Not to start a fire, but I was curious what people thought about my approach to authentication with my RESTful application. I am currently using a Restlet authenticator (was using a Servlet filter) to authenticate incoming requests. Once authenticated, the request and response have a cookie added to their cookie collection. This cookie is also stored in an authentication tokens table the REST application has access to. The benefit of this is that it allows for a "login once" architecture without having to deal with the hazards of BASIC auth (never expiring, for example). However, I am pretty sure I am violating the spirit of REST by maintaining a form of state.
What do you think?

-- 
-a

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Einstein

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2394659
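The token-table design described in the post, as an added, framework-agnostic example (not the poster's code and not Restlet's API): tokens are random, only their hash is stored server-side, entries expire and can be revoked, and the cookie is emitted with the usual hardening attributes. The TTL, the cookie name `auth_token` and the in-memory table are assumptions standing in for the poster's database table.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumption: 30-minute sliding lifetime


class TokenTable:
    """Server-side table of issued tokens (stands in for the post's DB table)."""

    def __init__(self, now=time.time):
        self._rows = {}  # token_hash -> {"user": str, "expires": float}
        self._now = now  # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token):
        # Store only a hash: a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "user": user, "expires": self._now() + TOKEN_TTL_SECONDS}
        return token

    def authenticate(self, token):
        """Return the user for a live token, or None (unknown or expired)."""
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if row["expires"] <= self._now():
            del self._rows[key]  # expired: purge so it can never come back
            return None
        row["expires"] = self._now() + TOKEN_TTL_SECONDS  # slide the expiry
        return row["user"]

    def revoke(self, token):
        """Logout: drop the row so the cookie is dead even if still held."""
        self._rows.pop(self._digest(token), None)


def set_cookie_header(token):
    # HttpOnly keeps it from scripts, Secure off plain HTTP, SameSite limits CSRF.
    return (f"auth_token={token}; Path=/; HttpOnly; Secure; "
            f"SameSite=Strict; Max-Age={TOKEN_TTL_SECONDS}")


def parse_cookie_header(header):
    """Pull the auth cookie out of a raw Cookie header; None if absent."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "auth_token":
            return value
    return None
```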