My current project is a restful API that connects to a database to retrieve data.
What should be done if the route handlers can't access the database? In such a case I would implement a middleware that sends back a global response that indicates that the API is temporarily not available.
Which status code should be returned? Internal Server Error (500) or Service Unavailable (503)?
Is it efficient if the middleware checks with each request the database connection?
Well normal people dont understand 500 or 503 . so its better to catch these exceptions in catch block and then set some appropriate message .
Also for all your database related question explore database connection use connection pooling lib such as HakariCp
Related
A Java server exposes REST services using Apache CXF 3.1.10. Trying to call a GET service with a URL longer than 8K, the service gives error.
The REST server uses JAXRSServerFactoryBean that launch a Jetty server. I can not find a way to allow the server to accept request of more than 8K.
Get requests have a query size limit, both on client and server side. (check this for details: maximum length of HTTP GET request?)
Maybe you should move to POST services. Or if you control both the client and server, you may use the request body. (That is allowed for GET requests but there are some clients/servers not supporting that)
I am currently designing a web application using AngularJS. In this I am fetching and posting data via Rest API(s) with different methods. The data I retrieving is fetched in the form of JSON.
Problem:
Issue here is, while I am using https, the data sent and received via HTTP requests can still be seen in proxy tool or traffic monitors. All the JSON can be easily read from this.
Each of my request has a token attached in it's header which takes care of authentication. However, once authorized, there is some part I don't want to be displayed in/ caught in such monitoring tools.
Question:
This data is stored in an encrypted way in database and all, however while coming via HTTP request, it is first decrypted and then sent. How can I hide/protect this data?
You can't.
If you give it to the client, then the client has to be able to see it.
If the user has configured their browser to proxy requests, then the proxy is the client.
Once the data leaves your server in an HTTP response then anyone/anything thing the user of the client wants to trust with that data can access it. You don't have control at that point.
proxy tool or traffic monitors will see https data only if the client has accepted the man-in-the-middle (MITM) by installing the ssl certificate used by the MITM:
To see the content (other than the host name) of an https connection, someone who is neither the client or the server must do a MITM.
If someone do a MITM with a certificate not trusted by the client, the client will reject the connection.
WARNING: If the server do NOT use HSTS, the person doing the MITM can do an SSLSTRIP attack if the first connection is http. In that case, the MITM do not need a trusted certificate because the connection will stay in plain text (http)
I want to save data using AngularJS and RestApi. I am sending an object in data parameter.
I tried both $http.post() direct method and $http() method , but non of these are working.
Always the error coming is "Method not allowed-405"
I am running on local machine.
Edit:
Eventually by doing some modifications like I specified "localhost:xxx" before the 'api/abc', now I am getting the error as "The requested resource does not support the http method 'POST'".
The reason is that the API you're using does not support POST requests to the URL you're trying to POST to
More info from http://www.checkupdown.com/status/E405.html below
All Web servers can be configured to allow or disallow any method. For example if a Web server is 'read-only' (no client can modify URL resources on the Web server), then it could be set up to disallow the PUT and DELETE methods. Similarly if there is no user input (all the Web pages are static), then the POST method could be disallowed. So 405 errors can arise because the Web server is not configured to take data from the client at all.
When calling a web service from Force.com, I am getting:
System.CalloutException: Web service callout failed: Unexpected
element. Parser was expecting element
'http://schemas.xmlsoap.org/soap/envelope/:Envelope' but found ':HTML'
The network guys at the other end has asked to see the full response that Salesforce is getting from their server.
Is there a way to achieve that? I have tried running with debug level 'Finest' from execute anonymous, but that yields the same little message with no further detail.
The message you are getting is because an error is generated as Saleforce is trying to parse the response is and it isn't logged unfortunately.
The parsing error is happening because instead of a SOAP message response you are getting an HTML page. This usually happens when you are accessing a service that is protected behind a firewall. Which means you may be able to see the service when browsing on your computer but remember that Salesforce is outside of your firewall and thus any communication by Salesforce to your service will be blocked.
