How to get along with HATEOAS without letting the bad guys steal your lunch - DevNexus 2020
Download as PPTX, PDF•0 likes•79 views
The document discusses the application of HATEOAS (Hypermedia as the Engine of Application State) within RESTful APIs and security measures against potential vulnerabilities. It outlines different maturity levels of API design and emphasizes the importance of minimizing attack surfaces and employing defensive coding practices. Furthermore, it highlights the potential risks posed by hackers exploiting APIs and suggests ways to enhance security through strategic use of HATEOAS links and tracking data.
![20
Hypermedia Controls
• Return list of actions that
can be performed next
• URIs identifying resource(s)
to interact with
• Enable client to react to
changes in response
Account
• id
• firstName
• lastName
• dob
• balance
• currency
• addressID
Address
• id
• nameOrNumber
• street
• line2
• city
• state
• country
• zip
http://host:port/v1/account/1
{
"id": "1",
"addressId": "1",
"balance": 0,
"currency": "USD",
"firstName": "Bob",
"lastName": "Bobson",
"_links": [
{
"href": "http://host:9083/rest/v1/account/1",
"rel": "self"
},
{
"href": "http://host:9083/rest/v1/account/1/deposit",
"rel": "deposit"
},
{
"href": "http://host:9083/rest/v1/address/1",
"rel": "address"
}
]
}
GET
Request Body
Response Body](https://image.slidesharecdn.com/hateoas-and-security-devnexus-2020-final-200224165738/85/How-to-get-along-with-HATEOAS-without-letting-the-bad-guys-steal-your-lunch-DevNexus-2020-20-320.jpg)
![85
HATEOAS- thinking differently
• Using HATOAS naively doesn’t make much difference
/deposit/withdraw
/transfer
/close
GET /withdraw
Links [
“/withdraw”,
“transfer”,
“deposit”,
“close”]](https://image.slidesharecdn.com/hateoas-and-security-devnexus-2020-final-200224165738/85/How-to-get-along-with-HATEOAS-without-letting-the-bad-guys-steal-your-lunch-DevNexus-2020-85-320.jpg)
![86
HATEOAS- thinking differently
• Using HATOAS as engine of state helps the application
/deposit/withdraw
/transfer
/close
GET /deposit
Links [
“/withdraw”
]
This approach still
doesn’t hinder the bad
guys calling any API
directly
How to enforce this
flow?](https://image.slidesharecdn.com/hateoas-and-security-devnexus-2020-final-200224165738/85/How-to-get-along-with-HATEOAS-without-letting-the-bad-guys-steal-your-lunch-DevNexus-2020-86-320.jpg)
![87
HATEOAS- thinking differently
• Have a ’front door’
GET /accounts/<uuid>
Links [
“/withdraw”
“/transfer”
“/deposit”
]
/deposit
/withdraw
/
/transfer](https://image.slidesharecdn.com/hateoas-and-security-devnexus-2020-final-200224165738/85/How-to-get-along-with-HATEOAS-without-letting-the-bad-guys-steal-your-lunch-DevNexus-2020-87-320.jpg)
![88
HATEOAS- thinking differently
• Add tracking data
GET /accounts/<uuid>
Links [
“/withdraw?ref=xxx”
“/transfer?ref=yyy”
“/deposit?ref=xxx”
]
/deposit
/withdraw
/
/transfer](https://image.slidesharecdn.com/hateoas-and-security-devnexus-2020-final-200224165738/85/How-to-get-along-with-HATEOAS-without-letting-the-bad-guys-steal-your-lunch-DevNexus-2020-88-320.jpg)
![90
HATEOAS thinking differently
GET /browse-users?page=100,pagesize=100
GET /browse-users?page=1,pagesize=-100
GET /browse-users?page=$INT_MAX,pagesize=-100
I can validate
the “front
door”
And returned links
have encrypted keys
That cannot be
spoofed
links [
“edit” : “/users/?ref=xxx”
“edit” : “/users/?ref=yyy”
“edit” : “/users/?ref=zzz”
]](https://image.slidesharecdn.com/hateoas-and-security-devnexus-2020-final-200224165738/85/How-to-get-along-with-HATEOAS-without-letting-the-bad-guys-steal-your-lunch-DevNexus-2020-90-320.jpg)
![91
HATEOAS thinking differently
links [
“edit” : “/users/?ref=xxx”
“edit” : “/users/?ref=yyy”
“edit” : “/users/?ref=zzz”
]
These links are still stateless
GET /users/?ref=xxx
GET /users/?ref=xxx
You can call them as many times
as you like
But they can’t be fuzzed!
