Sviluppo Web Avanzato

Lectures Log - A.Y. 2025/2026

Total lectures: 10, total lecture hours: 20 (83%) - First lecture: 2026-02-27, Last lecture: 2026-05-15

Lecture 1: Introduction to (RESTful) web services

2026-02-27, 11:30 (2 hours)
Slides WS-Rest

(1-1)

Course presentation
(1-2)

Why (web) services are an effective way to develop software
(1-3)

The distributed (web) services story: from RPC to RESTful
(1-4)

Course topics: RESTful web services
(1-5)

Example RESTful services as an extension to standard web applications
(1-6)

Example RESTful services as a base for client-side applications like SPA (Angular, React, etc.)
(1-7)

Example RESTful services as a base for mobile apps
(1-8)

Course topics: RESTful web services design
(1-9)

Course topics: RESTful web services implementation (Java, PHP)
(1-10)

Course topics: RESTful clients implementation (Java, PHP, Javascript)
(1-11)

Web services and Web 2.0
(1-12)

What web services really are?
(1-13)

What is the role of web services in web 2.0?
(1-14)

Example Analysis of some services published by the Public Administration on the web
(1-15)

Example An example of real web services: Amazon
(1-16)

Example Making the Public Administration services real web services
(1-17)

RESTful web services: when to use them, and what alternatives exist

Lecture 2: RESTful services semantics 1

2026-03-06, 11:30 (2 hours)
Slides Restful

(2-1)

Basic features of a RESTful service: protocols, formats, methods
(2-2)

Semantics of a RESTful web service: what kind of application it is best suited for?
(2-3)

RESTful services URL structure
(2-4)

Mapping resources to URLs: the basic collection-item structure
(2-5)

Example Mapping relational structures to RESTful URLs
(2-6)

CRUD RESTful operations: the GET method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET
(2-7)

Example GET on collections: SELECT
(2-8)

Example GET on collections with a query string: SELECT * WHERE
(2-9)

Encoding of data returned by a GET and the Accept/Content-Type headers
(2-10)

The return value of GET on collections: records or keys list?
(2-11)

Example GET on item: SELECT * WHERE id = ...
(2-12)

Example GET on attributes: SELECT a WHERE id = ...
(2-13)

GET: HTTP return status
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
(2-14)

CRUD RESTful operations: the PUT method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PUT
(2-15)

Example PUT on item: global UPDATE of a specific record
(2-16)

The payload of the PUT method and the Content-Type header
(2-17)

PUT: HTTP return status
(2-18)

CRUD RESTful operations: the PATCH method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PATCH
(2-19)

Example PATCH on item: partial UPDATE of a specific record
(2-20)

Extension of PUT semantics in environments not supporting the PATCH

Lecture 3: RESTful services semantics 2

2026-03-13, 11:30 (2 hours)
Slides Restful

(3-1)

Example PUT on attributes: UPDATE of individual attributes in a specific record
(3-2)

Example PUT on collections: replacement of an entire collection
(3-3)

CRUD RESTful operations: the POST method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST
(3-4)

Example POST on collections: INSERT of a new record
(3-5)

The payload of the POST method and the Content-Type header
(3-6)

POST: HTTP return status and values
(3-7)

CRUD RESTful operations: the DELETE method
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE
(3-8)

Example DELETE on item: DELETE of a specific record
(3-9)

Example DELETE on collections: emptying a table
(3-10)

DELETE: HTTP return status
(3-11)

Other HTTP methods: HEAD, OPTIONS
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD
link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
(3-12)

Example HEAD on resource: metadata check
(3-13)

Example HEAD used to control resource caching
(3-14)

Example OPTIONS on a resource: allowed methods check
(3-15)

The same-origin-policy issue for services
link https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
(3-16)

How to grant access to RESTful services from outside (their domain): CORS
link https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
(3-17)

OPTIONS and CORS: the resource preflight
link https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
(3-18)

RESTful RMI-type operations
(3-19)

How to specify an object (context) and a method to be invoked thorugh an URL
(3-20)

Example The POST method used to make an RMI
(3-21)

