[jax-rs-spec users] [jsr339-experts] Re: Re: security is a big hole in client API

From: Bill Burke <>
Date: Tue, 30 Oct 2012 14:16:19 -0400

On 10/30/2012 6:28 AM, Sergey Beryozkin wrote:
> On 29/10/12 21:27, Marek Potociar wrote:
>> Yes, I meant specifically SSLContext and the related APIs (KeyManager,
>> TrustManager ...)
>> I did not have any specific APIs in mind when it comes to auth modes
>> in general - there may be something more in JAAS, but i'm not
>> extremely familiar with it...
> JAAS is the server side thing. At the client side, what can be handy, is
> to introduce a property (as Bill suggested), something like
> "client.authenticator" which will map to a ClientAuthenticator interface,
> and JAX-RS will offer a few well-known implementations, I would limit it
> to BasicClientAuthenticator for a start, and the runtime would do:
> String authorizationHeader =
> get("client.authenticator").toAuthorizationHeader();

I really do not want to define a security SPI. IMO, we don't need one
as filters/interceptors can pretty much implement anything. I just want
a simple portable way to connect to and interact with Java EE servlet
containers, i.e. support for HTTPS, Basic, Digest, Client-cert, and Form
based authentication. I prefer a simple property-based approach, but
would support a more type-safe interface as long as it didn't impose
implementation constraints.

Bill Burke
JBoss, a division of Red Hat
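As an added illustration (not code from this thread, nor from any JAX-RS implementation), here is how Sergey's "client.authenticator" property and Bill's "filters can implement anything" position could be combined on the JAX-RS 2.0 client API; the ClientAuthenticator interface, the AuthenticatorFilter class and the sample credentials are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.HttpHeaders;

// Hypothetical contract from the thread: an authenticator only knows how to
// render itself as an Authorization header value; no wider security SPI.
interface ClientAuthenticator {
    String toAuthorizationHeader();
}

// HTTP Basic: "Basic " + base64(user ":" password). Base64 is an encoding,
// not encryption, so the header is only as private as the transport (HTTPS).
final class BasicClientAuthenticator implements ClientAuthenticator {
    private final String user;
    private final char[] password;

    BasicClientAuthenticator(String user, char[] password) {
        this.user = user;
        this.password = password.clone();
    }

    @Override
    public String toAuthorizationHeader() {
        byte[] creds = (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(creds);
    }
}

// Portable ClientRequestFilter (hypothetical): reads the "client.authenticator"
// property from the client configuration and sets the header if absent.
final class AuthenticatorFilter implements ClientRequestFilter {
    static final String PROPERTY = "client.authenticator";

    @Override
    public void filter(ClientRequestContext ctx) {
        Object auth = ctx.getConfiguration().getProperty(PROPERTY);
        if (auth instanceof ClientAuthenticator
                && !ctx.getHeaders().containsKey(HttpHeaders.AUTHORIZATION)) {
            ctx.getHeaders().putSingle(HttpHeaders.AUTHORIZATION,
                    ((ClientAuthenticator) auth).toAuthorizationHeader());
        }
    }
}

public class AuthenticatorExample {
    public static void main(String[] args) {
        // Constructed sample credentials; the filter adds the header per request.
        Client client = ClientBuilder.newClient()
                .property(AuthenticatorFilter.PROPERTY,
                        new BasicClientAuthenticator("alice", "s3cret".toCharArray()))
                .register(AuthenticatorFilter.class);
        client.close();
    }
}
```

Digest, client-cert or form-based variants would be further ClientAuthenticator implementations (or, for client-cert, an SSLContext on the ClientBuilder), leaving the filter unchanged.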