I concur with Mitch: RESTful authentication is done per request. There are lots of good ways to do it; if each request contains sufficient information to be independently authenticated and acted upon by the server, it's RESTful.

It sounds from your description that you might be building some sort of delegated authentication, authorization and/or profile facility that back-ends other services. A draft specification I wrote earlier this year for such a facility is here (which, in turn, is also open for comment):

http://www.solertium.com/downloads/specs/GoGoEgo+User+Service.pdf

----- Original Message -----
From: "Mitch Stewart" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, October 2, 2007 2:30:43 PM (GMT-0500) America/New_York
Subject: RE: Restful Login/Identifier

JC,

We do a combination of Basic Authentication and AWS Authentication (both available in Restlet). First the user logs in using Basic Authentication to retrieve tokens (identifiers) that are then used on subsequent requests. The token is used to generate a hash which is sent with every request within the Authorization header using the AWS Authentication scheme.

Basic Authentication works for us because we push all requests via HTTPS... you might need to use something else if you are not SSL-encrypted.

I think the "Restful approach" will require you to send authentication credentials for every request. You can pass the digested password for each request, but the AWS Authentication scheme provides a nice layer of redirection so you are not storing the password anywhere on the client.

Hope that helps,
Mitch

> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of JC
> Sent: Tuesday, October 02, 2007 1:44 PM
> To: [email protected]
> Subject: Restful Login/Identifier
>
> I am trying to develop a Restful login system. Using a web service I want to identify a user based on their user name and password, but I am not sure of the best (Restful) approach.
>
> I would like to avoid the RPC approach of calling an authenticate method, passing in a user name and password.
>
> The best (Restful) solution I have come up with so far is to have the URL HTTPS://www.example.com/user/{user}. The {user} placeholder would be the MD5 value of the concatenated string of user name + password.
>
> Ex.
> User name: MyName
> Password: MyPassword
> {user} = MD5(MyName+MyPassword)
>
> If the user is found return an XML representation of the user, if not return a 404 error.
>
> Thoughts, comments, suggestions?
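The two-phase scheme Mitch describes (Basic Authentication once to obtain a token, then an AWS-style HMAC signature in the Authorization header on every subsequent request) is shown below with both the client and server sides, as an added example that is not code from this thread or from Restlet. The header layout, the choice of HMAC-SHA256 (the original AWS scheme used HMAC-SHA1), the string-to-sign, the five-minute clock-skew window, the PBKDF2 password store and the sample user "MyName"/"MyPassword" are all assumptions made for the example.

```python
"""Two-phase REST authentication: Basic auth to mint a token, then an
AWS-style HMAC over each request using the token secret. Added example;
all names, formats and constants below are assumptions, not Restlet's API.
"""
import base64
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

DATE_FMT = "%a, %d %b %Y %H:%M:%S GMT"
MAX_SKEW = timedelta(minutes=5)           # reject requests outside this window
FIXED_NOW = datetime(2007, 10, 2, 18, 30, tzinfo=timezone.utc)  # constructed clock


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked store does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"MyName": (_SALT, _pw_hash("MyPassword", _SALT))}   # constructed store
TOKENS: Dict[str, Tuple[str, bytes]] = {}                    # key id -> (user, secret)


def basic_header(user: str, password: str) -> str:
    """Client side, phase 1: build the Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def issue_token(authorization: str) -> Optional[Tuple[str, str]]:
    """Server side, phase 1: check Basic credentials; mint (key_id, secret)."""
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    rec = USERS.get(user)
    if rec is None:
        return None
    salt, stored = rec
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return None
    key_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
    TOKENS[key_id] = (user, secret)
    return key_id, base64.b64encode(secret).decode()


def fmt_date(dt: datetime) -> str:
    return dt.strftime(DATE_FMT)


def _string_to_sign(method: str, path: str, date: str) -> str:
    # Binding method, path and date means a captured signature cannot be
    # replayed against a different resource or outside the skew window.
    return f"{method}\n{path}\n{date}"


def _signature(secret: bytes, method: str, path: str, date: str) -> str:
    mac = hmac.new(secret, _string_to_sign(method, path, date).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_request(key_id: str, secret_b64: str, method: str, path: str,
                 date: str) -> Dict[str, str]:
    """Client side, phase 2: headers for one signed request (no password involved)."""
    sig = _signature(base64.b64decode(secret_b64), method, path, date)
    return {"Date": date, "Authorization": f"AWS {key_id}:{sig}"}


def verify_request(method: str, path: str, headers: Dict[str, str],
                   now: datetime) -> Optional[str]:
    """Server side, phase 2: return the authenticated username, or None."""
    scheme, _, rest = headers.get("Authorization", "").partition(" ")
    key_id, _, sig = rest.partition(":")
    if scheme != "AWS" or key_id not in TOKENS:
        return None
    try:
        sent = datetime.strptime(headers.get("Date", ""), DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    if abs(now - sent) > MAX_SKEW:
        return None                       # stale or future-dated request
    user, secret = TOKENS[key_id]
    expected = _signature(secret, method, path, headers["Date"])
    if not hmac.compare_digest(expected, sig):
        return None
    return user


if __name__ == "__main__":
    key_id, secret = issue_token(basic_header("MyName", "MyPassword"))
    hdrs = sign_request(key_id, secret, "GET", "/user/MyName", fmt_date(FIXED_NOW))
    print(verify_request("GET", "/user/MyName", hdrs, FIXED_NOW))
```

The password is used exactly once, over the HTTPS-protected Basic exchange; afterwards the client holds only the token secret, and nothing password-derived appears in any URL or header. Because the signature covers method, path and date, a sniffed request authenticates only that request within the skew window rather than granting a reusable identifier.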

