tags:

views:

42

answers:

1
+2  Q: 

Are these REST HTTP response codes right, and what about the Content-Type?

I'm writing a controller helper that sets the proper response headers for my REST controller action. It's pasted below and should be simplified enough for those who aren't familiar with Zend Framework to understand what I'm doing.

My question is: Are these codes correct for their respective responses, and in the case of "access denied" do I use a 401 or 403?

Also, in case of responding with an error, I understand I should be placing a message in the response body, but should I set the "Content-Type" to "text/plain"?

<?php

class App_Controller_Helper_RestResponse extends Zend_Controller_Action_Helper_Abstract
{
    public function denied()
    {
        // 403 or 401?
    }

    public function notFound()
    {
        // 404
    }

    public function created()
    {
        // 201
    }

    public function deleted()
    {
        // 204
    }


    public function redirect()
    {
        // 301
        // new url
    }

    public function malformed()
    {
        // 400
    }

    public function gone()
    {
        // 410
    }


}
A: 

Those look pretty good to me, I tend to use 200 for deleted, but I don't see anything wrong with using 204 if you're never going to send back any entity when you process a delete. Regarding 401 vs 403, they're tricky because they are named poorly. 401 says "unauthorized" but the requirement to send a WWW-Authenticate header suggests to me that it should really be used when the request isn't "Authenticated". 401 says: "I can't let you do that because I'm not satisfied I know enough about you. 403 on the other conveys the resource is "Forbidden", just another way of saying "not authorized" only in this case, there is no effort made to get the user better authenticated than they already are. Use 403 when you need to express: "I know who you are, and I don't care, I'm not going to let you do that."

Otherwise those look good, though you may want to consider 302, 303 and 307 as additional redirects depending on why you are doing the redirect. Have an additional look at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html and let me know if you need some more insight on the redirect headers.

stinkymatt  2010-05-12 01:35:07
Ok so if a user HAS NOT logged in (been authenticated), then I should probably redirect them to a login page. Otherwise if they HAVE logged in and try to access a resource which they do NOT have authorization, I should respond with a 403. Sound good?
talentedmrjones  2010-05-12 23:36:05
Yes, if they have not logged in, send them a 401 with the WWW-Authenticate header pointing to the login page. If they are logged in, and they are doing something you don't want them to do, just send the 403.
stinkymatt  2010-05-14 19:51:38

related questions

Mocking WebResponse's from a WebRequest
What's the best way to learn server RESTful code?
JAX-RS Frameworks
SOAP or REST
Are REST request headers encrypted by SSL?
REST in Java
REST type API for non web based applications, Is It a good idea?
Getting started with REST
Plain text passwords in Ruby on Rails using Restful_Authentication
Where WCF and ADO.Net Data services stand?
REST how to handle query parameters when put to resource?
Any way to handle Put and Delete verbs in ASP.Net MVC?
How do you implement resource "edit" forms in a RESTful way?
Friendly URLs for ASP.NET
Possible to create REST web service with ASP.NET 2.0
Strange Rails Authentication Issue
How to respond to an alternate URI in a RESTful web service
Guide to choosing between REST vs SOAP services?
guid REST URL for ado.net dataservice call?
RESTful web services and HTTP verbs
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Best Practices for securing a REST API / web service
Document or RPC based web services
Modify Address Bar URL in AJAX App to Match Current State