Sviluppo Web Avanzato

Lectures Log - A.Y. 2024/2025

Total lectures: 12, total lecture hours: 24 (100%) - First lecture: 2025-02-28, Last lecture: 2025-06-03

Lecture 1: Introduction to (RESTful) web services

2025-02-28, 11:30 (2 hours)
Slides WS-Rest

(1-1)

Course presentation
(1-2)

Why (web) services are an effective way to develop software
(1-3)

The distributed (web) services story: from RPC to RESTful
(1-4)

Course topics: RESTful web services
(1-5)

Example RESTful services as an extension to standard web applications
(1-6)

Example RESTful services as a base for client-side applications like SPA (Angular, React, etc.)
(1-7)

Example RESTful services as a base for mobile apps
(1-8)

Course topics: RESTful web services design
(1-9)

Course topics: RESTful web services implementation (Java, PHP)
(1-10)

Course topics: RESTful clients implementation (Java, PHP, Javascript)
(1-11)

Web services and Web 2.0
(1-12)

What web services really are?
(1-13)

What is the role of web services in web 2.0?
(1-14)

Example Analysis of some services published by the Public Administration on the web
(1-15)

Example An example of real web services: Amazon
(1-16)

Example Making the Public Administration services real web services
(1-17)

RESTful web services: when to use them, and what alternatives exist

Lecture 2: RESTful services semantics 1

2025-03-07, 11:30 (2 hours)
Slides Restful

(2-1)

Basic features of a RESTful service: protocols, formats, methods
(2-2)

Semantics of a RESTful web service: what kind of application it is best suited for?
(2-3)

RESTful services URL structure
(2-4)

Mapping resources to URLs: the basic collection-item structure
(2-5)

Example Mapping relational structures to RESTful URLs
(2-6)

CRUD RESTful operations: the GET method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET
(2-7)

Example GET on collections: SELECT
(2-8)

Example GET on collections with a query string: SELECT * WHERE
(2-9)

Encoding of data returned by a GET and the Accept/Content-Type headers
(2-10)

The return value of GET on collections: records or keys list?
(2-11)

Example GET on collections: use of the query string to create a LIMIT clause
(2-12)

GET: HTTP return status
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

Lecture 3: RESTful services semantics 2

2025-03-14, 11:30 (2 hours)
Slides Restful

(3-1)

Example GET on item: SELECT * WHERE id = ...
(3-2)

Example GET on attributes: SELECT a WHERE id = ...
(3-3)

GET: HTTP return status
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
(3-4)

CRUD RESTful operations: the PUT method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PUT
(3-5)

Example PUT on item: global UPDATE of a specific record
(3-6)

The payload of the PUT method and the Content-Type header
(3-7)

Example PUT on attributes: UPDATE of individual attributes in a specific record
(3-8)

Example PUT on collections: replacement of an entire collection
(3-9)

PUT: HTTP return status
(3-10)

CRUD RESTful operations: the PATCH method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PATCH
(3-11)

Example PATCH on item: partial UPDATE of a specific record
(3-12)

Extension of PUT semantics in environments not supporting the PATCH
(3-13)

CRUD RESTful operations: the POST method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST
(3-14)

Example POST on collections: INSERT of a new record
(3-15)

The payload of the POST method and the Content-Type header
(3-16)

POST: HTTP return status and values
(3-17)

CRUD RESTful operations: the DELETE method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE
(3-18)

Example DELETE on item: DELETE of a specific record
(3-19)

Example DELETE on collections: emptying a table
(3-20)

DELETE: HTTP return status
(3-21)

Other HTTP methods: HEAD, OPTIONS
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
(3-22)

Example HEAD on resource: metadata check
(3-23)

Example HEAD used to control resource caching
(3-24)

Example OPTIONS on a resource: allowed methods check
(3-25)

The same-origin-policy issue for services
link https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
(3-26)

How to grant access to RESTful services from outside (their domain): CORS
link https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
(3-27)

OPTIONS and CORS: the resource preflight
link https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
(3-28)

RESTful RMI-type operations
(3-29)

How to specify an object (context) and a method to be invoked thorugh an URL
(3-30)

Example The POST method used to make an RMI
(3-31)

Encoding the parameters and the return value of a method invoked via POST
(3-32)

Payload and result for the POST method: Accept and Content-Type header
(3-33)

POST for RMI: HTTP return status
(3-34)

Example RESTful RMI-type operations: GET for read methods (derived attributes)
(3-35)

Example The POST method as an alternative to GET on collections to define complex filters

Lecture 4: RESTful services security

2025-03-21, 11:30 (2 hours)