links [
“view” : “/users/?ref=qqq”
]
And every call returns
a new set of encrypted
references](https://image.slidesharecdn.com/hateoas-and-security-devnexus-2020-final-200224165738/85/How-to-get-along-with-HATEOAS-without-letting-the-bad-guys-steal-your-lunch-DevNexus-2020-91-320.jpg)
How to get along with HATEOAS without letting the bad guys steal your lunch - DevNexus 2020
- 1. 1 How to get along with HATEOAS without letting the bad guys steal your lunch? Yee-Kang (YK) Chang – Liberty Dev Advocacy Lead @yeekangc Steve Poole – Java Developer Advocate @spoole167
- 2. 2 Who we are Steve Poole @spoole167
- 3. 3 How to get along with HATEOAS without letting the bad guys steal your lunch?
- 4. 4 How to get along with HATEOAS without letting the bad guys steal your lunch?
- 5. 5 Hypermedia As The Engine Of Application State
- 7. 7 Hypermedia As The Engine Of Application State
- 8. 8 Hypermedia, an extension of the term hypertext, is a nonlinear medium of information that includes graphics, audio, video, plain text and hyperlinks. Source: https://en.wikipedia.org/wiki/Hypermedia
- 9. 9 Any wiser?
- 10. 10 Hypermedia As The Engine Of Application State
- 12. 12 Level 0: The Swamp of POX
- 13. 13 Level 0: The Swamp of POX POJ
- 14. 14 POJ • Single endpoint • RPC-style interaction • HTTP POST as lowest common denominator Account • id • firstName • lastName • balance • currency • addressID POST http://host:port/v1/service { "method": "updateAccount", "id": "1" } { "id": "1", "firstName": "Bob", "lastName": "Bobson", "balance": 100, "currency": "USD", "addressId": "1" } Request Body Response Body
- 16. 16 Resources and Resource Identifiers • Resource: information that can be named o Document, Image, Collection of Resources, Temporal Service, Entity (Person) • Resource Identifier: identity of a resource (URI/URL) • HTTP POST as lowest common denominator ResourceResource Identifier POST http://host:port/v1/account/1 Account • id • firstName • lastName • balance • currency • addressID { "method": "updateAccount" } { "id": "1", "firstName": "Bob", "lastName": "Bobson", "balance": 100, "currency": "USD", "addressId": "1" } Request Body Response Body
- 17. 17 Level 2: HTTP Verbs
- 18. 18 HTTP Verbs • Use the HTTP Protocol as intended o HTTP Verbs to manage Resource lifecycle o Response codes for communicate results o Contract for ‘safe’ and ‘idempotent’ ResourceResource Identifier GET http://host:port/v1/account/1 Account • id • firstName • lastName • balance • currency • addressID Request Body Response Body { "id": "1", "firstName": "Bob", "lastName": "Bobson", "balance": 100, "currency": "USD", "addressId": "1" }
- 20. 20 Hypermedia Controls • Return list of actions that can be performed next • URIs identifying resource(s) to interact with • Enable client to react to changes in response Account • id • firstName • lastName • dob • balance • currency • addressID Address • id • nameOrNumber • street • line2 • city • state • country • zip http://host:port/v1/account/1 { "id": "1", "addressId": "1", "balance": 0, "currency": "USD", "firstName": "Bob", "lastName": "Bobson", "_links": [ { "href": "http://host:9083/rest/v1/account/1", "rel": "self" }, { "href": "http://host:9083/rest/v1/account/1/deposit", "rel": "deposit" }, { "href": "http://host:9083/rest/v1/address/1", "rel": "address" } ] } GET Request Body Response Body
- 21. 21 ...As The Engine Of Application State • REST – transfer of state representations • Hypermedia Controls – include transfer of valid application actions
- 22. 22 Benefits • Layer 0 – Swamp: no help to the developer • Layer 1 – Resources: helps developer understand what resources can be manipulated • Layer 2 – HTTP Verbs: helps developer understand how to performance actions on resources. • Layer 3 – Hypermedia: helps developer understand valid actions, their types and locations
- 23. 23 “A further benefit is that it helps client developers explore the protocol. The links give client developers a hint as to what may be possible next. ...” – Martin Fowler https://martinfowler.com/articles/richardsonMaturityModel.html
- 24. 24 sed -e 's/client developers/hackers/g'
- 25. 25 “A further benefit is that it helps hackers explore the protocol. The links give hackersa hint as to what may be possible next. ...” - !Martin Fowler https://martinfowler.com/articles/richardsonMaturityModel.html
- 27. 2727 Let’s dispel some fake news
- 28. 28 You have a firewall
- 29. 29 Internet network cluster Server Container……………………application Reality Do you think just a firewall is sufficient?