Encoding the parameters and the return value of a method invoked via POST
(3-22)

Payload and result for the POST method: Accept and Content-Type header
(3-23)

POST for RMI: HTTP return status
(3-24)

Example RESTful RMI-type operations: GET for read methods (derived attributes)
(3-25)

Example The POST method as an alternative to GET on collections to define complex filters

Lecture 4: RESTful services security

2026-03-20, 11:30 (2 hours)
Slides Restful Security

(4-1)

The role of security in the design of RESTful APIs
(4-2)

RESTful API security techniques: Mutual TLS
(4-3)

RESTful API security techniques: HTTP Basic Authentication
(4-4)

RESTful API security techniques: Token-Based Authentication
(4-5)

The role of access tokens in API security
link https://datatracker.ietf.org/doc/html/rfc7519
(4-6)

How to exchange the access token: from base methods (query string, path) to Bearer Authorization
(4-7)

Generating access tokens: authentication schemes
(4-8)

Managing the expiration and refreshing access tokens
(4-9)

Example How to implement the login/logout technique in a RESTful service
(4-10)

RESTful API security techniques: API Keys
(4-11)

OAuth: an advanced token-based authentication system for services
link https://datatracker.ietf.org/doc/html/rfc6749
link https://datatracker.ietf.org/doc/html/rfc6750
link https://oauth.net/2
(4-12)

The benefits of OAuth: no stored credentials and scoped authorization codes
(4-13)

Actors and roles in OAuth 2
(4-14)

Tokens and codes used by OAuth 2
(4-15)

The OAuth 2 authorization flow
(4-16)

Example OAuth in the real world
link https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
(4-17)

Example The catalog case study
material REST_Specs

Lecture 5: RESTful services: a case study

2026-03-27, 11:30 (2 hours)

(5-1)

Example The catalog case study
material REST_Specs
(5-2)

Introduction to the JSON format
link https://www.json.org
(5-3)

Defining the JSON structures required by a service (or inherit them from the code!)
(5-4)

Identifying the collection-item pattern within the API
(5-5)

Defining an URL structure consistent with the API
(5-6)

Outside the pattern: when violating the standard RESTful semantic helps us to be more efficient
(5-7)

Mapping methods and payloads on URLs
(5-8)

Managing binaries correctly and effectively
(5-9)

Example The catalog case study RESTful API
material REST_Specs_RESTful

Lecture 6: JSON Schema

2026-04-10, 11:30 (2 hours)
Slides JSONSchema

(6-1)

JSON Schema: basic structure and annotations
link https://json-schema.org/specification.html
(6-2)

JSON Schema: meaning of the empty schema and "modeling by restrictions" technique
(6-3)

JSON Schema: data types
(6-4)

JSON Schema: string type and constraints
(6-5)

JSON Schema: numeric types and constraints
(6-6)

JSON Schema: object type and property specification
(6-7)

JSON Schema: object type constraints
(6-8)

JSON Schema: array type and constraints
(6-9)

JSON Schema: enumerations
(6-10)

JSON Schema: schema composition (allOf, anyOf, oneOf, not)
(6-11)

JSON Schema: schema references and modularization ($ref property)
(6-12)

Example The catalog data structure defined with JSON Schema
material Catalogo_Object.json
material Catalogo_Object_Schema.json
(6-13)

The YAML (meta) language
link https://yaml.org/spec
(6-14)

Relationships between YAML and JSON
(6-15)

YAML syntax: scalars, objects and arrays

Lecture 7: OpenAPI /1

2026-04-17, 11:30 (2 hours)
Slides OpenAPI

(7-1)

Introduction to OpenAPI 3
(7-2)

OpenAPI online tools and specification
link https://www.openapis.org/
link https://swagger.io/tools/open-source/
(7-3)

OpenAPI: basic structure
(7-4)

Example Using the Swagger editor to create an OpenAPI specification
link https://editor.swagger.io/
(7-5)

OpenAPI: info object
(7-6)

OpenAPI: tags object
(7-7)

OpenAPI: externalDocs object
(7-8)

