REST based site in ColdFusion

My company is going to redesign a large project from scratch. We are currently thinking about how to implement data providers. I have integrated some web services in the last few months and to a large extent like processing data in this way. So I was thinking about a RESTful design. We will use ColdFusion 10, which comes with REST support, but I really don't like the component structure needed for this.

The biggest advantage is probably that we can use REST to provide data for all our platforms, namely: website, mobile site, and iOS / Android application. My approach to security will be as follows: Access to public data can be obtained by anyone (obviously). Access to private data is possible only with BasicAuth. Using BasicAuth also allows us to create user roles with different access levels. Authorization will be implicit and based on the session / login.

    <!--- server-side example to request customer information (private data, BasicAuth required) --->
    <cfset requestedID = 123>
    <cfhttp url="/customer/#requestedID#" method="get" username="#APPLICATION.REST_SYSTEMUSER#" password="#APPLICATION.REST_SYSTEMUSER_PW#">
        <cfhttpparam type="url" name="includeAddresses" value="true">
    </cfhttp>

    <!--- successful response in JSON --->
    {
        "ID": 123,
        "FirstName": "John",
        "LastName": "Doe",
        "Birthday": "1970-01-01",
        "BillingAddress": {
            "Receiver": "John Doe",
            "Street": {
                "Name": "Main Street",
                "Number": "13",
                "Addition": ""
            },
            "City": {
                "ZipCode": "AB-123",
                "Name": "Sampletown",
                "District": ""
            }
        },
        "ShippingAddresses": [ ]
    }

    <!--- deserialize JSON and build an object to use server-side (the constructor wraps the data and adds functions to it) --->
    <cfset customerJSON = deserializeJSON(CFHTTP.FileContent)>
    <cfset customer = createObject("component", "Customer").init(customerJSON)>

Here are the questions that came to my mind:

  • Can this general REST approach be used for everything on every page? (Is it wise to use REST on websites to start with?)
  • Do local HTTP requests affect performance and slow page loading?
  • Is BasicAuth sufficient to protect data? (I would just add minor security features, such as anti-spam protection).
  • Is it better to avoid dependencies in the web service, for example /customer/ to access /address/ to get your data?

On one of our other (older) websites, we have file-based data providers (including components that take care of accessing the database, etc.), but we ran into several problems with more complex pages (for example, the verification process), such as name conflicts with includes, opaque and heavy components, mixing of model / view / controller elements, etc.

+6
3 answers

Here are my answers, based on a study I did recently. My company is developing new products, so I asked a lot of questions, just like you. We are also very interested in the REST API not only as what drives the interface, but also because it becomes an integration point for other applications. We have kept a separate API for other products, and it is too easy to synchronize it with the main application if you are not careful.

  • Can I use the REST / single-page approach? It certainly can be done. A number of large sites work like this. What seems common is a hybrid approach where the server can generate the HTML for the start page (possibly with the 10 products shown), but the transition to the next 10 products is made via a RESTful call with client-side rendering. This probably gives you the best customer experience, but at the low cost of creating two different templates (server as well as client). Depending on how your site works and who uses it, this may or may not be necessary. For example, GMail is a one-page application, but it is an application, and you tolerate the couple of seconds it spends showing you the loading bar, whereas when a retail site starts up, such a lag may be unacceptable.

  • Local requests slow down loading? Do you mean that your website makes REST calls to receive data, and not directly to the database? In this case, it will add some delay, since an additional network host is involved there, but in a well-configured system and deployment, I think that the lag can be controlled.

  • HTTP Basic. I would consider this only over HTTPS. It is simply not secure enough over HTTP. This is described in the link below.

  • Dependent data. I was also interested in this. It really helped me to watch the presentation from StormPath, which covered a lot of problems and good practices when implementing a RESTful API. They cover an approach to data binding (following HATEOAS principles), but also expansion of the entity, so a GET to /customers/ID123?expand=address will return the customer view, but with their address embedded, which is a good way to avoid a lot of calls to get all the necessary data.

Regarding REST support in CF10. I looked at it and was not very keen on how it worked. Perhaps I misunderstood it, but the REST application seemed very separate from any regular application that you tried to run alongside it. The Railo implementation seemed pretty similar, but with slightly different nitpicks. Of course, creating a REST application that worked on both seemed rather complicated. Have you looked at Taffy? I have not, but would be interested in how it works.

Since REST is an architectural style and not a strict standard, there is a lot of latitude in how you implement things and many opportunities for discussion / argument on the "best" approach.

+4

I recently came across a project called Taffy, which is a framework for writing REST APIs in ColdFusion. It works with CF8-10 and Railo. I am very impressed with how it structures the code and how easy it becomes to write each of the REST endpoints. You might want to study this project for the back end as well.

+1

Can this generic REST approach be used for everything on every single page? (Is it smart to use REST on websites to begin with?)

I'm not sure, but one big thing that bothers me is how REST calls the onError error handler in onError. Here's a bug report that was marked as Fixed, but WHO KNOWS WHEN WE WILL RECEIVE IT. CF11? I do not know, ask Adobe.

This really sucks, because you may never know what exactly went wrong when getting a 5xx error code on the client side.

Do local HTTP requests affect performance and slow down page loading?

Sure. I think it would be better if both the web interfaces and the RESTful APIs call the same method at the service level.

Is BasicAuth sufficient to protect data? (I would just add minor security features such as anti-spam protection)

Usually yes if it is HTTPS. Depends on what is "enough."

Is it better to avoid dependencies in the web service, for example /customer/ accessing /address/ to get your data?

Agree with the side dish, please read its answer.

Finally, I just want to note that in addition to the official CF10 implementation, there are frameworks such as Taffy or ColdBox, which can provide a RESTful API without CF10.

Also, check What can the CF10 RESTful API do that the Coldbox RESTful API cannot do? And vice versa?

+1
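One way to enforce the "BasicAuth only over HTTPS" condition from the answers on the server, and to map the authenticated user to a role as the question describes, shown as an added example (not code from the original posts or from CF10, Taffy or ColdBox). `checkBasicAuth`, the `users` struct and the realm name are hypothetical, and `cgi.server_port_secure` assumes TLS terminates on the ColdFusion server itself rather than on a proxy in front of it.

```cfml
<cfscript>
// Added example: checkBasicAuth() and the users struct are hypothetical,
// not part of CF10's REST support, Taffy or ColdBox.
function checkBasicAuth(required struct headers, required boolean isSecure, required struct users) {
    var result = { status = 401, user = "", role = "" };
    var decoded = "";
    // Basic credentials are only base64-encoded, so refuse them on plain HTTP.
    if (!isSecure) { result.status = 403; return result; }

    if (!structKeyExists(headers, "Authorization")) return result;
    var authHeader = trim(headers["Authorization"]);
    if (!reFindNoCase("^Basic +[A-Za-z0-9+/=]+$", authHeader)) return result;

    try {
        decoded = charsetEncode(binaryDecode(listLast(authHeader, " "), "Base64"), "utf-8");
    } catch (any e) {
        return result; // malformed base64
    }

    // Split on the first colon only: the password may itself contain ":".
    var sep = find(":", decoded);
    if (sep lt 2 or sep eq len(decoded)) return result;
    var user = left(decoded, sep - 1);
    var password = mid(decoded, sep + 1, len(decoded) - sep);
    if (!structKeyExists(users, user)) return result;

    // Compare via java.security.MessageDigest.isEqual rather than "eq",
    // so the check does not stop at the first differing character.
    var md = createObject("java", "java.security.MessageDigest");
    if (!md.isEqual(charsetDecode(password, "utf-8"),
                    charsetDecode(users[user].secret, "utf-8"))) return result;

    result.status = 200;
    result.user = user;
    result.role = users[user].role; // role decides the access level
    return result;
}

// Constructed sample store; a real one would hold salted password hashes.
users = { restsystem = { secret = "constructed-sample-secret", role = "system" } };
auth = checkBasicAuth(getHTTPRequestData().headers, cgi.server_port_secure eq 1, users);
</cfscript>
<cfif auth.status neq 200>
    <cfheader statuscode="#auth.status#">
    <cfif auth.status eq 401>
        <cfheader name="WWW-Authenticate" value='Basic realm="api"'>
    </cfif>
    <cfabort>
</cfif>
```

Because ColdFusion struct keys are case-insensitive, user names match case-insensitively in this sketch.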

Source: https://habr.com/ru/post/945193/

