MikeF
May 3, 2012, 7:43:33 PM
to Mach-II for CFML
Hey MachII-ers,
Question about REST API design in general, which I'm taking my first
crack at (the Mach-II REST endpoint stuff is great btw).
How are folks handling the decisions of which portions of their REST
api are exposed to different clients?
For example we might make available a resource such as:
GET /products
Client A should have access to products 1, 2 & 3 while Client B should
have access to products 4, 5 & 6
I'm thinking of filtering the call at the time it hits the endpoint to
ensure that an optional clientID is passed to the service and then
having the service return the appropriate collection. However there
may be a use case where internally we make a call which should permit
all products to be returned. Logically we would create a client ID for
the internal org. which would permit this.
Also, we may want to permit Client A access to GET, POST, PUT /product
but Client B only GET?
Which leads to the idea of REST authentication, which I'm not finding
so straightforward. I'm leaning towards wrapping client requests in
SSL along with server-side caching to avoid having clients build
complicated headers à la OAuth, Digest etc. Once a client is
authenticated, perhaps there could be some way to use the clientID for
filtering?
Anyway, looking for ideas.
cheers,
Mike F
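One way to put the two decisions Mike raises (which rows a client sees, and which methods it may use) into a single server-side check. This is an added example, not code from the original post or from Mach-II; the product table, the policy table, the session tokens and the `handle` dispatcher are all hypothetical stand-ins, and the session table plays the part of the "authenticate over SSL, then cache server-side" step. The point it shows is that the client ID is resolved from the authenticated session and never read from a request parameter, so a `?clientID=` sent by the caller has no effect, and that a row outside the caller's view is answered exactly like a row that does not exist.

```python
"""Per-client authorization for a REST /products resource.

Added example, not from the original post or from Mach-II. PRODUCTS, POLICIES,
SESSIONS and handle() are hypothetical stand-ins for a real data layer,
policy store, session cache and endpoint.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data. Each row records the client that owns it, so
# row-level access is decided from the data plus the caller's identity,
# never from a clientID the caller chose to send.
PRODUCTS = {
    1: {"id": 1, "name": "bolt",   "owner": "client-a"},
    2: {"id": 2, "name": "nut",    "owner": "client-a"},
    3: {"id": 3, "name": "washer", "owner": "client-a"},
    4: {"id": 4, "name": "gear",   "owner": "client-b"},
    5: {"id": 5, "name": "shaft",  "owner": "client-b"},
    6: {"id": 6, "name": "belt",   "owner": "client-b"},
}


@dataclass(frozen=True)
class Policy:
    methods: frozenset       # HTTP methods this client may use on /products
    all_rows: bool = False   # True only for the internal organisation


POLICIES = {
    "client-a": Policy(frozenset({"GET", "POST", "PUT"})),
    "client-b": Policy(frozenset({"GET"})),
    "internal": Policy(frozenset({"GET", "POST", "PUT", "DELETE"}), all_rows=True),
}

# Constructed stand-in for "authenticate over SSL, then cache server-side":
# an opaque session token issued after login maps to a client id on the server.
SESSIONS = {"tok-a": "client-a", "tok-b": "client-b", "tok-internal": "internal"}


def client_from_token(token):
    """Resolve the caller's identity from its session token, or None."""
    return SESSIONS.get(token)


def can_see(client_id, product):
    """Row-level rule: internal sees everything, others only their own rows."""
    return POLICIES[client_id].all_rows or product["owner"] == client_id


def handle(method, url, token=None, body=None):
    """Dispatch /products and /products/{id}; return (status, payload).

    Both checks happen here on the server, before any data is touched.
    """
    client_id = client_from_token(token)
    if client_id is None:
        return 401, {"error": "authentication required"}
    if method not in POLICIES[client_id].methods:
        # Method-level policy first: Client B cannot PUT anything at all.
        return 403, {"error": f"{method} not permitted for {client_id}"}

    # The query string (e.g. ?clientID=internal) is deliberately ignored.
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if not segments or segments[0] != "products":
        return 404, {"error": "no such resource"}

    if len(segments) == 1:                       # collection: /products
        if method == "GET":
            rows = [p for p in PRODUCTS.values() if can_see(client_id, p)]
            return 200, {"products": [p["id"] for p in rows]}
        if method == "POST":
            if not body or "name" not in body:
                return 400, {"error": "name required"}
            new_id = max(PRODUCTS) + 1
            # Ownership comes from the authenticated identity, not the body.
            PRODUCTS[new_id] = {"id": new_id, "name": body["name"], "owner": client_id}
            return 201, {"id": new_id}
        return 405, {"error": "method not allowed on collection"}

    if len(segments) == 2 and segments[1].isdigit():   # item: /products/{id}
        product = PRODUCTS.get(int(segments[1]))
        # A row outside the caller's view is reported exactly like a missing
        # row, so Client A cannot probe for Client B's ids.
        if product is None or not can_see(client_id, product):
            return 404, {"error": "no such product"}
        if method == "GET":
            return 200, product
        if method == "PUT":
            if not body or "name" not in body:
                return 400, {"error": "name required"}
            product["name"] = body["name"]
            return 200, product
        if method == "DELETE":
            del PRODUCTS[product["id"]]
            return 204, None
    return 404, {"error": "no such resource"}
```

The "internal org" case is just a policy entry with `all_rows=True`; it does not need a magic client ID that clients could pass in. Ordering matters: the method check runs before the path is even parsed, and the row check collapses "forbidden" and "missing" into one 404 so that the item endpoint does not leak which IDs exist.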