[jax-rs-spec users] [jsr339-experts] Client security APIs?

From: Bill Burke <>
Date: Mon, 18 Jun 2012 11:50:56 -0400

Was just thinking about authentication and certification validation and
the client layer...

Any client that needs to set up authentication will immediately require
a vendor-specific interface. That sets up the possibility of a lot of
non-portable code. Should we define APIs or specific config properties
to cover this? Cover the 3 authentication models offered by servlet
container: basic, digest, and client-cert.

Also, server certification validation falls into the category as well,
and maybe a property targeted towards a trust store.

Could be this:

WebTarget target = ...;

target.setProperty(Security.USERNAME, "bill");
target.setProperty(Security.PASSWORD, "geheim");
target.setProperty(Security.AUTHENTICATION_TYPE, Security.DIGEST);
target.setProperty(Security.TRUST_STORE, trustStore);

trustStore could be a X509TrustManager or KeyStore

target.setProperty(Security.AUTHENTICATION_TYPE, Security.CLIENT_CERT);
target.setProperty(Security.CLIENT_CERTIFICATE, keyStore);

Bill Burke
JBoss, a division of Red Hat
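
An added example, not part of the original message and not a JAX-RS API: one way a client implementation could turn the proposed trust store value (an X509TrustManager or a KeyStore) and client certificate KeyStore into an SSLContext using standard JSSE calls. The class name ClientTlsConfig, the build method and its parameters are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper: not part of JAX-RS or of the proposal in the message.
public final class ClientTlsConfig {
    // trustStore: an X509TrustManager or a KeyStore, as the message suggests; null = JVM default trust.
    // clientCert: KeyStore holding the client's private key and chain, or null for no client-cert auth.
    public static SSLContext build(Object trustStore, KeyStore clientCert, char[] keyPassword)
            throws GeneralSecurityException {
        TrustManager[] trust = null;
        if (trustStore instanceof X509TrustManager) {
            trust = new TrustManager[] { (X509TrustManager) trustStore };
        } else if (trustStore instanceof KeyStore) {
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) trustStore);
            trust = tmf.getTrustManagers();
        } else if (trustStore != null) {
            // Reject unknown types rather than silently falling back to default trust.
            throw new IllegalArgumentException("Unsupported trust store type: " + trustStore.getClass());
        }

        KeyManager[] keys = null;
        if (clientCert != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientCert, keyPassword);
            keys = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keys, trust, null); // null arrays fall back to the JVM's installed defaults
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed call: no custom trust store and no client certificate.
        System.out.println(build(null, null, null).getProtocol());
    }
}
```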