The State of REST

2014-11-102014-11-10 ~ Ray Sinnema ~ Leave a comment

rest-easy The S in REST stands for State. Unfortunately, state is an overloaded word.

In this post I’ll discuss the two different kinds of state that apply to REST APIs.

Applications

The first type of state is application state, as in Hypermedia As The Engine Of Application State (HATEOAS), the distinguishing feature of the REST architectural style.

We must first understand what exactly an application in a RESTful architecture is and isn’t. A REST API is not an interface to an application, but an interface for an application.

A RESTful service is just a bunch of interrelated and interconnected resources. In and of themselves they don’t make up an application. It’s a particular usage pattern of those resources that turn them into an application.

The term application pertains more to the client than to the server. It’s possible to build different applications on top of the same resources. It’s also possible to build an application out of resources hosted on different servers or even by different organizations (mashups).

Application State vs. Resource State

The stateless constraint of REST doesn’t say that a server can’t maintain any state, it only says that a server shouldn’t maintain application (or session) state.

A server is allowed to maintain other state. In fact, most servers would be completely useless if they didn’t. Think of the Amazon web store without any books! We call this resource state to distinguish it from application state.

So where do we draw the line between resource state and application state?

Resource state is information we want to be available between multiple sessions of the same user, and between sessions of different users. Resource state can initially be supplied by either servers (e.g. books) or clients (e.g. book reviews).

Application state is the information that pertains to one particular session of the application. The contents of my shopping cart could be application state, for instance.

Note that this is not how Amazon implemented it; they keep this state on the server. That doesn’t mean that the people at Amazon don’t understand REST. The web browser that I use to shop isn’t sophisticated enough to maintain the application state. Also, they want me to be able to close my browser and return to my shopping cart tomorrow.

This example shows that what is application and what resource state is a design decision.

Application state pertains to the goal the user is trying to achieve while driving the client. It is this state that we’re referring to when we talk about state diagrams for REST APIs, not the resource state.

State Transfer

Application state is all the information maintained on the client side while the user is trying to accomplish a goal. This information is built up piece by piece based on the resource state that is transferred between client and server.

The resource state is transferred as a representation, a particular serialization of the resource state suitable for inclusion in an HTTP message body.

Serialization is governed by the rules laid out in a media type. There are many different media types, some more mature than others.

Since clients and servers transfer representations of resource state, we speak of Representational State Transfer (REST).

REST 101 For Developers

2013-09-162013-09-15 ~ Ray Sinnema ~ 1 Comment

rest-easy

Local Code Execution

Functions in high-level languages like C are compiled into procedures in assembly. They add a level of indirection that frees us from having to think about memory addresses.

Methods and polymorphism in object-oriented languages like Java add another level of indirection that frees us from having to think about the specific variant of a set of similar functions.

Despite these indirections, methods are basically still procedure calls, telling the computer to switch execution flow from one memory location to another. All of this happens in the same process running on the same computer.

Remote Code Execution

This is fundamentally different from switching execution to another process or another computer. Especially the latter is very different, as the other computer may not even have the same operating system through which programs access memory.

It is therefore no surprise that mechanisms of remote code execution that try to hide this difference as much as possible, like RMI or SOAP, have largely failed. Such technologies employ what is known as Remote Procedure Calls (RPCs).

One reason we must distinguish between local and remote procedure calls is that RPCs are a lot slower.

For most practical applications, this changes the nature of the calls you make: you’ll want to make less remote calls that are more coarsely grained.

Another reason is more organizational than technical in nature.

When the code you’re calling lives in another process on another computer, chances are that the other process is written and deployed by someone else. For the two pieces of code to cooperate well, some form of coordination is required. That’s the price we pay for coupling.

Coordinating Change With Interfaces

We can also see this problem in a single process, for instance when code is deployed in different jar files. If you upgrade a third party jar file that your code depends on, you may need to change your code to keep everything working.

