users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] auth again

From: Bill Burke <bburke_at_redhat.com>
Date: Wed, 23 Jan 2013 10:02:26 -0500

If you accept the SSL additions I'm proposing, IMO, the only thing that
is left is Basic and Form Auth. There are 3 ways you could probably
provide it.

#1 register(new BasicAuthenticator(username, password));

BasicAuthenticator would be a ClientRequestFilter. This is simple, but
the downside is you either need to provide an implementation of this
filter within the public API or have hooks so that a vendor can provide
an implementation. The latter requires providing Base64 encoding
support too :(

#2 add a basicAuth(username, password) method to Client and WebTarget

client.basicAuth(username, password);
webTarget.basicAuth(username, password);

#3 add an Authenticator class so you can do this:

client.auth().basicAuth(username, password);
webTarget.auth().basicAuth(username, password).request().get();

Any of the above works well with OAuth2 bearer token auth. You could have:

webTarget.auth().bearer(String token);

Or define a filter for Bearer auth.

Servlet FORM authentication can work quite easily by just posting form
parameters "j_username" and "j_password" to a "j_security_check" URL.
The only additional spec requirement would be support for cookie caching
and retransmittal which, IMO, we should require support for.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
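
Option #1 from the message above, sketched as a JAX-RS 2.0 ClientRequestFilter. This is an added example, not code from the original post or from the JAX-RS specification. The class body is hypothetical, it uses java.util.Base64 (Java 8, which postdates this message), and the HTTPS-only check and the colon check on the username are assumptions added here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.HttpHeaders;

// Hypothetical implementation of the BasicAuthenticator named in option #1.
// Registered as: client.register(new BasicAuthenticator(username, password));
public class BasicAuthenticator implements ClientRequestFilter {

    // Pre-computed "Basic <base64(user:pass)>" header value.
    private final String headerValue;

    public BasicAuthenticator(String username, String password) {
        // The first ':' separates user from password on the server side,
        // so a colon in the username would shift part of it into the password.
        if (username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        this.headerValue = "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    @Override
    public void filter(ClientRequestContext ctx) throws IOException {
        // Assumption added in this example: Basic credentials are only
        // base64-encoded, not encrypted, so refuse to attach them unless
        // the request goes over TLS.
        String scheme = ctx.getUri().getScheme();
        if (!"https".equalsIgnoreCase(scheme)) {
            throw new IOException(
                "refusing to send Basic credentials over scheme: " + scheme);
        }
        // putSingle replaces any Authorization header already set upstream,
        // so the request never carries two competing credentials.
        ctx.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, headerValue);
    }
}
```

A Bearer-token filter would have the same shape, with the header value set to "Bearer " followed by the token.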