users@jax-rs-spec.java.net

[jax-rs-spec users] [jsr339-experts] Re: auth again

From: Sergey Beryozkin <sberyozkin_at_talend.com>
Date: Wed, 23 Jan 2013 16:19:50 +0000

On 23/01/13 15:02, Bill Burke wrote:
> If you accept the SSL additions I'm proposing, IMO, the only thing that
> is left is Basic and Form Auth. There are 3 ways you could probably
> provide it.
>
> #1 register(new BasicAuthenticator(username, password));
>
> BasicAuthenticator would be a ClientRequestFilter. This is simple, but
> the downside is you either need to provide an implementation of this
> filter within the public API or have hooks so that a vendor can provide
> an implementation. The latter requires providing Base64 encoding support
> too :(
>
> #2 add a basicAuth(username, password) method to Client and WebTarget
>
> client.basicAuth(username, password);
> webTarget.basicAuth(username, password);
>
> #3 add an Authenticator class so you can do this:
>
> client.auth().basicAuth(username, password);
> webTarget.auth().basicAuth(username, password).request().get();
>
> Any of the above works well with OAuth2 bearer token auth. You could have:
>
> webTarget.auth().bearer(String token);
>
> Or define a filter for Bearer auth.
>
> Servlet FORM authentication can work quite easily by just posting form
> parameters "j_username" and "j_password" to a "j_security_check" URL.
> The only additional spec requirement would be support for cookie caching
> and retransmittal which, IMO, we should require support for.

I'm for #1 as it offers the most flexibility + limited support
specifically for basic auth:

client.auth().authenticate(name, password)

something like that - maybe that can even be done earlier - and when it is
not sufficient then #1 can be used.

Sergey
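
A sketch of option #1 from the quoted proposal, added here as an illustration and not code from either poster or from the JAX-RS specification. It assumes the JAX-RS 2.0 client API as later released (`javax.ws.rs.client.ClientRequestFilter`) and `java.util.Base64` from Java 8; the `requireHttps` switch is a hypothetical addition that keeps the credentials off cleartext connections.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.ws.rs.client.ClientRequestContext;
import javax.ws.rs.client.ClientRequestFilter;
import javax.ws.rs.core.HttpHeaders;

/**
 * Client filter that adds an HTTP Basic Authorization header.
 * Usage, as in option #1: client.register(new BasicAuthenticator(username, password));
 */
public class BasicAuthenticator implements ClientRequestFilter {
    private final String headerValue;
    private final boolean requireHttps; // hypothetical switch, not part of the proposal

    public BasicAuthenticator(String username, String password) {
        this(username, password, true);
    }

    public BasicAuthenticator(String username, String password, boolean requireHttps) {
        // ':' separates user-id and password in the Basic scheme, so a
        // username containing it would be parsed differently by the server.
        if (username == null || password == null || username.indexOf(':') >= 0) {
            throw new IllegalArgumentException("invalid Basic credentials");
        }
        // Fix the charset explicitly so the bytes do not depend on the platform default.
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        this.headerValue = "Basic " + Base64.getEncoder().encodeToString(raw);
        this.requireHttps = requireHttps;
    }

    @Override
    public void filter(ClientRequestContext ctx) throws IOException {
        URI uri = ctx.getUri();
        // Base64 is an encoding, not encryption: anyone on the path can read
        // the password unless the transport is TLS.
        if (requireHttps && !"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IOException(
                "Refusing to send Basic credentials over scheme: " + uri.getScheme());
        }
        // putSingle replaces any Authorization header already set on the request.
        ctx.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, headerValue);
    }
}
```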