Hey MachII-ers, Question about REST api design in general, which I'm taking my first crack at (the machii REST endpoint stuff is great btw).
How are folks handling the decisions of which portions of their REST api are exposed to different clients? For example we might make available a resource such as:

GET /products

Client A should have access to products 1, 2 & 3 while Client B should have access to products 4, 5 & 6.

I'm thinking of filtering the call at the time it hits the endpoint to ensure that an optional clientID is passed to the service and then having the service return the appropriate collection. However there may be a use case where internally we make a call which should permit all products to be returned. Logically we would create a client ID for the internal org. which would permit this.

Also, we may want to permit Client A access to GET, POST, PUT /product but Client B only GET? Which leads to the idea of REST authentication, which I'm not finding so straightforward. Am leaning towards wrapping client requests in SSL along with server side caching to avoid having clients build complicated headers à la OAuth, Digest etc. Once a client is authenticated, perhaps there could be some way to use the clientID for filtering?

Anyway, looking for ideas.

cheers,
Mike F

--
To post to this group, send email to [email protected]
For more options and to unsubscribe, visit this group at http://groups.google.com/group/mach-ii-for-coldfusion?hl=en
SVN: http://svn.mach-ii.com/machii/
Wiki / Documentation / Tickets: http://trac.mach-ii.com/machii/
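One way to structure the client-scoped filtering and per-method permissions the post asks about, as an added example in Python (not Mach-II code and not from the original post). The client ids, product catalogue and grant table are constructed for the example; the point it shows is that every decision (is the client known, may it use this method, may it touch this product) is made once at the endpoint before the service runs, and that a missing clientID is a denial rather than a fall-through to "all products". The internal caller gets an explicit all-products grant instead of a special-cased id.

```python
"""Client-scoped authorization for a REST resource (added example).

Constructed data: the product ids, names and client grants below are made up.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Optional, Tuple

# Constructed sample catalogue.
PRODUCTS: Dict[int, str] = {1: "alpha", 2: "bravo", 3: "charlie",
                            4: "delta", 5: "echo", 6: "foxtrot"}

ALL = None  # sentinel: the grant covers every product (internal scope)


@dataclass(frozen=True)
class Grant:
    methods: FrozenSet[str]                 # HTTP methods allowed on /products
    product_ids: Optional[FrozenSet[int]]   # ALL, or the ids this client may see


# Constructed grant table: Client A, Client B and an explicit internal scope.
GRANTS: Dict[str, Grant] = {
    "client-a": Grant(frozenset({"GET", "POST", "PUT"}), frozenset({1, 2, 3})),
    "client-b": Grant(frozenset({"GET"}), frozenset({4, 5, 6})),
    "internal": Grant(frozenset({"GET", "POST", "PUT", "DELETE"}), ALL),
}


def authorize(client_id: Optional[str], method: str,
              product_id: Optional[int]) -> Tuple[int, str]:
    """Return (http_status, reason); 200 means the request may proceed."""
    grant = GRANTS.get(client_id or "")
    if grant is None:
        # An absent or unknown clientID is rejected, never treated as "no filter".
        return 401, "unknown or missing client"
    if method not in grant.methods:
        return 403, f"{method} not permitted for {client_id}"
    if product_id is not None:
        in_scope = grant.product_ids is ALL or product_id in grant.product_ids
        if not in_scope or product_id not in PRODUCTS:
            # Same answer for out-of-scope and nonexistent ids, so a client
            # cannot probe for ids that belong to another client.
            return 404, "no such product"
    return 200, "ok"


def list_products(client_id: str) -> Dict[int, str]:
    """GET /products, already filtered to the caller's scope."""
    grant = GRANTS[client_id]
    if grant.product_ids is ALL:
        return dict(PRODUCTS)
    return {pid: name for pid, name in PRODUCTS.items() if pid in grant.product_ids}


def handle(client_id: Optional[str], method: str, product_id: Optional[int] = None,
           body: Optional[Dict[str, Any]] = None) -> Tuple[int, Dict[Any, Any]]:
    """Endpoint entry point: authorize first, then dispatch to the service."""
    status, reason = authorize(client_id, method, product_id)
    if status != 200:
        return status, {"error": reason}
    assert client_id is not None  # authorize() guarantees a known client here
    if method == "GET" and product_id is None:
        return 200, list_products(client_id)
    if method == "GET":
        return 200, {product_id: PRODUCTS[product_id]}
    if method == "PUT":
        PRODUCTS[product_id] = (body or {}).get("name", PRODUCTS[product_id])
        return 200, {product_id: PRODUCTS[product_id]}
    return 501, {"error": f"{method} not implemented in this example"}


if __name__ == "__main__":
    print(handle("client-a", "GET"))          # only products 1, 2, 3
    print(handle("client-b", "PUT", 4, {"name": "x"}))  # 403: GET only
    print(handle("client-a", "GET", 4))       # 404: not in scope
    print(handle(None, "GET"))                # 401: no client
```

The service-layer functions (`list_products` and the PUT branch) never look at who is calling; the scope has already been applied. If the grant table were instead consulted inside each service method, an internal call that forgot to pass a client would silently return everything, which is exactly the failure the optional-clientID design risks.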
