Return-Path: Delivered-To: apmail-incubator-esme-dev-archive@minotaur.apache.org Received: (qmail 76832 invoked from network); 25 Feb 2009 17:18:10 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 25 Feb 2009 17:18:10 -0000 Received: (qmail 55542 invoked by uid 500); 25 Feb 2009 17:18:10 -0000 Delivered-To: apmail-incubator-esme-dev-archive@incubator.apache.org Received: (qmail 55499 invoked by uid 500); 25 Feb 2009 17:18:10 -0000 Mailing-List: contact esme-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: esme-dev@incubator.apache.org Delivered-To: mailing list esme-dev@incubator.apache.org Received: (qmail 55488 invoked by uid 99); 25 Feb 2009 17:18:10 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Feb 2009 09:18:10 -0800 X-ASF-Spam-Status: No, hits=2.2 required=10.0 tests=HTML_MESSAGE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of esjewett@gmail.com designates 74.125.46.157 as permitted sender) Received: from [74.125.46.157] (HELO yw-out-1718.google.com) (74.125.46.157) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Feb 2009 17:18:02 +0000 Received: by yw-out-1718.google.com with SMTP id 4so88100ywq.0 for ; Wed, 25 Feb 2009 09:17:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type; bh=sgyLGdaOjr1MzbY0HA03IKs+TlDasoG32h7Uow81q2E=; b=FcCdR4papvj+Ig05d59Yjl18L5N7/dXmgzAfTGoPw53QMv7/BH1ZLe6v0lnLPs/Efl pbquQ1OnWvP+21c94KiNg76to+EGrg85ZKF9ReFV3ivEzohK+ekDW64fQuNPuZUmJoou 4Ja0nVrqg2JDAWLDp4yYtRTmbyTYOvShvGVf4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=Wi7IKZeCkzWNNI6VEHFQmWcH/OaqrQ7musOYGRlgtGrmrnOUqbQGx5uxT3ZjeyV6gE a4wSLm09eUyswbC/F35mzdmkzxbr+3VBqX43hefP8eewtW89fCu2Cd+113kMX6wmYbIQ 1dMRSd7gECUv41aBYEmjS20dv530RNEuTiKDE= MIME-Version: 1.0 Received: by 10.231.16.197 with SMTP id p5mr478396iba.51.1235582260985; Wed, 25 Feb 2009 09:17:40 -0800 (PST) In-Reply-To: References: <0015175cb7c2aef2f80463096aa3@google.com> Date: Wed, 25 Feb 2009 09:17:40 -0800 Message-ID: <68f4a0e80902250917i51e73802oc8f892ab88fe23a0@mail.gmail.com> Subject: Re: RESTful ESME API - Design From: Ethan Jewett To: esme-dev@incubator.apache.org Content-Type: multipart/alternative; boundary=00221532c5b4c1be790463c1692e X-Virus-Checked: Checked by ClamAV on apache.org --00221532c5b4c1be790463c1692e Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Hi, I'm in agreement that it is desirable and possible to avoid using HTTP sessions. At one point in the past I suggested using OAuth because it is a standard way to handle session tokens and authorization delegation for API clients. It also provides the benefit of fully specifying how credentials should be provided along with the request and it does not rely on HTTP sessions. I'd still recommend that OAuth be the end-goal for an ESME API authorization scheme. If we get rid of HTTP sessions, we should be able to drop the "sessions" resource from the API entirely. What I don't understand is what affect this might have on long-polling, as I'm not sure how the technical mechanism of long-polling works. Ethan On Wed, Feb 25, 2009 at 7:15 AM, Bertrand Delacretaz wrote: > > > Are these HTTP sessions, or something else? > (I'm not familiar with the current EMSE API, bear with me if this is a > silly question). > > Looking at your suggested API, it seems like minor changes would make > it possible to avoid HTTP sessios altogether, for example: > > PUT /api/messages/USERID > > Using a Content-Type and representation (XML, JSON, whatever) that > describes the message, using parameters similar to what you have > above. And credentials to restrict access, of course. > > With this kind of change, I think you could avoid HTTP sessions, and > make the API more RESTful. > > WDYT? > > -Bertrand > --00221532c5b4c1be790463c1692e--