REST/SOAP

• REST stateless authentication - REST stateless authentication
• Stateless authentication with API REST - Stateless authentication with API REST
• Message authentication code - Message authentication code
• JSON Web Tokens - JSON Web Tokens
• Where to store you JWT cookies - JWT token must be retrieved from back end as Cookie header with HttpOnly and Secure flags for avoiding XSS (it only applies when storing JWT token in localStorage/sessionStorage) As Cookie will be stored in sessionStorage and because of HttpOnly JavaScript will not be able to access it. XSS applies when hackish Javascript is injected in your site. Because JavaScript can not read it, we are safe :)
• Where to store you JWT cookies - JWT token, for avoiding CSRF, requires random token provided from back end as Cookie. This random token could be included in the JWT payload or in some HTTP header like X-XSRF-TOKEN for being sent to back end (it only applies when storing JWT token in localStorage/sessionStorage) As Cookie will be stored in sessionStorage and because only code that runs in my domain can read the cookie we are safe. CSRF applies when from some different domain some one tries to send some order to my site by means of for example POST to my site. Because this POST came from a different domain my Cookie will not be sent and we are safe :) Remenber, cookies apply for domain.
• AngularJs - AngularJs CSRF protection. It uses random token provided from back end (as Cookie header with HttpOnly and Secure flags) This random token is sent to back end in HTTP header X-XSRF-TOKEN. Code from a different domain will not be able to send my cookie because this code is not able to see Cookie set for my domain/site.
• Nobody Needs Reliable Messaging - Nobody Needs Reliable Messaging
• WS-RM and WS-R: Can SOAP be reliably delivered from confusion? - WS-RM and WS-R: Can SOAP be reliably delivered from confusion?
• Web Services Description Language (WSDL) Version 2.0 Part 1: Core Language - Web Services Description Language (WSDL) Version 2.0 Part 1: Core Language
• Describe REST Web services with WSDL 2.0 - Describe REST Web services with WSDL 2.0
• Architectural Styles and the Design of Network-based Software Architectures - Architectural Styles and the Design of Network-based Software Architectures
• Steve Yegge rant: SOA, Amazon VS Google - Steve Yegge rant: SOA, Amazon VS Google
• RSDL - RSDL
• RESTful Service Description Language (RSDL) - RESTful Service Description Language (RSDL)
• RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content - RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
• JSON PATCH vs JSON MERGE PATCH - JSON PATCH vs JSON MERGE PATCH
• RFC 7396: JSON MERGE PATCH - RFC 7396: JSON MERGE PATCH. Useful when having a simple API.
• RFC 5789: PATCH method - RFC 5789: PATCH method
• RFC 6902: PATCH JSON document - RFC 6902: PATCH JSON document. Useful when having a complex API.
• Do not patch like an idiot (great links at the bottom of that page) - Do not patch like an idiot (great links at the bottom of that page)
• POST and updates, Roy T. Fielding thoughts - POST and updates, Roy T. Fielding thoughts
• RFC 6570: URI Template - RFC 6570: URI Template
• RFC 3986: Uniform Resource Identifier (URI): Generic Syntax - RFC 3986: Uniform Resource Identifier (URI): Generic Syntax
• Do not use PUT for partial updates - Do not use PUT for partial updates
• Best practice for paging in RESTful APIS - Best practice for paging in RESTful APIS
• Pagination reponse payload from a RESTful API - Pagination reponse payload from a RESTful API
• REST pagination in Spring (HATEOAS with Header Links no pagination body data) - REST pagination in Spring (HATEOAS with Header Links no pagination body data)
• RFC 5988: Links HTTP Header: next, prev, first, last - RFC 5988: Links HTTP Header: next, prev, first, last
• Duplicate REST resources in multiple URLs: canonical URLS - Duplicate REST resources in multiple URLs: canonical URLS
• RFC 6596: The Canonical Link Relation - RFC 6596: The Canonical Link Relation
• Retrieving partial resources: The Google way - Retrieving partial resources: The Google way
• Why trailing slashes on URIs are important - Why trailing slashes on URIs are important
• Trailing slashes and relative URIs - Trailing slashes and relative URIs
• RFC 7231: return 400 for errors and sintax validations - RFC 7231: return 400 errors when sintax validations
• RFC 7231: return 404 not found - RFC 7231: return 404 when not found resource
• RFC 7231: return 409 just for conflicts - RFC 7231: return 409 just for conflicts. Typically when using PUT and optimistic lockings
• RFC 4918: return 422 for errors and sematic validations - RFC 4918: return 422 errors when sematic validations
• RFC 7231: return 301. Moved Permanently. This and all future requests should be directed to the given URI - RFC 7231: moved Permanently status code. For historical reasons, a user agent MAY change the request method from POST to GET for the subsequent request. If this behavior is undesired, the 308 (Permanent Redirect) status code can be used instead
• RFC 7231: return 302. Found, moved temporarily. The target resource resides temporarily under a different URI - RFC 7231: the redirection might be altered on occasion, the client ought to continue to use the effective request URI for future requests. For historical reasons, a user agent MAY (even if RFC wasn't originally intended to behave like this) change the request method from POST to GET for the subsequent request. If this behavior is undesired, the 307 (Temporary Redirect) status code can be used instead
• RFC 7231: return 303, server is redirecting the user agent to a different resource which is intended to provide an indirect response to the original request - RFC 7231: This status code is applicable to any HTTP method, not just POST. It is primarily used to allow the output of a POST action to redirect the user agent to a selected resource by means of GET. Unlike 302, RFC was originally intended to change the request from any HTTP method to GET. If this behavior is undesired, the 307 (Temporary Redirect) status code can be used instead
• RFC 7231: return 307. Temporary Redirect. Target resource resides temporarily under a different URI - RFC 7231: the target resource resides temporarily under a different URI and the user agent MUST NOT change the request method. This status code is similar to 302 (Found), except that it does not allow changing the request method from POST to GET
• RFC 7238: return 308. Permanent Redirect. The target resource has been assigned a new permanent URI and any future references to this resource ought to use one of the enclosed URIs - RFC 7238: This status code is similar to 301 (Moved Permanently) except that it does not allow changing the request method from POST to GET. The user agent MUST NOT change the request method
• RFC 7231: return 200, success with body and without links - RFC 7231: return 200 when success after GET,HEAD,POST,PUT,DELETE,OPTIONS,TRACE and body in response. No links in response. No Location header
• RFC 7231: return 201, success with body and links - RFC 7231: return 201 when success after POST,PUT and body in response. With links in reponse. Links to new resource in the reponse's Location header.
• RFC 7231: return 204, success without body - RFC 7231: Any verb returns 204 when success and no body in response
• REST versioning - REST versioning