[jax-rs-spec users] [jsr339-experts] Re: security is a big hole in client API

From: Marek Potociar <>
Date: Mon, 29 Oct 2012 11:53:11 +0100

I think we should still try to do something in this space. It would be good if we could reuse as much of Java SE APIs as possible. Specifying user name and password as well as setting a SSL context should be the minimum we do.


On Oct 29, 2012, at 12:59 AM, Bill Burke <> wrote:

> Security configuration on the client side is really the only non-portable, undefined part of JAX-RS 2.0. Should we define something? Is it too late?
> * standard property names for username and password
> * standard property name for authentication mode, maybe match servlet? BASIC, DIGEST, CLIENT_CERT, and FORM. FORM is a little weird, but the semantics are well defined and understood. No reasons we couldn't support it out of box.
> * login URL for FORM authentication?
> * Standard property for setting client certificate for CLIENT-CERT
> * Ability to specify a trust-store through a property for HTTPS.
> Would just defining this set of common standard properties work? Seems simple enough, or am I missing something?
> Thoughts?
> --
> Bill Burke
> JBoss, a division of Red Hat