I have separate application for client side which is in ReactJs and NodeJS (Express server) and Web Services in Java application running in tomcat.
My query is which is better approach in terms of making web service call.
One is making direct web service call from ReactJS and get the data.
Other one is calling web service in Express server. Request from client browser will go to Express and Express will make all web services call.
I know one issue in making direct call to web service will be cross domain policy which can be handle by setting configuration in Java server.
Apart from it what should be better approach.
From my experience it ended up better using direct calls from UI application and avoiding intermediate server.
Reason for doing this directly is that our servers ended up with a lot of restrictions based on IP addresses, and all requests have been coming from intermediate server (nodeJS server), so DDOS protection of end server had to have some exceptions (our node server which could be on ACS with dynamic IP addresses so it might be hard to manage).
Also If you want to pass and track end users IP addresses, you need to manage headers on Node server (to be sure you are passing it as it was in original request).
It is way simpler to manage this kind of situation if calls are comming from React app and simply set up CORS on java server.
Also its way easier to debug it on UI app directly, so you will be watching response logs on one place only. Other way around you could end up debugging your node server and UI app.
Hope this helps a bit.
Best way IMO is to create a router in Node js specifically for all your Java webservices and act as a proxy.
Suppose if your url pattern is like http://domain/java-ws/api then all these requests will be routed to your Java service.
If you have an Apache server directing requests to your node JS then configure url pattern proxy using proxy module.
Browsers are blocking CORS requests for a reason. You may get away by setting things on your server.
Related
I have a GAE project and I would like to make requests to an external server. The server needs to whitelist the IP address but GAE works with dynamic IP addresses and the list is too long. I have been looking at 2 options:
1. Move the GAE project to Compute Engine
My biggest concern about this is the time it would take to move the project to Compute Engine. So far we've been using App Engine for free and we would like to avoid extra costs.
2. Use our domain to make the requests
We could white list the IPs ourselves and receive requests from the GAE project to our domain and then make requests from the domain's static host IP itself to their server.
For this option I'd also like to know if transferring the domain to GAE has any advantage. Will the outgoing requests from GAE through the transferred domain be made through the domain's IP?
Note:
This is largely based on assumption, I am highly inexperienced with networking so if there's anything that could be better expressed please tell me. I tried to search online for a way to do this but couldn't get to a satisfactory answer.
You don't need to think about domains in this context, because you're whitelisting IPs, not domains. And it's not necessary to move the whole project, you need only move that part that makes this requests.
Just create a proxy on any server with a static IP, like micro instance on Google Compute, and do all requests through this server.
As I understand you do all request to the same external server, right? In this case it could be even simpler. You don't need to install a full featured proxy, just install an Nginx on a micro instance (with SSL and some authentication, of course) that will proxy all requests to the target server.
I ended up using RabbitMQ to send messages from Google App Engine to Compute Engine, the compute engine then forward those messages as Http requests.
Is it possible to prevent requests that are not using https from calling a get/post in code.
For example I am implementing a rest api with java and spring, and I would like to return a http status to the caller if they were not using https.
/api/getBlah using https would return the item, however using just http would not work and return the appropriate http status.
For an API server, I strongly encourage you to don't answer a redirect
If you do answer a redirect, if a developer make the mistake to use the http version of your API he will not see immediately that he used an insecure connexion
If you answer a "400 Bad Request", "401 Unauthorized" or a "405 Method Not Allowed" with a body explaining that only https is allowed, then the developer will immediately see the problem.
In short, answering a redirect http=>https in an API encourage bad practices.
There are a few different ways of handling this. Web Server Handling in my opinion, is the most common and makes the best use of the strengths of web servers and application serves.
Web Server Handling
As mentioned in the comments above, a common method of deploying Java web applications is to place a web server (such as apache or nginx) in front of a Java Application Server (tomcat, wildfly, jetty, etc.). The web server then proxies requests to the application server.
In a setup like this you can simply return a static response or redirect the user.. In this way, you don't need to return anything special from your own Java application. The web server does the lifting for you.
It should be noted (as in the answer from #Tom), that in the API use-case, an HTTP to HTTPS redirect is not best approach. This is more commonly
Application Server Separate Servlets
On the Java side, you could essentially create two separate web applications. The first would be configured to receive requests from the HTTP listener and would provide proper error messages or redirects. The other would be your main application and would be configured to only receive requests from the HTTPS listener.