- 30. 30 Internet network cluster Server Container……………………application Reality Bad guys are looking for exploits everywhere Vulnerabilities in the application Vulnerabilities in the container Vulnerabilities in the server Vulnerabilities in the cluster Vulnerabilities in the network
- 31. 31 Internet network cluster Server Container……………………application Reality Your best defense Defense in depth Detection Forsooth we are under attack my liege
- 32. 32 Most attacks don’t start with a plan
- 33. 33 They start with a script: trying every door Of every building Across the planet 24x7 Imagine a burglar
- 34. 34 Think of hackers as a B*****d Tester From Hell except they wont ever raise bug reports
- 37. 37 Or how about SwaggerHub
- 39. 39 Or just curl --head <your-site.com>/api/v1
- 40. 4040 How do they hack your API?
- 41. 41 You do follow secure design principles? • Minimize attack surface area • Establish secure defaults • Principle of Least privilege • Principle of Defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Princip les#Security_principles
- 42. 42 The bad guys are looking for your weaknesses • Minimize attack surface area • Establish secure defaults • Principle of Least privilege • Principle of Defense in depth • Fail securely • Don’t trust services • Separation of duties • Avoid security by obscurity • Keep security simple • Fix security issues correctly https://www.owasp.org/index.php/Security_by_Design_Princip les#Security_principles
- 43. 43 Three aspects Security Disassembly How does the security system work Reverse Engineering How the application is constructed and how it works Social Engineering what can be find out about the API , the company, the application, the customers.
- 44. 44 Security Disassembly Not using HTTPS? Know what http strict transport security (hsts) is ?
- 45. 45 Security Disassembly Can you rely on having a secure encrypted connection? Browser Exploit Against SSL/TLS (BEAST) Compression Ratio Info-leak Made Easy (CRIME) Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) Padding Oracle On Downgraded Legacy Encryption (POODLE)
- 46. 46 Security Disassembly All data to and from the API is public Even if you have a secure connection to the client Man in the middle Reverse engineered client or app Malware / xss In the browser
- 47. 47 Reverse Engineering You use REST?
- 48. 48 Reverse Engineering • What documentation exists?
- 49. 49 Reverse Engineering With REST I can guess how to use your API GET /users
- 50. 50 Reverse Engineering With REST I can guess how to use your API GET /users/1 GET /users/2
- 51. 51 Reverse Engineering With REST I can guess how to use your API POST /users PUT /users/1 PATCH /users/1 DELETE /users/1
- 52. 52 Reverse Engineering What about cookies, headers etc? GET /users/1
- 53. 53 Reverse Engineering What else can I find about how your service is constructed? X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.2.2 Java/Sun Microsystems Inc./1.6)
- 56. 56 Reverse Engineering Try likely entry points and all the http verbs GET /users/1 DELETE /api/v1/users/1 OPTIONS /api/v1/user/1 HEAD /api/v1/user/1 POST /users/1
- 57. 57 Reverse Engineering Play with the headers and cookies POST /api/v1/user HTTP/1.1 Host: developer.mozilla.org Content-Length: 64 Content-Type: application/x- www-form-urlencoded
- 58. 58 Reverse Engineering Can I get the service to fail or break? 404 “Not Found” 503 “Service Unavailable” “500 Internal Server Error” Different errors from different components?
