Fiddler - error when simulating modem speeds with Web Services - web-services

I have an application that pulls data from several web services.
The application is correctly using fiddler as a proxy for all these web service requests, and everything works as it should.
I would like to simulate the web services servers being slow, so I enabled "Simulate Modem Speeds" in fiddler (without modifying the default rules file). Now most of the responses I get back are:
ReadResponse() failed: The server did not return a response for this request.
If I disable the "Simulate Modem Speeds", everything works fine again.
Is there a way to get this to work, or a better way to simulate a web services response being slow?

Uh, it certainly sounds like your webservice is configured to time out if it doesn't get a given request within a certain period of time, suggesting that the simulation has, in fact, turned up the sort of problem you'd want to be testing for.
If you want to adjust the "slowness", edit the Rules > Customize Rules file. Search for modem to see the latencies.
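Another way to make a web service slow for testing, without a proxy, is a stub endpoint that delays its response. The following is an added example, not part of the original question or answer; the names `make_slow_server` and `call_service`, the `/service` path and the `<ok/>` body are hypothetical.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_slow_server(delay_s):
    """Start a local stub service that waits delay_s seconds before answering."""
    class SlowHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            time.sleep(delay_s)              # latency before the first response byte
            body = b"<ok/>"                  # constructed sample payload
            try:
                self.send_response(200)
                self.send_header("Content-Type", "text/xml")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            except OSError:
                pass                         # the client already gave up and closed

        def log_message(self, *args):        # keep test output quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), SlowHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def call_service(port, timeout_s):
    """Call the stub the way a client with a read timeout would."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout_s)
    try:
        conn.request("GET", "/service")
        resp = conn.getresponse()            # raises socket.timeout if no reply in time
        return resp.status, resp.read()
    except socket.timeout:
        return "timeout", None
    finally:
        conn.close()
```

With a 0.5 second delay, a client timeout of 0.1 seconds gets no response at all, while a 3 second timeout receives the body; call `server.shutdown()` when done.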

Related

Restful service in web application

I am new to RESTful webservice. Whatever I have read over the internet about RESTful webservice, I came to know that REST works similar to servlet + webservice.
Our traditional webservice looks like JSP-> Servlet -> Service -> DAO -> Database.
Will REST replace Servlet in this hierarchy?
My ultimate goal is that my web application should support mobile application and normal browser also. Is it a good idea to use REST in that case? If not, in what situation should we use REST?
I hope my question is clear.
Please help me.
Thanks in advance.
There are many ways we can achieve Machine to Machine communication.
Web services also help communicating between applications made in different platforms.
For example a .net GUI can call a java server side program for data.
REST is one of that kind, based on HTTP protocol.
SOAP web service is heavy weight (using lots of XML) whereas REST is simple and you can expose any of your APIs simply using REST.
A service exposed as a REST service can be invoked by a client using one of the HTTP verbs GET, POST, PUT, and DELETE with their meaning same as in HTTP.
RESTful Web Services expose the state of its resources.
An 'Employee' data can be queried and represented in any format (Json, XML ...) using REST.
REST won't replace the Servlet in your hierarchy; actually the HTTP based REST methods are written on these servlets.
Please go through this URL : http://docs.oracle.com/javaee/6/tutorial/doc/gijqy.html
Using REST is not related to browser experience on mobile or other devices. It totally depends on the client side technology used and your browser compatibility with those technologies.
Using REST is a good idea to access data at client side using simple AJAX calls.
REST means Representational State Transfer. It is a way of thinking about architecting network communication between client and server, with the focus being on transferring a resource from server to client and back again.
To understand the significance of this first consider a different architecture, Remote Procedure Call. This is where the client calls a function on the server as if the function existed on the client.
So you want to edit a photo that exists on the server. Your client is a photo editing app that uses RPC to achieve this. You want to blur the photo so your client calls the blur() function using RPC, and the server blurs the image and sends back the updated image. Then you want to rotate the image, so your client calls the rotate() function and the server rotates the image and sends the rotated image to your client.
You might have noticed two issues. Firstly, every time you carry out an action on the photo the server needs to do some work and send you back the updated image. This uses a lot of bandwidth.
Secondly what happens if tomorrow the server developers (who might be nothing to do with the client developers) decide that rotate() is the wrong function name, it should really be rotate_image(), and they update the server. Your client continues to call rotate() but this now fails because such a function doesn't exist on the client.
REST is an alternative way of thinking about client/server communication. Instead of telling the server to carry out an action on the resource (eg rotate the photo), why doesn't the client just get a representation of the resource and carry out all the actions it wants to (blur, rotate etc) and then send the new state of the resource back to the server?
If you did it this way the protocol to communicate between client and server can be kept very simple and will require very few updates. All you need is functions for the client to get the resource and functions to put it back on the server. The client will have to know how to blur the image and rotate the image, but it doesn't need to know how to tell the server to do this, it just needs a way of telling the server to save the updated image.
This means that the developers of the client can work away implementing new features independently to the developers of the server. Very handy if the developers of the client are nothing to do with the server (the developers of Firefox have nothing to do with the New York Times website and vice versa).
HTTP is one such protocol that follows this architecture pattern and it allows the web to grow as it has. There are a small set of verbs (functions) in HTTP and they are concerned only with transferring a representation of the resource back and forth between client and server.
Using HTTP your photo client simply sends a GET message to the server to get the photo. The client can then do everything it wants to to the photo. When it is finished it sends the PUT message with the updated photo to the server.
Because there are not domain specific actions in the protocol (blur, rotate, resize) this protocol can also be used for any number of resources. HTTP doesn't care if the resource is a HTML document, a WAV file, a Javascript script, a PNG image. The client obviously cares because it needs to understand the resource it gets, and the server might care as well. But the protocol between the client and server doesn't need to care. The only thing HTTP knows is that there is a variable Content-Type in the HTTP header where the server can tell the client what type of resource this is.
This is powerful because it means you can update your client independently to updating your server without updating the transfer protocol. HTTP hasn't been updated in years. HTML on the other hand is updated constantly, and web servers and web browsers are updated constantly (Chrome is on version 33). These updates can happen independently to each other because HTTP never (rarely) changes.
A web browser from 10 years ago can still communicate with a modern web server over HTTP to get a resource. The browser might not understand the resource, say it gets a WebM video that it can't understand, but it can still get this resource without the network communication failing.
Contrast that with the example of RPC above where the client server communication will break if the server changes rotate() to rotate_image(). Every single client will have to be updated with this new function or they will crash when trying to talk to the server.
So REST is a way of thinking about client server communication, it is an architecture design/pattern. HTTP is a protocol that works under this way of thinking that focuses on simply transferring state of a resource between server and client.
Now it is important to understand that historically a lot of people, including web developers, didn't get this. So you got things like developers putting verbs into resource names to try and simulate Remote Procedure Call over HTTP. Things like
GET http://www.mywebsite.com/image/blur_image
And they would hard code the URI /image/blur_image into their client and then try and make sure the guys developing the server never changed the URI blur_image. You get back to all problems of RPC. As soon as the server guys move the resource blur_image (which is not really a resource to start with) to /image/blur_my_image the client falls over because it has that hard coded as an action to perform, rather than simply getting /image and doing whatever it wants to it.
So there are a lot of examples on the web of doing REST wrong. Anything that tightly couples client and server communication is doing REST wrong. Your client should be able to survive URIs changing, or Content-Types being updated, without falling over. It can complain it doesn't understand a resource (eg Netscape Navigator 2.0 complaining it has no idea what a HTML5 document is), but it should complain that a URI has changed. This is the discoverability aspect of REST, which I haven't gone into too much, but basically your client should be able to start at the root of the server http://www.mywebsite.com and if it understands the content types it should be able to continue on to the resource it wants. You should never need to hard code a URI into your client other than the root of the server.
I could write a book about this stuff (and many have), but I hope that serves as a good introduction about what REST actually is.
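The GET, edit locally, PUT cycle and the "hard code only the root URI" rule described in the answer above can be seen side by side in a small simulation. This is an added example, not code from the answer; the in-memory "servers", the link relation names `photos` and `holiday`, and the text "image" are all constructed for illustration.

```python
import copy

# Constructed resource trees: v2 is the same service after its URIs were moved.
SERVER_V1 = {
    "/": {"links": {"photos": "/image"}},
    "/image": {"links": {"holiday": "/image/42"}},
    "/image/42": {"type": "text/x-pixels", "body": "ab\ncd"},
}
SERVER_V2 = {
    "/": {"links": {"photos": "/media"}},
    "/media": {"links": {"holiday": "/media/items/42"}},
    "/media/items/42": {"type": "text/x-pixels", "body": "ab\ncd"},
}


def http_get(server, uri):
    if uri not in server:
        raise LookupError("404 Not Found: " + uri)
    return copy.deepcopy(server[uri])    # the client gets a representation, not the original


def http_put(server, uri, representation):
    server[uri] = representation         # the server just stores the new state


def resolve(server, rels, root="/"):
    """Walk link relations from the root; only the root URI is known in advance."""
    uri = root
    for rel in rels:
        uri = http_get(server, uri)["links"][rel]
    return uri


def rotate(body):
    """Client-side edit: rotate a text 'image' 90 degrees clockwise."""
    rows = body.split("\n")
    return "\n".join("".join(col) for col in zip(*rows[::-1]))


def edit_photo(server, hard_coded_uri=None):
    """GET the photo, edit it locally, PUT the new state back; return the URI used."""
    uri = hard_coded_uri or resolve(server, ["photos", "holiday"])
    photo = http_get(server, uri)
    photo["body"] = rotate(photo["body"])
    http_put(server, uri, photo)
    return uri
```

The link-following client works against both versions, while `edit_photo(SERVER_V2, "/image/42")` raises `LookupError` because the hard-coded URI no longer exists.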
@javafan I just checked the mykong example you provided. Please note that that is not a standard HTTP servlet implementation; it is a Jersey way of implementing REST. So when you map all your URIs to go through this servlet, com.sun.jersey.spi.container.servlet.ServletContainer, and you write classes with annotations such as @path etc., the Jersey runtime environment will do the necessary processing for you, like converting the input and output objects to the necessary formats (json, xml etc.) depending on your configuration. You can write a simple servlet and add methods in it with the @path annotation, and they will be invoked in turn when you make the corresponding request. But the doGet and doPost methods are standard servlet methods that process GET and POST methods by default. You can add other methods to the same servlet and add more qualifiers to process your request:
@GET, @Produces("xml") etc.
I hope this helps.

Will HTTPS Authentication Slow My Application?

I am building a web application and RESTful web service.
I have been reading various articles about the best way to authenticate the requests to the web service.
The best option for me seems to be to use HTTP basic authentication. Pretty much every article I've read says that authentication should be encrypted over SSL or equivalent.
I'm not totally sure what this involves. Does this mean that my whole web service will have to be on a secure server? Will this slow things down?
This really depends on how much data is being transferred and the amount of hits your service is getting. Encrypting the data will increase processing time and typically the amount of information transferred. However, if you choose basic authentication without SSL and there is a user running a packet sniffer on your network, it is almost like yelling your credentials across the room. It is possible to switch between HTTP and HTTPS by configuring your .HTACCESS if you'd like. See the link below:
Correctly switching between HTTP and HTTPS using .htaccess
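Why Basic authentication needs TLS, and how a service can refuse to handle it without TLS, shown as an added example that is not part of the original answer. The WSGI middleware name `require_basic_over_tls`, the helper names, the realm and the sample account are hypothetical.

```python
import base64
import hmac

# Constructed sample account; a real service would store password hashes.
USERS = {"alice": "correct horse"}


def parse_basic(header):
    """Decode an 'Authorization: Basic ...' value into (user, password), or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # Base64 is an encoding, not encryption: anyone who sees the header gets this.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                   # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def require_basic_over_tls(app):
    """WSGI middleware: credentials are only requested and accepted over HTTPS."""
    def guarded(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # No WWW-Authenticate challenge here, so clients are not prompted
            # to send the password over plain HTTP.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"HTTPS required\n"]
        creds = parse_basic(environ.get("HTTP_AUTHORIZATION", ""))
        expected = USERS.get(creds[0]) if creds else None
        if expected is None or not hmac.compare_digest(
                creds[1].encode(), expected.encode()):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="api"')])
            return [b"authentication required\n"]
        environ["REMOTE_USER"] = creds[0]
        return app(environ, start_response)
    return guarded


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ["REMOTE_USER"].encode()]


def status_for(scheme, header=""):
    """Run one constructed request through the guarded app; return its status line."""
    seen = []
    environ = {"wsgi.url_scheme": scheme, "HTTP_AUTHORIZATION": header}
    require_basic_over_tls(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` only reflects the original scheme if the proxy and WSGI server are configured to pass it through.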

Duplicate Soap Requests

We are upgrading from 10.0 to 10.3.6. Our web app is running in a DMZ and uses .jar files created with clientgen to invoke JAX-RPC web service operations deployed on our internal network by going through an XML firewall. My problem is that the XML firewall is behaving as though the HTTP request to invoke the web service operation was sent twice, when as near as I can tell it was only sent once. I set the following properties to view the soap traffic:
-Dweblogic.wsee.verbose=*
-Dweblogic.log.RedirectStdoutToServerLogEnabled=true
Unfortunately I don't have access to the XML firewall but I have been able to get the log entries for my service endpoints. I can see that it reports receiving duplicate requests but for the life of me I don't know how this can be happening. This does not happen when the web service clients are running on version 10.0.
I've tried everything I can think of to troubleshoot this problem. I'm hoping somebody here can offer up some suggestions or perhaps tell me if this is a known issue.
You could use TCP Monitor to intercept the SOAP traffic between your server and the firewall.
This way you can tell if the requests are being sent twice or if there is some internal issue with the firewall.
Also, after you intercept the requests, you can use again TCP Monitor or SOAP UI to re-send the request to emulate the webserver and debug the firewall.

Redirect outgoing HTTPS request to an HTTP fake service?

My title might be overly specific - I'm having trouble formulating the question, since I haven't dealt with network administration a lot, and especially not SSL / HTTPS. In other words, the answer to "Why haven't you done . . ." is likely to be, "I don't know much about ...."
I am testing, and the System Under Test (SUT) is a web service calling into the Facebook API using https://graph.facebook.com.
I have a test server set up on a remote machine that will serve pages to http://graph.facebook.com. I can use the hostfile on the SUT server to redirect requests to http://graph.facebook.com to the test server. This works fine when I then type:
curl http://graph.facebook.com
The test server receives the request, and serves back the expected page.
However, as mentioned before, the SUT isn't using the HTTP site, but the HTTPS site for the Facebook API (naturally). Is there any way I can intercept the outgoing request and redirect it to the HTTP service that I'm running on the other site? I'd like to be able to type:
curl https://graph.facebook.com
and have it be redirected to the fake Facebook service I'm running on the test server. I can configure the servers at both ends.
If this is very difficult, I might also want to put in a feature request for the ability to change the URL for the Facebook API requests. However, I think the dev is using a pre-existing Facebook API module, and this might not be straight-forward. (Okay, I got curious and checked . . . a quick investigation suggests that the API supports data injection of the code that handles the actual HTTPS requests, so he'd have to implement his own version of the interface so that he could pass in a configurable URL that I could set from outside of the code - but I'd still rather not distract him unless it's really necessary).
I'm using an asis-server on port 80 to fake the Facebook responses, if that is relevant.
The solution we ended up using was a service on the test server that intercepted the HTTPS requests and redirected them to the HTTP service. Our ops person used nginx for this.
We're still not sure if this will work as a mock for the SUT - it depends on if the SUT is verifying the certificate information or ignoring it. I still might need to ask the developer to implement a feature to support mocking.

Is it inadvisable to use http traffic analysis to build a meta web service / pseudo-api?

I've been looking at http traffic analyzers which are browser addons that monitor and analyze all incoming and outgoing HTTP traffic between the browser and whatever web server you're connecting to.
The types of information available per request include:
* Request and response headers
* Sent and received cookies
* Querystring parameters
* POST parameters
* Response body
My question is whether it makes sense to use this to build a web service.
What I am interested in is using Windows SkyDrive - which offers 25GB of storage per user account - as a storage solution for my web app.
So what I am considering is using HTTP traffic analysis to figure out how to get my web app to mimic a browser interacting with my SkyDrive account.
Is this a bad solution? I have a feeling one of two things could happen quickly:
* Microsoft figures out that these are automated requests and shuts down my SkyDrive account and deletes the data.
* Microsoft changes the authentication front-end regularly, requiring me to repeatedly reprogram the portion of my service that interacts with SkyDrive.
Has anyone tried something like this and encountered difficulties? I would like to hear some feedback on whether this is likely to be worth the effort or not.
What you want to do is probably possible, technology wise. But is it allowed under the terms of service of SkyDrive? And what is the worst case scenario if they do change their protocols? Will you be trying to run a business off this data? Have you considered using something like Amazon's Simple Storage Service, which is designed to accommodate exactly what you want to do? Why waste your time reverse engineering the SkyDrive protocol?