really confused about how to achieve this Suppose we use a simple shopping cart application
Step 1) the client sends an authentication request, the server authenticates, and the server responds OK
Step 2) the client sends a request to add items to the shopping cart The server responded OK
Step 3) the client sends another request to add item 2 to the shopping card The server responded OK
Usually, in a normal web application, a session is created in step 1 on the server. From then on, all requests related to the client will be automatically associated with the same session, and we store the session state (in this case, the shopping cart) in the session object and retrieve / update the subsequent requests of the client
Now, in the above case:
1) If there is no session maintenance on the server, how do we verify and authorize the client in steps 2 and 3?
Does the customer need to send some additional information per request?
3) How do I retrieve the customer specific shopping cart in step 3?
4) Does the client need to send the shopping cart created / returned by the server in step 2 again in step 3?
Obviously, this is the simplest use case, so everyone who develops restful web services must design their applications to deal with this problem What is the best and most common way to handle session management, authentication, and authorization in restful web services using restlet? If we have to maintain the cache on the server side of the client data, how is it different for us to maintain the session on behalf of the server?
Thank you in advance. Thank you very much
Solution
Yes You must send authentication / authorization data in each request This will prevent the server from "remembering" who you are (i.e. stateless server, no session)
Let's ask a different question: what happens if the server restarts? Do you want all cart data to be lost? Probably not You should store it in a restart place Apply persistent storage May be on the server or client
... now, if your client restarts? You can choose to create a shopping cart resource for the user using a post request (the user adds the first item), or create a shopping cart resource when the client logs in (waste) Then use put / delete to continue updating the shopping cart and get to read it
Should it be in the database? Maybe, depending on how you want it If it has to stick to it, it's a good place to keep it so that it can survive a reboot
So how to receive customer specific shopping carts? Then you only need to send the request for get resources! nothing more! The first post will create a resource at the appropriate URL and then use it
The stable network service also has a quiet website, which is a key part of the design
No, as mentioned above However, if you use cookies or localstorage or other information on the client, you may do so
Yes It's simple, but it takes time to think about "resources" rather than "services" In quiet design, everything is (or can be) a resource, including transactions, shopping carts, etc,
However, authorization / authentication is part of the HTTP request packet and is sent with each request I suggest you read those
Huge gap! Do you cache or maintain sessions for high efficiency? If the system restarts, your system will work seamlessly on an empty cache? If so, you are caching other representations that you are maintaining
I strongly recommend that you read Richardson & Ruby to illustrate the above concepts and learn more about how to design quiet Services... It requires some habits