- 59. 59 Reverse Engineering If I can find a static endpoint service I might be able to get at the filesystem… GET /api/v1/images/a/../../../../../../etc/passwd
- 60. 60 Reverse Engineering Stack traces and error messages really help More help I’m on the right track More component info
- 61. 61 Reverse Engineering Fuzzing calls and data.. GET /users/1 POST /users/2 PUT /users/20000?name=“(select GET /users/-1 GET /users/$INT_MAX
- 63. 63 Fuzzing calls and data. Reverse Engineering Fuzz urls, json payloads, xml payloads, binary payloads … Import / export / upload / download options .. Command line options, file formats … “known-to-be-dangerous” values In the public domain Widespread & mature Automatic ‘protocol’ detection & exploitation
- 64. 64 Reverse Engineering Hack the client and/or the data flows
- 65. 65 Reverse Engineering Read the code and the issues
- 66. 66 Reverse Engineering Read the logs
- 67. 67 Reverse Engineering Find test end points <servlet> <servlet-name>TestRetrieveFileResponseServlet</servlet-name> <display-name>TestRetrieveFileResponseServlet</display-name> <servlet-class> tests.webservices.TestRetrieveFileResponseServlet </servlet-class> </servlet> <servlet-mapping> <servlet-name>TestRetrieveFileResponseServlet</servlet-name> <url-pattern>/TestRetrieveFileResponseServlet</url-pattern> </servlet-mapping> <servlet-mapping> We don’t use security on our test endpoints because it’s easier
- 68. 68 Reverse Engineering: Summary 1. Find common memes about API design being used 2. Identify components (Look for vulnerabilities ) 3. Find published lists of end points (even if unintentional) 4. Find API responses that indicate less checking / validation 5. Find direct paths to the different software components 6. Use API fuzzing to break / exploit / explore 7. Take the client apart 8. Document the flows 9. Sell the information
- 69. 69 Reverse Engineering: Summary The bad guys will hack your system and your API (mostly) automatically using all the available tools in their toolbox What can you do to make it harder?
- 70. 7070 REST Defense against the dark side
- 71. 71 Basics Reduce the opportunity to fuzz the data Less guessable paths Can you use a different port? Require special headers to prevent a 404? Following REST API design doesn’t mean you have to be too helpful. Don’t do this: GET /api/v1/management/departments/10 Do this: GET /api/sendoa/management/departments/10 Any derivation of /api/v1 you can think of? So has someone else and it’s encoded in the bots
- 72. 72 Basics Reduce opportunity for ‘drive-by’ discovery Make all identifers UUID’s Place limit checking on data ranges. Following REST API design doesn’t mean you have to be too helpful. Don’t do this: GET /api/v1/management/departments/10 Do this: GET /api/sendoa/management/departments/f2a5c851-f703-4f63-93f2- 64771a488c3f Got a great project? Don’t use its name here. People talk on social media…
- 73. 73 Basics Reduce opportunity for fuzzing Check assumptions about what dependencies will check (write testcases to prove it’s true and will remain true) Validate the data request as a whole as well as its individual parts Following REST API design doesn’t mean you have to be too helpful.
- 74. 74 Basics Reduce your data output and organize by use case o . GET /api/v1/UserDelivery/1GET /api/v1/Users/1
- 75. 75 Basics Reduce raw data being returned o . GET /api/v1/Calendar/1
- 76. 76 Basics Reduce raw data being returned o . GET api/v1/Calendar/1?from=01122019
- 77. 77 Basics Write code defensively Assume all requests are bogus and log unusual but valid reqs Validate all the data The request is a request – not an order. Review all error messages for too much helpfulness. Review return codes for consistency across the whole API Review headers and cookies for extraneous non essential data Following REST API design doesn’t mean you have to be too helpful.
- 78. 78 Basics Write code defensively https://blog.jetbrains.com/idea/2017/09/code-smells-too-many-problems/ Often the path through the code is decided only by the data provided Bad guys look for unexpected paths by fuzzing your data Don’t have unexpected states or code paths..
- 79. 79 Basics Log / alert unexpected behavior Build in an expectation of what the client will be doing with the data. All log entries must be useful – generic errors don’t help. Be careful about the amount of extra info in a log – remember the bad guys may gain access to them too Following REST API design doesn’t mean you have to be too helpful.
- 80. 8080 How to use HATEOAS for even more security ..
