Vincent Massol wrote:
For ex I can open a browser and type:
http://repository.sonatype.org/service/local/repositories
And it just gives me the answer without having to type anything.
Because resources are not restricted and they can be browsed as "guest".
See the Authentication section of
https://docs.sonatype.com/display/Nx/Nexus+Rest+API
I really prefer it this way. We need to make it extra easy to query
IMO (for open wikis).
Even there they state that "A user may be authenticated by providing
their credentials to /authentication/login OR to any restricted resource
in the form of HTTP Basic formatted data in the Authorization HTTP
header of the request. The response will include the authToken as a
value in the data response to the request."
Now since in our case, imho, every resource can be considered
"restricted" (starting from the space list, because its representation
depends on the actual user requesting it) this boils down to what I was
saying.
But the link you provided contains an interesting alternative! (To be
verified)
We could provide a /authentication resource which provides a challenge
for plain browser users. So basically if the user requests a resource,
it will always be served as if he were guest.
In order to access the "restricted" representation, he must first
visit /authentication and provide credentials (through the popup).
Then he could visit other resources, which will be served by taking into
account the auth header that the browser (hopefully) sends.
The only concern is whether the browser, after the authentication, sends
the auth header with each subsequent request to the site.
Of course here I am speaking only about an interaction with a plain browser.
Anyway this is an important aspect that must be discussed in depth.
Others, WDYT?
-Fabio
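The flow sketched in the message above, as an added example that is not part of the original thread or of the project's code: only /authentication issues a Basic challenge, every other resource is served in its guest representation unless the browser volunteers a valid Authorization header. User names, passwords, the realm and the space names are constructed for the example.

```python
import base64
import hmac

# Constructed sample accounts (plaintext here only to keep the example short).
USERS = {"alice": "s3cret"}
REALM = "wiki-rest"

# Space list as seen by each principal: the guest view only lists public spaces.
SPACES = {"guest": ["Main"], "alice": ["Main", "Sandbox", "AlicePrivate"]}


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header):
    """Return the user name for a valid Authorization header, else None."""
    creds = parse_basic_auth(header)
    if not creds:
        return None
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time compare so a wrong password is not distinguishable by timing.
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None


def handle(path, headers):
    """Dispatch one request; returns (status, response_headers, body)."""
    user = authenticate(headers.get("Authorization"))
    if path == "/authentication":
        if user is None:
            # Challenge only here: the browser shows its popup, then resends with the header.
            return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, "login required"
        return 200, {}, "authenticated as " + user
    if path == "/spaces":
        # Ordinary resources never challenge: no or bad credentials give the guest view.
        return 200, {}, ",".join(SPACES[user or "guest"])
    return 404, {}, "not found"
```

On the concern about subsequent requests: RFC 7617 allows a client to send the credentials preemptively to URIs at or below the directory of the challenged one, so a challenge at /authentication covers sibling resources under /, but it is a "may", not a "must".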