REST – complex applications

by

The “Filter As Resource” is a perfect tact for this.

You can PUT the filter definition to the filter resource, and it can return the filter ID.

PUT is idempotent, so even if the filter is already there, you just need to detect that you’ve seen the filter before, so you can return the proper ID for the filter.

Then, you can add a filter parameter to your other requests, and they can grab the filter to use for the queries.

GET /medications?filter=1234&page=4&pagesize=20

I would run the raw filters through some sort of canonicalization process, just to have a normalized set, so that, e.g. filter “firstname=Bob lastname=Eubanks” is identical to “lastname=Eubanks firstname=Bob”. That’s just me though.

The only real concern is that, as time goes on, you may need to obsolete some filters. You can simply error out the request should someone make a request with a missing or obsolete filter.

Edit answering question…

Let’s start with the fundamentals.

Simply, you want to specify a filter for use in queries, but these filters are (potentially) involved and complicated. If it was simple /medications/1234, this wouldn’t be a problem.

Effectively, you always need to send the filter to the query. The question is how to represent that filter.

The fundamental issue with things like sessions in REST systems is that they’re typically managed “out of band”. When you, say, go and create a medication, you PUT or POST to the medications resource, and you get a reference back to that medication.

With a session, you would (typically) get back a cookie, or perhaps some other token to represent that session. If your PUT to the medications resource created a session also, then, in truth, your request created two resources: a medication, and a session.

Unfortunately, when you use something like a cookie, and you require that cookie for your request, the resource name is no longer the true representation of the resource. Now it’s the resource name (the URL), and the cookie.

So, if I do a GET on the resource named /medications/search, and the cookie represents a session, and that session happens to have a filter in it, you can see how in effect, that resource name, /medications/search, isn’t really useful at all. I don’t have all of the information I need to make effective use, because of the side effect of the cookie and the session and the filter therein.

Now, you could perhaps rewrite the name: /medications/search?session=ABC123, effectively embedding the cookie in the resource name.

But now you run in to the typical contract of sessions, notably that they’re short lived. So, that named resource is less useful, long term, not useless, just less useful. Right now, this query gives me interesting data. Tomorrow? Probably not. I’ll get some nasty error about the session being gone.

The other problem is that sessions typically are not managed as a resource. For example, they’re usually a side effect, vs explicitly managed via GET/PUT/DELETE. Sessions are also the “garbage heap” of web app state. In this case, we’re just kind of hoping that the session is properly populated with what is needed for this request. We actually don’t really know. Again, it’s a side effect.

Now, let’s turn it on its head a little bit. Let’s use /medications/search?filter=ABC123.

Obviously, casually, this looks identical. We just changed the name from ‘session’ to ‘filter’. But, as discussed, Filters, in this case, ARE a “first class resource”. They need to be created, managed, etc. the same as a medication, a JPEG, or any other resource in your system. This is the key distinction.

Certainly, you could treat “sessions” as a first class resource, creating them, putting stuff in them directly, etc. But you can see how, at least from a clarity point of view, a “first class” session isn’t really a good abstraction for this case. Using a session, its like going to the cleaners and handing over your entire purse or briefcase. “Yea, the ticket is in there somewhere, dig out what you want, give me my clothes”, especially compared to something explicit like a filter.

So, you can see how, at 30,000 feet, there’s not a lot of difference in the case between a filter and a session. But when you zoom in, they’re quite different.

With the filter resource, you can choose to make them a persistent thing forever and ever. You can expire them, you can do whatever you want. Sessions tend to have pre-conceived semantics: short live, duration of the connection, etc. Filters can have any semantics you want. They’re completely separate from what comes with a session.

If I were doing this, how would I work with filters?

I would assume that I really don’t care about the content of a filter. Specifically, I doubt I would ever query for “all filters that search by first name”. At this juncture, it seems like uninteresting information, so I won’t design around it.

Next, I would normalize the filters, like I mentioned above. Make sure that equivalent filters truly are equivalent. You can do this by sorting the expressions, ensuring fieldnames are all uppercase, or whatever.

Then, I would store the filter as an XML or JSON document, whichever is more comfortable/appropriate for the application. I would give each filter a unique key (naturally), but I would also store a hash for the actual document with the filter.

I would do this to be able to quickly find if the filter is already stored. Since I’m normalizing it, I “know” that the XML (say) for logically equivalent filters would be identical. So, when someone goes to PUT, or insert a new filter, I would do a check on the hash to see if it has been stored before. I may well get back more than one (hashes can collide, of course), so I’ll need to check the actual XML payloads to see whether they match.

If the filters match, I return a reference to the existing filter. If not, I’d create a new one and return that.

I also would not allow a filter UPDATE/POST. Since I’m handing out references to these filters, I would make them immutable so the references can remain valid. If I wanted a filter by “role”, say, the “get all expire medications filter”, then I would create a “named filter” resource that associates a name with a filter instance, so that the actual filter data can change but the name remain the same.

Mind, also, that during creation, you’re in a race condition (two requests trying to make the same filter), so you would have to account for that. If your system has a high filter volume, this could be a potential bottleneck.

Hope this clarifies the issue for you.

More Related Contents:

  1. Do sessions really violate RESTfulness?
  2. Can you help me understand this? “Common REST Mistakes: Sessions are irrelevant”
  3. ASP.NET Web API session or something?
  4. How to invalidate session in JSF 2.0?
  5. What’s your favorite cross domain cookie sharing approach? [closed]
  6. Sticky and NON-Sticky sessions
  7. Maintaining Session through Angular.js
  8. How to log users off automatically after a period of inactivity?
  9. Session variable value is getting null in ASP.NET Core
  10. How a server can make a session with a client in RMI
  11. Authentication: JWT usage vs session
  12. How to use cURL to send Cookies?
  13. Check if session exists JSF
  14. What does the crossContext attribute do in Tomcat? Does it enable session sharing?
  15. Why Doesn’t Closing A Tab Delete A Session Cookie?
  16. Get Request and Session Parameters and Attributes from JSF pages
  17. Firebase 3.x – Token / Session Expiration
  18. symfony2 session lifetime
  19. ‘session’ is undefined when using express / redis for session store
  20. Classic ASP: Multiple ASPSESSIONID in cookies
  21. Invalidating client side JWT session
  22. The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and ‘-,’
  23. Using Express and Node, how to maintain a Session across subdomains/hostheaders
  24. What is the best way to manage a user’s session in React?
  25. Spring Framework 3 and session attributes
  26. Laravel: share session data over multiple domains
  27. Difference between session affinity and sticky session?
  28. How to connect with Web Api Spotify (in Java)?
  29. MessageBodyWriter not found for media type=application/json
  30. Best way to support “application/x-www-form-urlencoded” post data with WCF?

Leave a Comment