After reading Rusty Elliotte’s blog for a while I have been interested in finding out more about REST implementations. The hardest thing to get my head round is that there is not a standard implementation or standard for it. Take, for example, this weekend’s REST task, which was to find out how a REST application would handle authentication. Authentication for a public service is probably the key element to a useful real-world Web Service application, and in my past experience it is a vexed and complex issue that involves head-splitting implementation details.
As this tutorial points out, authentication is hard. So why try to implement it yourself? The tutorial instead suggests relying on the HTTP authentication that should already be part of your webserver implementation. This is what blows me away about REST so far: it uses what you already have and already know to achieve something new. It has the hallmark of any truly useful technology or methodology in that what it does is push the boundaries of what you can do with what you already know.
I’ve run into HTTP authentication once before, when a previous company I worked with restricted web access to a select few. I ended up writing a proxy that spoofed the authentication that my authorised login was using. The proxy worked so well that in the end I was asked to shut it down and full access was restored to the rest of the team (the point being well taken). However, I didn’t learn much about authentication except how to literally reproduce a valid response.
Clearly the time has come to learn more.