The ContentManager interface sports a login() method that takes a username and password. This will fit in well with repositories that use HTTP Basic authentication, but won't be quite as useful for HTTP Digest, or any sort of single sign-on environment (OpenID, OAuth, etc.) where the client application that uses Chemistry might not actually have a plaintext password for the calling user.

In previous $JOB lives, when designing an API like this, I've sometimes created another interface called Authenticator (with an implementation HttpBasicAuthenticator, plus perhaps some others). Then:

* I would add a login(Authenticator authenticator) method to the ContentManager interface (I'd be fine with keeping the existing login() method as well because HTTP Basic will likely be a common use case, but it would not be strictly necessary).
* The Authenticator instance would get a chance, just before the outbound HTTP request is sent, to add whatever HTTP headers it needed for the authentication mechanism it implements.
* For completeness, Authenticator should also be able to receive some sort of callback if a 401 is received (perhaps similar to the way Acegi Security does this kind of thing).

Would something like this be of interest to the Chemistry developers? If so, I can add a JIRA issue and take a crack at a patch to add this feature.

Craig McClanahan

PS: In my current role, I'm evaluating how to integrate our company's application (Jive SBS) more closely with various CMS environments, and CMIS (and therefore Chemistry) looks like it might be a good long-term strategy.
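Added example, not part of the original message and not Apache Chemistry code: a sketch of the two hooks the message proposes (a pre-send header hook and a 401 callback), shown for a token-based client that never holds a plaintext password. Every name here (AuthenticatorSketch, Authenticator, prepare, onUnauthorized, BearerTokenAuthenticator, send) is hypothetical, and the local HTTP stub and tokens are constructed for the demonstration; an HTTP Basic implementation would set its header in the same pre-send hook.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.util.*;
import java.util.function.Supplier;

public class AuthenticatorSketch { // hypothetical names throughout, not the Chemistry API
    interface Authenticator {
        void prepare(HttpURLConnection request);        // called just before the request is sent
        boolean onUnauthorized(String wwwAuthenticate); // called on a 401; true means retry once
    }

    // Token-based sign-on: the client holds a token source, never a plaintext password.
    static final class BearerTokenAuthenticator implements Authenticator {
        private final Supplier<String> tokenSource;
        private String token;
        BearerTokenAuthenticator(Supplier<String> tokenSource) { this.tokenSource = tokenSource; }
        public void prepare(HttpURLConnection request) {
            if (token == null) token = tokenSource.get();
            request.setRequestProperty("Authorization", "Bearer " + token);
        }
        public boolean onUnauthorized(String challenge) {
            token = null; // drop the rejected token so prepare() fetches a new one
            return challenge != null && challenge.startsWith("Bearer");
        }
    }

    // Sends a GET, giving the authenticator both hooks; retries at most once after a 401.
    static int send(URL url, Authenticator auth) throws Exception {
        for (int attempt = 0; ; attempt++) {
            HttpURLConnection request = (HttpURLConnection) url.openConnection();
            auth.prepare(request);
            int status = request.getResponseCode();
            String challenge = request.getHeaderField("WWW-Authenticate");
            if (status != 401 || attempt > 0 || !auth.onUnauthorized(challenge)) return status;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local stub standing in for a repository: it accepts only "Bearer fresh".
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            boolean ok = "Bearer fresh".equals(ex.getRequestHeaders().getFirst("Authorization"));
            if (!ok) ex.getResponseHeaders().add("WWW-Authenticate", "Bearer");
            ex.sendResponseHeaders(ok ? 200 : 401, -1);
            ex.close();
        });
        server.start();
        URL url = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/").toURL();
        Iterator<String> tokens = List.of("stale", "fresh").iterator(); // constructed sample tokens
        System.out.println(send(url, new BearerTokenAuthenticator(tokens::next)));
        server.stop(0);
    }
}
```

The retry is capped at one so that a server which keeps answering 401 cannot drive the client into a loop of credential refreshes.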
