In researching the MySpace deprecated API exploit I came across the details on MySpace's REST (Representational State Transfer) API. I'm going to ignore the debate surrounding the definition of "high REST" versus "low REST" and concentrate on the bridging aspect, as it's something I've already touched on and find to be of more value than worrying over what it's called or whether it's a standard or whatever else might be the focus of these arguments.

You may recall that part of the problem with a true REST implementation is that many browsers do not support PUT and DELETE. Some even fail to properly support POST, but in most instances you can rely upon GET and POST support at the very least. In a prior post we looked at how to rewrite URIs to simulate RESTful behavior but after reading through MySpace's description of "High/Low REST bridging" I think I like their mechanism even better, because it still lets you implement a purer REST architecture on the servers while dealing with browser limitations.

This is one of the places where an application delivery controller imbued with the ability to inspect and transform application requests really shines. Because the application delivery controller is a proxy, it can mediate access and unify two disparate methods of application access. This means that even though third-party developers may use different ways to access the REST services that the actual implementation does not need to support them all. The application delivery controller can ensure that all requests appear in the right format using the desired method, and it can do so transparently such that third-party developers don't even realize it's happening.

We're going to implement just such a system using iRules for the BIG-IP.

Interestingly enough, you could use iRules URI rewrite capabilities to address the use of deprecated methods, assuming both the deprecated method and the new method use the same (or fewer) parameters.

The description and iRules are here on DevCentral, in this article.

Happy coding!

