[jax-rs-spec users] Re: [jsr339-experts] Why is there no generic Auth-Header support in JAX-RS?

From: Reto Bachmann-Gmür <>
Date: Thu, 2 May 2013 07:43:23 +0200

Hi Jan

From the comment on issue 43 it seems that the experts want to keep
everything out of the spec for now that is somehow related to

While for the header you're mentioning this is a nuisance this is a blocker
for the X509 certificates (issue 43) as support for these cannot be
implemented at all in a JAX-RS application unless using some implementation
specific method (such as by relying on the fact that the implementation is
servlet based).

My plea would be to add all the needed low-level authentication support
before and independently on whatever high level security API future version
might bring. (Which I'm not sure if it's needed anyway as the standard
Java-AccessController mechanism can well be used in Jax-RS implementations).


On Wed, May 1, 2013 at 1:55 PM, Jan Algermissen

> Hi experts,
> given that HTTP Authorization and WWW-Authenticate header syntaxes are
> defined in a generic way, independent of any specific Auth-Scheme, I wonder
> what the reason is that there is no support in the API for these headers.
> (E.g. there is for Cookie and Cache-Control and Link for example)
> Can anyone remember the reason?
> It's quite painful to implement and everybody seems to roll their own.
> Most of what I see out there is wrong and/or relies on a zillion of regexes
> - quite a bad situation.
> In addition, it would really help code clarity if Auth 'objects' would be
> integrated into the API, e.g. via injection of an AuthInfo or similar.
> Is this something for 2.1, maybe?
> Jan