Implementing RESTful Services With WCF 3.5 SP1: Security, Scalability and Controlling the URI (Part 2 of 2)
Session Objectives And Takeaways
• Go a level deeper than we did in Part 1
• Describe how optional HTTP features like caching and conditional GET impact scalability
• Explain how you can fully control the URI
• Consider options for securing RESTful services
• Learn about the updates to WCF in 3.5 SP1
Agenda
• What is REST and why should I care?
• How will resources be addressed?
• How will resources be formatted?
• How do I ensure scalability?
• How do I secure my service?
Why REST?
• REST is an architectural style for implementing services with the simple and open model of the web
• SOAP is a protocol that delivers a rich messaging model independent of the transport
(Slide figure: 5 HTTP messages, 18,604 bytes, “You entered: 1”)
Default WCF Web URI
http://localhost/service.svc/method?arg1=1
• Scheme: http
• Authority: localhost
• File path: service.svc (the .svc file)
• Method name: method
• Query arguments: ?arg1=1
WCF 3.5 UriTemplates
• UriTemplate allows you to override the default
• Arguments are bound by name
    [OperationContract]
    [WebGet(UriTemplate = "Wine/{wineId}")]
    WineData GetWine(string wineId);
http://localhost/service.svc/Wine/1
New in WCF 3.5 SP1
• Default values for template items
• Cannot be used for query string values
    [OperationContract]
    [WebGet(UriTemplate = "Wine/{wineID=17}")]
    WineData GetWine(string wineID);
New in WCF 3.5 SP1
• Compound template segments
    [OperationContract]
    [WebGet(UriTemplate = "wine({wineID})")]
    WineData GetWine(string wineID);
http://localhost/service.svc/wine(17)
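The three template forms on the preceding slides (named segment, SP1 default value, SP1 compound segment), as an added example that is not code from the deck. The WineData type, the IWineService contract, the lookup logic and the base address are assumptions made for this example; UriTemplate and WebServiceHost are the real System.ServiceModel.Web types.

```csharp
// Added example, not code from the slides: how a WCF 3.5 SP1 UriTemplate binds
// named segments, default values (SP1) and compound segments (SP1). The WineData
// type, the service contract and the base address are assumptions for this example.
using System;
using System.Collections.Specialized;
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Web;

[DataContract(Namespace = "")]
public class WineData
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Name { get; set; }
}

[ServiceContract]
public interface IWineService
{
    // Named segment: the template variable is bound to the parameter by name
    [OperationContract]
    [WebGet(UriTemplate = "Wine/{wineId}")]
    WineData GetWine(string wineId);

    // Default value (SP1): ".../Default" binds wineId = "17"; defaults are only
    // allowed on path segments, not on query string variables
    [OperationContract]
    [WebGet(UriTemplate = "Default/{wineId=17}")]
    WineData GetWineOrDefault(string wineId);

    // Compound segment (SP1): literal text and a variable in one path segment
    [OperationContract]
    [WebGet(UriTemplate = "wine({wineId})")]
    WineData GetWineCompound(string wineId);
}

public class WineService : IWineService
{
    public WineData GetWine(string wineId) { return Lookup(wineId); }
    public WineData GetWineOrDefault(string wineId) { return Lookup(wineId); }
    public WineData GetWineCompound(string wineId) { return Lookup(wineId); }

    // Constructed data source. Template variables arrive as untrusted strings, so
    // the value is parsed and range-checked before it is used for anything.
    static WineData Lookup(string wineId)
    {
        int id;
        if (int.TryParse(wineId, out id) && id > 0 && id <= 100)
            return new WineData { Id = id, Name = "Coho wine #" + id };

        WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.NotFound;
        WebOperationContext.Current.OutgoingResponse.SuppressEntityBody = true;
        return null;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var baseAddress = new Uri("http://localhost:8000/service.svc");

        // UriTemplate can be exercised without hosting anything: Match() returns
        // the bound variables, or null when the candidate URI does not fit
        ShowMatch("Wine/{wineId}", baseAddress, "http://localhost:8000/service.svc/Wine/1");
        ShowMatch("Default/{wineId=17}", baseAddress, "http://localhost:8000/service.svc/Default");
        ShowMatch("wine({wineId})", baseAddress, "http://localhost:8000/service.svc/wine(17)");
        ShowMatch("Wine/{wineId}", baseAddress, "http://localhost:8000/service.svc/Wine/1/extra");

        // Optional: host the service (needs rights to listen on the base address)
        if (args.Length > 0 && args[0] == "host")
        {
            using (var host = new WebServiceHost(typeof(WineService), baseAddress))
            {
                host.Open();
                Console.WriteLine("Listening on {0}; press Enter to stop", baseAddress);
                Console.ReadLine();
            }
        }
    }

    static void ShowMatch(string templateText, Uri baseAddress, string candidate)
    {
        var template = new UriTemplate(templateText);
        UriTemplateMatch match = template.Match(baseAddress, new Uri(candidate));
        if (match == null)
        {
            Console.WriteLine("{0,-22} no match: {1}", templateText, candidate);
            return;
        }
        NameValueCollection bound = match.BoundVariables;   // variable names are case-insensitive
        foreach (string key in bound.AllKeys)
            Console.WriteLine("{0,-22} {1} = {2}", templateText, key, bound[key]);
    }
}
```

Run without arguments to see which URIs each template accepts and what it binds; the last call shows that an extra trailing segment is simply rejected rather than ignored, which is why a template, not a regex on the raw URL, is the safer place to define what a resource address may look like.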
Full URI Control
• Scott Guthrie: Tip/Trick: Url Rewriting with ASP.NET
• Jon Flanders (MVP): Using WCF WebHttpBinding and WebGet with nicer Urls
• IIS7
  • Use/build an HttpModule
  • IIS7 team recently released a URL Rewrite Module
• IIS 5/6
  • Use an ISAPI filter
Demo: Controlling the URI
Message Schema
• Option 1: Basic Atom feed
  • Standardized syndication schema
  • WCF 3.5 SP1 supports all Atom Publishing Protocol types
• Option 2: Custom service schema
  • You create your own schema for messages using DataContracts or XSD
  • See the Part 1 session for examples
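Option 1 in working form, as an added example rather than the deck's own demo code: a WebGet operation that returns an Atom feed built with the System.ServiceModel.Syndication types that ship in WCF 3.5. The IWineFeed contract, the wine names and the URIs are constructed for this example.

```csharp
// Added example, not code from the slides: building an Atom feed with the
// System.ServiceModel.Syndication types in WCF 3.5 and returning it from a
// WebGet operation. The wine list, URIs and contract are constructed here.
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Syndication;
using System.ServiceModel.Web;
using System.Xml;

[ServiceContract]
public interface IWineFeed
{
    // The operation returns the abstract formatter type; ServiceKnownType tells
    // WCF the concrete Atom 1.0 formatter it should expect at runtime
    [OperationContract]
    [ServiceKnownType(typeof(Atom10FeedFormatter))]
    [WebGet(UriTemplate = "wines")]
    SyndicationFeedFormatter GetWines();
}

public class WineFeedService : IWineFeed
{
    public SyndicationFeedFormatter GetWines()
    {
        SyndicationFeed feed = BuildFeed(new Uri("http://localhost:8000/service.svc/"));
        WebOperationContext.Current.OutgoingResponse.ContentType = "application/atom+xml; charset=utf-8";
        return new Atom10FeedFormatter(feed);
    }

    // Constructed wine list. Titles and summaries are created as plain text
    // content (TextSyndicationContent), so a name containing markup is escaped
    // by the formatter instead of being rendered by the feed reader.
    public static SyndicationFeed BuildFeed(Uri baseAddress)
    {
        var feed = new SyndicationFeed("Coho Winery", "Current wine list", new Uri(baseAddress, "wines"));
        feed.Id = new Uri(baseAddress, "wines").ToString();
        feed.LastUpdatedTime = new DateTimeOffset(2008, 10, 1, 12, 0, 0, TimeSpan.Zero);

        string[] names = { "Coho Pinot Noir", "Coho Merlot <b>2005</b>" };
        var items = new List<SyndicationItem>();
        for (int i = 0; i < names.Length; i++)
        {
            Uri link = new Uri(baseAddress, "Wine/" + (i + 1));
            items.Add(new SyndicationItem(names[i], "Wine " + (i + 1) + " from the Coho cellar",
                                          link, link.ToString(), feed.LastUpdatedTime));
        }
        feed.Items = items;
        return feed;
    }
}

public static class Program
{
    // Write the feed to the console so the Atom document can be inspected
    // without hosting the service
    public static void Main()
    {
        SyndicationFeed feed = WineFeedService.BuildFeed(new Uri("http://localhost:8000/service.svc/"));
        var settings = new XmlWriterSettings { Indent = true };
        using (XmlWriter writer = XmlWriter.Create(Console.Out, settings))
            new Atom10FeedFormatter(feed).WriteTo(writer);
    }
}
```

The second wine name is deliberately constructed with markup: in the printed feed it appears as an escaped text element, which is the behaviour you want when feed content comes from user-supplied data.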
microformats
• Standards for common human readable data in (X)HTML
• hCard, hCalendar, etc.
    <div id="" class="vcard">
      <a class="url fn n" href="http://www.cohowinery.net">
        <div class="org">Coho Winery</div>
      </a>
      <a class="email" href="mailto:greatwine@cohowinery.net">greatwine@cohowinery.net</a>
      <div class="adr">
        <div class="street-address">555 Wine Lane</div>
        <span class="locality">Napa</span>
        <span class="region">CA</span>
        <span class="postal-code">94558</span>
        <span class="country-name">USA</span>
      </div>
      <div class="tel">800-555-1212</div>
    </div>
Demo: Basic Atom Feed
Content Negotiation
• Allow the client to ask for the format they want
  • Accept header
  • Extension
  • Query string
• Fixed content format
  • Attribute your WCF service
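An added example, not the deck's demo, of two of the options above (query string and Accept header) done by hand in WCF 3.5 SP1, where there is no built-in format selection. The operation returns a Stream, which puts WCF in raw mode and lets the code pick the serializer and the Content-Type itself. The IWineCatalog contract, the Wine type, the `format` query variable and the data are assumptions for this example.

```csharp
// Added example, not code from the slides: manual content negotiation for a
// WCF 3.5 SP1 WebGet operation. The Wine type, the contract, the "format"
// query variable and the wine list are constructed for this example.
using System;
using System.IO;
using System.Net;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.ServiceModel;
using System.ServiceModel.Web;

[DataContract(Namespace = "")]
public class Wine
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Name { get; set; }
}

[ServiceContract]
public interface IWineCatalog
{
    // Returning Stream means WCF writes the bytes unchanged and uses whatever
    // ContentType the operation sets. A missing query variable binds to null.
    [OperationContract]
    [WebGet(UriTemplate = "wine/{id}?format={format}")]
    Stream GetWine(string id, string format);
}

public class WineCatalog : IWineCatalog
{
    static readonly Wine[] Wines =
    {
        new Wine { Id = 1, Name = "Coho Pinot Noir" },
        new Wine { Id = 17, Name = "Coho Merlot" }
    };

    public Stream GetWine(string id, string format)
    {
        WebOperationContext ctx = WebOperationContext.Current;
        int numericId;
        Wine wine = int.TryParse(id, out numericId) ? Array.Find(Wines, w => w.Id == numericId) : null;
        if (wine == null)
        {
            ctx.OutgoingResponse.StatusCode = HttpStatusCode.NotFound;
            ctx.OutgoingResponse.SuppressEntityBody = true;
            return null;
        }

        string chosen = ChooseFormat(format, ctx.IncomingRequest.Accept);
        var body = new MemoryStream();
        if (chosen == "json")
        {
            new DataContractJsonSerializer(typeof(Wine)).WriteObject(body, wine);
            ctx.OutgoingResponse.ContentType = "application/json; charset=utf-8";
        }
        else
        {
            new DataContractSerializer(typeof(Wine)).WriteObject(body, wine);
            ctx.OutgoingResponse.ContentType = "application/xml; charset=utf-8";
        }
        body.Position = 0;
        return body;
    }

    // Precedence: explicit query string, then the Accept header, then XML.
    // Both inputs are untrusted, so they are only compared against a fixed
    // list of media types and never copied into the response. q-values are
    // ignored: the first listed type we support wins.
    public static string ChooseFormat(string queryFormat, string accept)
    {
        if (string.Equals(queryFormat, "json", StringComparison.OrdinalIgnoreCase)) return "json";
        if (string.Equals(queryFormat, "xml", StringComparison.OrdinalIgnoreCase)) return "xml";

        if (!string.IsNullOrEmpty(accept))
        {
            foreach (string entry in accept.Split(','))
            {
                string mediaType = entry.Split(';')[0].Trim();   // drop ";q=..." parameters
                if (mediaType.Equals("application/json", StringComparison.OrdinalIgnoreCase)) return "json";
                if (mediaType.Equals("application/xml", StringComparison.OrdinalIgnoreCase) ||
                    mediaType.Equals("text/xml", StringComparison.OrdinalIgnoreCase)) return "xml";
            }
        }
        return "xml";   // fixed default when the client expresses no usable preference
    }
}

public static class Program
{
    // Exercise the selection rule on its own, without hosting the service
    public static void Main()
    {
        Console.WriteLine(WineCatalog.ChooseFormat(null, "application/json, text/javascript;q=0.9"));
        Console.WriteLine(WineCatalog.ChooseFormat("xml", "application/json"));
        Console.WriteLine(WineCatalog.ChooseFormat(null, "text/html"));
        Console.WriteLine(WineCatalog.ChooseFormat(null, null));
    }
}
```

Because the response varies by Accept header, a production version should also emit `Vary: Accept` on the response so a shared cache does not hand a JSON body to a client that asked for XML; the query-string variant has no such problem because the format is part of the cache key already.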
Demo: Content Negotiation
Caching
• Client side
  • Controlled by HTTP headers
    • Cache-Control: instructions to the client-side cache
    • Expires
• Server side
  • HttpRuntime.Cache
  • “Velocity” distributed cache (CTP1 now available)
Conditional GET
• GET this data if...
  • If-Modified-Since: (Date): return the data only if it has been modified since (Date)
  • If-None-Match: (ETag): return the data only if there isn't one with this ETag
• Saves bandwidth by not transmitting old data
• Response.SuppressEntityBody
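The client-side caching headers and both conditional GET checks from the last two slides, combined in one WCF 3.5 SP1 operation, as an added example rather than the deck's demo. It uses the 3.5 members of OutgoingWebResponseContext (ETag, LastModified, StatusCode, SuppressEntityBody, Headers); the Wine type, the strong ETag scheme (SHA-256 of the serialized bytes) and the sample data are assumptions for this example.

```csharp
// Added example, not code from the slides: Cache-Control, ETag and Last-Modified
// on the way out, If-None-Match and If-Modified-Since on the way in, with a 304
// that suppresses the entity body. The Wine type, the hashing scheme for the
// ETag and the sample record are constructed for this example.
using System;
using System.Globalization;
using System.IO;
using System.Net;
using System.Runtime.Serialization;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Web;

[DataContract(Namespace = "")]
public class Wine
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Name { get; set; }
    public DateTime LastModifiedUtc { get; set; }   // not serialized; drives Last-Modified
}

[ServiceContract]
public interface IWineCache
{
    [OperationContract]
    [WebGet(UriTemplate = "wine/{id}")]
    Stream GetWine(string id);
}

public class WineCache : IWineCache
{
    static readonly Wine Sample = new Wine
    {
        Id = 17, Name = "Coho Merlot",
        LastModifiedUtc = new DateTime(2008, 10, 1, 12, 0, 0, DateTimeKind.Utc)
    };

    public Stream GetWine(string id)
    {
        IncomingWebRequestContext request = WebOperationContext.Current.IncomingRequest;
        OutgoingWebResponseContext response = WebOperationContext.Current.OutgoingResponse;

        if (id != Sample.Id.ToString(CultureInfo.InvariantCulture))
        {
            response.StatusCode = HttpStatusCode.NotFound;
            response.SuppressEntityBody = true;
            return null;
        }

        // Serialize once: the bytes are both the ETag input and the body
        var body = new MemoryStream();
        new DataContractSerializer(typeof(Wine)).WriteObject(body, Sample);
        string etag = ComputeETag(body.ToArray());

        // This resource is public, so shared caches may keep it. For per-user
        // data use "private, no-store" instead, or a proxy can serve one
        // user's representation to another.
        response.Headers[HttpResponseHeader.CacheControl] = "public, max-age=60";
        response.ETag = etag;
        response.LastModified = Sample.LastModifiedUtc;

        if (IsNotModified(request.Headers[HttpRequestHeader.IfNoneMatch],
                          request.Headers[HttpRequestHeader.IfModifiedSince],
                          etag, Sample.LastModifiedUtc))
        {
            // 304: headers only; no bandwidth is spent re-sending old data
            response.StatusCode = HttpStatusCode.NotModified;
            response.SuppressEntityBody = true;
            return null;
        }
        body.Position = 0;
        return body;
    }

    // Strong ETag: quoted hex SHA-256 of the exact representation bytes
    public static string ComputeETag(byte[] representation)
    {
        using (SHA256 sha = SHA256.Create())
            return "\"" + BitConverter.ToString(sha.ComputeHash(representation)).Replace("-", "") + "\"";
    }

    // If-None-Match takes precedence over If-Modified-Since. Weak validators
    // ("W/...") are treated as non-matching here.
    public static bool IsNotModified(string ifNoneMatch, string ifModifiedSince,
                                     string currentETag, DateTime lastModifiedUtc)
    {
        if (!string.IsNullOrEmpty(ifNoneMatch))
        {
            foreach (string candidate in ifNoneMatch.Split(','))
            {
                string tag = candidate.Trim();
                if (tag == "*" || tag == currentETag) return true;
            }
            return false;
        }

        DateTime since;
        if (!string.IsNullOrEmpty(ifModifiedSince) &&
            DateTime.TryParseExact(ifModifiedSince, "R", CultureInfo.InvariantCulture,
                                   DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out since))
        {
            // HTTP dates have one-second resolution, so drop sub-second ticks before comparing
            long wholeSeconds = lastModifiedUtc.Ticks - lastModifiedUtc.Ticks % TimeSpan.TicksPerSecond;
            return new DateTime(wholeSeconds, DateTimeKind.Utc) <= since;
        }
        return false;
    }
}
```

A client that sends back the ETag it received gets a 304 with no body; a client that sends a stale ETag, or an If-Modified-Since earlier than the record's timestamp, gets the full representation again. The Cache-Control value is the security-relevant line: the conditional GET machinery works identically for private data, but the caching directive has to change.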
Demo: Caching / Conditional GET
Security Scenarios
• Developer / app authorization: authorizes an application to access RESTful services
• Third party access: an application or site accessing a protected resource on behalf of another
• Human RIA user: accessing a protected resource from an Ajax or Silverlight web page using a cookie
Developer / App Authorization
• Control access to public services
  • Allows you to revoke access if necessary
• Developer is issued a token or application ID (or both)
  • Verify email and acceptance of license
• Each request requires the token to be sent
  • URI may also include a signature to prevent request tampering
  • Tokens may be sent in the URI or Authorization header
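The server side of the scheme just described (token per developer, revocable, with a request signature against tampering), as an added example that is not from the deck. The signing scheme itself is an assumption: HMAC-SHA256 over the HTTP method, the path and query, a Unix timestamp and the token, keyed with a per-developer secret. The token store, the secret and the five-minute replay window are constructed for this example.

```csharp
// Added example, not code from the slides: verifying a developer token plus a
// request signature on the server. The signing scheme (HMAC-SHA256 over method,
// path+query, timestamp and token with a per-developer secret), the token
// store and the replay window are assumptions made for this example.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class RequestSigning
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Constructed token store: token -> shared secret. A real service keeps this
    // in a database with a revocation flag, which is what makes "revoke access
    // if necessary" possible without changing the service.
    static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]>
    {
        { "dev-token-1", Encoding.UTF8.GetBytes("constructed-secret-for-dev-1") }
    };
    static readonly HashSet<string> Revoked = new HashSet<string>();

    public static void Revoke(string token) { Revoked.Add(token); }

    // Both sides sign the same canonical string. Including method and path+query
    // means a captured signature is useless for any other resource; including
    // the timestamp bounds how long a captured request can be replayed.
    public static string CanonicalString(string method, string pathAndQuery, string timestamp, string token)
    {
        return method.ToUpperInvariant() + "\n" + pathAndQuery + "\n" + timestamp + "\n" + token;
    }

    public static string Sign(byte[] secret, string canonical)
    {
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // True only if the token is known and not revoked, the timestamp is inside
    // the window, and the signature matches what the server computes itself
    public static bool Verify(string method, string pathAndQuery, string token,
                              string timestamp, string signature, DateTime nowUtc)
    {
        byte[] secret;
        if (string.IsNullOrEmpty(token) || Revoked.Contains(token) || !Secrets.TryGetValue(token, out secret))
            return false;

        long unixSeconds;
        if (!long.TryParse(timestamp, out unixSeconds)) return false;
        DateTime sent = Epoch.AddSeconds(unixSeconds);
        if (Math.Abs((nowUtc - sent).TotalMinutes) > 5) return false;   // replay window

        string expected = Sign(secret, CanonicalString(method, pathAndQuery, timestamp, token));
        return FixedTimeEquals(expected, signature ?? string.Empty);
    }

    // Compare every character regardless of where the first mismatch is, so the
    // response time does not reveal how much of a guessed signature was right.
    // Lengths may differ early: a base64 HMAC-SHA256 is always the same length.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        DateTime now = new DateTime(2008, 11, 1, 12, 0, 0, DateTimeKind.Utc);
        string ts = ((long)(now - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds)
                        .ToString();
        string path = "/service.svc/Wine/17";
        byte[] secret = Encoding.UTF8.GetBytes("constructed-secret-for-dev-1");   // what the developer holds
        string sig = RequestSigning.Sign(secret, RequestSigning.CanonicalString("GET", path, ts, "dev-token-1"));

        // A well-formed request, then the same signature presented for another
        // resource, then the same request an hour later, then after revocation
        Console.WriteLine(RequestSigning.Verify("GET", path, "dev-token-1", ts, sig, now));
        Console.WriteLine(RequestSigning.Verify("GET", "/service.svc/Wine/18", "dev-token-1", ts, sig, now));
        Console.WriteLine(RequestSigning.Verify("GET", path, "dev-token-1", ts, sig, now.AddHours(1)));
        RequestSigning.Revoke("dev-token-1");
        Console.WriteLine(RequestSigning.Verify("GET", path, "dev-token-1", ts, sig, now));
    }
}
```

Of the two transport options the slide lists, the Authorization header is the better home for the token and signature: anything placed in the URI is written to web server, proxy and browser history logs, and a signed URI that is logged remains valid for the whole replay window.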
OAuth (Open Authentication)
• An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications (OAuth.net)
• Allows users to grant access to protected resources without having to give credentials to third parties
• MySpace WCF implementation
• RestChess.com
Human RIA User
• Authentication
  • Ajax authentication service is enabled
  • Human signs in to the web site with script that calls Sys.Services.AuthenticationService.Login
  • Authorization token returned in a cookie
  • Client-side script accesses protected resources using the cookie
• Authorization
  • Server authorizes client requests by placing a web.config file in the folder with the resource
Demo: Human RIA Security
Summary
• RESTful services work the way the Web works
  • Sharing your data with the world works
• Focus on simple and open ideas first
  • Choose broad adoption over elegant design
• Embrace the protocol of the web: HTTP
  • Understand its semantics
  • Use it as designed