Couple of ways to address this but this wiki topic from Salesforce best covers the options:
http://www.salesforce.com/us/developer/docs/api/Content/sforce_api_om_outboundmessaging_security.htm
The above is specific to outbound messaging but essentially the technology issues are the same.
Don't forget that Apex includes an HttpRequest Class that works as a lower layer than the SOAP APIs. You should be able to write up a test method that sends a hard-coded XML request to the server and dumps the HttpResponse so you can see it.
Adding my own best answer, based on some internet research:
You can use an external tool like Runscope as a webservice proxy to automatically forward requests and pass through responses and view the XML SOAP messages. This is not a native solution on SFDC but it does do the job.
https://www.runscope.com/
The issue is that Force.com is trying to parse a SOAP response that's actually just HTML. This happens sometimes when an error occurred server-side and the response is meant for a browser to display, rather than sending back an exception report via a properly formatted SOAP response.
If they can't figure out why they are not sending back a consumable SOAP response, then you can try using other tools (outside of Force.com) to make the same webservice call from your browser and then see what the HTML actually says on return.
I have a Silverlight client calling a WCF Service on an IIS web server. It uses the default basicHttpBinding setting for the calls. My client code has the usual Visual Studio generated proxy that is generated when using the 'Update Service Reference' menu option.
Does every call to the service using that proxy use the same connection? Or does it create a connection each time a call is made and then close it down once the reply is received? As the client is actually making a SOAP call over HTTP I just assumed that every service request had a new connection created but I want to check if that is the case?
(I need to know because if it creates a new connection each time then each request could end up at a different server because there are several servers being load balanced. It is uses a single connection for the duration of the proxy then I can assume they all end up at the same machine and so cache state information for better performance.)
You have to differ between connection and session. Connection allows you calling the server. Session allows you maintaining state among subsequent requests from the same client. Application session for example allows using server side caching. First of all BasicHttpBinding does not support session.
HTTP 1.1 specification describes that each connection should be opened as persistant. When you call first HTTP request to a new server, a persistant connection is established and it remains opened for subsequent calls to the same server. If you do not call the server again it is closed after some timeout. Persistant connection openning and closing is handled internally and it is fully transparent to developers.
Persistant connections are used by all browsers and HTTP APIs including .NET HttpWebRequest and so all HTTP based bindings. You can demand that new connection is created and closed for each request/response by creating custom binding with HTTP transport channel and property KeepAliveEnabled set to false. It will add additional overhead because new TCP connection will be established for each request/response. Establishing TCP connection is time consuming operation.
Persistant HTTP connection is not related to WCF application session. WCF session is by default handled between single service proxy instance and single service instance. All subsequent calls from the same proxy instance are handled by the same service instance (PerSession instancing). WCF application session is built on top of any other session - connection, security, reliable. BasicHttpBinding does not support any of these session types so it can't use WCF application session (and PerSession instancing). Each request for service exposed on BasicHttpBinding is by default handled by new service instance (PerCall instancing).
By HTTP specification the client should be able to open only two concurrent persistant HTTP connections to the same server. Persitant HTTP connections are shared for all service proxies calling the same server from the same client machine in the same period of time. Moreover single proxy instance can call the service from many different connections if long period of time elapses among calls. Those are reason why persistant HTTP connection can't be used as connection session. HTTP is not connection oriented - it only allows reusing connection for performance reasons.
The inactivity timeout of persistant HTTP connection in WCF is 100 seconds. I have found this timeout by measuring in Procmon. I have unanswered question about setting this timeout to different value.
When you are using load balancing you can't also rely on connection. The persistant HTTP connection is opened between client and load balancer. But it is responsibility of the load balancing algoritm to select processing server. In case of BasicHttpBinding it can be simple Round Robin because processing servers will not use any kind of session. In case of session oriented binding you have to use some algoritm with session affinity (sticky sessions) which will forward all requests from the same session to the same server so the same service instance can handle them. But it is not the case of BasicHttpBinding.