Eduard Moraru wrote:
We should provide a standard way accessible both to a browser and a command-line tool like curl.
WDYT?
I agree.
I have to catch up on today's discussion, but I think it's worth detailing what I implemented yesterday:
--- With Firefox:
* http://localhost:8080/xwiki/rest/spaces (gets all spaces as guest)
* http://localhost:8080/xwiki/rest/browser_authentication (sends a challenge that makes the browser pop up the username password dialog)
Type Admin, admin and from now on we are recognized as admin (Firefox starts to send Authorization headers in subsequent requests)
* http://localhost:8080/xwiki/rest/spaces (gets all spaces as Admin)
Logout by clearing your private data and authenticated session (or restarting Firefox)
* http://localhost:8080/xwiki/rest/spaces (gets all spaces as guest)
--- With curl:
$ curl http://localhost:8080/xwiki/rest/spaces (gets all spaces as guest)
$ curl -u Admin:admin http://localhost:8080/xwiki/rest/spaces (gets all spaces as Admin)
Isn't it an acceptable implementation (modulo security via HTTPS, etc.)?
Logout is not really necessary. Each request bears the Authorization header if the user wants to be recognized (i.e., it is like a login at each request, consistent with the REST stateless constraint).
-Fabio
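
The request flow described in the message above, modelled as an added example that is not part of the original message and is not XWiki's code: a stateless handler that identifies the caller only from each request's Authorization header. The handler, the realm name, the response bodies and the choice to answer invalid credentials with 401 are assumptions; the account is the Admin/admin test login from the message.

```python
import base64
import hmac

USERS = {"Admin": "admin"}  # constructed store: the test account from the message
CHALLENGE = {"WWW-Authenticate": 'Basic realm="xwiki-rest-example"'}  # assumed realm

def basic_header(user, password):
    """Build the header value a browser or `curl -u user:password` sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from an Authorization value, or None if absent/malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(header):
    """Return the user name if the credentials check out, else None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    expected = USERS.get(creds[0])
    # Constant-time comparison: do not leak how much of the password matched.
    if expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode()):
        return creds[0]
    return None

def handle(path, headers):
    """Hypothetical stateless handler: (status, response headers, body). No session kept."""
    sent = headers.get("Authorization")
    user = authenticate(sent)
    if path == "/rest/browser_authentication" and user is None:
        return 401, CHALLENGE, "authentication required"  # makes the browser ask
    if sent is not None and user is None:
        return 401, CHALLENGE, "invalid credentials"  # assumption: no silent guest fallback
    if path == "/rest/spaces":
        return 200, {}, f"spaces as {user or 'guest'}"
    if path == "/rest/browser_authentication":
        return 200, {}, f"recognized as {user}"
    return 404, {}, "not found"
```

Since `parse_basic` recovers the password from the header with a plain base64 decode, every authenticated request exposes the credentials to anyone who can read the traffic, which is why the HTTPS caveat in the message matters.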