(4-1)

Security in RESTful APIs
(4-2)

The role of the access token in API security
link https://datatracker.ietf.org/doc/html/rfc7519
(4-3)

How to exchange the access token: from base methods (query string, path) to Bearer Authorization
(4-4)

Managing the expiration and refreshing access tokens
(4-5)

Generating access tokens: authentication schemes
(4-6)

Example How to implement the login/logout technique in a RESTful service
(4-7)

OAuth: an advanced authentication system for services
link https://datatracker.ietf.org/doc/html/rfc6749
link https://datatracker.ietf.org/doc/html/rfc6750
link https://oauth.net/2
(4-8)

The OAuth 2 authorization flow
(4-9)

The benefits of OAuth: no stored credentials and scoped authorization codes
(4-10)

Example OAuth in the real world
link https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
(4-11)

Example The events case study
material REST_Specs

Lecture 5: RESTful services: a case study

2025-03-28, 11:30 (2 hours)

(5-1)

Example The events case study
material REST_Specs
(5-2)

Introduction to the JSON format
link https://www.json.org
(5-3)

Defining the JSON structures required by a service (or inherit them from the code!)
(5-4)

Identifying the collection-item pattern within the API
(5-5)

Defining an URL structure consistent with the API
(5-6)

Outside the pattern: when violating the standard RESTful semantic helps us to be more efficient
(5-7)

Mapping methods and payloads on URLs
(5-8)

Managing binaries correctly and effectively
(5-9)

Example The events case study RESTful API
material REST_Specs_RESTful
(5-10)

Introduction to JSON Schema

Lecture 6: JSON Schema

2025-04-04, 11:30 (2 hours)
Slides JSONSchema

(6-1)

JSON Schema: basic structure and annotations
link https://json-schema.org/specification.html
(6-2)

JSON Schema: meaning of the empty schema and "modeling by restrictions" technique
(6-3)

JSON Schema: data types
(6-4)

JSON Schema: string type and constraints
(6-5)

JSON Schema: numeric types and constraints
(6-6)

JSON Schema: object type and property specification
(6-7)

JSON Schema: object type constraints
(6-8)

JSON Schema: array type and constraints
(6-9)

JSON Schema: enumerations
(6-10)

JSON Schema: schema composition (allOf, anyOf, oneOf, not)
(6-11)

JSON Schema: schema references and modularization ($ref property)
(6-12)

Example The event data structure defined with JSON Schema
material Event_Object.json
material Event_Object_Schema.json
(6-13)

The YAML (meta) language
link https://yaml.org/spec
(6-14)

Relationships between YAML and JSON
(6-15)

YAML syntax: scalars, objects and arrays

Lecture 7: OpenAPI /1

2025-04-11, 11:30 (2 hours)
Slides OpenAPI

(7-1)

Introduction to OpenAPI 3
(7-2)

OpenAPI online tools and specification
link https://www.openapis.org/
link https://swagger.io/tools/open-source/
(7-3)

OpenAPI: basic structure
(7-4)

Example Using the Swagger editor to create an OpenAPI specification
link https://editor-next.swagger.io/
(7-5)

OpenAPI: info object
(7-6)

OpenAPI: tags object
(7-7)

OpenAPI: externalDocs object
(7-8)

OpenAPI: servers
(7-9)

OpenAPI: specification factorization and components object
(7-10)

OpenAPI: schema components
(7-11)

OpenAPI: parameter components
(7-12)

Example The events RESTful service specification with OpenAPI 3: base structure, schemas and parameters

Lecture 8: OpenAPI /2

2025-05-09, 11:30 (2 hours)
Slides OpenAPI

(8-1)

OpenAPI: response components
(8-2)

Example The events RESTful service specification with OpenAPI 3: base structure, schemas, parameters and responses
(8-3)

OpenAPI: requestBody components
(8-4)

OpenAPI: securityScheme components
(8-5)

OpenAPI: endpoints: basic structure of the paths object
(8-6)

OpenAPI: parametric URLs in the paths object
(8-7)

OpenAPI: endpoint parameters (parameters)
(8-8)

Path-level and method-level parameters
(8-9)

OpenAPI: response status and corresponding content (responses)
(8-10)

OpenAPI: request content (requestBody)
(8-11)

OpenAPI: security requirements of an endpoint (security)
(8-12)

Example The events RESTful service specification with OpenAPI 3
material Event_OpenAPI.yaml
(8-13)

Developing a RESTful service with JAX-RS
link https://eclipse-ee4j.github.io/jersey/

Lecture 9: JAX-RS /1

2025-05-16, 11:30 (2 hours)
Material JAXRS_Examples

(9-1)

