REST (Representational State Transfer) has been growing in usage, especially with support from early service adopters like Amazon, Google, and eBay. One of the issues often raised in conjunction with REST is the lack of a WSDL (Web Services Description Language) like contract that describes the resources available.

The folks over at java.net have come up with what may well be the answer: WADL (Web Application Description Language).

Example of WADL for Amazon's Search Service from the specification:

<application xmlns="http://research.sun.com/wadl/2006/07"
     xmlns:aws="http://webservices.amazon.com/AWSECommerceService/2005-07-26"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<grammars>
    <include href="AWSECommerceService.xsd"/>
</grammars>

 <resources base="http://webservices.amazon.com/onca/">
    <resource path="xml">
       <method href="#ItemSearch"/>
    </resource>
 </resources>

 <method name="GET" id="ItemSearch">
    <request>
       <param name="Service" style="query"  fixed="AWSECommerceService"/>
       <param name="Version" style="query" fixed="2005-07-26"/>
       <param name="Operation" style="query" fixed="ItemSearch"/>
       <param name="SubscriptionId" style="query" type="xsd:string" required="true"/>
       <param name="SearchIndex" style="query" type="aws:SearchIndexType" required="true">
           <option value="Books"/>
           <option value="DVD"/>
           <option value="Music"/>
       </param>
       <param name="Keywords" style="query" type="aws:KeywordList" required="true"/>
       <param name="ResponseGroup" style="query" type="aws:ResponseGroupType" repeating="true">
          <option value="Small"/>
          <option value="Medium"/>
          <option value="Large"/>
         <option value="Images"/>
       </param>
    </request>
    <response>
        <representation mediaType="text/xml" element="aws:ItemSearchResponse"/>
    </response>
 </method>
 </application>

What's cool about the specification is the ability to lock down parameters to either a specific type, such as "xsd:string", or a list of options, e.g. "Small, Medium, Large, Images". This is exciting not only because of the ability to nail down query parameters for REST and AJAX (Asynchronous Javascript and XML), but web applications in general.

While web application firewalls provide this particular functionality for web applications today, the use of WADL - or a similar specification - could provide even better security for all types of web applications. Using XML Schema to control the type and values of parameters is one of the founding principles of XML security in general, with no real standardized mechanism for providing this functionality for traditional web applications or non-XML applications. WADL appears to solve that issue and offers a way to lock down and secure more tightly the parameters and URIs allowable for any application.

That's an exciting prospect, both for emerging technologies like AJAX and REST, but also for traditional web applications that continue to suffer in the security area due to a lack of definition of what's acceptable and what's not.

Imbibing: Coffee