Re: [rest-discuss] W3C Note - User Agent Authentication FORM elements

  • S. Alexander Jacobson
    Message 1 of 49 , Mar 5 3:17 PM
      I'm sorry. I was waayy too strident (too little
      sleep).

      Anyway, the question remains: Is it RESTful for
      resources to be parametrized by authentication
      information?

      From an API, it would be sort of annoying if a
      resource can be completely different depending on
      auth.

      From a UI perspective, it strikes me as
      frustrating not to be able to mail a URL to the
      exact resource I am looking at if I want to.

      OTOH it also strikes me that it would be nice to
      be able to specify a URL for this TYPE of
      resource. My instinct is that application
      providers should provide distinct login entry
      points.

      Anyone else have an opinion here?

      -Alex-

      On Wed, 5 Mar 2003, Chuck Hinson wrote:

      >
      >
      > S. Alexander Jacobson wrote:
      >
      > >On Tue, 4 Mar 2003, Chuck Hinson wrote:
      > >
      > >
      > >>But it does identify a single resource. The resource is NOT Chuck
      > >>Hinson's bank account - the resource is 'my' bank account with 'my'
      > >>being whoever is accessing it.
      > >>
      > >>
      > >
      > >That is sophistry. Most charitably, I would refer
      > >you to all the people who want URL's for the
      > >different variants produced in
      > >content-negotiation.
      > >
      > >But I think that authentication is very different
      > >from content negotiation. The notion that mailing
      > >the URL of a WSJ article means something different
      > >from mailing the URL of a bank savings register is
      > >a little odd.
      > >
      > >Using HTTP-auth for customization is abusive.
      > >Now, I can define all sorts of resources
      > >parametrized by username password.
      > >
      > >Rather than adding a id=thingid to the query
      > >string. In the future, I can simply pass thingid
      > >in the username...
      > >
      > >
      > I respectfully disagree, and I'll leave it at that.
      >
      > --Chuck
      >
      > >-Alex-

      ___________________________________________________________________
      S. Alexander Jacobson i2x Media
      1-212-787-1914 voice 1-603-288-1280 fax
    • Seth Ladd
      Message 49 of 49 , Mar 22 7:02 PM
        S. Alexander Jacobson wrote:
        > I'm sorry. I was waayy too strident (too little
        > sleep).
        >
        > Anyway, the question remains: Is it RESTful for
        > resources to be parametrized by authentication
        > information?


        I don't believe it is. The identity of a thing shouldn't be coupled to
        any Access Control List information I have about that thing.

        Another reason: try to write RDF statements about a bank account, where
        that bank account is identified in a relative way.

        Relative ID: http://example.bank.com/account

        You can't write anything about that account because to truly identify
        it, you need ACL information. And in the HTTP world, the authentication
        is done outside the URI.

        If you had an absolute ID for a bank account, then you can actually say
        things about it.

        Absolute ID: http://example.bank.com/account/12345

        Then, this becomes possible (in RDF):

        <bank:Account rdf:about="http://example.bank.com/account/12345">
          <bank:ownedBy rdf:resource="http://example.com/person/88888"/>
          <bank:balance>$1,334.23</bank:balance>
        </bank:Account>

        You can't do the above w/ the Relative ID. All the RDF statements would
        end up saying that *everyone* owns account http://example.bank.com/account.

        This is all true, because HTTP's authentication is done at the protocol
        level, and independent of the URI. The ID of the thing you are trying
        to operate on is not affected by any ACL information.

        Now, having said that, this is a perfectly valid Absolute ID:

        http://example.bank.com/account?owner_id=88888

        But, of course, not as friendly w/ some caches and search engines. And,
        you still have to supply a password (or some authenticating token).

        Hope that helps,
        Seth
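The contrast Seth draws, as an added example that is not part of either post: a "relative" URL (`/account`) resolves to a different account for each authenticated caller, so the URL alone does not identify a resource, while an "absolute" URL (`/account/12345`) always names the same account, which is what makes an explicit ownership check necessary before it is returned. Account numbers, person ids and the session-token table are constructed sample data; the host names are the ones used in the thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Account:
    number: str
    owner: str  # id of the person who owns the account
    balance_cents: int


# Constructed sample data: two accounts and two authenticated sessions.
ACCOUNTS = {
    "12345": Account("12345", owner="88888", balance_cents=133423),
    "67890": Account("67890", owner="99999", balance_cents=50000),
}
SESSIONS = {"tok-alice": "88888", "tok-bob": "99999"}  # bearer token -> person id


def authenticate(token: Optional[str]) -> Optional[str]:
    """Map a credential to a principal. This happens at the HTTP level,
    independently of the URI, which is the point Seth makes."""
    return SESSIONS.get(token) if token else None


def resolve_relative(path: str, token: Optional[str]) -> Tuple[int, Optional[Account]]:
    """'Relative' design: /account means 'whichever account the caller owns'."""
    if path != "/account":
        return 404, None
    principal = authenticate(token)
    if principal is None:
        return 401, None
    for acct in ACCOUNTS.values():
        if acct.owner == principal:
            return 200, acct
    return 404, None


def resolve_absolute(path: str, token: Optional[str]) -> Tuple[int, Optional[Account]]:
    """'Absolute' design: the URL alone identifies the account; the credential
    only decides whether the caller may see it."""
    m = re.fullmatch(r"/account/(\d+)", path)
    if not m:
        return 404, None
    acct = ACCOUNTS.get(m.group(1))
    if acct is None:
        return 404, None
    principal = authenticate(token)
    if principal is None:
        return 401, None
    # Because the URL no longer implies "mine", ownership must be checked
    # explicitly. Omitting this check is the classic object-level authorization gap.
    if acct.owner != principal:
        return 403, None
    return 200, acct


def names_one_resource(resolver, path: str, tokens: Iterable[Optional[str]]) -> bool:
    """True if every caller who gets 200 at this URL sees the same account."""
    seen = {
        acct.number
        for status, acct in (resolver(path, t) for t in tokens)
        if status == 200
    }
    return len(seen) <= 1


def rdf_statement(acct: Account) -> str:
    """An RDF description in the shape used in the thread, keyed by absolute ID."""
    base = "http://example.bank.com"
    return (
        f'<bank:Account rdf:about="{base}/account/{acct.number}">\n'
        f'  <bank:ownedBy rdf:resource="http://example.com/person/{acct.owner}"/>\n'
        f'  <bank:balance>{acct.balance_cents / 100:.2f}</bank:balance>\n'
        f"</bank:Account>"
    )


if __name__ == "__main__":
    callers = ["tok-alice", "tok-bob"]
    print("relative URL names one resource:", names_one_resource(resolve_relative, "/account", callers))
    print("absolute URL names one resource:", names_one_resource(resolve_absolute, "/account/12345", callers))
    print(rdf_statement(ACCOUNTS["12345"]))
```

Running the script shows the two designs side by side: the relative URL yields account 12345 for one session and 67890 for the other, so no RDF statement can be made about "it", while the absolute URL yields 12345 for the owner and 403 for everyone else, and the RDF description can be written once against that stable identifier.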