Such coordination is annoying. It would be much nicer if we could simply deploy the latest security patch of that jar without having to worry about breaking our code. Fortunately, we can if we’re careful.

Interfaces in languages like Java separate the public and private parts of code.

The public part is what clients depend on, so you must evolve interfaces in careful ways to avoid breaking clients.

The private part, in contrast, can be changed at will.

From Interfaces to Services

In OSGi, interfaces are the basis for what are called micro-services. By publishing services in a registry, we can remove the need for clients to know what object implements a given interface. In other words, clients can discover the identity of the object that provides the service. The service registry becomes our entry point for accessing functionality.

There is a reason these interfaces are referred to as micro-services: they are miniature versions of the services that make up a Service Oriented Architecture (SOA).

A straightforward extrapolation of micro-services to “SOA services” leads to RPC-style implementations, for instance with SOAP. However, we’ve established earlier that RPCs are not the best way to invoke remote code.

Enter REST.

RESTful Services

Representational State Transfer (REST) is an architectural style that brings the advantages of the Web to the world of programs.

There is no denying the scalability of the Web, so this is an interesting angle.

Instead of explaining REST as it’s usually done by exploring its architectural constraints, let’s compare it to micro-services.

A well-designed RESTful service has a single entry point, like the micro-services registry. This entry point may take the form of a home resource.

We access the home resource like any other resource: through a representation. A representation is a series of bytes that we need to interpret. The rules for this interpretation are given by the media type.

Most RESTful services these days serve representations based on JSON or XML. The media type of a resource compares to the interface of an object.

Some interfaces contain methods that give us access to other interfaces. Similarly, a representation of a resource may contain hyperlinks to other resources.

Code-Based vs Data-Based Services

The difference between REST and SOAP is now becoming apparent.

In SOAP, like in micro-services, the interface is made up of methods. In other words, it’s code based.

In REST, on the other hand, the interface is made up of code and data. We’ve already seen the data: the representation described by the media type. The code is the uniform interface, which means that it’s the same (uniform) for all resources.

In practice, the uniform interface consists of the HTTP methods GET, POST, PUT, and DELETE.

Since the uniform interface is fixed for all resources, the real juice in any RESTful service is not in the code, but in the data: the media type.

Just as there are rules for evolving a Java interface, there are rules for evolving a media type, for example for XML-based media types. (From this it follows that you can’t use XML Schema validation for XML-based media types.)

Uniform Resource Identifiers

So far I haven’t mentioned Uniform Resource Identifiers (URIs). The documentation of many so-called RESTful services may give you the impression that they are important.

However, since URIs identify resources, their equivalent in micro-services are the identities of the objects implementing the interfaces.

Hopefully this shows that clients shouldn’t care about URIs. Only the URI of the home resource is important.

The representation of the home resource contains links to other resources. The meaning of those links is indicated by link relations.

Through its understanding of link relations, a client can decide which links it wants to follow and discover their URIs from the representation.

Versions of Services

As much as possible, we should follow the rules for evolving media types and not introduce any breaking changes.

However, sometimes that might be unavoidable. We should then create a new version of the service.

Since URIs are not part of the public interface of a RESTful API, they are not the right vehicle for relaying version information. The correct way to indicate major (i.e. non-compatible) versions of an API can be derived by comparison with micro-services.

Whenever a service introduces a breaking change, it should change its interface. In a RESTful API, this means changing the media type. The client can then use content negotiation to request a media type it understands.

What Do You Think?

Literature explaining how to design and document code-based interfaces is readily available.

This is not the case for data-based interfaces like media types.

With RESTful services becoming ever more popular, that is a gap that needs filling. I’ll get back to this topic in the future.

How do you design your services? How do you document them? Please share your ideas in the comments.

Book review: Consumption Economics

2013-03-182013-03-17 ~ Ray Sinnema ~ 1 Comment

Consumption Economics, The New Rules of Tech, paints a detailed picture of the future of the technology business, combining vision with practical steps to realize it.

