users@jersey.java.net

Web applications using XMLHttpRequest and JAX-RS REST/JSON Web Services

From: Eduardo Pérez Ureta <edpeur_at_gmail.com>
Date: Wed, 5 Nov 2008 22:58:03 +0000

I am developing a web site using XMLHttpRequest and REST/JSON
extensively. Now I want to add authentication to the REST Web
services.
The use case in question is having the user request some service and
getting an error like "Not authorized!" instead of the data to be GET
or POST.
Ideally I would like to use the servlet session. Do you guys know of
any successful implementation of REST/JSON authenticated Web Services
for use with XMLHttpRequest Web applications?

What would be the best way to signal authentication errors?
- Return an HTTP 2xx response with a JSON object that contains an error
object like:
{"error":"Not authorized!"}
- Return an error HTTP response with the error (possibly in plain
text) (I think this should not be used as the error is not in the HTTP
transport)

Anyway I would like to see a successful implementation for reference.
I would also like to see any standard way to protect from Cross-site
request forgery.
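
The two signalling options listed in the message, seen from the client side, as an added example that is not part of the original message or of Jersey. The helper name `classifyResponse`, the result kinds and the sample responses are assumptions constructed for illustration; the objects mimic the `status` and `responseText` properties of a finished XMLHttpRequest.

```javascript
// Constructed sample responses, shaped like a finished XMLHttpRequest
// (status, responseText). None of these come from a real service.
const SAMPLES = {
  ok:            { status: 200, responseText: '{"items":[1,2,3]}' },
  option1Denied: { status: 200, responseText: '{"error":"Not authorized!"}' },
  option2Denied: { status: 401, responseText: 'Not authorized!' },
  gatewayError:  { status: 502, responseText: '<html>Bad Gateway</html>' },
};

// Hypothetical helper: turn a response into one result a page can act on.
function classifyResponse(xhr) {
  let parsed;
  try {
    parsed = JSON.parse(xhr.responseText);
  } catch (e) {
    parsed = undefined; // plain-text or HTML body
  }
  const envelopeError =
    parsed !== null && typeof parsed === 'object' && typeof parsed.error === 'string'
      ? parsed.error
      : null;

  // Option 2: the status line alone identifies the failure, whatever the body is.
  if (xhr.status === 401 || xhr.status === 403) {
    return { kind: 'unauthorized', message: envelopeError || xhr.responseText };
  }
  if (xhr.status < 200 || xhr.status >= 300) {
    return { kind: 'http-error', message: 'HTTP ' + xhr.status };
  }
  // Option 1: a 2xx status says nothing, so every body has to be inspected.
  if (parsed === undefined) {
    return { kind: 'http-error', message: 'unparseable body' };
  }
  if (envelopeError !== null) {
    // Only the text distinguishes an authentication failure from any other error.
    return { kind: 'app-error', message: envelopeError };
  }
  return { kind: 'ok', data: parsed };
}

for (const [name, xhr] of Object.entries(SAMPLES)) {
  console.log(name, '->', JSON.stringify(classifyResponse(xhr)));
}
```

With the 2xx convention, an intermediary's error page and an expired session both have to be caught by body inspection, while the status-code convention lets one central handler react before any parsing.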