| Time |
S |
Nick |
Message |
| 00:30 |
|
|
shrink0r joined #rest |
| 01:10 |
|
|
shrink0r_ joined #rest |
| 02:37 |
|
|
shrink0r joined #rest |
| 03:04 |
|
|
lemur joined #rest |
| 03:41 |
|
|
lemur joined #rest |
| 03:58 |
|
|
vanHoesel joined #rest |
| 04:23 |
|
|
ewalti joined #rest |
| 04:24 |
|
|
ewalti joined #rest |
| 05:20 |
|
|
ewalti joined #rest |
| 06:42 |
|
|
ewalti joined #rest |
| 07:03 |
|
|
_ollie joined #rest |
| 08:26 |
|
|
azr joined #rest |
| 09:31 |
|
|
fumanchu_ joined #rest |
| 09:44 |
|
|
Left_Turn joined #rest |
| 10:12 |
|
|
shrink0r joined #rest |
| 10:33 |
|
|
vanHoesel joined #rest |
| 10:39 |
|
|
interop_madness joined #rest |
| 10:51 |
|
|
shrink0r joined #rest |
| 10:56 |
|
|
azr joined #rest |
| 11:39 |
|
|
mezod joined #rest |
| 12:48 |
|
|
azr joined #rest |
| 12:58 |
|
|
azr_ joined #rest |
| 13:04 |
|
|
shrink0r joined #rest |
| 13:19 |
|
|
dEPy joined #rest |
| 13:28 |
|
|
vanHoesel joined #rest |
| 13:40 |
|
|
azr joined #rest |
| 13:55 |
|
|
nkoza joined #rest |
| 14:03 |
|
|
azr joined #rest |
| 15:24 |
|
|
ewalti joined #rest |
| 15:33 |
|
|
vanHoesel joined #rest |
| 15:48 |
|
|
vanHoesel joined #rest |
| 16:14 |
|
|
lemur joined #rest |
| 16:42 |
|
|
shrink0r joined #rest |
| 17:05 |
|
|
shrink0r_ joined #rest |
| 17:17 |
|
|
SupaHam joined #rest |
| 17:29 |
|
|
SupaHam joined #rest |
| 17:46 |
|
|
jsys joined #rest |
| 17:48 |
|
jsys |
So you have a bunch of resources with various authorization requirements. You can't make it a cross-cutting concern and wrap everything in a proxy that checks for permissions, because every single verb of every single resource requires different permissions. So how do you make sure you don't forget to test about permissions |
| 17:52 |
|
asdf` |
isn't that implementation-specific? |
| 18:04 |
|
jsys |
asdf`: it is; but it's a problem all services have :P |
| 18:06 |
|
asdf` |
then to answer your question, how do *i* make sure i don't forget: by having a test suite |
| 18:06 |
|
asdf` |
(which is of course somewhat naive because it means i assume whoever wrote the test suite was wiser than the implementor) |
| 18:07 |
|
jsys |
asdf`: It's like we can never prove our code is correct, and there can be a vulnerability hiding in plain sight everywhere :P it's kind of unsettling |
| 18:08 |
|
asdf` |
you can hire auditors |
| 18:08 |
|
whartung |
you accept that the more fine grained your security, the more difficult it is to test, but you test it anyway |
| 18:13 |
|
jsys |
I have the same problem doing everything so I guess I'm a bit OCD. |
| 18:13 |
|
jsys |
:D |
| 18:26 |
|
|
azer_ joined #rest |
| 19:01 |
|
|
ewalti joined #rest |
| 20:03 |
|
|
graste joined #rest |
| 20:03 |
|
|
saml joined #rest |
| 20:12 |
|
|
begriffs joined #rest |
| 21:13 |
|
|
mgomezch joined #rest |
| 21:44 |
|
|
azer_ joined #rest |
| 22:06 |
|
* pdurbin |
co-presented how we have woven permissions into our command pattern architecture: http://iqss.github.io/javaone2014-bof5619 |
| 22:28 |
|
|
azer__ joined #rest |
| 22:31 |
|
|
fuzzyhorns joined #rest |
| 22:36 |
|
|
jsys joined #rest |
| 22:39 |
|
jsys |
How'd you model a resource which gets created, and then upon being read, it destroys itself. |
| 22:40 |
|
pdurbin |
like it's a job in a queue? |
| 22:41 |
|
whartung |
I'd use a whiteboard |
| 22:43 |
|
pdurbin |
and your brain |
| 22:44 |
|
whartung |
but, simply, I'd do a DELETE that returned the resouce representation as its payload |
| 22:45 |
|
jsys |
whartung: shouldn't that be idempotent |
| 22:46 |
|
whartung |
it is idempotent. The next time you call it, you get 404 |
| 22:46 |
|
whartung |
actually I doubt delete is idempotent, just by it's nature |
| 22:46 |
|
whartung |
but it is, ostensibly, safe to send more than once -- like an elevator button |
| 22:46 |
|
whartung |
but that's the behavior you wanted |
| 22:47 |
|
jsys |
whartung: yeah. Only a very specific case of delete is idempotent. I don't know what they were thinking in that spec. |
| 22:47 |
|
pdurbin |
it's safe to keep washing the potentially dirty plate over and over |
| 22:47 |
|
whartung |
yea |
| 22:48 |
|
jsys |
pdurbin: until you run out of soap |
| 22:48 |
|
pdurbin |
eep! |
| 22:52 |
|
whartung |
then you use json... |
| 22:53 |
|
jsys |
"It's ok to use POST" |
| 22:53 |
|
jsys |
I'll just POST, screw it, we're doing it live! |
| 22:53 |
|
whartung |
POST would be the other option |
| 23:05 |
|
jsys |
You know what would be cool. If HTTP was defined so one request could request many resources |
