If you accept the SSL additions I'm proposing, IMO, the only thing that
is left is Basic and Form Auth. There's 3 ways you could probably
provide it.
#1 register(new BasicAuthenticator(username, password));
BasicAuthenticator would be a ClientRequestFilter. This is simple, but
the downside is you either need to provide an implementation of this
filter within the public API or have hooks so that a vendor can provide
an implementation. The latter requires providing Base64 encoding
support too :(
#2 add a basicAuth(username, password) method to Client and WebTarget
client.basicAuth(username, password);
webTarget.basicAuth(username, password);
#3 add a Authenticator class so you can do this:
client.auth().basicAuth(username, password);
webTarget.auth().basicAuth(username, password).request().get();
Any of the above works well with OAuth2 bearer token auth. You could have:
webTarget.auth().bearer(String token);
Or define a filter for Bearer auth.
Servlet FORM authentication can work quite easily by just posting form
parameters "j_username" and "j_password" to a "j_security_check" URL.
The only spec additional requirement would be support for cookie caching
and retransmittal which, IMO, we should require support for.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com