Again responding with a static error would be best for an API.
Application Server Single Application
When a servlet handles requests, it will populate information in the ServletRequest, including information about if the requests was secure (used HTTPS). See the [ServletRequest documentation][2] and specifically the isSecure() method. You can inspect the ServletReuest within your application to determine the appropriate way of responding to the request.
Don't Answer
You can also simply configure your webserver/app server to not listen for HTTP requests. You'll miss the change to provide a sensible error to the user, but you'll achieve the affect of not allowing any requests over HTTP.
I'm starting to develop what should become a client-server Application using Hibernate, Spring and Eclipse RCP (for the client). This is the first time I'm designing an application from the beginning so I'm just making my first steps.
I have set up Spring on both client and server using RMI for remoting (but I wouldn't mind using something else if there was a clear advantage). So right now I'm able to call exposed services of the server from different clients to get information from the database. What I haven't done is get any kind of authentication in place, so basically the server just answers to the different clients without knowing anything about them, there is not concept of a session yet. Of course this has to change since I need different user to have different roll and so on, but right now the problem I'm facing is getting the server to notify the client when certain thing happen.
My idea to solve this problem was to have a queue of events at the Server and have the clients get them every 3 second or so. The server would then identify the client by it's session token and send the appropriate events. Yet my partner in this project is concerned that this technique (polling) might waste too much bandwidth unnecessarily.
So to bring it to the point. What are the standard techniques for a server to notify a client about changes using Spring? Please notice that I'm not developing a web application and that this is only intended to be used withing a private network. That is one of the difficulties I've been facing: every single tutorial about Spring security or remoting assumes you are making a web application, but I really don't want to get lost into the details of Spring MVC and web applications in general.
Any resources would be appreciated. A good and long tutorial on the matter would be great.
EDIT: Hmm, it looks like JMS might be what I'm looking for.
As I understand, the issues you are facing is identifying a client in request and correlate different client request i.e. have something like a session.
Spring also support RMI over HTTP protocol (Using Hessian and its own HTTP Invokers). Check out this link (Section 17.3). Now once you have transport as HTTP, it has inherent Basic Authentication and session which can be leveraged to get around the issues you are facing.
This is just a pointer. I would be curious to know how eventually you resolved your problem.
We are seeing Spring in school right now but we don't have the time to wait till the end of the semester to start developing an application. We continue using an app we made last year, and are writing the service layer right now.
The problem is our "client" wants to have a desktop client and a webpart, which used the same dtatabase. This would be no problem if we hook up a server that can handle RMI. So basically we want to be able to retrieve/send data to the server that runs our service layer, and use the objects on the client side as well.
I have no idea where to start digging in Spring to figure out how to do this, so some help would be appreciated.
PS: At this point I do not need MVC yet. MVC is handled from within the desktop app where we have views and controllers.The model is the same from the one on the service layer. How do we use the same model without copying it?
Check out spring remoting: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/remoting.html
It's easy to expose your spring beans remotely, using a variety of protocols.
You might want to take a look at the REST paradigms. With this in mind you could have a web server running your server part of the application and communicating with clients through the HTTP protocol. A simple client could be a webpage in the browser which gets the corresponding HTML pages from the server, or a Swing client which communicates over JSON with the server.
The server can implement different methods for JSON or HTML communication and the server can decide what implementation to use by looking at the Accept Header of the Request objects sent to it, that's what they call Content Negotiation
JSR-311 is implemented as Project Jersey which is a framework for RESTful webservices. You might want to take a look at that.
hope that helped
I would like to create a touch screen application.It will be a windows application, so using that how can i get data from a web server?
There are several methods.
Your server can create scripts/webpages to return data in XML or JSON format upon request, and your windows application will have to make HTTP requests to your scripts/web server, retrieve and parse to get the data.
Make sure to protect your data which are requested from the web to prevent other unintended use.
You can also directly connect to the database (depending whether your database supports remote connection or not...)
Using a webserver is usually totally independent from the clients operating system. It may be tricky if the webserver provides service and entity beans and you rich client is written in C/C++ language.
But there are several protocols where you do not have to care. If your application is a thin client (browser interface), I suggest having a look at REST. For rich clients you can use SOAP to talk with your server.
Of course, the server has to provide the data for the chosen protocol...