Monthly Archives: December 2003

More Zope notes

Leave a reply

The more I learn about Zope, the more I like. Mostly.

I’ve always had a keen interest in software composition, and so was particulary impressed with Zope’s notion of “acquisition”, which is just composition by aggregation. What’s really novel here is not that, which has been done before, many times, but the binding of the URI hierarchy to containment relationships. Kudos for that.

One of the very few criticisms I have about Zope though is the use of “URL Traversal”, to locate scripts named in a URI. I added some comments to that page (itself, a nifty feature!), as you can see there;

I was thoroughly impressed with most of what I’d seen in Zope, but not so much with this feature. Perhaps it’s convenient, but it’s also quite dangerous in general I think. The examples of “feed” and “wash” are are called “unsafe” methods in Web architecture terms (http://www.w3.org/TR/webarch/); that is, they change the state of the object. Therefore they, shouldn’t be invoked with GET, as Googlebot might come along and accidentally feed your hippos. If you want to change the hippo directly to the fed state, use PUT with a document which represents the state of that fed hippo. If you just want to give him food (that he may or may not choose to eat), use POST with a description of the food.

I also wonder if the same misunderstanding about GET vs. POST was responsible for some problems I noticed with object publishing. For example, both GET and POST end up invoking the “index_html” method (eek, a horrid name) of an object (basically the equivalent of doGet() for you servlet fans). It’s odd that the object model define ambiguous dispatch behaviour for GET/POST, yet define proper dispatch behaviour for PUT, HEAD, and the WebDAV extensions. Perhaps a legacy mistake that’s too costly to fix? Dunno. But the more I read the publishing section, the more it seems that Zope has a bit of split personality in supporting both the Web and RPC models.

Hopefully that doesn’t get in the way of what I want to do with it.

WS-I and URIs

Leave a reply

Today the WS-I announced a bunch of implementations of a sample application they’d speced out. Seems like a good idea.

I downloaded a couple of them, and was very pleased to see a series of URIs that appeared as though they were identifying domain objects;

http://localhost:8080/wsi/scm/logging
http://localhost:8080/wsi/scm/retailer
http://localhost:8080/wsi/scm/warehousea
http://localhost:8080/wsi/scm/warehouseb
http://localhost:8080/wsi/scm/warehousec
http://localhost:8080/wsi/scm/manufacturera
http://localhost:8080/wsi/scm/manufacturerb
http://localhost:8080/wsi/scm/manufacturerc

For a moment there, I thought my days of REST promotion were over and that secretly and collectively, WS-I members had “got it”. But alas, that wasn’t the case. Though you can invoke GET on the URIs, all they return – at least in the case of BEA’s WarehouseA URI is an HTML description of the object, include exposed operations and sample code. Bowstreet’s URI returns a SOAP fault, Sun’s returns an HTML page describing the state of the SOAP services, IBM’s returns a prophetic HTML page, and Microsoft’s returns an indication that GET isn’t supported at all. Ditto for Oracle.

So why wasn’t the returned document a description of the state of the warehouse, including inventory information? Once you’ve got the URI for a domain object (kudos on that, at least), why not serialize the state of that domain object as a response to GET requests?

What I’m working on

Leave a reply

I can finally give a bit of a glimpse into what I’ve been working on the past few months. It’s just a small piece of the big picture, but a really interesting part of it. Nanometrics has just announced Taurus(PDF), a portable seismograph. It’s Java/Linux/Web/Semantic-Web all the way. Definitely the coolest device I’ve ever worked on.

Roy Fielding pays Adam Bosworth a visit

Leave a reply

Thanks Roy. That’s really good to see. Roy’s far more articulate than I am on these matters, and I’d say that he picked the right guy to come out of the woodwork for too. My favourite bit;

I don’t buy the argument that programmers benefit from a Web Services toolkit. Such things do not build applications — at most they automate the production of security holes.

8-)

Winer blames me for his inability to understand REST

Leave a reply

I found this in in my aggregator, but it’s not on his site any longer;

Adam Bosworth admits he doesn’t get REST. I like that. It takes courage. The REST advocates promote by intimidation. A clear sign they don’t want you looking too closely. Now Bosworth is going to do exactly that. Bravo.

Apparently I intimidate Dave so much that he’s unable to dig deeply into the issues himself! I rule. Golly.

I am jazzed about Adam’s latest weblog entry though. I’ve always expected that he’d be one of the first big Web services proponents to really get the Web, since he’s such a bright guy. I’ll respond when I get a minute.

The Zope view on the Web & objects

Leave a reply

I’ve just been getting into Zope, and was reading The Zope Book when I stumbled upon this;

The technology that would become Zope was founded on the realization that the Web is fundamentally object-oriented. A URL to a Web resource is really just a path to an object in a set of containers, and the HTTP protocol provides a way to send messages to that object and receive its response.

I would have phrased the last part of the last sentence differently – perhaps “provides a way to request the state of the object, and to process the serialized state of objects” – but yah, close enough.

Identity; check.

State; check.

Behaviour; check.

Encapsulation; check.

Data hiding; nope, but I personally never considered data hiding axiomatic of OO-ness.

Securing protocols

Leave a reply

Sean points, indirectly via Jorgen to an effort out of Microsoft Research (CRL) called Project Samoa, which provides tools for verifying the security of Web services.

Cool stuff, but you realize that you’d have to apply this to every single application interface out there? Ouch.

Yet another example of a benefit of using a single application interface.