The RESTful architecture doesn't have too much to say about authentication, and (at the time of writing) there are no supplementary standards to define how authentication should be implemented. And because REST runs over HTTP we don't get any particular support from the network stack either. In fact, because HTTP is stateless we don't even get the notion of a session or a connection.
Restful Objects therefore uses Naked Objects' authentication mechanism, with authentication performed for each RESTful call. What this means depends on the deploymentType:
if running in SERVER_EXPLORATION mode, then authentication is in effect switched off; no credentials are supplied, and Naked Objects will use the first exploration user defined in nakedobjects.properties, or a fallback "exploration" user otherwise.
For example, if running in SERVER_EXPLORATION mode, then you can specify the user using:
nakedobjects.exploration.users=sven:role1, dick:role2, bob:role1|role2
otherwise (if running SERVER_PROTOTYPE or SERVER), then authentication credentials are needed.
You can, if you want, run in EXPLORATION (or PROTOTYPE) mode rather than SERVER_EXPLORATION (or SERVER_PROTOTYPE) mode. The difference is that the former supports only a single user, while the SERVER_* modes support multiple concurrent users.
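As an added illustration (not Restful Objects or Naked Objects code), the following parses the nakedobjects.exploration.users value format shown above and applies the rule from the list: the first user defined is the one SERVER_EXPLORATION mode runs as, and a missing property means the fallback "exploration" user. The read_properties helper and SAMPLE_PROPERTIES are constructed for the example.

```python
# Added example, not Restful Objects / Naked Objects code: parses the
# nakedobjects.exploration.users format and applies the "first exploration
# user, else fallback 'exploration' user" rule described on the page.
from typing import Dict, List, Optional

FALLBACK_EXPLORATION_USER = "exploration"  # fallback user named on the page


def parse_exploration_users(value: Optional[str]) -> Dict[str, List[str]]:
    """Parse 'user:role1|role2, user2:role3' into an ordered user -> roles map.

    Absent or blank property: only the fallback user. Empty names and
    duplicate users are rejected rather than silently overwriting.
    """
    if value is None or not value.strip():
        return {FALLBACK_EXPLORATION_USER: []}
    users: Dict[str, List[str]] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        name, _, roles = entry.partition(":")
        name = name.strip()
        if not name:
            raise ValueError(f"malformed entry {entry!r}: empty user name")
        if name in users:
            raise ValueError(f"duplicate exploration user {name!r}")
        users[name] = [r.strip() for r in roles.split("|") if r.strip()]
    return users


def first_exploration_user(value: Optional[str]) -> str:
    """The user SERVER_EXPLORATION mode runs as: first entry, else the fallback."""
    return next(iter(parse_exploration_users(value)))


def read_properties(text: str) -> Dict[str, str]:
    """Minimal reader for key=value lines of a Java-style .properties file."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, val = line.partition("=")
            if sep:
                props[key.strip()] = val.strip()
    return props


# Constructed sample nakedobjects.properties using the user list from the page.
SAMPLE_PROPERTIES = "nakedobjects.exploration.users=sven:role1, dick:role2, bob:role1|role2\n"
```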
Calling Restful Objects in SERVER mode with no credentials will result in an exception:
On the other hand, if user and password parameters are supplied, then we can login:
This behaviour is pluggable however, at two levels:
NakedObjectsSessionFilter uses the authenticationManagerLookupStrategy property to specify a strategy for both finding credentials and for validating them against the Naked Objects authentication manager. The implementation provided by Restful Objects - AuthenticationSessionLookupStrategyExtended in the package org.starobjects.restful.viewer.authentication - is responsible for looking up credentials using the username and password parameters. Once validated, it also binds the results to the HttpSession so that future interactions do not require credentials.
If your lookup strategy implementation delegates to the Naked Objects authentication manager (recommended), you might also want to change the Naked Objects AuthenticationManager implementation itself. This is done using the nakedobjects.authentication key in nakedobjects.properties:
nakedobjects.authentication=com.mycompany.nakedobjects.authentication.MyAuthenticationManagerInstaller
In the future there will doubtless be standardized (WS-* style) approaches for RESTful authentication, but the above should provide enough flexibility in the meantime.