I'm assuming you mean OAuth2? http://oauth.net/2/ or http://www.auth2.com/ I agree on the query parameter, request URLs are routinely logged by application servers. HTTP Header is the way to go, along with some kind of expiration mechanism.
On Sun, Jun 9, 2013 at 10:38 AM, Kurt T Stam <[email protected]> wrote: > On 6/9/13 10:34 AM, Alex O'Ree wrote: >> >> I'm writing a REST style wrapper for the inquiry api and started >> thinking about how to support authenticated users to the REST inquiry >> binding. I came up with two options >> >> 1) Use servlet container authentication, then just trust the container >> provided identity. We'll need a way to provide that info to the >> existing service code >> 2) Create a REST endpoint for the Security API that uses post, then >> pass the auth token as a query parameter or something to the REST >> bindings >> >> Any one else have any ideas or comments? > > How about using an AUTH2 approach, and the AUTH2 token is the UDDI token? > I think this might align pretty nicely? This way 3rd party apps can embed > UDDI interaction > participating in the same security context? It's a bit like option 2. I > think in AUTH2 > you pass the auth token in the header. I think it's risky to put it as an > argument anyway. >
