Hi All,
We are developing a REST API for API Manager for making it easy to use API
Management operations. We have already discussed security and other
implementation details in previous mails. This thread is to discuss its
validation model.
*Problem:*
In the traditional approach we need to write code per method to do
validation. That opens the door to a few other problems:
- Readability issues
  - Methods can become longer due to validation related code. It would
    not be easy to separate and understand validation related logic and
    actual implementation logic.
- Re-usability issues
  - We might have to duplicate similar validations among different
    methods. This can introduce bugs when adding new validations etc. and
    it is difficult to change an existing validation.
*Suggested Solution:*
We are planning to use Hibernate Bean validation [1] released under Apache
Licence version 2, which is one of the implementations of the Bean Validation
1.1 specification [2]. There we are allowed to validate parameters of
methods and objects using annotations. We can use that to validate REST API
calls when they are mapped to Java methods and objects by CXF.
For example, we will not allow a user to POST an API without API name,
version and context. Here we put the *@NotNull* annotation before each of the
name, version and context parameters of the API DTO. Please see the code [3].
There are other in-built validators such as *@Size, @Min/Max, @Pattern* which
we can easily use.
It is also possible to write our own logic and define custom validator
annotations. [4,5] is one we have already implemented to validate the apiId
parameter. It checks whether it matches either a UUID or the
{provider}-{name}-{version} template.
Validation annotations are processed using a CXF Interceptor once the
authentication and authorization layers' processing is completed. If it
detects any violations, it will collect all the violations in the request
made by the client and send them back as a list of errors in the response
payload.
*Advantages:*
- Once we have implemented a validator, we can easily reuse it in other
  resources and methods using annotations. They can even be used in other
  products' APIs, if we could manage those validations in a central place.
- Code becomes clean as we do validation in a separate layer of
  processing. Actual implementation methods do not need to contain any
  validation code.
- Once we have defined a set of validations using annotations, they can
  be easily injected into code by code generation. We will be adding
  annotations from the code generator [6] based on the swagger schema of the
  API.
Please feel free to give your feedback on this.
Thank you.
Malintha
[1] http://hibernate.org/validator/
[2] http://beanvalidation.org/1.1/
[3] https://github.com/wso2/carbon-apimgt/blob/release-1.10.x/components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher/src/gen/java/org/wso2/carbon/apimgt/rest/api/publisher/dto/APIDTO.java
[4] https://github.com/wso2/carbon-apimgt/blob/release-1.10.x/components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/validation/ApiIdValidator.java
[5] https://github.com/wso2/carbon-apimgt/blob/release-1.10.x/components/apimgt/org.wso2.carbon.apimgt.rest.api.util/src/main/java/org/wso2/carbon/apimgt/rest/api/util/validation/constraints/ValidateApiId.java
[6] https://github.com/hevayo/swagger2cxf-maven-plugin
--
Malintha Amarasinghe
Software Engineer
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/
Mobile : +94 712383306
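
An added example, not part of the original message and not the ApiIdValidator linked in [4]: a Bean Validation 1.1 custom constraint for the UUID-or-{provider}-{name}-{version} check described above, with all violations on a DTO collected in one pass. The type names, the per-segment character allow-list and the 64-character limit are assumptions; it needs a Bean Validation implementation such as Hibernate Validator (plus an EL implementation) on the classpath.

```java
// Added example, not WSO2 code; all type names are hypothetical.
import java.lang.annotation.*;
import java.util.regex.Pattern;
import javax.validation.*;
import javax.validation.constraints.NotNull;

@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SampleApiIdValidator.class)
@interface SampleApiId {
    String message() default "apiId must be a UUID or provider-name-version";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class SampleApiIdValidator implements ConstraintValidator<SampleApiId, String> {
    // matches() must consume the whole input, so trailing characters are rejected.
    private static final Pattern UUID_FORM = Pattern.compile(
        "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}");
    // Assumption: each segment is 1-64 chars from an allow-list (no '-', '/', whitespace).
    private static final Pattern TRIPLE_FORM = Pattern.compile(
        "[A-Za-z0-9_.@]{1,64}-[A-Za-z0-9_.@]{1,64}-[A-Za-z0-9_.]{1,64}");

    @Override public void initialize(SampleApiId annotation) { }
    @Override public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null) return true; // null is left to @NotNull, per Bean Validation convention
        return UUID_FORM.matcher(value).matches() || TRIPLE_FORM.matcher(value).matches();
    }
}

class SampleApiDto {
    @NotNull String name;
    @NotNull String version;
    @NotNull String context;
    @SampleApiId String apiId;
}

public class ValidationDemo {
    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        SampleApiDto dto = new SampleApiDto();      // constructed input: name and context missing
        dto.version = "1.0.0";
        dto.apiId = "admin-PizzaShack-1.0.0\n";     // constructed: valid id plus trailing newline
        // validate() returns every violation at once, ready to map to an error list.
        for (ConstraintViolation<SampleApiDto> v : validator.validate(dto)) {
            System.out.println(v.getPropertyPath() + ": " + v.getMessage());
        }
    }
}
```

Using `matches()` with a strict character class keeps newlines and path separators out of an identifier that may later be logged or used in lookups.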