On 27 Feb 2010, at 12:55, Ross Gardler wrote:

The REST documentation makes no mention of needing to authenticate. Is it intentional that some requests need to be authenticated, e.g. participants?

If so, how and where are the authentication details created?


The only requests that require authentication are those that are equivalent to admin interface functions for creating/updating/deleting services/categories, and these are documented at

http://incubator.apache.org/wookie/wookie-rest-api.html

e.g.

POST {wookie}/services/ {param:name} Creates a new service with the name provided using the name parameter. If there is already a service with this name, a http 409 (conflict) error is returned. This method requires authentication using a widgetadmin role, e.g. using HTTP Basic authentication.

This is set in web.xml here:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WidgetServices Controller</web-resource-name>
            <url-pattern>/services/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>widgetadmin</role-name>
        </auth-constraint>
    </security-constraint>

The authn details are the same as for the admin interface.


All other API requests only use the API key for authentication - if Basic auth is being requested for these (such as participants), then this is a configuration problem.



Ross
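
Added example, not part of the original message and not Wookie's own code: a small Python check that reads the security constraints from a web.xml and reports which role a given method and path require, useful for confirming that only POST/PUT/DELETE under /services/* demand widgetadmin and that a path such as /participants is not covered. The function names and the minimal <web-app> wrapper around the quoted constraint are assumptions; paths are relative to the webapp context root, and the sketch assumes one web-resource-collection per constraint and does not handle http-method-omission.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the message, wrapped in a minimal <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WidgetServices Controller</web-resource-name>
      <url-pattern>/services/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>widgetadmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def _matches(pattern, path):
    """Servlet-style URL pattern match: path prefix, extension, or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def required_roles(web_xml, method, path):
    """Return the roles a request needs; an empty set means no constraint applies."""
    roles = set()
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        def text(name, node=sc):
            return [e.text.strip() for e in node.iter() if _local(e.tag) == name]
        methods = text("http-method")
        # A collection with no <http-method> entries covers every method.
        if any(_matches(p, path) for p in text("url-pattern")) and (not methods or method in methods):
            roles.update(text("role-name"))
    return roles

if __name__ == "__main__":
    for m, p in [("POST", "/services/"), ("GET", "/services/"), ("POST", "/participants")]:
        print(m, p, sorted(required_roles(WEB_XML, m, p)) or "no container auth")
```

Running the same function over the deployed web.xml shows whether an extra constraint is what causes Basic auth to be requested for other endpoints.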