- 81. 81 Recap • We need an API approach that can 1. Reduce opportunities for data fuzzing 2. Reduce risk of driving down unexpected state paths 3. Reduce the ability of a machine to explore the API 4. Make it harder for a human being to hack the api 5. Detect unexpected behavior 6. But still have an API that developers can use
- 82. 82 HATEOAS to the rescue? https://en.wikipedia.org/wiki/HATEOAS GET /accounts/12345/ These relationship values can’t be automatically discovered without making the 1st call. But then tools can find these links and use them
- 83. 83 HATEOAS- thinking differently • HATEOAS is intended to help with navigating through the options available in a REST based application. It helps the client understand what are valid next options. • Used carelessly HATEOAS is an aid to the hackers • But there is an answer
- 84. 84 HATEOAS- thinking differently • Traditional REST application approach: every service is callable in any order /deposit/withdraw /transfer /close GET /withdraw POST /deposit …
- 85. 85 HATEOAS- thinking differently • Using HATOAS naively doesn’t make much difference /deposit/withdraw /transfer /close GET /withdraw Links [ “/withdraw”, “transfer”, “deposit”, “close”]
- 86. 86 HATEOAS- thinking differently • Using HATOAS as engine of state helps the application /deposit/withdraw /transfer /close GET /deposit Links [ “/withdraw” ] This approach still doesn’t hinder the bad guys calling any API directly How to enforce this flow?
- 87. 87 HATEOAS- thinking differently • Have a ’front door’ GET /accounts/<uuid> Links [ “/withdraw” “/transfer” “/deposit” ] /deposit /withdraw / /transfer
- 88. 88 HATEOAS- thinking differently • Add tracking data GET /accounts/<uuid> Links [ “/withdraw?ref=xxx” “/transfer?ref=yyy” “/deposit?ref=xxx” ] /deposit /withdraw / /transfer
- 89. 89 HATEOS thinking differently GET /accounts/<uuid>/ The links are now ‘tracked’ And tied to this caller GET /account-mgmt/<uuid>/ Plus the less common options are somewhere else with different access required Plus the less common options are somewhere else with different access required
- 90. 90 HATEOAS thinking differently GET /browse-users?page=100,pagesize=100 GET /browse-users?page=1,pagesize=-100 GET /browse-users?page=$INT_MAX,pagesize=-100 I can validate the “front door” And returned links have encrypted keys That cannot be spoofed links [ “edit” : “/users/?ref=xxx” “edit” : “/users/?ref=yyy” “edit” : “/users/?ref=zzz” ]
- 91. 91 HATEOAS thinking differently links [ “edit” : “/users/?ref=xxx” “edit” : “/users/?ref=yyy” “edit” : “/users/?ref=zzz” ] These links are still stateless GET /users/?ref=xxx GET /users/?ref=xxx You can call them as many times as you like But they can’t be fuzzed! links [ “view” : “/users/?ref=qqq” ] And every call returns a new set of encrypted references
- 92. 92 HATEOAS thinking differently GET /api/v1/findPetsByStatus?status=available&pagesize=100 GET queryStatus?ref=888c6e08-daf1-4484-8d31-0394b05d6338
- 93. 93 HATEOAS thinking differently ref=“888c6e08-daf1-4484-8d31-0394b05d6338” Moral equivalent of /api/v1/queryStatus?status=available &pagesize=100 &page=2 &pages_processed=1 &ip-address=<ipaddress> &first-request=<timestamp> &other things to help you keep track of usage profile now you have actionable intelligence about the client Encrypted data is not fuzzable
- 94. 94 HATEOAS thinking differently Using HATEOAS this way helps greatly with being able to track unexpected behaviour and reduce data fuzzing. It may mean an extra call or two What’s that worth versus increased peace of mind?
- 95. 9595 The ultimate reality using HATEOAS principles and a defensive design style can help protect your application as part of a “defense in depth” approach
- 97. 97 The ultimate reality • Hackers use sophisticated tooling to attack you • These tools look for known vulnerabilities and common design errors. • Everyone makes mistakes (some of which we don’t know about yet) • Relying on one single form of defense is the ultimate foolishness • Right now its about defense In depth o Be less vulnerable than the next guy. o make the human side of hacking expensive and time consuming • Make sure you have alarm systems: Invest in detection, invest in the strongest encryption, invest in security testing, design for defense • Take a long hard look at your design choices – easy for developers = easy for hackers
Editor's Notes
- #4: HATEOAS is nothing new, in fact it’s the aspect of Roy Fielding’s REST work that is often overlooked. I first came across HATEOAS working with a customer many years ago. They raved about how it improved decoupling between their client applications and their backend services.
