Sunday, 8 November 2015

restful web service

1. what is restful service?
  • the server provides resources for clients to access and modify
  • a resource is represented as text, xml or json (most popular)
  • the http protocol is used
  • http get (read), put (create), delete (delete), post (update/create), options (supported operations)
  • stateless, cacheable
  • description languages: wadl, wsdl

2. rest testing with soapui
  • create project
  • add wadl or wsdl api, each api will display a sample request
  • to test a sample request, add it to 'test case' (test suite)
  • add assertions to test case result
  • run test case/suite and generate report
  • property transfer: transfer property from previous test step to next test step

3. rest vs soap
  • rest is architecture, soap is protocol
  • soap is older, heavier, stateful, built-in security, transactional, reliable, no caching, xml payload
  • use soap ui to test soap

4. url encoding
  • a url can only be sent over the internet using the ascii character set
  • when a url contains non-ascii text, each such byte is converted to a "%" followed by two hexadecimal digits
  • a url cannot contain spaces; a space is converted to a plus (+) sign or to %20

5. postman
  • install the "interceptor extension" to send http requests with restricted headers and cookies captured from the browser
  • interceptor uses postman as a browser proxy and can capture headers and cookies from chrome to be used by postman later, therefore avoiding CORS policy issues
  • if you log in using chrome with 'interceptor' turned on, postman will not need to authenticate later
  • use 'environment' to cater for local, ci, dev, sit...
  • use arrays in postman (see reference)
  • the postman native app handles cookies directly without interceptor, so remember to turn on interceptor in the browser when needed
  • ssl certificate verification can be turned off when a certificate problem blocks a test; it can be done in postman settings, or when running newman on the command line with '--insecure'

  • extract a token/value from the response/header, e.g. in the test script of a request:
    var body = JSON.parse(responseBody);
    postman.setEnvironmentVariable("access_token_from_auth0", body.access_token);

6. https
  • purpose: 1) verify that server is authentic 2) encrypt conversation
  • the client obtains a certificate from the server that proves the server's identity
  • the server can obtain a certificate from the client, but it RARELY happens
  • so it's a one-way certification; that's why restassured 'relaxedHTTPSValidation()' works
  • port 443
  • the ssl certificate that contains the public key is sent from the server to the client browser
  • the client uses the public key to encrypt
  • the server uses its private key to decrypt
  • the connection is secure

7. http status
  • 200
  • 400 - bad request
  • 401 - unauthenticated
  • 403 - unauthorized
  • 500 - internal server error

8. http parameter
  • http 'GET' parameter is sent as query in url, e.g. http://example.com/page?parameter=value&also=another
  • http 'POST' parameters are sent in the body as 'application/x-www-form-urlencoded' or 'multipart/form-data'
  • if you have binary (non-alphanumeric) data (or a significantly sized payload) to transmit, use 'multipart/form-data'; otherwise, use 'application/x-www-form-urlencoded'

9. http header
  • name/value pairs, e.g. user-agent, accept-encoding, cookie
  • 'Content-Type': multipart/form-data means the body is a list of parts, each with its own mime type

10. session (server side)
  • the server creates a temporary file (one per session id) to store session variables and their values
  • the session times out after, say, 30 min

11. cookie (browser side)
  • the cookie contains the server session id
  • both session and cookie are tied to the connecting client, therefore connecting from two browsers will produce two cookie/session pairs
  • the client sends the cookie to the server, and the server uses the session to "remember" the state of the application for that specific client and generate the appropriate response
  • session cookies and persistent cookies are different: a session cookie is deleted when the browser closes or leaves the site, a persistent cookie is deleted when it expires
  • a cookie is domain specific; the domain is set to the host name of the page that set the cookie

12. cookie vs jwt
  • a cookie is stateful: a session is created on the server side, the session id is sent to the client as a cookie, and the session can expire
  • a token is stateless: the server holds no session data, it embeds the user data in the token and sends it to the client
  • a cookie is sent automatically by the browser with every request to the server
  • a token is not sent automatically by the browser; the client application must explicitly attach it to a header
  • a token is self-contained: it carries both its validity (signature) and user information (header and payload)
  • header and payload are only base64-encoded; the signature is created by signing header and payload with a private key
  • a token can be decoded at jwt.io, and the signature can be verified there as well.

13. sso (single sign on)
  • access more than one application in a single user session without having to re-authenticate

14. serialize/deserialize json/xml java
  • jackson 'ObjectMapper.writeValueAsString()'
  • jackson 'ObjectMapper.readValue(jsonInString, User.class)'

15. soap
  • envelope, header, body, fault element

16. ssl/tls certificate
  • the certificate is usually stored on the server side; it is only occasionally needed on the client side, when the client also needs to be authenticated
  • client and server do an 'ssl handshake', where the client (and, if client authentication is required, the server) checks the validity of the certificate, and they negotiate the encryption details

17. mock
  • mocky
  • wiremock


references:
1. restful tutorial
2. learn rest, a tutorial.
3. getting started with rest testing
4. functional testing
5. transferring property values
6. url encoding
7. can a json start with [?
8. jaxb hello world example
9. best way to compare 2 xml documents in java
10. compare two json objects in java
11. cucumber-jvm bdd for restful api
12. what is a good approach to verify xml response from restful service in java?
13. jaxb and marshal/unmarshal schema validation
14. sample restful test site
15. form-data or x-www-form-urlencoded?
16. how are parameters sent in an http post request?
17. how session works?
18. session (wiki)
19. cookie vs token
20. environment and array in postman
21. rest vs soap testing
22. rest vs soap
23. understand jwt
24. soap vs rest by smartbear
25. how to convert java object to from json jackson
26. xml soap
27. http put vs post
28. how https works
29. cookies in mobile, do they exist?
30. user session management and sso
31. sending cookies with postman
32. anatomy of jwt
33. extract data from postman and chaining requests
34. how do you make money using postman?
35. how to fix newman error self signed certificate?
36. newman
