HTTP Response Code Musings

Fri, 15 Jun 2007 18:18 UTC

I’ve been catching up on reading old blog posts (and, by old, I mean older than 6 months)—I’ve sort of been out of the loop lately—and I came across a November 2006 post by Adam Trachtenberg questioning the proper use of HTTP response codes in a Web Service. In particular, he was wondering when it is acceptable to return certain response codes.

I find this particularly interesting (“yes, I am serious”) since I’ve been pondering HTTP response codes and request methods a lot in light of my recent focus on RESTful applications. Adam’s question is closely in line with what I’ve been considering in a recent application (that’s not particularly RESTful).

For example, in this application, a user can set a particular item of content as “private.” That is, only the user has access to view the content on the page. Originally, when unauthorized users viewed the page, they received a 404 Not Found response. However, I didn’t feel this was the correct response to send, since the resource is clearly available on the server, and RFC 2616 states that 404 means ”[t]he server has not found anything matching the Request-URI.” In addition, we were actually specifying the reason they could not see the page in the response body, and, again, the RFC states that 404 should be used “when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.” Thus, I opted to use the 403 Forbidden response instead because ”[t]he server understood the request, but is refusing to fulfill it” and we are describing “the reason for the refusal in the entity.” Another option is to use an actual 200 OK response and deliver another entity rather than the requested resource. I imagine this is what most applications do. However, I felt that 200 OK signifies to the client that it is actually getting back the requested resource. Since that’s not happening, I wanted the client to know that it wasn’t getting the resource.

Furthermore, we’re using a McAfee HTTP API to do some virus scanning of documents. The API returns a 200 OK response when the document has finished scanning and is free from viruses, but it returns a 406 Not Acceptable response if it encounters a virus. While it doesn’t really matter to me what response code McAfee returns for a failure—what’s important is that they’ve defined what a failed response looks like and I can capture it and take appropriate action—it is interesting to note that the 4xx error codes are not intended to report responses like this. “The 4xx class of status code is intended for cases in which the client seems to have erred.” Clearly, the client did not err in this case; there was no Accept header present for which the resource could not generate a response. Instead, the POSTed file was successfully processed, and while the request was successful, McAfee found a virus and needs to report it to a client. They chose to use 406 to make this clear. Instead, I think they should use 200 OK because the POST request was successful, and the response body should indicate the status of the document (clean or infected).

So, going back to Adam’s post, he questions when to use 4xx responses and when to use 5xx. In general, if the client errs, use 4xx. If the error occurs on the server, use 5xx. However, I would recommend against using these response codes if the server can successfully fulfill the request. HTTP error codes have semantic meaning for clients, and if you apply your own meaning to them, then the client can’t respond appropriately. For example, if you use 400 Bad Request to tell the user that they provided the wrong data and you can’t process the request, then the client assumes that the server it telling it that it sent headers with malformed syntax.

The problem is that developers are attempting to apply HTTP response codes to applications that shouldn’t use HTTP response codes for communication. HTTP response codes are intended for use by HTTP servers communicating with HTTP clients. While we’re using HTTP for transfer of data in our applications, we probably shouldn’t be using the response codes provided in RFC 2616 for anything other than what they are intended since improper use of them might cause some clients to take improper action.

That said, Adam mentions the book RESTful Web Services by Leonard Richardson and Sam Ruby (published just last month). This book includes an appendix explaining when to use each status code. I’ve just ordered it and should receive it in another day or two, so expect another post from me soon continuing my rambling musings on HTTP response codes.

3 Comments »  Permalink  Tags: http, rest

PHP and Oracle Manual

Wed, 13 Jun 2007 1:18 UTC

Maggie writes about an Oracle problem over which we were pulling out our hair. In the end, the solution was fairly simple, but I’ll let you read her post for all the details. I’ll just mention that Christopher Jones pointed me to a freely available book he and Alison Holloway wrote specifically for PHP developers using Oracle: The Underground PHP and Oracle Manual.