- #5: Where to start... Well, the main key word in the title is the dreadfull acronym of HATEOAS, so let’s dig a big deeper into that.
- #6: OK, so this is what HATEOAS stands for: Hypermedia As The Engine Of Application State. Definitely a Friday afternoon down the pub naming that one.
- #7: This was my first thought when I read the name.
- #8: So let’s break it down a bit. Hypermedia looks to be pretty important to let’s try to understand that a bit more...
- #9: Here’s the definition from Wikipedia, which actually was one of the most intuitive I found. Read it. Essentially, in the same way Hypertext is a graph of linked text documents, Hypermedia is also a graph of linked things, but in this case they can be of various different types such as images, audio, etc.
- #10: So, are we any wiser?
- #11: And what about this part?
- #12: To try to understand things a bit more, I did a bit of research and came across the Richardson Maturity Model. This isn’t anything new and was written as part of a REST book many years ago. At the time of writing, Martin Fowler reviewed it and wrote up a summary of the model. It follows the standard approach for Capability Maturity Model. They’re designed to measure your organizational/technical maturity against defined criteria. I found this a nice way to think about the elements of REST services. The last layer is HATEOAS and we’ll get to that, but let’s look at each layer. Level 0 – The Swamp of POX You may need more than SOAP to clean off from the Swamp of POX The Richardson Maturity Model starts not at level 1, but at level 0 – the “swamp of POX.” POX in this case stands for Plain Old XML, and represents the most basic functionality expected of an API entering into the Richardson Maturity Model. At this level, HTTP is used as the transport mechanism for every remote interaction, but these interactions don’t utilize the mechanisms inherent in the web. HTTP serves as a basic tunneling mechanism alone. At this level, all API interaction is essentially RPC, a back and forth XML conversation wherein every request and response is nothing more than a chunk of code. This may be useful in some cases, surely, but even in SOAP, the penultimate POX-centric solution, each iteration and evolution is nothing more than wrapping the HTTP process in a complicated envelope. Level 1 – Resources Utilize resources to begin the API maturation process XML conversations work in some scenarios, but they’re not ideal for the complex tasks required of modern API interactions and offerings. For one, POX is inefficient, often transferring superfluous text. Second, by communicating over XML, you’re over complicating what should be an otherwise simple, efficient, and succinct communication. Our first step towards rectifying these issues is to emerge from the swamp of POX by utilizing resources. Resources allow requests to be delivered to the specific resource in question, rather than simply exchanging data between each individual service endpoint. While this seems like a small difference, in terms of function, it’s a complete sea change. In POX, an ill-defined function is simply called from a large body, an aether-like miasma of collated resources and possible points of resolution, and then this function is defined with further complex arguments. By adopting resources rather than XML bodies for communication, we are establishing a type of object identity, calling a particular object and passing arguments to it that are specifically related only to its function and form. Also read: 7 Growing API Design Trends Level 2 – HTTP Verbs Correct HTTP verb usage Now that we’ve moved towards resources, we can start looking at how we interact with those resources. In the POX approach, verbiage often doesn’t specifically matter. POST does what POST does, but GET can in many cases function in much the same way, resulting in an API that often delivers the same data to duplicate verbs. In Level 0 and Level 1, these verbs serve as a tunneling mechanism for your request – in those levels, this is fine, since all the API is really doing is conversing in XML with XML. The problem, however, is that verbiage is different for a reason. Each verb — GET, POST, PUT, DELETE, etc — does something very specific, and these functions often deliver entirely different sets of results when properly addressed – failure to leverage HTTP verbs for their correct usages means that you’re losing a lot of potential functionality for no reason. As a good example, both POST and GET in the POX approach will result in the same return – GET, however, is defined as a safe operation, which opens up a ton of functionality. One such functionality is caching, which can be used to great effect to reduce the amount of processing needed by the API, and an increase in transit efficiency by removing the need to respond to requests that will only generate the same result. All of that is lost, of course, without designing your resources specifically around the verbiage and the expected response. By differentiating the leverage through design at level 2, we can take full advantage of such benefits. For more on HTTP verbiage read: Designing Evolvable APIs for the Web: Interaction Level 3 – Hypermedia Controls HATEOAS delivers more links and information For many developers, level 2 is “good enough”. Proper verbiage and a reduction in XML chatter dependence seems to result in an API