Re: [rest-discuss] W3C Note - User Agent Authentication FORM elements
- I'm sorry. I was waayy too strident (too little
Anyway, the question remains: Is it RESTful for
resources to be parametrized by authentication
From an API, it would be sort of annoying if a
resource can be completely different depending on
From a UI perspective, it strikes me as
frustrating not to be able to mail a URL to the
exact resource I am looking at if I want to.
OTOH it also strikes me that it would be nice to
be able to specify a URL for this TYPE of
resource. My instinct is that application
providers should provide distinct login entry
Anyone else have an opinion here?
On Wed, 5 Mar 2003, Chuck Hinson wrote:
> S. Alexander Jacobson wrote:
> >On Tue, 4 Mar 2003, Chuck Hinson wrote:
> >>But it does identify a single resource. The resource is NOT Chuck
> >>Hinson's bank account - the resource is 'my' bank account with 'my'
> >>being whoever is accessing it.
> >That is sophistry. Most charitably, I would refer
> >you to all the people who want URL's for the
> >different variants produced in
> >But I think that authentication is very different
> >from content negotiation. The notion that mailing
> >the URL of a WSJ article means something different
> >from mailing the URL of a bank savings register is
> >a little odd.
> >Using HTTP-auth for customization is abusive.
> >Now, I can define all sorts of resources
> >parametrized by username password.
> >Rather than adding a id=thingid to the query
> >string. In the future, I can simply pass thingid
> >in the username...
> I respectfully disagree, and I'll leave it at that.
> >S. Alexander Jacobson i2x Media
> >1-212-787-1914 voice 1-603-288-1280 fax
> >To unsubscribe from this group, send an email to:
> >Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
S. Alexander Jacobson i2x Media
1-212-787-1914 voice 1-603-288-1280 fax
- S. Alexander Jacobson wrote:
> I'm sorry. I was waayy too strident (too little
> Anyway, the question remains: Is it RESTful for
> resources to be parametrized by authentication

I don't believe it is. The identity of a thing shouldn't be coupled to
any Access Control List information I have about that thing.
Another reason: try to write RDF statements about a bank account, where
that bank account is identified in a relative way.
Relative ID: http://example.bank.com/account
You can't write anything about that account because to truly identify
it, you need ACL information. And in the HTTP world, the authentication
is done outside the URI.
If you had an absolute ID for a bank account, then you can actually say
things about it.
Absolute ID: http://example.bank.com/account/12345
Then, this becomes possible (in RDF):
You can't do the above w/ the Relative ID. All the RDF statements would
end up saying that *everyone* owns account http://example.bank.com/account.
This is all true, because HTTP's authentication is done at the protocol
level, and independent of the URI. The ID of the thing you are trying
to operate on is not affected by any ACL information.
Now, having said that, this is a perfectly valid Absolute ID:
But, of course, not as friendly w/ some caches and search engines. And,
you still have to supply a password (or some authenticating token).
Hope that helps,
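
The relative-ID versus absolute-ID distinction discussed in this thread, as an added example that is not part of the original messages: a minimal sketch of both designs with the access check kept separate from the identifier. The account ids, user names, ACL table and function names are all hypothetical, constructed for illustration.

```python
# Constructed sample data: ids, owners and balances are hypothetical.
ACCOUNTS = {"12345": {"owner": "chuck", "balance": 100},
            "67890": {"owner": "alex", "balance": 250}}
ACL = {"12345": {"chuck"}, "67890": {"alex", "auditor"}}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="bank"'}


def get_relative(user):
    """GET /account: the URI means 'my account', so credentials select the resource."""
    if user is None:
        return 401, CHALLENGE, None
    for acct_id, acct in ACCOUNTS.items():
        if acct["owner"] == user:
            # The same URI yields different accounts per user, so a shared
            # cache must never reuse this response for anyone else.
            headers = {"Cache-Control": "private", "Vary": "Authorization"}
            return 200, headers, {"id": acct_id, **acct}
    return 404, {}, None


def get_absolute(acct_id, user):
    """GET /account/<id>: the URI fixes identity; the ACL only decides access."""
    if user is None:
        return 401, CHALLENGE, None
    if acct_id not in ACCOUNTS:
        return 404, {}, None
    if user not in ACL[acct_id]:
        # Knowing the identifier grants nothing: authorization is checked
        # on every request, independently of the URI.
        return 403, {}, None
    return 200, {"Cache-Control": "private"}, {"id": acct_id, **ACCOUNTS[acct_id]}


def same_resource(a, b):
    """True when two responses are both 200 and describe the same account."""
    return a[0] == b[0] == 200 and a[2]["id"] == b[2]["id"]


if __name__ == "__main__":
    # A mailed /account link shows each recipient a different account.
    print(same_resource(get_relative("chuck"), get_relative("alex")))
    # A mailed /account/67890 link names one account for every authorized reader.
    print(same_resource(get_absolute("67890", "alex"),
                        get_absolute("67890", "auditor")))
    # An authenticated user outside the ACL is refused.
    print(get_absolute("12345", "alex")[0])
```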