Chapter 1, How Good We Had It, observes that purchased tech products are traditionally paid for up front, while usage starts (much) later, which means the risk is on the buyer to derive value from the purchase.

Since vendors add features to their products faster than customers can consume them, we have a Consumption Gap: the difference between the potential value of a product and the value that is actually realized.

Customers are changing their attitude towards the Consumption Gap and its risk. The economic downturn encourages businesses to cut costs, cloud computing shifts the buying model from CapEx to OpEx, and the iPhone’s App Store has brought choice to computing.

Chapter 2, Shifting Clouds and Changing Rules, explains that the risk of monetizing the investment in tech products will shift to vendors, who will have to survive off micro-transactions (MTs). The cloud will bring prices down to the point of retail-like price wars. Vertical market focus and business process expertise will become the new high-value service capabilities.

Influence will shift from IT departments to end users, who are the ones making the MTs. Tech companies are not used to deal with them, but real-time usage data will change that and lead to the discovery of best-practice utilization patterns.

Chapter 3, Looking Over the Margin Wall, explains that tech is not immune to commoditization. Price competition will kick in and margins will decrease. When we hit this Margin Wall, the only viable strategy is to start over with a new product. The cloud’s low switching costs are decreasing the runway to commoditization.

Things look differently on the other side of the Margin Wall. Revenue is based on MTs, so no usage means no money. The Consumption Gap is now the provider’s problem: they need to make sure their product’s advanced features get used. They must build sophisticated Consumption Models.

Chapter 4, Learning to Love Micro-Transactions, argues that in an OpEx model, volume matters and vendor must learn how to drive MTs. This means more features per user, more apps per user, and more users per month. Even on-premise solutions will move to OpEx models.

We’ll need automated ways to sell electronically in the context of the user’s workflow. We can learn a lot from games, where users get constant feedback, are recognized with rewards and status, and are part of a community in which to share and compete.

Customers must learn this new model as well. Their costs will become less predictable, and purchasing power will trickle down to end users. The role of the IT department will change with new policies like Bring Your Own Device (BYOD).

Chapter 5, The Data Piling Up in the Corner, argues for aggregating and analyzing usage data to build Consumption Models that drive usage. Cloud computing enables that, since all user interactions are recorded on the server.

We need to identify Consumption Roadmaps, best practices for consuming value from our products, and we need our product to guide the end user according to priorities set by the customer.

This requires an e-commerce layer in our products and our organization. Service and field staff will be armed with detailed usage data to better help customers.

Chapter 6, Consumption Development: The Art and Science of Intelligent Listening, explains that with deployment in the cloud, we no longer need to get every thing right from the start, but we can also no longer sit back after a release. We need to actively drive usage based on usage statistics.

Intelligent Listening predicts new wanted features from usage data and monitoring of social media. Consumption Innovation executes on this learning through capabilities to simplify usage and guide users along predetermined paths. In-Product Up-sell bakes in recommendation engines and offer-management capabilities to present users with new features they are likely to want.

Implementing these changes cost money. To fund them, get rid of products that don’t generate profit, as they take up development time and effort.

Chapter 7, Consumption Marketing: Micro-Marketing and Micro-Buzz, describes how the shift to decision making by end users and the data we have about their behavior will change marketing.

Usage data must be combined with information from services, development, and road maps to form Best Consumption Practices.

Marketing must segment users, identify high value capabilities per segment, figure out what sequence of adoption worked to get there, how to guide others along the same paths, and when and where to trigger offers. Offers need to bring real value to the users to drive trust.

Chapter 8, Consumption Sales: After a Great Run, the Classic Model Gets an Overhaul, posits that the old sales model that was based on standardization breaks down with increased complexity of the product and individuality of its users. Instead we need consulting skills and service-oriented compensation models and salespeople with business expertise.

