[jax-rs-spec users] [jsr339-experts] security is a big hole in client API

From: Bill Burke <>
Date: Sun, 28 Oct 2012 19:59:28 -0400

Security configuration on the client side is really the only
non-portable, undefined part of JAX-RS 2.0. Should we define something?
  Is it too late?

* standard property names for username and password
* standard property name for authentication mode, maybe match servlet?
BASIC, DIGEST, CLIENT_CERT, and FORM. FORM is a little weird, but the
semantics are well defined and understood. No reasons we couldn't
support it out of box.
* login URL for FORM authentication?
* Standard property for setting client certificate for CLIENT-CERT
* Ability to specify a trust-store through a property for HTTPS.

Would just defining this set of common standard properties work? Seems
simple enough, or am I missing something?

Bill Burke
JBoss, a division of Red Hat