Pascal Voitot wrote:
> Look at this article which shows an even worse example by SUN:)
> http://developers.sun.com/identity/reference/techart/id-svcs.html
>
> To my mind:
> /authentication could be a resource
> /authentication/logout is not a resource but an action...
>

Right.

> so something like "GET /authorization?state=logout" might not be exactly
> RESTful but it is acceptable for my intellect ;)
>

A way to do authentication is the way Google does. You post your credentials to /authorization and you get as a response a token that you provide in subsequent requests with an Authorization header. The POST operation could also generate a URI that you will DELETE in order to logout. Or you can also put a timeout on the token so you don't have to logout at all.

The problem here is that, while this is perfectly RESTful, it's not very practical to do with a plain browser because, unless you do some JavaScript magic, you cannot add headers to a request just by typing something in the URL bar.

A solution could be, as others suggested, to use the http://username:passw...@uri in order to leverage Basic auth, or, as I proposed, to expose a special URI that when requested challenges the browser to ask for an authentication. Subsequent requests will have the Authorization header set and, hence, login performed.

-Fabio
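
The token flow described in the message above, sketched as an added example that is not part of the original thread or of XWiki's code: POST credentials to /authorization, send the token in an Authorization header, DELETE the returned URI to log out, or let the token time out. The `Bearer` scheme, the `/pages` resource, the 900-second lifetime and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

USERS = {"alice": "correct horse"}   # constructed sample account; a real store holds password hashes
TTL = 900                            # assumed token lifetime in seconds
_sessions = {}                       # sha256(token) -> (user, expiry)

def _key(token):
    # Keep only a hash server-side so a dump of the session table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def handle(method, path, headers=None, body=None, now=None):
    """Return (status, response_headers, body) for one request."""
    headers, body = headers or {}, body or {}
    now = time.time() if now is None else now
    if method == "POST" and path == "/authorization":
        expected = USERS.get(body.get("username"), "")
        supplied = body.get("password", "")
        # Unknown users are rejected; known users get a constant-time password comparison.
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return 401, {}, None
        token = secrets.token_urlsafe(32)
        _sessions[_key(token)] = (body["username"], now + TTL)
        # Location is the URI the client later DELETEs to log out.
        return 201, {"Location": "/authorization/" + _key(token)}, token
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    session = _sessions.get(_key(token))
    if session is None or session[1] <= now:
        _sessions.pop(_key(token), None)   # timed-out tokens are dropped, no logout needed
        return 401, {"WWW-Authenticate": "Bearer"}, None
    if method == "DELETE" and path == "/authorization/" + _key(token):
        del _sessions[_key(token)]         # explicit logout: the token resource is gone
        return 204, {}, None
    if method == "GET" and path == "/pages":
        return 200, {}, "hello " + session[0]
    return 404, {}, None
```

The logout URI embeds only the token's hash, so the URI alone neither authenticates a request nor lets a third party end the session without also presenting the token.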

