The Servlet Profile defines the use of jsr 196 in the context of security constraint processing by a servlet container; which is basically acting as a web server; thus it profiles the use of the server-side interception points (only).
to use jsr 196 to achieve http client side auth mechanism pluggabillity; e.g., in support of OAUTH; would require integration of the spi in an http client runtime or toolkit.
Coincidentally, I am working on trying to put something like that together. I am pretty distracted, so you may be able to get it done faster than me. In particular, I have been looking into defining a Jersy client side filter with embedded jsr 196 client side interception points. I have also been exchanging emails with JF Arcand about including a jsr 196 client side interception point in his Asynchronous http client library. The same could be done with the Apache Http client, or in an extension of httpurlconnection. It may ultimately be feasible to define and standardize an Http client profile.
I have been looking into integrating OAUTH via jsr 196, and one challenge that I am investigating is how to chain redirections recieved by a jax-rs client embedded in a servlet, to the user (of the servlet) back at a browser (and who must authorize an access token).
Ron
[Message sent by forum member 'monzillo']
http://forums.java.net/jive/thread.jspa?messageID=485228