REST-June2010-ConcreteImpl

NHIN DIRECT REST IMPLEMENTATION
Prepared by: The NHIN Direct REST Team
June 8, 2010
Some Definitions
» REST – Representational State Transfer
» Introduced in Roy Fielding’s PhD thesis in 2000
» Theory
• Requests and responses between clients and servers embody the
transfer of “representations” of “resources”
– Example: Resource is a “List of Messages”. Representations
could be an XML or HTML expression of the list.
• Resource: Any addressable concept
» Practice
• HTTP methods (typically GET, POST, PUT, DELETE) applied to
resources expressed as URIs
• HTTP status codes for coarse-grained response interpretation
• MIME Content-Type header for request and response interpretation
Why REST?
» Simple
• Knowledge of HTTP method primitives, Content-Type, and URL
formation rules is all that is required
» Ubiquitous
• HTTP is well understood with client libraries in virtually any
environment and servers available for free
» Proven
• HTTP has been the protocol of the web for years
» Extensible
• New URL formation rules and Content-Type headers to address
new resources
» Scalable
• REST HTTP-based services scale using well-understood
techniques
Why REST?
» Integration Simplicity
• Low level of knowledge needed (HTTP methods, headers, and URL
formation rules)
» Tooling
• Lots of development tools to make coding simple (Spring MVC 3.0,
JAX-RS, etc…)
» Natural X.509 certificate directory mechanism
• /certs resource (more later)
Achievements
» REST Specification
• http://nhindirect.org/REST+Implementation
• Still some debate on the best way to architect the Abstract Model
status function (/status resource versus MDN)
» Java-based HISP implementation (MedPlus/Quest & VisionShare)
• Spring MVC 3.0-based
• REST backbone protocol; HISP-to-HISP messaging demonstrated
• REST and SMTP/POP3 edge protocol support
– Functioning with standard email client & REST test clients
– In prototype with MedPlus Care360 EHR as Source/Destination
• S/MIME message-based security (sign and encrypt); TLS between HISPs
• /certs resource for retrieving X.509 certificates
Achievements
» Ruby on Rails HISP implementation (Arien “private citizen” Malec)
• REST backbone protocol
• S/MIME message-based security (sign and encrypt)
• /certs resource for retrieving X.509 certificates
» Java HISP implementation (Argonne National Labs)
• REST backbone protocol
• SAML integration
REST API Examples
» https://<HISP-domain>/nhin/v1/<health-domain-name>/<health-endpoint-name>/messages
» Dr Johnson retrieving a list of messages from his HISP:
• https://hisp-a.com/nhin/v1/nhin.DodgeClinic.com/DrJohnson/messages
• GET method
• Returns an Atom feed containing URIs of available messages
» Dr Johnson retrieving a message from his HISP:
• https://hisp-a.com/nhin/v1/nhin.DodgeClinic.com/DrJohnson/messages/8dc78b1e-4aea46a3-8317-43fe57ac5d6c
• The UUID at the end of the URL is the message ID
• Response format is an RFC 5322 email message
» HISP A posting a message sent by Dr. Johnson to Dr. Nelson
• https://nhin.MetroCardiology.com/nhin/v1/nhin.MetroCardiology.com/DrNelson/messages
• POST method
• RFC 5322 email message format
• nhin.MetroCardiology.com resolves in DNS to the IP of the HISP serving Dr. Nelson
» HTTP GET the X.509 certs (as an Atom feed) for [email protected]
• https://nhin.DodgeClinic.com/nhin/v1/nhin.DodgeClinic.com/DrJohnson/certs
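As an added illustration of the URL formation rules and the three message operations on this slide, here is a small Ruby model. It is example code written for this page, not code from the NHIN Direct REST specification or from any of the three implementations. It models a HISP as pure functions with an in-memory mailbox: GET on the `messages` resource returns an Atom feed of message URIs, GET on `messages/<uuid>` returns the stored RFC 5322 message, and POST on `messages` stores an RFC 5322 message and mints the UUID that becomes its ID. The `Hisp` class, the `parse_nhin_url` and `rfc5322?` helpers, the content types (`application/atom+xml`, `message/rfc822`) and the 201/400/405/501 status choices are this example's assumptions; `/certs` is recognised by the router but left unimplemented.

```ruby
require 'uri'
require 'securerandom'
require 'time'

# URL scheme from the deck:
#   https://<HISP-domain>/nhin/v1/<health-domain-name>/<health-endpoint-name>/messages[/<uuid>]
#   https://<HISP-domain>/nhin/v1/<health-domain-name>/<health-endpoint-name>/certs
ROUTE = %r{\A/nhin/v1/(?<domain>[^/]+)/(?<endpoint>[^/]+)/(?<resource>messages|certs)(?:/(?<id>[^/]+))?\z}

# Break a request URL into its addressable parts; nil when it is not an NHIN Direct URL.
def parse_nhin_url(url)
  u = URI.parse(url)
  return nil unless u.scheme == 'https' && u.host   # every URL on the slide is https
  m = ROUTE.match(u.path)
  return nil unless m
  { hisp: u.host, domain: m[:domain], endpoint: m[:endpoint], resource: m[:resource], id: m[:id] }
end

# True when the body looks like an RFC 5322 message: a header block containing From and To,
# a blank line, then the body. Deliberately minimal; not a full RFC 5322 parser.
def rfc5322?(text)
  return false unless text.is_a?(String)
  headers, sep, _body = text.partition(/\r?\n\r?\n/)
  return false if sep.empty?
  headers.match?(/^From:\s*\S/i) && headers.match?(/^To:\s*\S/i)
end

# One HISP (hypothetical class) with in-memory mailboxes keyed by "<health-domain>/<endpoint>".
class Hisp
  def initialize(host)
    @host  = host
    @boxes = Hash.new { |h, k| h[k] = {} }   # "domain/endpoint" => { uuid => rfc5322 text }
  end

  # Dispatch (HTTP method, URL, request body) -> [status, content_type, response body].
  def handle(method, url, body = nil)
    parts = parse_nhin_url(url)
    return [404, 'text/plain', 'not an NHIN Direct resource on this HISP'] unless parts && parts[:hisp] == @host
    box = @boxes["#{parts[:domain]}/#{parts[:endpoint]}"]
    case [method, parts[:resource], parts[:id].nil?]
    when ['GET', 'messages', true]                       # list: Atom feed of message URIs
      [200, 'application/atom+xml', atom_feed(parts, box)]
    when ['GET', 'messages', false]                      # fetch one: the RFC 5322 message
      msg = box[parts[:id]]
      msg ? [200, 'message/rfc822', msg] : [404, 'text/plain', 'no such message']
    when ['POST', 'messages', true]                      # deliver: store an RFC 5322 message
      return [400, 'text/plain', 'body must be an RFC 5322 message'] unless rfc5322?(body)
      id = SecureRandom.uuid                             # the UUID becomes the message ID in the URL
      box[id] = body
      [201, 'text/plain', message_uri(parts, id)]
    when ['GET', 'certs', true]
      [501, 'text/plain', '/certs is not implemented in this example']
    else
      [405, 'text/plain', 'method not allowed']
    end
  end

  private

  def message_uri(parts, id)
    "https://#{@host}/nhin/v1/#{parts[:domain]}/#{parts[:endpoint]}/messages/#{id}"
  end

  # Atom feed whose entries carry the URIs of the messages available in the mailbox.
  def atom_feed(parts, box)
    now = Time.now.utc.iso8601
    entries = box.keys.map do |id|
      "  <entry><id>urn:uuid:#{id}</id><title>#{id}</title>" \
      "<link rel=\"alternate\" type=\"message/rfc822\" href=\"#{message_uri(parts, id)}\"/>" \
      "<updated>#{now}</updated></entry>"
    end
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<feed xmlns=\"http://www.w3.org/2005/Atom\">\n" \
    "  <id>https://#{@host}/nhin/v1/#{parts[:domain]}/#{parts[:endpoint]}/messages</id>\n" \
    "  <title>Messages for #{parts[:endpoint]}@#{parts[:domain]}</title>\n" \
    "  <updated>#{now}</updated>\n#{entries.join("\n")}\n</feed>\n"
  end
end
```

A practitioner would note two things the model makes explicit: the receiving HISP only serves URLs whose host is its own (anything else is a 404, which is where the DNS resolution step on the slide comes in), and a POST body that is not an RFC 5322 message is rejected with 400 rather than stored.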
Security & Trust
» S/MIME message-based signing and encryption is used by two of the
three implementations for endpoint-to-endpoint privacy, authentication,
integrity and non-repudiation.
• Ruby on Rails utilizes OpenSSL
• Java (Spring MVC implementation) uses the nhin-d-jagent
• HISP-to-HISP prototyping has been achieved
» Java (Spring MVC) still uses TLS for HISP-to-HISP on-the-wire privacy
• Needed to protect To and From headers (potential PHI)
• Still some debate about the desirability of client certificates
– They would stop nefarious traffic at the network level
– They may imply a global HISP circle of trust
» Java (Argonne) uses SAML
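To make the S/MIME-plus-TLS point on this slide concrete, here is an added Ruby example using the standard OpenSSL bindings. It is not the Rails implementation's code (which the deck only says "utilizes OpenSSL"), and the self-signed certificates it generates stand in for certificates a real HISP would publish through its `/certs` resource and chain to a trust anchor. `make_identity`, `secure_message`, `open_message` and `cleartext_headers` are names invented for this example. The sender signs the inner RFC 5322 message (detached, multipart/signed), encrypts the signed entity to the recipient's certificate, and then adds the transport From and To headers; those outer headers are what the slide calls potential PHI, and they remain readable on the wire, which is why TLS between HISPs is still needed. On the receiving side, verification is pinned with `NOINTERN` to the sender certificate obtained out of band rather than to whatever certificate the message itself carries.

```ruby
require 'openssl'

# Constructed for this example: a self-signed X.509 identity for one Direct endpoint.
# A real HISP would publish the certificate via its /certs resource and chain it to a trust anchor.
def make_identity(email)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.new([['CN', email], ['emailAddress', email]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment,keyCertSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { email: email, key: key, cert: cert }
end

# Sender side: sign the inner RFC 5322 message (detached signature, multipart/signed),
# encrypt the signed entity to the recipient's certificate, then prepend the transport
# headers the HISPs route on. Those outer headers are NOT protected by S/MIME.
def secure_message(inner, sender, recipient)
  signed = OpenSSL::PKCS7.sign(sender[:cert], sender[:key], inner, [], OpenSSL::PKCS7::DETACHED)
  signed_mime = OpenSSL::PKCS7.write_smime(signed)
  enveloped = OpenSSL::PKCS7.encrypt([recipient[:cert]], signed_mime,
                                     OpenSSL::Cipher.new('aes-256-cbc'), OpenSSL::PKCS7::BINARY)
  "From: #{sender[:email]}\r\nTo: #{recipient[:email]}\r\n" + OpenSSL::PKCS7.write_smime(enveloped)
end

# Receiver side: decrypt with the recipient's key, then verify the signature against the
# sender certificate fetched out of band (e.g. from the sender's /certs resource).
# NOINTERN pins verification to that certificate instead of any the message carries.
# Returns the inner message, or nil if decryption or signature verification fails.
def open_message(wire, recipient, sender_cert)
  enveloped   = OpenSSL::PKCS7.read_smime(wire)
  signed_mime = enveloped.decrypt(recipient[:key], recipient[:cert])
  signed      = OpenSSL::PKCS7.read_smime(signed_mime)
  store = OpenSSL::X509::Store.new
  store.add_cert(sender_cert)
  return nil unless signed.verify([sender_cert], store, nil, OpenSSL::PKCS7::NOINTERN)
  signed.data
rescue OpenSSL::PKCS7::PKCS7Error
  nil
end

# The transport From/To headers are visible to anyone on the wire between the HISPs.
def cleartext_headers(wire)
  wire.lines.take_while { |l| l.strip != '' }.grep(/\A(From|To):/i).map(&:strip)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample identities and message, using the endpoints named on the REST API slide.
  johnson = make_identity('DrJohnson@nhin.DodgeClinic.com')
  nelson  = make_identity('DrNelson@nhin.MetroCardiology.com')
  inner   = "Subject: Cardiology referral\r\n\r\nPlease see the attached history.\r\n"
  wire    = secure_message(inner, johnson, nelson)
  puts "Visible on the wire without TLS: #{cleartext_headers(wire).inspect}"
  puts "Recipient recovers: #{open_message(wire, nelson, johnson[:cert]).inspect}"
end
```

Running it shows the two transport headers in the clear while the Subject and body are only recoverable by the holder of the recipient's key, and only accepted once the signature checks out against the pinned sender certificate.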
Coding Experiences
» Java (Spring MVC)
» Ruby on Rails
» Java (Argonne)