SOA, REST and Flash/Flex – why Flash does not PUT

Adobe’s Duane Nickull has an illuminating post on how the Flash player handles REST. Nickull is responding to a post by Malcolm Box in which he complains how hard it is to use Flash with a REST web service. Box observes that Flash cannot send POST, PUT and DELETE requests when running in the browser, and does not send cookies.

Nickull defends the Flash behaviour:

Flash’s HTTP libraries currently support GET and POST. My architectural view of this is that the HTTP libraries only should really support these and not worry about the others.

He also notes that cookies are a poor way to manage state:

Cookies are for the browser and belong in the browser. Having Flash Player able to access cookies would be a mistake in my own opinion. Any logic that is facilitated by a browser should probably be dealt with at the browser layer before Flash Player is used.

Now, I think the comments on REST are important to read if you are engaged in designing a web service, as many of us in these days of cloud+device. There is a kind-of “word on the street” approach to web services which says that REST is good, SOA/SOAP is bad; but in reality it is not so simple, and these distinctions are muddled. REST is arguably a form of SOA, you can do SOAP with REST, and so on.

One factor is that reading data in a web client is far more common than writing data. It is easy to be an advocate of the simplicity of REST if all you are doing is GET.

The question Nickull asks is whether the transport protocol has any business dictating how the data it transports should be processed, for example whether it is an operation to retrieve or to write data:

In an SOA world, the transport functionality (usually implemented using SOAP) should focus on just delivering the message and it’s associated payload(s) to the destination(s), optionally enforcing rules of reliability and security rather than declaring to the application layer processing instructions to the service endpoint.

Read the post for more of the rationale behind this. Maybe, even if you are doing REST, restricting your web service to GET and POST is not such a bad idea after all.

That said, whatever you think about the architectural principles, you may find yourself having to write a browser-hosted Flash client for a service that requires an HTTP verb other than GET or POST. There are ways round it: see this discussion of Amazon S3 (which uses PUT) and Flash for an example.