Dynamic Verification of Inter-Parameter Constraints in Web - - PowerPoint PPT Presentation


# Dynamic Verification of Inter-Parameter Constraints in Web Applications


SLIDE 1

Dynamic Verification of Inter-Parameter Constraints in Web Applications

Nathalie Oostvogels・Joeri De Koster・Wolfgang De Meuter

SLIDE 2

Third party web services

SLIDE 3

Web API specifications

SLIDE 4

Web API requests

```javascript
request.post(
  {
    url: "api.twitter.com/1.1/direct_messages/new.json",
    form: { user_id: 42, screen_name: "Alice", text: "Hello" }
  },
  (error, r, result) => { console.log(result) }
);
```

SLIDE 5

Web API specifications

○ optional number
○ optional string
○ required string
○ max length = 140
○ max length = 15

SLIDE 6

Automatically Verifying Requests

SLIDE 7

Dynamic verification

```javascript
request.post(
  {
    url: "api.twitter.com/1.1/direct_messages/new.json",
    form: { user_id: 42, screen_name: "Alice", test: "Hello" }
  },
  (error, r, result) => { console.log(result) }
);
```

Request to "api.twitter.com/1.1/direct_messages/new.json" is incorrect: required field "text" not present.

SLIDE 8

Dynamic verification

```javascript
request.post(
  {
    url: "api.twitter.com/1.1/direct_messages/new.json",
    form: { user_id: 42, screen_name: "Alice", text: "Hello" }
  },
  (error, r, result) => { console.log(result) }
);
```

SLIDE 9

At runtime…

○ "You must specify either a list ID or a slug and owner"
○ "Some co-ordinate parameters were blank"
○ "Incompatible parameters specified in the request"

SLIDE 10

Inter-parameter constraints

○ constraints defined over multiple parameters

Exclusive Constraints
Dependent Constraints
Group Constraints

SLIDE 11

Automatically Verifying Requests

SLIDE 12

Exclusive constraints


○ exactly one of a set of parameters is required

Silent choice: Twitter chooses screen_name over user_id

SLIDE 13

Dependent constraints

○ constraints on a parameter depend on a property of another parameter

Silent choice: Facebook ignores details of link when link is not provided

SLIDE 14

Group constraints

○ a set of parameters should either be all excluded from a request or all included

Silent choice: Twitter ignores latitude when longitude is not provided

SLIDE 15

Inter-parameter constraints in web APIs

# entry points XOR Dependent Group 117 10 3 3 97 32 14 6 50 11 3 5 206 12 1 209 11 4 1 9 2 5 2

SLIDE 16

A new specification language for web APIs

```yaml
x-constraints:
  - present(screen_name) XOR present(user_id)
paths:
  /direct_messages/new:
    post:
      parameters:
        - name: user_id
          type: number
        - name: screen_name
          type: string
        - name: text
          type: string
          required: true
```

SLIDE 17

Dynamic verification

```javascript
request.post(
  {
    url: "api.twitter.com/1.1/direct_messages/new.json",
    form: { user_id: 42, screen_name: "Alice", text: "Hello" }
  },
  (error, r, result) => { console.log(result) }
);
```

Request to "api.twitter.com/1.1/direct_messages/new.json" is incorrect: the exclusive constraint on user_id and screen_name is not satisfied.
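A sketch of how the three constraint kinds from the slides (exclusive, dependent, group) can be checked on a request form before it is sent, so that a silent server-side choice becomes an explicit client-side error. This is an added example, not the authors' tool: the constraint objects are a hypothetical encoding, the dependent check covers only the simple "requires presence" case, and the parameter names `link`, `link_caption`, `lat` and `long` are constructed.

```javascript
// Added illustration; the constraint objects below are a hypothetical encoding,
// not the specification language or the tool presented in the slides.
const present = (form, name) => form[name] !== undefined && form[name] !== null;

// Each checker returns null when satisfied, or a message describing the violation.
const checkers = {
  // exclusive: exactly one of the listed parameters is required
  exclusive: (form, c) =>
    c.params.filter((p) => present(form, p)).length === 1
      ? null
      : `the exclusive constraint on ${c.params.join(" and ")} is not satisfied.`,
  // dependent (one simple instance): `param` may only appear when `requires` does
  dependent: (form, c) =>
    !present(form, c.param) || present(form, c.requires)
      ? null
      : `the dependent constraint on ${c.param} is not satisfied: ${c.requires} is not present.`,
  // group: the listed parameters are either all included or all excluded
  group: (form, c) => {
    const n = c.params.filter((p) => present(form, p)).length;
    return n === 0 || n === c.params.length
      ? null
      : `the group constraint on ${c.params.join(" and ")} is not satisfied.`;
  },
};

// Validate a request form before it is sent; returns a list of error messages.
function verifyRequest(url, form, constraints) {
  return constraints
    .map((c) => checkers[c.kind](form, c))
    .filter((msg) => msg !== null)
    .map((msg) => `Request to "${url}" is incorrect: ${msg}`);
}

// Constructed sample constraints; names other than user_id and screen_name
// are placeholders chosen for this example.
const constraints = [
  { kind: "exclusive", params: ["user_id", "screen_name"] },
  { kind: "dependent", param: "link_caption", requires: "link" },
  { kind: "group", params: ["lat", "long"] },
];

const url = "api.twitter.com/1.1/direct_messages/new.json";
// Both user_id and screen_name are set, and lat is sent without long.
const bad = verifyRequest(url, { user_id: 42, screen_name: "Alice", text: "Hello", lat: 50.8 }, constraints);
const good = verifyRequest(url, { screen_name: "Alice", text: "Hello" }, constraints);
console.log(bad.join("\n"));
```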

SLIDE 18

Inter-parameter constraints in web APIs

Eliminating vague error messages

  • Error message when constraints not satisfied.

Uniform error messages

  • Error message when constraints not satisfied.

SLIDE 19

Conclusion

○ When programming against Web APIs, programmers often resort to trial and error
○ Introduced tool that transparently intercepts and validates requests according to specification
○ Supports validation of inter-parameter constraints
○ Future work: inter-parameter constraints outside of web APIs