This morning I created a Web service for the identity management application that I have talked about a few times. We’re rolling out a new application and it needs to authenticate against our centralized user database. After a discussion with the developers who are working on the new application, we came up with a very basic spec for this single API call.
You submit a username, password, and application key (which is used to identify and authorize the calling application) via HTTP POST. If the credentials or the application key are invalid, the application returns an HTTP status code of 401 (unauthorized). If the credentials are valid, it returns 200 (success) and an XML document containing the details of the user’s profile.
This is how I’ve been writing Web services for the past couple of years, with the exception of taking advantage of HTTP status codes; that’s something new for me. I would have always said that I was writing REST Web services or at least REST-style Web services, but given recent debate, I’m no longer sure if I’m allowed to say that. It’s REST to me, but perhaps not to thee. I am certain that it works, and that it’s really easy to program against.
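A sketch of the server side of the call specified above, written as an added example and not the code of the application described in this post. The form field names (`username`, `password`, `app_key`), the user store, the PBKDF2 password hashing and the 405 reply to non-POST requests are assumptions; the 401/200 behaviour and the XML profile follow the spec.

```python
import hashlib
import hmac
from urllib.parse import parse_qs
from xml.etree import ElementTree as ET

# Constructed sample data; a real service would read these from its user database.
APP_KEYS = {"k-demo-app-1"}
_SALT = b"constructed-salt"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT),
                   "profile": {"name": "Alice <Admin>", "email": "alice@example.org"}}}
_DUMMY = {"salt": _SALT, "hash": _hash("dummy", _SALT)}  # used for unknown usernames

def handle_auth(method: str, body: str):
    """Return (status, xml_or_empty) for one form-encoded request body."""
    if method != "POST":
        return 405, ""  # assumption: the spec only defines the POST case
    form = parse_qs(body)
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    app_key = form.get("app_key", [""])[0]
    # Each key comparison is constant-time, so a near-miss key is not faster to reject.
    key_ok = any(hmac.compare_digest(app_key.encode(), k.encode()) for k in APP_KEYS)
    # Hash the password even for unknown users so response time does not
    # reveal which usernames exist.
    user = USERS.get(username)
    rec = user or _DUMMY
    pw_ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    if not (key_ok and user is not None and pw_ok):
        # One indistinguishable 401 for bad key, unknown user and bad password.
        return 401, ""
    # ElementTree escapes profile values, so stored text cannot break the XML.
    root = ET.Element("user", {"username": username})
    for field, value in user["profile"].items():
        ET.SubElement(root, field).text = value
    return 200, ET.tostring(root, encoding="unicode")
```

Because the credentials travel in the POST body, the endpoint belongs behind TLS only.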