Dj, I'm glad you asked this. I've really lucked out so far and have always worked in an environment that uses client certificates for authentication. The identity of the user is established on every single connection, and I never have to worry about it. But in the near future, I'm going to have to solve the same problem that you're looking at now.
You make some astute observations. HTTP_BASIC is only safe over HTTPS, which is very limiting, especially when deploying to GAE. HTTP_DIGEST has some poorly understood compatibility problems with different HTTP clients; furthermore, it isn't what GAE uses natively. It seems that for the GAE edition in particular it would be nice to have an Authenticator that could integrate with the GAE APIs. I'm sure if it isn't done by the time I have to tackle that project, I'll wind up writing one.

Does the restlet team have any specific advice for creating a subclass of Authenticator that can get the Google account identity? Specifically a way to use a restlet to write the login example given on this link: http://code.google.com/appengine/docs/java/users/overview.html

-Matt

On Apr 20, 2010, at 11:37 AM, dj wrote:

> Hey Stephen,
>
> Ok so I get that sessions shouldn't be supported by rest, totally fine with
> that. I'm confused about how to use basic auth then instead, if that's the
> preferred method.
>
> If we use basic auth, then we need to send the username and password as plain
> text, right? This could be fixed by using https.
>
> But this also implies that every rest call made must supply username:password
> in the request, right?
>
> In that case, then in order to protect the user, every rest call should be
> done using https. Is that correct?
>
> Thanks
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2590591

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2590628
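The Authenticator subclass Matt is asking about can be shaped roughly as follows. This is an added example, not code from the thread, the Restlet team or the App Engine documentation; it assumes the Restlet 2.x `org.restlet.security.Authenticator` API (`authenticate`, `unauthenticated`, `Filter.STOP`) and the App Engine `com.google.appengine.api.users` package, and the class name `GaeUsersAuthenticator` is hypothetical. The point it makes is that App Engine has already verified the Google account on each request, so the filter only has to copy that verified identity into Restlet's `ClientInfo` and send anonymous callers to the Google login page instead of issuing a Basic challenge.

```java
// Added example (not from the thread or the Restlet project): a Restlet 2.x
// Authenticator that takes the caller's identity from the App Engine Users API
// instead of HTTP Basic/Digest credentials. Class name is hypothetical.
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.security.Authenticator;
import org.restlet.security.User;

import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class GaeUsersAuthenticator extends Authenticator {

    private final UserService userService = UserServiceFactory.getUserService();

    public GaeUsersAuthenticator(Context context) {
        // Not optional: a request that fails authenticate() never reaches the
        // wrapped router or resources.
        super(context, false);
    }

    @Override
    protected boolean authenticate(Request request, Response response) {
        // App Engine has already validated the Google account cookie for this
        // request; no password or token is handled by application code.
        if (!userService.isUserLoggedIn()) {
            return false;
        }
        com.google.appengine.api.users.User gaeUser = userService.getCurrentUser();

        // Use the stable Google user id as the principal identifier; the e-mail
        // address is kept as an attribute because it can change over time.
        User restletUser = new User(gaeUser.getUserId());
        restletUser.setEmail(gaeUser.getEmail());
        request.getClientInfo().setUser(restletUser);
        return true;
    }

    @Override
    protected int unauthenticated(Request request, Response response) {
        // Rather than a 401 challenge, redirect to Google's login page and have
        // it return the user to the resource that was originally requested.
        String destination = request.getResourceRef().toString();
        response.redirectSeeOther(userService.createLoginURL(destination));
        return STOP;
    }
}
```

In `Application.createInboundRoot()` the filter is placed in front of the router with `authenticator.setNext(router)`, so every route behind it sees `request.getClientInfo().getUser()` populated. Because the login state lives in Google's session cookie and is re-verified by App Engine on every request, the transport question dj raised still applies: the cookie is a bearer credential, so the application should be served over HTTPS just as Basic credentials would be.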