tags:

views:

81

answers:

3

This is kind of a follow-up question to this one.

So is having a unique response for any given URI a core tenant of RESTful architecture? A lot of discussion here tends that direction, but I haven't seen it anywhere as a "hard and fast" rule.

I understand the value of it (for caching, crawling, passing links, etc), but I also see things like the twitter API violate it (A request to http://api.twitter.com/1/statuses/friends_timeline.xml will vary based on the username given), and I understand there are times when it may be necessary--not to mention that a chronologically paged resource will also change as new elements are added.

Should I strive for varied responses from the same URI to be eliminated altogether, or do I just accept that sometimes it isn't practical, and as long as I minimize its occurrence, I'll be in decent shape.

A: 

Nothing in REST says same response - but you shuld be prepared to handle stuff like the "If Modified Since" request headers WHEN THEY MAKE SENSE ;)

The tritter API has other issues, obviously - as in: this is a design decision. Once you allow friend timelines to be isolated, for example, it would make sense to put the timeline below a friend name element - they obviously decided against this ;)

It runs down to design decisions. Look at OData (like http://odata.netflix.com/Catalog/) - here it makes snse to return the same data for every URL for a given time (caching), because it is a fully public cataloque. For other scenarios it may make no sense.

TomTom
A: 

Some request headers do change what is returned (while still being RESTful):

  1. Clearly the cache-headers are expected to be used to determine if a 304 or 200 is returned
  2. The Accept header can be used to determine the format of the response (HTML vs XML vs JSON)
  3. The Authorized header can at least determine if a 401, 403, or 200 is returned.
  4. Also, resources are allowed to change over time.

The real question is whether the Authorized header (which determines the user) can be used to change the content of the response. I haven't seen any official statement about it, but I suspect a number of people would rather have the user in the URL and the Authorized header used to validate access. I suspect either way is still RESTful.

Kathy Van Stone
The question is, how many intermediary caches are able to handle response variations based on auth header. If caching is not important for a particular application then maybe using a single url is ok. But why take that risk?
Darrel Miller
+1  A: 

Not the same response, but a representation (wich depends on conneg and conditional request headers) of the same resource. In a Rest Architecture, a URI identify one and only one resource (but a resource can have several URI). Presenting different resource depending on the authorized user (being HTTP Auth, cookies, ...) is bad practice, since the same URI represent a different resource for each user, as in the Twitter example. I can't allow you to view my timeline and give you the URI, since this is the same URI for your timeline. The user must be encoded in the URI, and access limited by the authorization mecanism. To have a single access point presenting different resource depending on the authenticated user, use a redirect (e.g. 303 See Other, 302 Found, ...)

Yannick
Do you have any references for your 'bad practice' statement? It's perfectly legitimate to return different content based on the logged in user. For example, I could define a shortcut URL `/my/things` which returns things for the logged in user and returns the response with the `Content-Location` header set to `/users/123/things` to indicate the canonical location for that resource (see RFC 2616 section 14.14)
Greg Beech
if /my/things and /users/123/things are supposed to represent the same resource then only one should return 200, the other should return 303 See Other.
Darrel Miller
The Content-Location should be used to give the URI of the returned variant of the resource (different representation, e.g. conneg) or to return the created resource in the case of POST (instead of using 201 + Location, the later being more rigourus). In the case you are presenting, it's a different resource. You can't assure what resource a client will retreive by GETing this URI. If the UA is a browser, you can't copy/past the URI, since the Content-Location is not directly accessible. URI are resource identifier, that is they identify a resource,always the same (see sect.5.2 of Roy thesis)
Yannick
see also: Axiom 1 and 2 of web architecture (http://www.w3.org/DesignIssues/Axioms.html#unique)
Yannick
Interesting approach using redirects. I like that, particularly because the `my/things` example is exactly what I'm looking at (well, it's one of my two use cases). A user shouldn't have to know their ID to easily type in a URI to get to a certain resource, and this way they don't have to.
keithjgrant