Christopher says, “The book is designed to bridge the gap between the many PHP and the many Oracle texts available.” This is a must-read for anyone using Oracle and PHP together, and they continually maintain it and keep it up-to-date.

On page 80 of the manual, it states:

If you are using an Oracle Database 10g Release 2 database other than the Express Edition (“XE”), you may need to give the Apache process access to Oracle’s libraries and globalization data. Refer to the $ORACLE_HOME/install/changePerm.sh script. Each time you restart Apache, make sure you have the same environment variables set for Oracle. In particular ORACLE_HOME should always be set.

Wiser words were never writ…

1 Comment »  Permalink  Tags: oracle, php

Accepting Outlook Invites from Apple Mail

Fri, 8 Jun 2007 15:54 UTC

I’ve been using Thunderbird for quite some time for company e-mail, and for the most part, I’ve been happy with it, but when the company uses Microsoft Exchange Server for shared calendars and scheduling, anyone that’s not using Outlook on a PC gets left out in the cold. Keeping track of my schedule has been the source of increasing frustration. Our recommended solution is to simply use OWA to accept all calendar invitations. However, this defeats the purpose of using Thunderbird in the first place, and if you use a browser other than Internet Explorer, your experience is severely limited and downright fugly. The root of the problem is that I use a Mac. I could choose to use OWA or Entourage, but OWA is simply unacceptable, and Entourage is clunky and slow at best.

I don’t want to ramble too much longer before getting to the point, but I’ll just say: Thunderbird’s Lightning extension is also fugly and also doesn’t appear to recognize many calendar invitations. For those it did recognize, I couldn’t add them to the calendar.

Finally, I decided to try the combination of Apple Mail and iCal, but, again, I encountered problems. Some calendar invites included the proper .ICS calendar attachments, while others appeared not to have the .ICS attachment. However, this was misleading since the VCALENDAR data is clearly in the raw message source and the message includes the Content-Class header with a value of “urn:content-classes:calendarmessage.” What?! Why can’t Apple Mail read it?

Nevertheless, after some searching, I came across a nice AppleScript that will detect the calendar message and automatically add it to iCal for you to accept/reject. Your acceptance of the message still doesn’t communicate with the Exchange server, so others can’t see your free/busy times, but it does send an e-mail to the person who scheduled the event, and it gives me peace of mind knowing that iCal will notify me every time I have a meeting and I won’t miss any more.

After several years and many nice updates, I wonder why Apple Mail still has problems accepting Outlook calendar invitations…

7 Comments »  Permalink  Tags: apple-mail, calendar, exchange, ical, outlook, thunderbird

Intl PHP Conference Slides

Mon, 4 Jun 2007 14:24 UTC

I’ve been neglecting for far too long to post these slides, and I’ve been reminded several times by conference attendees that I need to post them. Thank you for the reminders, and I apologize that it has taken me this long to post these. Links to the slides are below…

I once again found myself in Germany—Ludwigsburg, specifically—for the International PHP Conference, Spring Edition. This location was much better than the hotel/conference location in Frankfurt because it was right in the town of Ludwigsburg. This made it easy to walk around, sight-see, and find things to do outside of the conference.

This time around, I gave two talks: Designing RESTful Web Applications and Give Your Site A Boost With memcached. Overall, I was very proud of these talks, especially the one on REST. The REST talk has been growing and changing over the last few times I’ve given it, and, now, I think it’s maturing into an excellent discussion of REST theory coupled with practical tips on designing a RESTful application. Perhaps I’ll spend some more time talking about REST on this blog in the coming weeks and months.

For now, enjoy the slides:

• Designing RESTful Web Applications (PDF, 2.1 MB)

• Give Your Site A Boost With memcached (PDF, 2.2 MB)

3 Comments »  Permalink  Tags: conferences, ipcse07, ipcse2007, memcache, memcached, php, php-conference, rest, talks