RE: REST and the Web

> > But everybody does this on the web all of the time! When I go to
> > eBay I don't see your auctions, I see mine!
> 
> I was talking about mapping 'functional' resources onto URI's, or
> passing parameters from a form to a URI. Things like the proposal for
> variable substitution in the submission URI make it easier to map
> services into URI space (especially with well-defined GET-able
> resources). In leiu of a framework for doing this, people have
> traditionally used POST. SOAP over HTTP/XML-RPC is a logical extension
> (to developers)of POST.

Exactly, eBay is a great example of how 95% of the universe use POST as
RPC rather than its intended RESTful purpose.

There *is* a "proper" way to use POST: in my opinion that is the
behavior which says that the POSTed entity creates a new URI which is
subordinate to the POST target, and returns the URI of that new
resource.  This is really a fine architecture, and if people stuck to it
we would have a much easier time in realizing the semantic web.

Too bad only 5% of the people who use POST actually use it "properly"
(the way I define proper), and only 5% of those people even could say
why it is "proper".  POST makes itself so easy to abuse, that the
situation today is people who treat POST right do so accidentally rather
than deliberately.

So, what do we do about it?  My suggestion is:

1) "Educate" people to stop abusing POST
2) Give people incentive to deploy more RESTful architectures by
enhancing the value of other uses of the web (besides GET and
abusive-POST, which are both just fine as RPC).  In other words, make an
obvious value proposition for using these protocols "properly" -- people
may still choose to abuse, but with full knowledge that they are losing
some great opportunities.
3) Try to gain some transparency into the cases where people are
exposing functionality (instead of resources) over POST.  As it
currently stands, people who use CGI+POST to call COM/DCOM/EJB are no
different to a firewall administrator than those who don't.  It is
impossible for firewall admins to have any visibility into how people
are abusing POST.  Furthermore, it is impossible for future advances (in
caching, semantic web, etc.) to know whether a particular POST is
RESTful or RPCful.  So this lack of transparency makes it hard to
progress.
4) Try to get vendors to encourage 1-3 in their products.

And I think that #1 above is fairly weak by itself.  To say that
re-education alone is enough would require:

A) Getting agreement (even at TAG level) that all non-resource exposure
of functionality via POST is "wrong".
B) Actively working to interfere with and prevent users from using POST
this way.

"A" is going to be very difficult, and "B" is just plain rude.  And in
the extremely likely event that both would fail to eliminate POST abuse,
we would end up just heaping lots of punishment on users for no effect
whatsoever.

(*Maybe* it would be possible to get TAG to agree about "A", but it
would take heaps of hubris to think that was all there is to it).

-J

Received on Saturday, 30 March 2002 22:01:39 UTC