REST – Do Server-Side Sessions Violate REST Principles?

rest

According to Roy Fielding (one of the principle authors of the HTTP specification) in his seminal thesis Architectural Styles when discussing REST, he mentions:

[E]ach request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server.

By "stored context" he's referring to application state e.g. what the page number for the next page is vs. resource state e.g. any data store, image etc. – which is arguably the whole point of REST.

Is it fair to say that most attempts at pure rest (hereby defined as an implementation that conforms to the above thesis) must fail due to their reliance on storing session data on the server (persistent or otherwise)?

The concept of a session is common – in particular to Web developers – but is it RESTful according to the above definition?

Best Answer

I would say yes, session state does make a RESTful app non-RESTful. Trivial example, my sister subscribes to the Wall Street Journal. On a regular basis she will be reading something behind the paywall and decide to send a link (via her own email client, not via WSJ) to a friend who does not have a WSJ account. Click, send, fail. Clearly my sister's experience at that URL is different from her friend's.

Related, but not strictly on-topic: I am in the early design phase of a application designed to support significant research efforts on the net (called quests (think: bookmarks on steroids and LSD)) . The owner of the quest wants to share a particular view of his/her data with someone else, but this view requires a combination of UI state (e.g. which visualizations of what data are showing in which panes) along with appropriate permissions to access the UI and the data displayed. There's a lot of stored-state required for the recipient to get the intended view.

My current solution is to store all of the UI/ACL/whatever info necessary for the view in a separate object and return the URL (probably a UUID) for that object. I believe that accessing the view object could be considered RESTful in the sense that everyone in possession of it gets the same info/experience.

Related Solutions

Handling Resource Identifiers in REST API Clients

Edited to address question updates, previous answer removed

Looking over your changes to your question I think I understand the problem you are facing a bit more. As there is no field that is an identifier on your resources (just a link) you have no way to refer to that specific resource within your GUI (i.e. a link to a page describing a specific pet).

The first thing to determine is if a pet ever makes sense without an owner. If we can have a pet without any owner then I would say we need some sort of unique property on the pet that we can use to refer to it. I do not believe this would violate not exposing the ID directly as the actual resource ID would still be tucked away in a link that the REST client wouldn't parse. With that in mind our pet resource may look like:

<Entity type="Pet">
    <Link rel="self" href="http://example.com/pets/1" />
    <Link rel="owner" href="http://example.com/people/1" />
    <UniqueName>Spot</UniqueName>
</Entity>

We can now update the name of that pet from Spot to Fido without having to mess with any actually resource IDs throughout the application. Likewise we can refer to that pet in our GUI with something like:

http://example.com/GUI/pets/Spot

If the pet does not make any sense without an owner (or pets are not allowed in the system without an owner) then we can use the owner as part of the "identity" of the pet in the system:

http://example.com/GUI/owners/John/pets/1 (first pet in the list for John)

One small note, if both Pets and People can exist separate of each-other I would not make the entry point for the API the "People" resource. Instead I would create a more generic resource that would contain a link to People and Pets. It could return a resource that looks like:

<Entity type="ResourceList">
    <Link rel="people" href="http://example.com/api/people" />
    <Link rel="pets" href="http://example.com/api/pets" />
</Entity>

So by only knowing the first entry point into the API and not processing any of the URLs to figure out system identifiers we can do something like this:

User logs into the application. The REST client accesses the entire list of people resources available which may look like:

<Entity type="Person">
    <Link rel="self" href="http://example.com/api/people/1" />
    <Pets>
        <Link rel="pet" href="http://example.com/api/pets/1" />
        <Link rel="pet" href="http://example.com/api/pets/2" />
    </Pets>
    <UniqueName>John</UniqueName>
</Entity>
<Entity type="Person">
    <Link rel="self" href="http://example.com/api/people/2" />
    <Pets>
        <Link rel="pet" href="http://example.com/api/pets/3" />
    </Pets>
    <UniqueName>Jane</UniqueName>
</Entity>

The GUI would loop through each resource and print out a list item for each person using the UniqueName as the "id":

<a href="http://example.com/gui/people/1">John</a>
<a href="http://example.com/gui/people/2">Jane</a>

While doing this it could also process each link that it finds with a rel of "pet" and get the pet resource such as:

<Entity type="Pet">
    <Link rel="self" href="http://example.com/api/pets/1" />
    <Link rel="owner" href="http://example.com/api/people/1" />
    <UniqueName>Spot</UniqueName>
</Entity>

Using this it can print a link such as:

<!-- Assumes that a pet can exist without an owner -->
<a href="http://example.com/gui/pets/Spot">Spot</a>

<!-- Assumes that a pet MUST have an owner -->
<a href="http://example.com/gui/people/John/pets/Spot">Spot</a>

If we go with the first link and assume that our entry resource has a link with a relation of "pets" the control flow would go something like this in the GUI:

Page is opened and the pet Spot is requested.
Load the list of resources from the API entry point.
Load the resource that is related with the term "pets".
Look through each resource from the "pets" response and find one that matches Spot.
Display the information for spot.

Using the second link would be a similar chain of events with the exception being that People is the entry point to the API and we would first get a list of all people in the system, find the one that matches, then find all pets that belong to that person (using the rel tag again) and find the one that is named Spot so we can display the specific information related to it.

REST is not appropriate for business applications because of necessary to distribute business logic accross layers. REST alternative required!

There is a gross misconception somewhere. I think it is near this idea.

In Spring+JSF application all the business logic was encoded in special layer - Spring entities and services. In Spring+REST+AngluarJS this should be different. I don't want to rewrite (move) business logic from Spring/Java to AngularJS/JavasScript but obviously I am required to

No, that isn't obvious at all. Why would the implementation details of your application state require you to rewrite your domain model? Those are completely orthogonal concerns.

REST architecture requires that session and business objects are stored in client (Browser JavaScript objects).

Not at all. REST architecture calls for sending representations of application state to the client.

Put very simply, the client and the server are just sending messages back and forth, so that the client can successfully navigate the application protocol. The side effects that the application protocol has on the domain model are limited to the server.

Review Jim Webber's How to GET a cup of coffee.

Best Answer

Related Solutions

Handling Resource Identifiers in REST API Clients

REST is not appropriate for business applications because of necessary to distribute business logic accross layers. REST alternative required!

Related Topic