users@jersey.java.net

Re: [Jersey] Doubt about URL validation

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Thu, 05 Nov 2009 10:05:07 +0100

On Nov 5, 2009, at 9:12 AM, Jordi Domingo wrote:

> I didnt explained it well.
>
> There's authentication and authorization, but authorization is done
> by client id.
>
> Yes, diferent clients have diferent sets of buildings.
>
> The problem is that an url with clients/2 may contain a buildings/
> 30 that belongs to another client. The server should make a 404
> reponse to clients/2/buildings/30 because it doesnt exist and should
> be clients/1/buildings/30.
>

I guess it depends if building IDs are scoped to the client ID or are
global and clients can share sets of buildings.

If the former then a 404 is appropriate.

If the latter (and assuming the client has authenticated) then a 403
could be returned, but a 404 is also acceptable. It all depends on
what information the server wants to make available to the client.


> I know this is not a Jersey issue, I'm just asking wich way you
> think would be better to implement this king of url validation.
>

The Yahoo group rest-discuss is a great place to ask such questions.

Paul.