[Catalyst] Re: using REST within the app

A. Pagaltzis pagaltzis at gmx.de
Fri May 25 00:48:08 GMT 2007


* John Goulah <jgoulah at gmail.com> [2007-05-24 17:45]:
> What are people's thoughts on using REST not only as a web
> service, but also within the application itself as another
> layer of abstraction?

I like it for two reasons.

1. Browsers are pretty much dumb terminals. Javascript can help,
   but it’s a bad idea to assume their presence. This puts some
   constraints on how RESTful a browser-targeted app can be.
   Layering the app as a pure RESTful layer with an HTML adaptor
   layer on top helps.

2. Dogfooding. By being forced to use your own API, you make sure
   that the API is sufficiently complete and well-designed that
   other people can actually use it.

> I would assume in this way all the DB related calls would go
> through the REST layer, and this way they can be invoked as
> services or locally through the app. Is this too much overhead
> since the model itself is a layer?

Depends. By doing it this way, you can completely separate the
browser adapter implementation from the RESTful core app, so then
you could conceivably run the browser adapter on a different
machine or do anything else (like putting a cache or routing
proxy between the layers or whatever) that HTTP allows you to do.

See also:

    Squid is My Service Bus
    http://www.mnot.net/blog/2007/04/29/squid

Do you need this sort of flexibility? If so, then following this
approach can be quite worthwhile.

For small apps, though, I wouldn’t bother.

> What are the best ways to deal with this from a security aspect
> (such as making sure people don't call some DELETE action on
> sensitive data)? Is this handled with authorization or some
> other such way?

Yes, of course. How would you do it at the level of the
HTML-based web app? Why would the mechanisms and their risk
profiles be any different at a lower level?

> I wouldn't want an "authorized" user to delete content they
> aren't authorized to delete of course.

I don’t understand this statement. How about you make sure that
your security works? And why would the API level somehow be more
sensitive to security issues than a regular webapp?

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
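To illustrate the point made above, that the RESTful core enforces the same authorization the HTML app would and the HTML adaptor merely sits on top of it, here is an added example (not code from this thread, from Catalyst, or from either poster) of a DELETE handler whose check every caller has to pass. The app name MyApp, the DB::Item model with its owner_id column, the Catalyst::Controller::REST status helpers and the forward-by-class-and-method call are assumptions.

```perl
# Added example, not from this thread. Assumes a Catalyst app "MyApp"
# using Catalyst::Controller::REST, Catalyst::Plugin::Authentication and
# Catalyst::Plugin::Authorization::Roles, plus a DBIx::Class model
# MyApp::Model::DB::Item whose rows carry an owner_id column.
package MyApp::Controller::API::Item;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller::REST' }

# Catalyst::Controller::REST routes a request for /api/item/<id> to
# item_GET, item_PUT or item_DELETE according to the HTTP method.
sub item : Local : ActionClass('REST') { }

sub item_DELETE {
    my ($self, $c, $id) = @_;

    # Same authentication check the HTML-facing controllers rely on.
    return $self->status_unauthorized($c, message => 'login required')
        unless $c->user_exists;

    my $item = $c->model('DB::Item')->find($id)
        or return $self->status_not_found($c, message => 'no such item');

    # Authorization lives in the core, so every caller (HTML adaptor,
    # remote service, local forward) goes through the same decision.
    my $allowed = $item->owner_id == $c->user->id
               || $c->check_user_roles('admin');
    unless ($allowed) {
        # Log refusals: a burst of denied DELETEs is worth alerting on.
        $c->log->warn(sprintf 'user %s denied DELETE on item %s',
                      $c->user->id, $id);
        return $self->status_forbidden($c, message => 'not permitted');
    }

    $item->delete;
    return $self->status_no_content($c);
}

# The HTML adaptor layer: a form handler that reuses the core action
# instead of touching the model itself, so it cannot skip the check.
package MyApp::Controller::Item;
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

sub delete : Local {
    my ($self, $c, $id) = @_;
    $c->forward('MyApp::Controller::API::Item', 'item_DELETE', [$id]);
    # On success the core left a 204; send the browser back to the list.
    $c->response->redirect($c->uri_for('/item'))
        if $c->response->status == 204;
}

1;
```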
