Sviluppo Web Avanzato

Lectures Log - A.Y. 2025/2026

Lecture 1: Introduction to (RESTful) web services

2026-02-27, 11:30 (2 hours)
Slides WS-Rest

• (1-1)

  Course presentation
• (1-2)

  Why (web) services are an effective way to develop software
• (1-3)

  The distributed (web) services story: from RPC to RESTful
• (1-4)

  Course topics: RESTful web services
• (1-5)

  Example RESTful services as an extension to standard web applications
• (1-6)

  Example RESTful services as a base for client-side applications like SPA (Angular, React, etc.)
• (1-7)

  Example RESTful services as a base for mobile apps
• (1-8)

  Course topics: RESTful web services design
• (1-9)

  Course topics: RESTful web services implementation (Java, PHP)
• (1-10)

  Course topics: RESTful clients implementation (Java, PHP, Javascript)
• (1-11)

  Web services and Web 2.0
• (1-12)

  What web services really are?
• (1-13)

  What is the role of web services in web 2.0?
• (1-14)

  Example Analysis of some services published by the Public Administration on the web
• (1-15)

  Example An example of real web services: Amazon
• (1-16)

  Example Making the Public Administration services real web services
• (1-17)

  RESTful web services: when to use them, and what alternatives exist

Lecture 2: RESTful services semantics 1

2026-03-06, 11:30 (2 hours)
Slides Restful

• (2-1)

  Basic features of a RESTful service: protocols, formats, methods
• (2-2)

  Semantics of a RESTful web service: what kind of application it is best suited for?
• (2-3)

  RESTful services URL structure
• (2-4)

  Mapping resources to URLs: the basic collection-item structure
• (2-5)

  Example Mapping relational structures to RESTful URLs
• (2-6)

  CRUD RESTful operations: the GET method
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET
• (2-7)

  Example GET on collections: SELECT
• (2-8)

  Example GET on collections with a query string: SELECT * WHERE
• (2-9)

  Encoding of data returned by a GET and the Accept/Content-Type headers
• (2-10)

  The return value of GET on collections: records or keys list?
• (2-11)

  Example GET on item: SELECT * WHERE id = ...
• (2-12)

  Example GET on attributes: SELECT a WHERE id = ...
• (2-13)

  GET: HTTP return status
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
• (2-14)

  CRUD RESTful operations: the PUT method
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PUT
• (2-15)

  Example PUT on item: global UPDATE of a specific record
• (2-16)

  The payload of the PUT method and the Content-Type header
• (2-17)

  PUT: HTTP return status
• (2-18)

  CRUD RESTful operations: the PATCH method
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PATCH
• (2-19)

  Example PATCH on item: partial UPDATE of a specific record
• (2-20)

  Extension of PUT semantics in environments not supporting the PATCH

Lecture 3: RESTful services semantics 2

2026-03-13, 11:30 (2 hours)
Slides Restful

• (3-1)

  Example PUT on attributes: UPDATE of individual attributes in a specific record
• (3-2)

  Example PUT on collections: replacement of an entire collection
• (3-3)

  CRUD RESTful operations: the POST method
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST
• (3-4)

  Example POST on collections: INSERT of a new record
• (3-5)

  The payload of the POST method and the Content-Type header
• (3-6)

  POST: HTTP return status and values
• (3-7)

  CRUD RESTful operations: the DELETE method
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE
• (3-8)

  Example DELETE on item: DELETE of a specific record
• (3-9)

  Example DELETE on collections: emptying a table
• (3-10)

  DELETE: HTTP return status
• (3-11)

  Other HTTP methods: HEAD, OPTIONS
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
• (3-12)

  Example HEAD on resource: metadata check
• (3-13)

  Example HEAD used to control resource caching
• (3-14)

  Example OPTIONS on a resource: allowed methods check
• (3-15)

  The same-origin-policy issue for services
  link https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
• (3-16)

  How to grant access to RESTful services from outside (their domain): CORS
  link https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• (3-17)

  OPTIONS and CORS: the resource preflight
  link https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
• (3-18)

  RESTful RMI-type operations
• (3-19)

  How to specify an object (context) and a method to be invoked thorugh an URL
• (3-20)

  Example The POST method used to make an RMI
• (3-21)

  Encoding the parameters and the return value of a method invoked via POST
• (3-22)

  Payload and result for the POST method: Accept and Content-Type header
• (3-23)

  POST for RMI: HTTP return status
• (3-24)

  Example RESTful RMI-type operations: GET for read methods (derived attributes)
• (3-25)

  Example The POST method as an alternative to GET on collections to define complex filters

Lecture 4: RESTful services security

2026-03-20, 11:30 (2 hours)
Slides Restful Security

• (4-1)

  The role of security in the design of RESTful APIs
• (4-2)

  RESTful API security techniques: Mutual TLS
• (4-3)

  RESTful API security techniques: HTTP Basic Authentication
• (4-4)

  RESTful API security techniques: Token-Based Authentication
• (4-5)

  The role of access tokens in API security
  link https://datatracker.ietf.org/doc/html/rfc7519
• (4-6)

  How to exchange the access token: from base methods (query string, path) to Bearer Authorization
• (4-7)

  Generating access tokens: authentication schemes
• (4-8)

  Managing the expiration and refreshing access tokens
• (4-9)

  Example How to implement the login/logout technique in a RESTful service
• (4-10)

  RESTful API security techniques: API Keys
• (4-11)

  OAuth: an advanced token-based authentication system for services
  link https://datatracker.ietf.org/doc/html/rfc6749
  link https://datatracker.ietf.org/doc/html/rfc6750
  link https://oauth.net/2
• (4-12)

  The benefits of OAuth: no stored credentials and scoped authorization codes
• (4-13)

  Actors and roles in OAuth 2
• (4-14)

  Tokens and codes used by OAuth 2
• (4-15)

  The OAuth 2 authorization flow
• (4-16)

  Example OAuth in the real world
  link https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
• (4-17)

  Example The catalog case study
  material REST_Specs

Lecture 5: RESTful services: a case study

2026-03-27, 11:30 (2 hours)

• (5-1)

  Example The catalog case study
  material REST_Specs
• (5-2)

  Introduction to the JSON format
  link https://www.json.org
• (5-3)

  Defining the JSON structures required by a service (or inherit them from the code!)
• (5-4)

  Identifying the collection-item pattern within the API
• (5-5)

  Defining an URL structure consistent with the API
• (5-6)

  Outside the pattern: when violating the standard RESTful semantic helps us to be more efficient
• (5-7)

  Mapping methods and payloads on URLs
• (5-8)

  Managing binaries correctly and effectively
• (5-9)

  Example The catalog case study RESTful API
  material REST_Specs_RESTful