| 23:05 |
|
jsys |
If you think about it, this is kind of a flaw with the spec in the first place. |
| 23:06 |
|
jsys |
Good old N + 1 problem. |
| 23:17 |
|
jsys |
http://cdn.meme.am/instances/500x/60094391.jpg |
| 23:24 |
|
whartung |
sevearl folks have batching things they're using. |
| 23:24 |
|
jsys |
whartung: how do they work - windowing requests? |
| 23:24 |
|
|
fumanchu joined #rest |
| 23:24 |
|
whartung |
basiaclly, just gang them up |
| 23:25 |
|
jsys |
whartung: to gang them up in you need to wait a bit, have a window of gathering messages and then splitting them in batches |
| 23:25 |
|
whartung |
that's an implementation detail |
| 23:25 |
|
jsys |
it will work, but it's just kinda stupid to be having to infer a batch request implicitly |
| 23:25 |
|
jsys |
It's not an implementation detail whartung, when it adds complexity and adds *latency* |
| 23:26 |
|
jsys |
Any windowing algorithm would have a latency of at least the window size |
| 23:26 |
|
jsys |
You also would need HTTP2 to avoid the multi-request/response overhead |
| 23:26 |
|
whartung |
that's only if the windowing is transparent, there's no suggestion that all folks using batching are using it transparently. |
| 23:26 |
|
jsys |
Granted HTTP2 fixes things a bit. |
| 23:27 |
|
jsys |
whartung: not sure what you mean |
| 23:27 |
|
whartung |
you don't need that whoe windowing thing if you're explicitly batching. You simply build up your batch, and you send it. |
| 23:27 |
|
jsys |
what you build it from what |
| 23:27 |
|
whartung |
GET /this; GET /that; GET /other -- GO |
| 23:27 |
|
jsys |
and where are those GETs coming from? |
| 23:28 |
|
whartung |
from the client |
| 23:28 |
|
jsys |
If you're collecting GETs you're not responding to them. Ergo, windowing, ergo, latency |
| 23:29 |
|
* jsys |
will use ergo more frequently going forward |
| 23:29 |
|
whartung |
I think you're adding complexity that isn't necessarily there. |
| 23:29 |
|
jsys |
whartung: when a GET arrives you can choose to respond immediately, or you can choose to wait and respond later in batch. That "later" part means latency |
| 23:29 |
|
jsys |
whartung: so what isn't there |
| 23:30 |
|
whartung |
the CLIENT is making a single request with the entire batch. |
| 23:30 |
|
jsys |
whartung: you can request only one resource at a time with HTTP |
| 23:30 |
|
whartung |
it understands the semantic of what it's asking. It's not making "3 calls", it's making one call |
| 23:30 |
|
whartung |
POST /bathprocessor "GET /this; GET /that; GET /other" |
| 23:30 |
|
whartung |
*batchprocessor |
| 23:31 |
|
whartung |
single request |
| 23:31 |
|
jsys |
whartung: there goes the cache in proxies and the client |
| 23:31 |
|
whartung |
it's a POST, it's likely not cached anyway |
| 23:31 |
|
jsys |
whartung: "don't use POST to fetch a cacheable resource" |
| 23:31 |
|
whartung |
obviously an difficulty when trying to batch requests |
| 23:31 |
|
jsys |
whartung: I'm not saying people shouldn't do it, heck I tunnel everything through post. |
| 23:31 |
|
jsys |
But it's not REST if you do it that way |
| 23:32 |
|
jsys |
Because the proxies see one opaque bundle |
| 23:32 |
|
jsys |
Can't cache anything |
| 23:32 |
|
whartung |
and in REST you're allowed to make requests with opaque bundles that don't cache anything. You just shouldn't. |
| 23:32 |
|
jsys |
whartung: if HTTP actually explicitly supported batching GET it'd be totally different |
| 23:32 |
|
|
shrink0r joined #rest |
| 23:33 |
|
jsys |
whartung: and you can at least give me that one :P Cause you know I'm right |
| 23:33 |
|
jsys |
I suppose they didn't think about it because designing for decades ahead in isolation from the world... is kinda nuts. |
| 23:34 |
|
whartung |
I don't dream of what "If HTTP did…", I work with what I have. |
| 23:34 |
|
jsys |
whartung: that's commendable, and exactly what I do. But we're in a channel called "REST" |
| 23:36 |
|
whartung |
which actually has nothing to do with HTTP, but we won't go there.... |
| 23:37 |
|
jsys |
whartung: don't worry I know where you'd go ;) |
| 23:38 |
|
jsys |
whartung: with some fixes HTTP could be a much better protocol to do REST upon. |
| 23:38 |
|
jsys |
whartung: but it's ironic you can design a protocol better at REST than HTTP is (which REST was derived from) |
| 23:42 |
|
jsys |
whartung: check it out, FTP is better at REST than HTTP is: MGET, MPUT |
| 23:42 |
|
jsys |
Jeez. |
