Put versus Post - REST

Question

While looking at the code in "petclinic", part of Spring 3.0 samples I noticed the following lines

<c:choose>
  <c:when test="${owner.new}"><c:set var="method" value="post"/></c:when>
  <c:otherwise><c:set var="method" value="put"/></c:otherwise>
</c:choose>

In this discussion at SO it seems that PUT should be used for "create/update" and POST for "updates".

Which is right?

What is the impact of using post for "create" and put for "update"?

Note : According to the HTTP/1.1 spec. quoted in the referenced SO discussion, the code given above seems to have the correct behavior.

Answer 1

It's quite simple:

• POST allows anything to happen, and it isn't restricted to creating "subordinate" resources, but allows the client to "provide a block of data ... to a data-handling process" (RFC 2616 sec 9.5). POST means "Here's that data you asked for just now"
• PUT is used as an opposite of GET. The usual flow is that you GET a resource, modify it somehow, and then you PUT it back at the same URI that you got it from. PUT means "Please store this file at this URI".

The uniformity of PUT (which is to store a file) allows intermediaries (e.g. caches) to invalidate any cached responses they might have at that exact URI (since they know that it's about to change). The uniformity of PUT also allows clients (that understand this) to modify a resource by first retrieving it (GET) and then send a modified copy back (PUT). It also allows clients to retry on a network failure, due to PUT's idempotency.

Side note: Using PUT to create resources is dubious. While it's possible within the spec, I don't see it as a good idea, just as using POST to perform searches isn't a good idea, just as tunneling SOAP over HTTP isn't a good idea. AtomPub explicitly states that PUT isn't used to create atom entries.

POSTs ubiquitousness comes from the fact that HTML defines <form> elements that result in POSTing a application/x-www-form-urlencoded entity, with which the recipient can do anything it pleases, including

• creating subordinate resources (The repsonse is usually accompanied by a 201 response and Location header)
• creating a completely different resource (again usually a 201 response and Location header)
• creating many subordinate and/or unrelated resources (perhaps with a simple response indicating the URIs of the created resources)
• doing nothing except return a response (e.g. 200 or 302) (a case where perhaps GET should have been used)
• modifying the resource that received the POST itself (returning or redirecting back to the updated resource).
• delete one or more resource.
• any combination of the above.

The only one who knows what will happen in a POST request is the user who initiated the request (by clicking the huge "yes I confirm deleting my Facebook profile" button) and the server that's handling the request. To the rest of the world, the request is opaque and doesn't mean anything other than "this URI is being passed some data".

So the answer to your question is that both POST and PUT can be used for both create and update.

1. POST is often use to create resources (like AtomPub 9.2)
2. PUT semantics fits well for modifying resources (like AtomPub 9.3)
3. POST may be used to modify resources (like a www form edit your profile)
4. PUT can technically be used to create resources (although I advise against it)

Answer 2

Both POST and PUT are have well defined behavior as per HTTP spec.

The result of a POST request should be a new resource that is subordinate to the request URL; the response should contain Location header with the URL of the newly created resource.

The result of a PUT should be an update of the resource at the request URL. if there is no existing resource at the request URL, a new one can be created.

The confusion arises from the fact that POST is also used with forms as a mechanism to pass the form data. Most common implementation of forms is to post back to the same URL at which the form page is located, thus giving the false idea that the POST operation is used for an update. However, in this particular usage, the form page is not the resource.

With all this in mind, here's the correct (in my opinion of course :-)) usage:

POST should be used to create new resources when:
- the new resource is subordinate to an existing resource - the resource identity/URL is not known at creation time

PUT should be used to update existing resources with well-known URL. It can be used to create a resource at well-known URL as well; however, it does help to think about this scenario in a different way - if the resource URL is known before the PUT request is made, this could be treated the same as the resource at this location already existing but being empty.