The new sales steps are: win the platform sale, sell the pay-per-use model, and expand the platform agreement by arming the sales force with consumption research.

Chapter 9, Consumption Services: Will They Someday Own “The Number”?, describes how most current revenue from services is in activities like installation, implementation, integration, and maintenance, and how those will largely go away in the cloud.

The customer service and support team is our best bet for driving MTs, because of their cost structure and remotely operated tools. Their role will have to change from minimizing cost to maximizing customer value by adding new inside sales capabilities.

The Account Services Organization (ASO) will closely tie support with professional services and customer engagement. Expertise will shift away from the technical and towards the business to better help the customer gain value from the system. The ASO will need to learn how to sell MTs and build the Consumption Road-map.

Chapter 10, Customer Demand vs. Capital Markets: How Fast Should You Transform?, talks about the balancing act between transforming ourselves and meeting Wall Street’s short-term expectations. Timing is crucial, as we need some runway to fly over the Margin Wall.

The chapter describes some ways to “buy runway” to get you through the transformation period.

Chapter 11, The “S” Stands for Services, argues that the future of technology is in services and that the cloud is all about services.

Big Refactoring: Separate Domain from Presentation

2008-07-062012-06-10 ~ Ray Sinnema ~ Leave a comment

In his landmark book Refactoring: Improving the Design of Existing Code, Marting Fowler not only presents a catalog of “regular” refactorings, he also mentions some “big” refactorings. These big refactorings are not described as a series of atomic steps to follow, but more as a recipe for using a longer series of regular refactorings. And since they are bigger than regular refactorings, they also take a lot longer to complete, sometimes even months.

I’m in the middle of one of these: Separate Domain from Presentation. Now, we all know that we shouldn’t put business logic in interface code, so why do I find myself in this situation?

Well, technically, I don’t 😉 We use Struts, which has a nice MVC architecture. However, it’s the Controller part that has me worried. In Struts, one writes Action classes to control application flow:

“The goal of an Action class is to process a request, via its execute() method, and return an ActionForward object that identifies where control should be forwarded (e.g. a JSP, Tile definition, Velocity template, or another Action) to provide the appropriate response.”

It is, however, all too convenient to implement the business logic in Action classes as well. The Struts documentation even warns about this danger:

“Perform the processing required to deal with this request (such as saving a row into a database). This can be done by logic code embedded within the Action class itself, but should generally be performed by calling an appropriate method of a business logic bean.”

And that’s exactly what’s happened in our code. So I guess I’m actually in the middle of Separate Domain from Controller 😉

Fixing this is not a trivial task. The Action classes use ActionForm classes that hold data entered in the UI to perform their work. This ties them to Struts, which I don’t like at all. For instance, it makes it very hard for us to switch to a different web framework, should we so choose. It also means that simple solutions like Extract Method won’t work, since the extracted method would get the ActionForm as a parameter.

My solution has been to introduce what I call Service classes. A Service class has one method that implements the service that the Action provides. The method has one parameter, which is a Parameter Object, that contains the same information as the Action‘s ActionForm does. I call them Service classes, since these classes could very well be used to implement web services as well.

Anyway, all the Action class has to do now, is:

instantiate the appropriate Parameter Object
populate it from the ActionForm
instantiate the appropriate Service class
call the appropriate method on the Service class (passing the Parameter Object)
update the ActionForm from the method’s result object
construct an ActionForward (possibly using information from the result object)

Luckily, I could automate all of that in a base class using reflection, so that each Action class now only needs two methods: one for instantiating the Parameter Object, and one for instantiating the Service class.

Still, that leaves a lot of Actions to convert. And to make matters worse, they are organized into class hierarchies, which makes it hard to convert them one by one. So I guess I won’t be sitting idle any time soon…

Secure Cloud Development

Musings on the Art and Craft of Creating Secure Software in the Cloud Era

service