Expose webservice directly to webclients or keep a thin server-side script layer in between?

Posted by max on Stack Overflow See other posts from Stack Overflow or by max
Published on 2010-04-20T13:08:13Z Indexed on 2010/04/20 13:23 UTC
Read the original article Hit count: 194

Filed under:
|
|

Hi,

I'm developing a REST webservice (Java, Jersey). The people I'm doing this for want to directly access the webservice via Javascript. Some instinct tells me this is not a good idea, but I cannot really explain that instinct. My natural approach would have been to have the webservice do the real logic and database access, but also have some (relatively thin) server-side script layer (e.g. in PHP). Clients would talk to the PHP layer which in turn would talk to the webservice. (The webservice would be pretty local to the apache/PHP server and implicitly trust calls from the script layer. The script layer would take care of session management.) (Btw, I am not talking about just hiding the webservice behind an Apache which simply redirects calls.)

But as I find myself at a lack of words/arguments to explain my instinct, I wonder whether my instinct is right - note that while I have been developing all kinds of software in all kinds of languages and frameworks for like 17 years, this is the first time I develop a webservice.

So my question is basically: what are your opinions? Are there any standard setups? Is my instinct totally wrong? Or partially? ;P

Many thanks,

Max

PS: I might add a few bits of information about the planned usage of the whole application:

  • will be accessed by different kinds of users, partly general public, partly privileged
  • thus, all major OS/browser combinations can be expected as clients
  • however, writing the client is not my responsibility
  • will potentially have very high load/traffic
  • logic of webservice will later be massively expanded for another product which is basically a superset of the functionality of the current project
  • there is a significant likelihood that at some point an API should be exposed which can be used by 3rd party developers - obviously, with some restrictions
  • at some point, the public view of the product should become accessible via smartphones, too (in other words, maybe a customized version of the site to adapt to the smaller display and different input methods)

© Stack Overflow or respective owner

Related posts about web-services

Related posts about java