
Interview: Pete Lacey on REST and Web Services

Pete Lacey is a well-known critic of the SOAP/WSDL-based approach to Web services, and a fierce advocate of the REST style. (See our previous coverage of his "S stands for Simple" post and an email interview InfoQ did back then.) In this interview, recorded at QCon San Francisco, Pete Lacey talks to Stefan Tilkov about the reasons for his disillusionment with SOAP in the light of his personal involvement with it for a long time:
When I was working for Systinet I was a true believer but then, as many people have gone through this experience, the more you try to use it the more time you spend bashing your head against the wall, especially in those early days where interoperability was incredibly difficult, and then you dive deep into the XML schemas and specifications, and you looked really closer to the WSDL specification, and find that there is a lot of cockroaches in the corner.
He describes the ideas behind REST and addresses some of its perceived shortcomings:
I mean from transactions for instance I don't think that transactions are missing. I actually have a feeling, I could be wrong, I don't think I am, but I think that nobody is actually going to use distributed WS-* transactions simply because that's never going to scale in any meaningful way, horizontally or vertically. So that's a case of you aren't going to need it I think. But if it turns out that you do need it, we actually have some nice patterns for you, and if you don't want to use the RESTful patterns for transactions, nobody is going to come and arrest you for cheating and inventing your own kind of transaction processing on the fly if you care to.

But you also said security and I would say there is kind of a big gaping hole as regards security, in a sense. The security picture of REST, REST doesn't talk about security really. We talk about security for HTTP and that amounts to SSL, HTTP Basic Authentication and HTTP Digest really it's about it. Now the good thing is that SSL just rocks my world. It's proven, it's been beaten to death for over ten years, trillions of dollars for business are conducted over SSL, it does its job. In fact there is a very strong argument that says you don't have security unless you have SSL. You combine SSL with HTTP Basic and you have a lot of what you need. You can meet more than ninety percent of all your security needs.
Finally, he discusses cases where SOAP/WS-* or RESTful HTTP might be more appropriate.

Watch the full interview (32 minutes).
