[jax-rs-spec users] [jsr339-experts] Re: auth again

From: Sergey Beryozkin <>
Date: Wed, 23 Jan 2013 16:19:50 +0000

On 23/01/13 15:02, Bill Burke wrote:
> If you accept the SSL additions I'm proposing, IMO, the only thing that
> is left is Basic and Form Auth. There's 3 ways you could probably
> provide it.
> #1 register(new BasicAuthenticator(username, password));
> BasicAuthenticator would be a ClientRequestFilter. This is simple, but
> the downside is you either need to provide an implementation of this
> filter within the public API or have hooks so that a vendor can provide
> an implementation. The latter requires providing Base64 encoding support
> too :(
> #2 add a basicAuth(username, password) method to Client and WebTarget
> client.basicAuth(username, password);
> webTarget.basicAuth(username, password);
> #3 add a Authenticator class so you can do this:
> client.auth().basicAuth(username, password);
> webTarget.auth().basicAuth(username, password).request().get();
> Any of the above works well with OAuth2 bearer token auth. You could have:
> webTarget.auth().bearer(String token);
> Or define a filter for Bearer auth.
> Servlet FORM authentication can work quite easily by just posting form
> parameters "j_username" and "j_password" to a "j_security_check" URL.
> The only spec additional requirement would be support for cookie caching
> and retransmittal which, IMO, we should require support for.

I'm for #1 as it offers most flexibility + a limited support
specifically for basic auth:

client.auth().authenticate(name, password)

something like that - may be that can even be done earlier - and when is
not sufficient then #1 can be used;