简体繁体 English

用于不存在的资源上的GET的REST标准

[英]REST standard for GET on a resource that doesn't exist

原文 2009-10-07 18:57:42 3 9 rest

The resource /user/12345 doesn't exist. 资源/ user / 12345不存在。 Lets say the consumer is trying different ids randomly. 让我们说消费者正在随机尝试不同的ID。 There is no authorization. 没有授权。 Any user can view any user. 任何用户都可以查看任何用户。 In a broader sense, my question is "What should you return if you do a GET on a resource that doesn't exist?" 从更广泛的意义上讲，我的问题是“如果您对不存在的资源进行GET，您应该返回什么？”

Should I return an empty user for an id that doesn't exist or should I return an error message with proper status code? 我应该为一个不存在的id返回一个空用户，还是应该返回一个包含正确状态代码的错误消息？

What is the typical/usual/recommended practice? 什么是典型/通常/推荐的做法？

9 个解决方案

返回404状态代码。

It depends on your security concerns a little bit. 这取决于您的安全问题。 I would either send a 404 if it is OK that the guesser finds out if that user id does not exist, or send 401 for all attempts on unauthenticated accesses to any resource under /user 如果guesser确定该用户id是否不存在，我会发送404，或者对/ user下任何资源的未经身份验证的访问发送401

404 404

That said, this assumes you first checked authorization to that operation -> /user/[id] and if the user wasn't allow to access Other users accounts you would return 401 . 也就是说，这假设您首先检查了对该操作的授权 - > / user / [id]，如果用户不允许访问其他用户帐户，则返回401 。

Never rely on the user not knowing user ids ... 永远不要依赖用户不知道用户ID ...

@Byron is right, return HTTP 404. You want to leverage all of the capabilities of HTTP, and these include response status codes. @Byron是对的，返回HTTP 404.您希望利用HTTP的所有功能，其中包括响应状态代码。 So if there is a client error, return a 4xx error code, and if your server code has an internal problem, return a 5xx error code, etc. 因此，如果存在客户端错误，则返回4xx错误代码，如果您的服务器代码存在内部问题，则返回5xx错误代码等。

Richardson and Ruby's RESTful Web Services (O'Reilly) has a good discussion of this, and an appendix with all the most important HTTP error codes and when to use them. Richardson和Ruby的RESTful Web服务（O'Reilly）对此进行了很好的讨论，并附带了所有最重要的HTTP错误代码以及何时使用它们。

如果用户经过身份验证和授权，则返回404.如果用户未经身份验证且未经授权，请将其发送到页面以获得授权。

A GET should only retrieve something that exists. GET应该只检索存在的东西。

So I would return a 404. 所以我会回复404。

这对我来说看起来像404错误 - 找不到资源。

From your original question, with no authorization, this is clearly a 404. If you were to add authorization, then it would actually be acceptable to return a 404 for all unauthorized requests; 从你原来的问题，没有授权，这显然是404.如果你要添加授权，那么为所有未经授权的请求返回404实际上是可以接受的; this prevents random ID guessing by distinguishing 401 or 403 (exists, but unauthorized) from 404s (nonexistent) as some of the other answers suggest. 这可以通过区分401或403（存在但未经授权）与404（不存在）来防止随机ID猜测，正如其他一些答案所暗示的那样。 Per the RFC : 根据RFC ：

10.4.5 404 Not Found ... This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable. 10.4.5 404 Not Found ...当服务器不希望确切地说明请求被拒绝的原因，或者没有其他响应适用时，通常会使用此状态代码。

My opinion: Return an empty 200. 我的意见：回归空200。

Quite frankly, if a REST resource doesn't exist, it doesn't exist. 坦率地说，如果REST资源不存在，它就不存在了。 That means return 404. In your case, however, 12345 is a parameter you are using to identify/lookup a return entity. 这意味着返回404.但是，在您的情况下，12345是您用于标识/查找返回实体的参数。 Resource /user/{userId} does actually exist, so technically I don't believe it is proper to return a 404, although it's clear to see the argument for either side. 资源/用户/ {userId}确实存在，所以从技术上讲，我不认为返回404是正确的，尽管很明显看到任何一方的论据。

If you feel like returning two status codes exposes your system in some way, however, I'd say stick with an empty 200 OK. 如果您想返回两个状态代码以某种方式暴露您的系统，我会说坚持空200 OK。