Monthly Archives: September 2002

Ken Arnold on Distributed Computing

Ken Arnold gives a wonderful interview on distributed computing and the inherrent problems associated with it. Brilliantly done, modulo a slightly confusing answer about state; he seems to also be confusing application and session state, in part at least. I can’t imagine developing a system without object state, since for most systems it’s a requirement that state is held persistently. The most important issue is application/session state; keep it in one place if you can, preferably on the client if you need to scale.

He also misses what I believe to be the principle difference between computing at Internet-scale versus the smaller-scale. Then again, a lot of people miss this. Awesome interview though.

REST Compared

I gave a presentation to the Web Services Architecture WG last week. It focuses on comparing REST with other “distributed object” styles, specifically tuple spaces, OO RPC, and email.

The pushback I got on it at the meeting was “But REST is for humans!” (wrong). The question I posed at the end never got answered, but is crying out for one I’d say;

What about a uniform interface makes it unsuitable for machine processing?

"Application State"

Paul Prescod responds to Adam Bosworth’s “One Fell Swoop” article. Right on again. But there was something else in there that I felt needed some clarification; application state.

Adam writes;

[…]Thinking of the Web servers as “objects” is an extremely bad idea. Objects are repositories of state. Conversations with them are by definition not stateless.[…]

There, Adam appears to confuse object state and application state. The former, object state, refers to the state held by the object, in the “behaviour, state, identity” sense of the word. For example, the state of the current weather in Ottawa is 11 degrees C.

“Application state” refers to the progression of the system during the execution of the application, more commonly (and less confusingly, IMO) referred to as “session state”. In the weather example, “session state” is held entirely by the client as the weather service need not remember anything about my invocation in order to serve it the next time (though that’s obviously a weak example). Any stateless interaction means that application state is maintained by the initiator of that interaction. Any stateful interaction means that application state is, at least in part, maintained by the recipient; this can range from part initiator, part recipient with HTTP+cookies, or full-recipient state in a remote session architecture like VNC.

SOAP SMTP binding security

Just noticed Simon’s reference to his SOAP SMTP binding spec. Section 6, “Security Considerations” says “This should introduce no new security considerations.”. Bzzt! 8-)

Consider that by requiring the SOAP response in a new email, rather than using the SMTP response as the response, you’re requiring that any deployed implementation of software conforming to this specification, include an automated responder where none was previously. That is, what was once a safe “input only” protocol (SMTP), has been turned into a request/response protocol. There’s oodles of new security considerations to consider because of that.

Odd views by Web services proponents

So while at the Web Services Architecture WG face-to-face, I was chatting with an unnamed attendee about the eventual “Judgement Day” for Web services; the day when the TAG, and/or TimBL will decide whether or not Web services have anything to do with the Web. This person, who is very likable and definitely well respected in the Web services space, said that if Web services get kicked out of the W3C, their company would leave the W3C.

Hello?! Wouldn’t you think that a more reasonable response would be something like “Well, I suppose we’d have to navel gaze for a while and understand what this means. I mean, the Web is a good thing, right? And if we’re doing things that don’t respect or reuse the principles that made it work so well, we should fix that I think.” Wishful thinking, I know. Sigh.

Sam responds

Sam responds

For those who want to understand the issue Mark has with SOAP, he objects to the string “doGoogleSearch” in this example. FWIW, I don’t see how this is any different, architecturally, than hidden controls in HTML.

It isn’t any different than hidden controls, but I wouldn’t use hidden controls either. I’d just POST the data “q=foo” to whatever URI the POST form told me too. No need to understand what “doGoogleSearch” means, because the context in which the POST operation is to be interpreted by the server, is provided entirely by the URI to which I’m POSTing.

Sam asks

Sam asks

Now it turns out that the Google API has a limit of a 1,000 queries per day. This means that the 1,001st query will not have the same result as the 1,000th query. The query itself has a (GASP!) side effect. It is most decidedly not idempotent. So what do you do? Call back the Hobbits and recode to use POST, or do you make the pragmatic decision to slightly bend the rules a bit?

Well, first of all, that part of 2116 that you referred to earlier in your blog (presumably you meant 9.1.1 not 9.1.2) says “SHOULD NOT”, not “MUST NOT”. The reason this is so, is because unsafe GETs won’t break the Web; web page counters demonstrated that. What will break the Web is if people who click on a URI get blamed for causing the side-effect, as 9.1.1 points out when it says “The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.”. Also, it’s not a fundamental axiom, in the same way that a uniform interface is – it’s derivate (though lots of other important principles are too).

But with that said, your example is an excellent one, because clearly a counter such as the one you describe would be “blaming” the user for bumping it up by one. So IMO, no, this service should not use GET, at least for those queries. It should be bootstrapped with GET though, so that you GET the HTML form, but the form results should be POSTed back.

Also, in case you were going to suggest that this somehow makes the Google API “ok” because it uses POST, it should be noted that it doesn’t use POST, it tunnels through it. A client needs to know more than just the URI, the form structure, and the POST method. It needs to know what the string “doGoogleSearch” means.

And as for RSS, I welcome any suggestions for a blogging tool/service that provides free RSS feeds and lets me edit from a browser (something that Dave Winer seems dead set against providing – or at least he was in the past).