The more I learn about Zope, the more I like. Mostly.
I’ve always had a keen interest in software composition, and so
was particularly impressed with Zope’s notion of
“acquisition”,
which is just composition by aggregation. What’s really novel here is not that, which has
been done before,
many times, but the binding of
the URI hierarchy to containment relationships. Kudos for that.
One of the very few criticisms I have about Zope though is the use of
“URL Traversal”,
to locate scripts named in a URI. I added some comments to that page (itself,
a nifty feature!), as you can see there;
I was thoroughly impressed with most of what I’d seen in Zope, but not so much with this feature. Perhaps
it’s convenient, but it’s also quite dangerous in general I think. The examples of “feed” and “wash” are
called “unsafe” methods in Web architecture terms (http://www.w3.org/TR/webarch/); that is, they change the
state of the object. Therefore, they shouldn’t be invoked with GET, as Googlebot might come along and
accidentally feed your hippos. If you want to change the hippo directly to the fed state, use PUT with a
document which represents the state of that fed hippo. If you just want to give him food (that he may or may
not choose to eat), use POST with a description of the food.
I also wonder if the same misunderstanding about GET vs. POST was responsible
for some problems I noticed with
object publishing.
For example, both GET and POST end up invoking the “index_html” method (eek, a horrid name) of
an object (basically the equivalent of doGet() for you servlet fans). It’s odd that the object
model defines ambiguous dispatch behaviour for GET/POST, yet defines proper dispatch behaviour for
PUT, HEAD, and the WebDAV extensions. Perhaps a legacy mistake that’s too costly to fix? Dunno.
But the more I read the publishing section, the more it seems that Zope has a bit of a split
personality in supporting both the Web and RPC models.
Hopefully that doesn’t get in the way of what I want to do with it.
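An added example, not from the original post and not Zope's own code: a simplified model of the traversal-style dispatch criticised above, beside a dispatcher in which the HTTP method selects the behaviour, covering both the feed-by-GET problem and the GET/POST ambiguity. The Hippo class, the function names and the status codes are assumptions made for illustration.

```python
import json

class Hippo:
    """Constructed stand-in for a published object; not a Zope class."""
    def __init__(self):
        self.fed = False
        self.trough = []

    def feed(self):
        self.fed = True

    def state(self):
        return {"fed": self.fed, "trough": list(self.trough)}

def traversal_dispatch(obj, verb, path, body=None):
    """Simplified model of the criticised pattern: the last path segment
    names a method, which is called whatever the HTTP verb is."""
    name = path.strip("/").split("/")[-1]
    target = getattr(obj, name, None)
    if callable(target) and not name.startswith("_"):
        target()                      # GET /hippo/feed changes state here
    return 200, obj.state()

def method_dispatch(obj, verb, path, body=None):
    """The verb selects the behaviour; the path only identifies the hippo."""
    if path.strip("/") != "hippo":
        return 404, None              # /hippo/feed names no resource
    if verb in ("GET", "HEAD"):
        return 200, obj.state()       # safe: read-only
    if verb == "PUT":                 # set the state to the representation sent
        obj.fed = bool(json.loads(body)["fed"])
        return 200, obj.state()
    if verb == "POST":                # offer food; the hippo may not eat it
        obj.trough.append(json.loads(body)["food"])
        return 200, obj.state()
    return 405, None                  # any other verb is refused

def crawl(dispatch):
    """Simulate a crawler that only issues GET against URLs it has seen."""
    hippo = Hippo()
    for url in ("/hippo", "/hippo/feed"):
        dispatch(hippo, "GET", url)
    return hippo.fed

if __name__ == "__main__":
    print("traversal dispatch, hippo fed by crawler:", crawl(traversal_dispatch))
    print("method dispatch, hippo fed by crawler:", crawl(method_dispatch))
```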
Today the WS-I announced
a bunch of
implementations of a sample application
they’d specced out. Seems like a good idea.
I downloaded a couple of them, and was very pleased to see a series
of URIs that appeared as though they were identifying domain objects;
http://localhost:8080/wsi/scm/logging
http://localhost:8080/wsi/scm/retailer
http://localhost:8080/wsi/scm/warehousea
http://localhost:8080/wsi/scm/warehouseb
http://localhost:8080/wsi/scm/warehousec
http://localhost:8080/wsi/scm/manufacturera
http://localhost:8080/wsi/scm/manufacturerb
http://localhost:8080/wsi/scm/manufacturerc
For a moment there, I thought my days of REST promotion were over and that
secretly and collectively, WS-I members had “got it”. But alas, that wasn’t the
case. Though you can invoke GET on the URIs, all they return – at
least in the case of BEA’s WarehouseA URI –
is an HTML description of the object, including exposed operations and sample code.
Bowstreet’s URI
returns a SOAP fault, Sun’s
returns an HTML page describing the state of the SOAP services,
IBM’s returns a
prophetic HTML page, and Microsoft’s
returns an indication that GET isn’t supported at all. Ditto for Oracle.
So why wasn’t the returned document a description of the state of the
warehouse, including inventory information? Once you’ve got the URI for a
domain object (kudos on that, at least), why not serialize the state of that
domain object as a response to GET requests?
When you double-click an application[…]
Isn’t that cute? It’s so 1988. Of course, any self-respecting application
developer today single-clicks theirs. 8-)
Thanks Roy.
That’s really good to see. Roy’s far more articulate than I am on these matters, and I’d say that he
picked the right guy to come out of the woodwork for too. My favourite bit;
I don’t buy the argument that programmers benefit from a Web Services toolkit. Such things do not build applications — at most they automate the production of security holes.
8-)
I found this in my aggregator, but it’s not on his site any longer;
Adam Bosworth admits he doesn’t get REST. I like that. It takes courage. The REST advocates promote by intimidation. A clear sign they don’t want you looking too closely. Now Bosworth is going to do exactly that. Bravo.
Apparently I intimidate Dave so much that he’s unable to dig deeply into the issues
himself! I rule. Golly.
I am jazzed about Adam’s latest weblog entry
though. I’ve always expected that he’d be one of the first big Web services proponents to really get
the Web, since he’s such a bright guy. I’ll respond when I get a minute.
I’ve just been getting into Zope, and was reading
The Zope Book
when I stumbled upon this;
The technology that would become Zope was founded on the realization that the Web is fundamentally object-oriented. A URL to a Web resource is really just a path to an object in a set of containers, and the HTTP protocol provides a way to send messages to that object and receive its response.
I would have phrased the last part of the last sentence differently – perhaps “provides a way to request the state of the object, and to process the serialized state of objects” – but yah, close enough.
Identity; check.
State; check.
Behaviour; check.
Encapsulation; check.
Data hiding; nope, but I personally never considered data hiding axiomatic of OO-ness.
Sean points,
indirectly via Jorgen,
to an effort out of Microsoft Research (CRL) called
Project Samoa,
which provides tools for verifying the security of Web services.
Cool stuff, but you realize that you’d have to apply this to every single
application interface out there? Ouch.
Yet another example of a benefit of using a single application interface.