OpenAPI: servers
(7-9)

OpenAPI: specification factorization and components object
(7-10)

OpenAPI: schema components
(7-11)

OpenAPI: parameter components
(7-12)

OpenAPI: response components
(7-13)

Example The catalog RESTful service specification with OpenAPI 3: base structure, schemas, parameters and responses
(7-14)

Presentation of the final project specifications

Lecture 8: OpenAPI /2

2026-04-24, 11:30 (2 hours)
Slides OpenAPI

(8-1)

OpenAPI: requestBody components
(8-2)

OpenAPI: securityScheme components
(8-3)

OpenAPI: endpoints: basic structure of the paths object
(8-4)

OpenAPI: parametric URLs in the paths object
(8-5)

OpenAPI: endpoint parameters (parameters)
(8-6)

Path-level and method-level parameters
(8-7)

OpenAPI: response status and corresponding content (responses)
(8-8)

OpenAPI: request content (requestBody)
(8-9)

OpenAPI: security requirements of an endpoint (security)
(8-10)

Example The catalog RESTful service specification with OpenAPI 3
material Catalogo_OpenAPI.yaml
(8-11)

Developing a RESTful service with JAX-RS
link https://eclipse-ee4j.github.io/jersey/

Lecture 9: JAX-RS /1

2026-05-08, 11:30 (2 hours)
Material JAXRS_Examples

(9-1)

Example How to create a new JAX-RS server application
material JAXRS_Base_T10
(9-2)

Configuring JAX-RS with service providers and resources: the Application class and @ApplicationPath annotation
(9-3)

Marking classes as (root) RESTful resources: the @Path annotation
(9-4)

Marking class methods to answer HTTP methods: the @GET annotation
(9-5)

RESTful output type for a method: the @Produces annotation
(9-6)

JAX-RS method return types and automatic type conversion
(9-7)

Automatic JSON encoding of complex return types: lists, maps, objects
(9-8)

Required structure for Java objects to be automatically encoded and decoded in JSON
(9-9)

The @JsonIgnore annotation used to exclude class fields from the JSON output
(9-10)

Example Creating a custom serializer for a class
(9-11)

Using the Response class to build RESTful responses
(9-12)

Returning status codes and building complex responses with the Response class
(9-13)

Handling and encapsulating exceptions: the WebApplicationException class
(9-14)

Handling exceptions: the ExceptionMapper class
(9-15)

How to inject a query parameter in a method with the @QueryParam annotation
(9-16)

The @Path annotation on methods to identify sub-resources
(9-17)

The @Path annotation with parameters
(9-18)

How to inject a URL parameter in a method with the @PathParam annotation

Lecture 10: JAX-RS /2

2026-05-15, 11:30 (2 hours)
Material JAXRS_Examples

(10-1)

Returning a binary download
(10-2)

Returning a stream: StreamingOutput
(10-3)

Implementation of REST methods: the @POST annotation
(10-4)

RESTful input type for a method: the @Consumes annotation
(10-5)

How to inject the request payload in a method
(10-6)

Data types for payloads: strings, numbers, InputStreams
(10-7)

Automatic Java bean decoding from a JSON payload
(10-8)

Example Creating a custom deserializer for a class
(10-9)

Using the UriInfo class to generate URIs to internal resources of a REST application
(10-10)

Implementation of REST methods: the @PUT annotation
(10-11)

Implementation of REST methods: the @DELETE annotation
(10-12)

How to add CORS headers and handle preflight requests with a filter
(10-13)

RESTful API and authentication: returning an authentication token (authentication header, cookie or plain payload)
(10-14)

How to define authentication-related annotations in JAX-RS
(10-15)

How to write a authentication filter in JAX-RS
(10-16)

Limit access to a RESTful method with an authentication annotation
(10-17)

Example The catalog RESTful service developed with JAX-RS
material CatalogREST_JAXRS
(10-18)

A development pattern for RESTful services: sub-resources
(10-19)

Define and return a REST sub-resource with the @Path annotation
(10-20)

RESTful design with JAX-RS: when and how to use sub-resources?