Example How to create a new JAX-RS server application
material JAXRS_Base_T10
(9-2)

Configuring JAX-RS with service providers and resources: the Application class and @ApplicationPath annotation
(9-3)

Marking classes as (root) RESTful resources: the @Path annotation
(9-4)

Marking class methods to answer HTTP methods: the @GET annotation
(9-5)

RESTful output type for a method: the @Produces annotation
(9-6)

JAX-RS method return types and automatic type conversion
(9-7)

Automatic JSON encoding of complex return types: lists, maps, objects
(9-8)

Required structure for Java objects to be automatically encoded and decoded in JSON
(9-9)

The @JsonIgnore annotation used to exclude class fields from the JSON output
(9-10)

Using the Response class to build RESTful responses
(9-11)

Returning status codes and building complex responses with the Response class
(9-12)

Handling and encapsulating exceptions: the WebApplicationException class
(9-13)

How to inject a query parameter in a method with the @QueryParam annotation
(9-14)

The @Path annotation on methods to identify sub-resources
(9-15)

The @Path annotation with parameters
(9-16)

How to inject a URL parameter in a method with the @PathParam annotation

Lecture 10: JAX-RS /2

2025-05-23, 11:30 (2 hours)
Material JAXRS_Examples

(10-1)

Returning a binary download
(10-2)

Returning a stream: StreamingOutput
(10-3)

Implementation of REST methods: the @POST annotation
(10-4)

RESTful input type for a method: the @Consumes annotation
(10-5)

How to inject the request payload in a method
(10-6)

Data types for payloads: strings, numbers, InputStreams
(10-7)

Automatic Java bean decoding from a JSON payload
(10-8)

Using the UriInfo class to generate URIs to internal resources of a REST application
(10-9)

Implementation of REST methods: the @PUT annotation
(10-10)

Implementation of REST methods: the @DELETE annotation
(10-11)

Summary of JAX-RS techniques for single-class resources
(10-12)

A development pattern for RESTful services: sub-resources
(10-13)

Define and return a REST sub-resource with the @Path annotation
(10-14)

RESTful design with JAX-RS: when and how to use sub-resources?
(10-15)

Example The events RESTful service developed with JAX-RS
material JAXRS_Example_Events
(10-16)

RESTful API and authentication: returning an authentication token (authentication header, cookie or plain payload)
(10-17)

How to define authentication-related annotations in JAX-RS
(10-18)

Limit access to a RESTful method with an authentication annotation
(10-19)

How to write a authentication filter in JAX-RS

Lecture 11: RESTful clients

2025-05-30, 11:30 (2 hours)

(11-1)

How to inject authenticated user information in a RESTful method
(11-2)

RESTful API and authentication: returning an authentication token (authentication header, cookie or plain payload)
(11-3)

Creating advanced custom (de)serializers
(11-4)

Example Creating a custom (de)serializer for the Event class
(11-5)

Handling exceptions: the ExceptionMapper class
(11-6)

How to add CORS headers and handle preflight requests with a filter
(11-7)

RESTful clients in Java with the Apache HTTPComponents Client library
(11-8)

Example A Java client for the events RESTful service
material EventsREST_Client_Java
(11-9)

RESTful clients in Javascript with the XMLHttpRequest object (AJAX)
(11-10)

Example A Javascript client for the events RESTful service: XHR client
material EventsREST_Client_JS
(11-11)

RESTful clients in Javascript with the Fetch API object
link https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
(11-12)

Example A Javascript client for the events RESTful service: Fetch client
material EventsREST_Client_JS

Lecture 12: Advanced topics

2025-06-03, 16:30 (2 hours)

(12-1)

RESTful in PHP with the Slim framework
(12-2)

Example A simple RESTful service created using Slim in PHP
material PHP_Example_Fattura
(12-3)

Basic notions about JQuery
link https://jquery.com/
(12-4)

JQuery and AJAX: the main $ .ajax function
(12-5)

JQuery and AJAX: the "shortcut"methods $ .get, $ .post, and $ .getJSON
(12-6)

RESTful clients in Javascript with JQuery
(12-7)

Example A Javascript client for the events RESTful service: JQuery client
material EventsREST_Client_JS
(12-8)

Beyond RESTful: notes on gRPC, Protobuf, GraphQL...
link https://grpc.io/
link https://protobuf.dev/
link https://graphql.org/
(12-9)

Common RESTful errors: Over and underfetching, N+1 request problem, poor type safety
(12-10)

RESTful best practices: rules of the right linguistic design
link https://doi.org/10.1109/SCC55611.2022.00017