RESTful service support. Should I use Pragma, Cookies, a custom header or something else to identify client sessions and transactions?

Problem

We build SOA with a RESTful approach to services. Once the systems are in production, we will have many customers consuming the interface, including internal and third-party systems.

We would like to be able to echo in the response information provided by the client application, for example:

  • Session identifier - it may be a Java EE session identifier or something specific to the client; this is useful for the support team when debugging client problems, to track them across all our systems.
  • Transaction ID - a unique request identifier that we can return to the client to help it correlate request and response, if it invokes the service asynchronously or if we implement the 202 Accepted style for long-running processes.

Potential solutions

Thus, adhering to RESTful constraints, we must use HTTP to implement this, and there are several options we could implement.

  • Pragma header - implement Pragma extensions for the transaction identifier, session identifier, etc. This seems like the purist solution, because it uses a standard HTTP header, although I would be concerned that it becomes a dumping ground for everything we cannot be bothered to think about properly.
  • X-My-Header - a custom header for each required field. A proxy can strip it, and it is not basic HTTP, so it feels anti-REST.
  • In the query string or in the XML / JSON representations - add fields to all our resources. Since this is an operational parameter, it seems it should be represented as metadata, not as part of the resource.
  • Cookies - use Cookie and Set-Cookie to store custom key-value pairs; handy for session identifiers, as most implementations already use cookies. They would need to be forwarded every time to maintain correlation on the client side, which rather defeats the point of using a cookie.

Questions

Is there a precedent for this? Are we crazy? Is there anything obvious I have missed in all my research? Does anyone really care how they support their services after they are deployed? Should I just shut up and go away?

I hope someone can help.

PS Sorry if this is a bit of an essay; the tip said "be specific"....

+6
2 answers

Oh, it's a pain. I've been there too.

Well, the idea of metadata for transactions, sessions, etc. is a good one. For logging, at least.

The problem is setting it up in a way that matches the various corporate policies and SOA infrastructure.

There is a direct connection between the best design and maximum interoperability in the case of HTTP.

The safe way is to encode the metadata in the message itself. Not very nice, and the solution looks a bit like SOAP, where you have an envelope with headers for all messages.

I ended up using X-headers for information such as the transaction id. However, as you mentioned, proxies, B2B gateways, etc. can drop headers, and it is not obvious that you can recover them with all the assigned development frameworks, COTS applications, etc. Therefore, if you go that way, you should avoid making the metadata mandatory for the solution to work; it should just be "nice to have".

Cookies are nothing but pain. They can be annoying or sometimes even useful when interacting with a browser, but in an SOA scenario this would be a bad idea. Many things can go wrong, and it's a pain to debug across organizations.

I would also avoid using query strings together with POST or PUT data. This is possible according to the HTTP specifications, but not when it comes to arbitrary implementations.

+2

You can use a GUID: let the client generate it and pass it as part of any request that starts a workflow / business process. This GUID can then be used to correlate between the several components involved in the workflow.

0
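An added example (not code from either answer or from the original question) that combines the two answers above: a client-generated GUID is read from an optional custom header, the message body is used as a fallback in case a proxy has stripped the header, and the server mints its own id when neither is present, so the metadata stays "nice to have" rather than mandatory. The header and body field names are assumptions for this example; ids are validated as UUIDs before use so that free-form client input never reaches the correlation logs.

```python
import json
import uuid

# Header and body field names are assumptions for this example, not names
# taken from the question or the answers.
TXN_HEADER = "X-Transaction-Id"
SESSION_HEADER = "X-Session-Id"
BODY_TXN_FIELD = "transaction_id"


def _valid_uuid(value):
    """Return the canonical UUID string, or None for anything that is not a UUID.

    Rejecting free text here keeps attacker-chosen strings (newlines, log
    separators) out of the support team's correlation logs.
    """
    try:
        return str(uuid.UUID(str(value)))
    except (ValueError, AttributeError, TypeError):
        return None


def resolve_metadata(headers, body):
    """Pick transaction and session ids from a request without requiring either.

    headers: dict of request headers (looked up case-insensitively)
    body:    raw JSON request body as str/bytes, may be empty
    Returns (transaction_id, session_id, generated); `generated` is True when
    the server had to mint the transaction id because the client sent none
    (or sent an invalid one, or a proxy dropped the header).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    txn = _valid_uuid(lower.get(TXN_HEADER.lower()))
    if txn is None and body:
        # Fallback: the id may also travel inside the message itself.
        try:
            txn = _valid_uuid(json.loads(body).get(BODY_TXN_FIELD))
        except (ValueError, AttributeError):
            txn = None
    generated = txn is None
    if generated:
        txn = str(uuid.uuid4())
    session = _valid_uuid(lower.get(SESSION_HEADER.lower()))
    return txn, session, generated


def response_headers(transaction_id, session_id):
    """Echo the ids back so the client can correlate an async or 202 response."""
    out = {TXN_HEADER: transaction_id}
    if session_id:
        out[SESSION_HEADER] = session_id
    return out
```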

Source: https://habr.com/ru/post/922856/
