I am looking for best practices and solutions to using a REST service in combination with webauth.

I have a REST API that is hosted at med.stanford.edu/myapp/api/*. I have a web application (JavaScript with jQuery and Backbone or some other framework) that is hosted at med.stanford.edu/myapp/app/*. Right now access to the REST API is granted to Stanford users based on workgroup membership and restricted by a privgroup using mod_webauth. Pretty standard stuff.

In a production setting where an authenticated user loads the web application from med.stanford.edu/myapp and makes REST calls to med.stanford.edu/myapp, everything works great. I believe the webAuth cookie granted when the HTML is served is allowing the REST calls to go through. However, we are having problems making this API easily accessible during development. This is where I need help.

Q1: Web developers want to develop their HTML/JS/CSS on their local drive and have it invoke REST API calls on med.stanford.edu (or irt-dev.stanford.edu or whatever.stanford.edu). For example, they want to point their browser at file:///Users/jdoe/myapp/index.html and pick up local modifications to the JavaScript and develop against the API running remotely. However, all the REST calls just issue a 302 to the login page, and any existing webAuth cookies from other sessions at *.stanford.edu aren't sent with the request. Is there any way to make this work, to create an efficient local development environment for consumers of REST API services behind webAuth?

Q2: On a slightly different topic, is there a way for a developer to invoke the REST API using curl? Should developers try posting credentials to https://weblogin.stanford.edu/login and store the resulting cookie? This does not seem like a good practice (if it would even work) since it encourages credentials in script files.

I realize that someday soon we will have Stanford OAuth and all will be wonderful. But today I've got web developers installing Java development environments and hosting local Apache and Tomcat instances and various other hurdles in place in order for them just to develop JavaScript. That feels very wrong.

If there's a better mailing list for these questions I'll gladly re-post there.

Thanks in advance
Darryl

Darryl Dieckman
Senior Applications Engineer
Web and Systems Engineering
Information Resources and Technology (IRT)
Stanford University School Of Medicine
darryl.dieck...@stanford.edu
(650) 208-6082