Hesam Seyed Mousavi, November 28, 2014
As part of the recent Visual Studio 2013 and .NET 4.5 launch, Microsoft formally unveiled its new web services framework called the ASP.NET Web API. Included as part of the ASP.NET MVC 4 offering, the open-source ASP.NET Web API is designed to simplify the development and consumption of RESTful services.
In a post called “Where does ASP.NET Web API Fit?”, Rick Strahl of West Wind Technologies explains the purpose and benefits of the ASP.NET Web API.
ASP.NET Web API differentiates itself from the previous Microsoft in-box HTTP service solutions in that it was built from the ground up around the HTTP protocol and its messaging semantics. Unlike WCF REST or ASP.NET AJAX with ASMX, it’s a brand new platform rather than bolted on technology that is supposed to work in the context of an existing framework. The strength of the new ASP.NET Web API is that it combines the best features of the platforms that came before it, to provide a comprehensive and very usable HTTP platform. Because it’s based on ASP.NET and borrows a lot of concepts from ASP.NET MVC, Web API should be immediately familiar and comfortable to most ASP.NET developers.
Strahl points out the core capabilities that make the ASP.NET Web API a natural fit for both existing users of the ASP.NET MVC framework and developers who need to build HTTP endpoints.
Microsoft already has an existing web services framework called Windows Communication Foundation (WCF), which lets developers build contract-first services that leverage transport protocols such as TCP, HTTP and MSMQ. Originally built for SOAP-based services that want WS-* capabilities, WCF eventually added a handful of REST-friendly capabilities.
As time passed, the WCF Web APIs had a lot of trouble adapting WCF to the “native” HTTP world. WCF was primarily designed for SOAP-based XML messages, and the “open-heart” surgery that was required to make the Web API work as part of WCF was a bit too much (or so I understand from people who were involved in creating the Web APIs). On the other hand, the ASP.NET MVC infrastructure, with its elegant handling of HTTP requests and responses and its support of easy-to-create controllers, seemed like the proper way to go for creating this new type of service.
WCF remains alive and well in the latest .NET 4.5 release and Flatow identifies some of the decision criteria for choosing between WCF and the ASP.NET Web API.
REST – REpresentational State Transfer
REST is not a standard but an approach (specification) to developing and providing services on the internet. REST follows the architectural style of a web application, in which a user progresses through the application by selecting links that lead to the next page. REST is based on resources that are identified by a unique URI.
When a service conforms to the characteristics defined for REST, we can refer to the service as RESTful. REST does not tie itself to any particular platform, but is currently done on the Web with HTTP.
Fundamental Characteristics / Constraints of REST
Client-server: Separation of Concerns is a principle where the user interface is separated from data storage. This leads to the portability of the user interface across multiple platforms and improves scalability by simplifying server components.
Stateless: Each request to the server should contain all the information required to understand and complete the request.
Cacheable: The data within a response to a request should be marked as cacheable or non-cacheable, so that the client can reuse it at another point in time. This might improve performance and reduce network traffic.
Layered system: Intermediary servers like proxy servers or cache servers can be used to improve performance or introduce security.
Uniform interface: A uniform interface (like HTTP GET, POST, DELETE, PUT) is to be used to access a resource.
A RESTful Web Service is a collection of the following:
Uniform Resource Identifier – This is a unique way of identifying resources on the network. Every resource on the web is given a unique identifier – a universal identifier (example, URL). All web browsers, servers, applications understand this identifier, which makes it easy to connect and exchange information between one another without any issues.
Can be XML, HTML, and JSON.
HTTP forms a standard way to communicate with resources on the web. GET, PUT, DELETE, POST are some of the common methods to access a resource.
GET: Helps to request a specific representation of the resource.
PUT: Updates a resource with a specific representation.
DELETE: Deletes a specified resource.
POST: Creates a new resource.
Designing RESTful Services
The initial steps in designing RESTful services are to identify the objects (resources) that will be exposed to the outside world and then to map these resources to URIs. We should not focus on designing the methods for an application; instead, we should focus on designing resources and their URIs. Various data formats can be used with REST; XML is easier and mostly used, but JSON is equally being used.
.NET 4.5 and REST and WCF
WCF is not all about building SOAP-based services; it is an extensible framework with a common programming model and a totally pluggable communication infrastructure. The basic job of the WCF runtime is to listen for messages from a network location, process those messages and pass them to the application (service). With .NET 4.5, developing a REST application is an easy task. Microsoft has provided a REST template which we can use to create new projects; it creates basic skeleton code for REST.
Security and REST
If you look at the above code, you will notice the flaw: this service does not have any security built into it. But when we are building services that expose endpoints, security has to be taken care of. RESTful services are just HTTP endpoints, so all security aspects implemented with HTTP (like HTTPS, certificates) can also be implemented with REST.
There are two types of hosting: self-hosted Web Services and Web Services hosted with an application server like IIS. In self-hosted Web Services, most of the security aspects should be taken care of in the code; when hosted in IIS, on the other hand, the settings in IIS take care of the security.
Setting Endpoint: Security for Services Deployed on IIS
When hosting an endpoint on IIS, use the web.config file to make configuration changes. The configuration can be done for the virtual directory where the service is running. We need to be aware of both the client config and the virtual directory configuration.
Once authenticated, the next step is to authorize the client, what they can do and what they can’t do.
Impersonation: by impersonating the client, the authorization is delegated to another layer. For example, when a client is trying to insert or update data in a SQL Server database, SQL Server throws an exception if the client doesn’t have permission, which can be bubbled back to the client.
Role based: Implement authorization by restricting access to operations to certain Windows users or groups.
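The following is an added example, not code from the original article: a self-hosted WCF REST service that sets transport security and Windows authentication in code and applies both authorization styles described above. The contract `IOrderService`, the group `CONTOSO\OrderReaders` and the address `https://localhost:8443/api` are hypothetical, and a server certificate is assumed to be already bound to that port.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Web;

[ServiceContract]
public interface IOrderService   // hypothetical contract
{
    [OperationContract, WebGet(UriTemplate = "orders/{id}")]
    string GetOrder(string id);

    [OperationContract, WebInvoke(Method = "DELETE", UriTemplate = "orders/{id}")]
    void DeleteOrder(string id);
}

public class OrderService : IOrderService
{
    // Role based: callers outside this (hypothetical) Windows group are rejected
    // with a SecurityException before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderReaders")]
    public string GetOrder(string id) { return "order " + id; }

    // Impersonation: the body runs under the caller's Windows identity, so the
    // resource behind it (for example SQL Server) makes the access decision.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public void DeleteOrder(string id)
    {
        Console.WriteLine("delete {0} as {1}", id, WindowsIdentity.GetCurrent().Name);
    }
}

public static class Program
{
    public static void Main()
    {
        // Self-hosted: HTTPS and the authentication scheme are chosen in code.
        var binding = new WebHttpBinding(WebHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        using (var host = new WebServiceHost(typeof(OrderService)))
        {
            host.AddServiceEndpoint(typeof(IOrderService), binding, "https://localhost:8443/api");
            // Map PrincipalPermission role checks to Windows group membership.
            host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```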
Advantages of REST
Services offered by REST style are easier to consume compared to other style services, meaning lower learning curve for the consumer.
Supports caching of URI of the service and components can be deployed independently. Lightweight (consider SOAP which uses WSDL which makes the SOAP protocol a complex service).
Disadvantage of REST
The major disadvantage from a developer’s perspective is that it does not have metadata, so it requires knowledge of implementation details. On the security side, RESTful services depend on HTTP security.
When to Use REST
REST can be implemented when we plan to design an application to be used exclusively on the web, and also when we need a quick client integration.
When Not to Use REST
When designing an application of service oriented architecture which interconnects many systems and uses many transport channels, it is better to use SOAP.