Introducing all new RESTful API for API Management

Joseph Fonseka, Senior Technical Lead, [email protected]
Malintha Amarasinghe, Software Engineer, [email protected]

Upload: wso2-inc

Posted on 14-Apr-2017



Introduction

API Manager 1.10.0 ships with a new REST API for the Store and the Publisher.

o Current version is v0.9

Existing APIs

o Not RESTful.

o The API interface was not intuitive.

o Did not have a well-defined interface.

o Secured with a session-based login API.

o User credentials need to be hard-coded.

o You are unable to delegate access.

Example:

curl -b cookies "http://localhost:9763/publisher/site/blocks/listing/ajax/item-list.jag?action=getAllAPIs"

New RESTFul API

o Follows RESTful principles and has a clearly documented API definition.

o Secured using OAuth.

Richardson Maturity Model

New RESTFul API

API Definition

o We took a design-first approach when developing the API.

o The API definition is documented with Swagger 2.0.

API Security with OAuth

o Allows you to delegate access to other applications.

o Use the API Manager token endpoint to generate tokens.

o Supports all the grant types supported by APIM.

o The user is picked up from the token.

API Security with OAuth

[Diagram: components shown are Application, API Publisher, API Store, Key Manager and IdP; arrows are labelled API Request, OAuth and Token Validation.]

Implementation

o We implemented the web APIs as JAX-RS services.

o You can access the APIs using the following contexts:

  o https://<host>:<port>/api/am/publisher/v0.9

  o https://<host>:<port>/api/am/store/v0.9

o The JAX-RS applications can be found in <AM-HOME>/repository/deployment/server/webapps/

  - api#am#publisher#v0.9.war

  - api#am#store#v0.9.war

Implementation : A chain of interceptors

Implementation : Service Implementation

Implementation : Exception Mapper

Validation

o Bean Validation 1.1

o Generates a response with the list of violations and sends it back to the client.

o Custom validation implementations can be plugged in as CXF interceptors.

Validation

Incomplete request:

POST /api/am/publisher/v0.9/apis
Authorization: Bearer <token>

{ "name": "calc1", "context": "/calc1", "version": "1.0.0" }

Response:

HTTP/1.1 400 Bad Request

{
  "moreInfo": "",
  "code": 400,
  "description": "Validation Error",
  "message": "Bad Request",
  "error": [
    { "code": "400_apiDefinition", "message": "apiDefinition: may not be null" },
    { "code": "400_endpointConfig", "message": "endpointConfig: may not be null" },
    { "code": "400_visibility", "message": "visibility: may not be null" },
    ...

Access Control and Security

o By default, OAuth is used for authentication and authorization.

o Resources are secured with OAuth2 scopes.

o Pluggable security mechanisms are supported, e.g. XACML over Basic authentication.

Resource                     Required scope
GET  /apis                   apim:api_view
POST /apis                   apim:api_create
POST /apis/change-lifecycle  apim:api_publish

Access Control and Security (OAuth) - Step 1

Access Control and Security (OAuth) - Step 2

Access Control and Security (OAuth) - Step 3

Multitenancy

o The tenant is typically extracted from the user information of the access token.

o Anonymous Store resources support a special header:

  X-WSO2-Tenant: wso2.com

  ../store/v0.9/apis/*
  ../store/v0.9/tiers/*
  ../store/v0.9/tags
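Putting the scope table from the "Access Control and Security" slide together with the tenant rules from this slide, the following is an added Python model of the checks (it is not WSO2 code). The token dict stands in for what the Key Manager's token validation returns; the tenant-from-username rule and the carbon.super name are assumptions, and Store scopes are not modelled, so anything unmapped is denied.

```python
# Added example (not WSO2 code): models the scope and tenant checks described
# on the slides for the v0.9 Publisher/Store REST APIs so they can be run offline.
SUPER_TENANT = "carbon.super"  # WSO2's name for the default tenant (assumption)

# Resource -> required OAuth2 scope, copied from the "Access Control and
# Security" slide. Paths are relative to the Publisher context.
PUBLISHER_SCOPES = {
    ("GET", "/apis"): "apim:api_view",
    ("POST", "/apis"): "apim:api_create",
    ("POST", "/apis/change-lifecycle"): "apim:api_publish",
}
PUBLISHER = "/api/am/publisher/v0.9"
STORE = "/api/am/store/v0.9"
# Store resources the "Multitenancy" slide lists as anonymous (apis/*, tiers/*, tags).
ANONYMOUS_STORE = ("/apis", "/tiers", "/tags")


def tenant_of(username):
    """Tenant domain is taken as the part after '@' in the token's user
    (e.g. admin@wso2.com -> wso2.com); a bare username means the super tenant."""
    return username.rsplit("@", 1)[1] if "@" in username else SUPER_TENANT


def authorize(method, path, token=None, headers=None):
    """Return (http_status, tenant). token is a constructed dict with 'user'
    and 'scopes', as the Key Manager would report after validating a Bearer
    token. Deny by default: any resource without a scope rule gets 403."""
    headers = headers or {}
    if method == "GET" and path.startswith(STORE):
        rel = path[len(STORE):]
        if any(rel == r or rel.startswith(r + "/") for r in ANONYMOUS_STORE):
            # Anonymous Store call: tenant comes from the X-WSO2-Tenant header
            # when no token is present, otherwise from the token's user.
            if token is None:
                return 200, headers.get("X-WSO2-Tenant", SUPER_TENANT)
            return 200, tenant_of(token["user"])
    if token is None:
        return 401, None  # every other resource requires a Bearer token
    if not path.startswith(PUBLISHER):
        return 403, None  # Store scopes are not modelled here
    required = PUBLISHER_SCOPES.get((method, path[len(PUBLISHER):]))
    if required is None or required not in token["scopes"]:
        return 403, None  # unmapped resource or insufficient scope
    return 200, tenant_of(token["user"])
```

A token carrying only apim:api_view can list APIs but not create them, and a plain anonymous GET on the Store falls back to the super tenant unless X-WSO2-Tenant is sent.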

Versioning

o We follow semantic versioning: MAJOR.MINOR.PATCH

o We are committed to retaining backward compatibility for at least one major version.

Road Map

o We plan to release v1.0.0 in the next APIM release.

o Rewrite the Store and Publisher apps to use the REST API.

o Add support for Optimistic Concurrency Control and caching headers.

o Support for workflows and long-running processes.

o …

Documentation

o Documentation generated from the Swagger definitions can be found at the following locations:

o Publisher documentation: https://docs.wso2.com/display/AM1100/apidocs/publisher/

o Store documentation: https://docs.wso2.com/display/AM1100/apidocs/store/

Questions ?

THANK YOU!