that is basically in a usable state, and as such is where many developers feel comfortable with stopping. Unfortunately, this is missing the entire point of this exercise – the final step, level 3, grants certain benefits that should not be ignored. Level 3 implements hypermedia, which can be used to great effect to extend the functionality of an API to new levels. By implementing HATEOAS (Hypertext as the Engine of Application State), we can make the API respond to requests with additional information, and link resources together for more rich interactions. These links can make user experience that much more rich, and can create a web of functionality that results in a more powerful, more efficient, and more useful. Utilizing hypermedia also delivers the ability to update URI schemes without breaking clients, allowing for a greater amount of freedom for development change on the back end. This is not the case before level 3, but the benefits don’t stop there. The simple fact is that an API which does not utilize Hypermedia is functioning at its most basic, least useful level – the fundamentals may be on offer, but the API is self-limiting in the extreme. Related: REST State Machine Revisited The Richardson Maturity Model Guides Development Beyond the reasons noted above, there’s an even greater reason to adopt the Richardson Maturity Model through to level 3. According to Roy Fielding, the creator of the concept of RESTful design, Hypermedia is a prerequisite of true REST. As such, reaching the final third level of the Richardson Maturity Model can be seen as a goalpost for development teams that desire a true RESTful conclusion. All of that being said, the final level of the Richardson Maturity Model is not the end-all be-all for API design. REST is very useful, but there are some cases where SOAP makes sense, and in that case. Even in those cases, of which there are few, level 2 Richardson Maturity Model is still a very good goalpost to reach, as that is where an API comes to depend on resources rather than XML bodies and massive undifferentiated endpoints. Here, we can see where the Richardson Maturity Model really shines. Yes, it’s final levels will result in a RESTful result – but ultimately, the Richardson Maturity Model is a great system by which the maturity of an implementation can be measured. With each maturity requirement of your implementation fluctuating largely due to the requirements of the user, the Richardson Maturity Model can be used as a sort of structure by which development can be guided towards a more complete, more mature result, irrespective of the foundational elements of the API itself. It also adds structure for collaborative development. Any development will naturally start as less mature and evolve towards more mature. Guiding API design solely by features or economic motives without a structure in place can lead to issues. Therefore, technical development must be guided, and it must be structured with a goal in mind. More important than these elements are the structures which fundamentally dictate whether the API is RESTful or not, whether it uses resources or not, and whether it respects standardized verbiage. The Richardson Maturity Model can function as a system to ensure adherence and promote maturity throughout the development lifecycle. A Path Toward API Realization Ahh, out of the swamp. This looks much better. The Richardson Maturity Model is a visual way to gauge the competency of your API. In this article we dissected each layer: Plain Old XML, Resources, HTTP verbs, and hypermedia. Much like Maslow’s Hierarchy, the journey to realization is an upward climb; as your API moves higher, it becomes more fulfilled. While the Richardson Maturity Model is not the only development model on offer in the API landscape, it’s core philosophies are hard to argue against. The simple fact that its ultimate goal, integration of Hypermedia, is considered by Roy Fielding himself to be a prerequisite for REST design should make anyone developing a REST application take notice. Additionally, even when ignoring its RESTful attributes, the Richardson Maturity Model offers a goalpost for development that will result in greater, more fully designed APIs that respond in a more natural, effective, and powerful way. Additional Resources Richardson Maturity Model: steps toward the glory of REST Richardson Maturity Model Act Three: The Maturity Heuristic
- #13: Swamp of POX. POX stands for Plain Old XML, which shows its age.
- #14: So for us, we’re going to talk about Swamp of Plain Old JSON, or POJ.
- #15: With POJ, you have a single service endpoint for all requests. Interactions are RPC style, meaning your calling a remote procedure identified in the body of the request. Because you don’t know the semantics of the procedure you need to use the lowest common denominator Http method of POST (neither safe nor idempotent so can’t be cached or retried).
- #17: Next layer up is Resources and Resource Identifiers. Here, we expose multiple endpoints, one for each resource type. The API becomes more strongly typed because we’re passing the same resource type around. Still passes the procedure in the request and uses POST as the lowest common denominator.
- #21: The existences of a link can be reflected in the UI with an available action. The location can be changed on the server without having to change the client.