REST Services
REST (representational state transfer) is an architectural style, based on resources to provide inter-system communication.
The Java API specification for RESTful Web Services is called JAX-RS. It provides portable APIs for developing, exposing and accessing web applications designed and implemented in compliance with principles of REST architectural style.
Axon.ivy uses the reference implementation libraries of JAX-RS called Jersey.
Call a remote REST Service
To call a remote REST service it has to be defined in the REST Clients. After that a REST Client Activity can be used to call the REST service.
Examples can be found in the ConnectivityDemos project.
Provide own REST Services
To provide a custom REST service from an ivy project, JAX-RS annotations can be used. A REST resource is created by adding a Java class to the src directory. Once the class carries the correct annotations (as shown below), it is detected as a REST resource and published automatically. After publishing, the resource will be available on the base path /ivy/api/.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

/**
 * Provides the person REST resource
 * on the path /ivy/api/myApplicationName/person
 * (JAX-RS 2.x package names; Person is a plain bean of the project)
 */
@Path("person")
public class CustomProjectResource {

  /** Answers GET requests with a single Person serialized as JSON */
  @GET
  @Produces(MediaType.APPLICATION_JSON)
  public Person get() {
    Person p = new Person();
    p.setFirstname("Renato");
    p.setLastname("Stalder");
    return p;
  }
}
Further information is available in the JAX-RS API Specification.
Many example REST services are available in the ConnectivityDemos.
Secure APIs
REST APIs served by the Axon.ivy Engine are protected by default to provide safe interactions with your API clients.
Basic auth
REST APIs are protected with Basic authentication so that only known users of the security system can get valid responses. Setting HTTP Basic authentication headers from an API client is simple and widely supported. However, since HTTP Basic headers are only Base64 encoded and can be trivially decoded, it is strongly recommended to allow only encrypted HTTPS traffic on the REST APIs.
You can customize the authentication for a specific API method by setting security annotations:
@PermitAll: allows unauthenticated access to anonymous users
@RolesAllowed: users must be authenticated and own the defined roles
@DenyAll: nobody is allowed to invoke this service
The security annotations can be reviewed in the Secure Service within the ConnectivityDemos.
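The following resource illustrates the three annotations side by side. It is an added example, not code from the ConnectivityDemos or from Axon.ivy; the resource path, the role name "Manager" and the method bodies are assumptions. Methods that carry no security annotation keep the engine's default, i.e. they still require a Basic-authenticated user.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

/**
 * Hypothetical resource, published under /ivy/api/myApplicationName/report,
 * that mixes the available access levels. Role name and bodies are assumptions.
 */
@Path("report")
public class ReportResource {

  /** Public health check: anonymous callers may read it, no credentials needed. */
  @GET
  @Path("status")
  @PermitAll
  @Produces(MediaType.TEXT_PLAIN)
  public String status() {
    return "ok";
  }

  /** No annotation: engine default applies, so any authenticated user may read. */
  @GET
  @Produces(MediaType.APPLICATION_JSON)
  public String list() {
    return "[]";
  }

  /**
   * Creating a report requires an authenticated user who owns the Manager role
   * (assumed role name). Being a POST, the caller must also send X-Requested-By.
   */
  @POST
  @RolesAllowed({"Manager"})
  @Produces(MediaType.TEXT_PLAIN)
  public String create() {
    return "report created";
  }

  /** Deletion is switched off for everyone, regardless of credentials or roles. */
  @DELETE
  @Path("{id}")
  @DenyAll
  public void delete(@PathParam("id") String id) {
    // never reached: the security filter refuses the call before dispatch
  }
}
```

Keeping @DenyAll on a method is a cheap way to retire an operation without deleting the code path, and it documents the decision in the place a reviewer will look.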
CSRF protection
To call a modifying REST service via PUT, POST or DELETE the caller needs to provide an HTTP header called X-Requested-By with any value, e.g. ivy. The CSRF filter protects REST services against cross-site request forgery (CSRF). If a client omits the header on a modifying REST request, the response will indicate a failure with the HTTP status code 400 (Bad Request).
Because the filter only covers those modifying methods, user provided REST services via GET, HEAD or OPTIONS should be implemented in a way that they don't modify data.
The CSRF protection filter is enabled by default. However, it can be turned off in an environment where the client can be trusted (e.g. intranet). See the property REST.Servlet.CSRF.Protection in the ivy.webserver.yaml file.
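A client that calls a modifying ivy REST service therefore has to send both headers discussed above: Authorization for Basic auth and X-Requested-By for the CSRF filter. The following JAX-RS client is an added example, not part of the ConnectivityDemos or of Axon.ivy; the engine URL, application name, credentials, the POST on the person resource and the JSON body are all assumptions. It builds the Basic header by hand to make visible that it is plain Base64, which is why the page insists on HTTPS.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Calls a hypothetical POST on /ivy/api/myApplicationName/person with the two
 * headers the engine checks by default. URL, credentials and body are assumptions.
 */
public class IvyRestClientExample {

  /**
   * Basic auth is Base64 encoding, not encryption: anyone who can read the
   * header recovers user and password, hence the HTTPS-only recommendation.
   */
  static String basicAuthHeader(String user, String password) {
    String token = user + ":" + password;
    return "Basic " + Base64.getEncoder()
        .encodeToString(token.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) {
    Client client = ClientBuilder.newClient();
    try {
      // constructed sample body matching the Person bean of the page
      String json = "{\"firstname\":\"Renato\",\"lastname\":\"Stalder\"}";
      Response response = client
          .target("https://ivy.example.com/ivy/api/myApplicationName") // assumed engine URL
          .path("person")
          .request(MediaType.APPLICATION_JSON)
          .header("Authorization", basicAuthHeader("apiuser", "secret")) // assumed credentials
          // any value satisfies the CSRF filter; leaving the header out yields 400 Bad Request
          .header("X-Requested-By", "ivy")
          .post(Entity.json(json));
      System.out.println("HTTP " + response.getStatus());
      response.close();
    } finally {
      client.close();
    }
  }
}
```

The header works as a CSRF defence because a browser will not attach a custom request header to a cross-origin request without a CORS preflight, so a forged form post from another site arrives without X-Requested-By and is rejected with 400 before the resource runs.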
Workflow API
Axon.ivy provides a basic Workflow API REST Service. It can be used to enable remote systems to request information about tasks of a user etc.