I am new to RESTful web services and RESTlet. WE only have experience building servlet based web applications (Servlet/JSP on JBoss/Apache). Now, we are building a RESTlet based application where the server side API would be used by two types of clients - web using browser and swing based via desktop.
What I understand is that as per REST concepts a) server can not maintain sessions to improve scalability and few other reasons b) each request from client should be self-contained
Now, I am really confused how to achieve this. Suppose we take a simple shopping cart application.
Step 1) Client sends the authentication request, server authenticates and server responds OK.
Step 2) Client sends a request to add an item to the shopping cart. Server responds OK.
Step 3) Client sends another request to add 2nd item to the shopping card. Server responds OK.
Normally, in a normally web app, a session is created in Step 1 on server and from that point onwards all the requests pertaining to that client are automatically associated with the same session and we store session state (Shopping Cart in this case) in the session object and retrieve/update it with subsequent requests from the client.
Now, in the above scenario:
1) how do we authenticate and authorize Client in Step 2 and 3 if there is no session maintained on the server ?
2) does client need to send some additional information with each request ?
3) How do we retrieve the client specific Shopping Cart in Step 3 ?
4) Does the client need to send it's Shopping Cart that was created/returned by server in Step 2 again in Step 3 ?
Obviously, this is the simplest use case and so every one developing RESTful web services must be designing their app to handle this. What is the best and most common way to handle session management, authentication, authorization in RESTful web services using RESTLet ? If we have to maintain cache on server side with the client's data then how is this different from server maintaining sessions on our behalf ?
Thanks in advance, Deep
1) how do we authenticate and authorize Client in Step 2 and 3 if there is no session maintained on the server ?
2) does client need to send some additional information with each request ?
Yes. You have to send authentication/authorization data with every request. That's what'll prevent the server from 'remembering' who you are (i.e., stateless server, no sessions)
3) How do we retrieve the client specific Shopping Cart in Step 3 ?
Let's ask a different question: What happens if the server restarts? Do you want all shopping cart data to get lost? Probably not. Implying you have to store it somewhere that it can survive a restart. Implying persistent storage. Could be on server or client...
...now, what if your client restarts? You could choose to create a shopping cart 'resource' for that user using a POST request (when the user adds the first item) or have it created the moment the client logs in (wasteful). Then you continue updating the shopping cart using PUT/DELETE and fetch it using GET.
Should it be in the DB? Could be, depends if that's how you want it to be. If it has to be persistent, it's a good place to keep it so it can survive a restart.
So how to receive client specific shopping cart? Well you just send a GET request for the resource!!! That's it! The first POST will create a resource at an appropriate URL and you can then use that.
Restful web services also have restful URLs so that's a key part of the design.
4) Does the client need to send it's Shopping Cart that was created/returned by server in Step 2 again in Step 3 ?
No. As mentioned above. But if you are using cookies or LocalStorage or some other information on the client side, then maybe you do.
Obviously, this is the simplest use case and so every one developing RESTful web services must be designing their app to handle this. What is the best and most common way to handle session management, authentication, authorization in RESTful web services using RESTLet ?
Yes. It is simple but it takes a while to think in terms of 'resources' rather than 'services'. In restful design everything is (or can be) a resource, including transactions, shopping carts etc.,
However, authorization/authentication are part of the http request packet and is sent with every request. I suggest you read up on those.
If we have to maintain cache on server side with the client's data then how is this different from server maintaining sessions on our behalf ?
BIG difference! Are you caching for performance or maintaining a session? If the system restarts will your system work seamlessly on an empty cache? If yes you are caching for performance else you are maintaining state.
I strongly suggest you read RESTful Web Services by Richardson & Ruby to edify the above concepts and glean more insight into how are restful services designed...it takes some getting used to.