Hi Sergey, Andy, Dennis, all,
it would definitely make sense, but there are always issues when
you need to provide credentials.
Since JAX-RS client is generally an object, which should be
retained for a "long time", it doesn't make sense to have
credentials stored within it (you can access multiple resources
(targets) with it and they could have different security
requirements. So we would need to introduce something like
credentials provider / store, which would return credentials per
request (based on host, port, path, ...).
Then there are multiple authentication mechanisms - which ones
should we support? Basic and Digest are no-brainers, but should we
have it in the API? It is already very simple to implement those
using request filters. Then, when we start with security, OAuth
users will start to request OAuth support (which makes perfect
sense and I'd like to see it on the client), but that's completely
different set of APIs...
I mean - as I mentioned - I'd be all for introducing better
security support for the client. But it feels like "just another
security api"; ideally, we'd just integrate with something which
is already available, unfortunately that's not the case. Look
around for other clients from Java EE. Supporting any security
(other than certificate based / https) is rare. I would hope that
separate security spec would provide guidance and ideally an API
to integrate with, but that did not happen yet.
As I don't like to use the phrase "sorry, it's already too late",
it almost seems that it is appropriate here.
Best regards,
Pavel
toggle quoted messageShow quoted text
On 25/05/2017 23:48, Sergey Beryozkin
wrote:
Hi Andy, Pavel
Would it make sense to consider extending the security related
part of the API a bit ?
It already has some methods for setting up HTTPS the portable
way.
Cheers, Sergey
On 25/05/17 22:35, Andy McCright wrote:
Hi Pavel,
The java properties will specify proxy
host/port for the entire JVM. Some of my customers are
using JAX-RS clients in hybrid cloud environments where they
may need a proxy server to access certain endpoints but not
others - so they really need a per-client solution. We can
provide that per-client solution with a vendor-specific
property, but then it is no longer portable.
I'm fine if we want to push this out to the
next rev of JAX-RS though. I think it is an important
issue, but not worth holding up the spec's release.
Thanks,
Andy
J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
-----
Original message -----
From: "Pavel Bucek" <pavel.bucek@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Thu, May 25, 2017 3:08 PM
Hi Andy, Dennis,
proxy port and proxy host can be already be defined by
java property (http.proxyHost and http.proxyPort).
I'm not sure whether we can add proxy auth schemes at
this point - if we'd start talking about security,
wouldn't make sense to add auth support for standard
client invocations?
Regards,
Pavel
On 25/05/2017 20:36, Andy McCright wrote:
Yeah, I think that makes sense. So
maybe instead of new methods on the
Client/ClientBuilder we could add the following
properties to Client:
public static final String
PROXY_HOST_PROPERTY =
"javax.ws.rs.client.http.proxy.host";
public static final String
PROXY_PORT_PROPERTY =
"javax.ws.rs.client.http.proxy.port";
public static final String
PROXY_BASIC_AUTH_USERNAME_PROPERTY =
"javax.ws.rs.client.http.proxy.auth.username";
public static final String
PROXY_BASIC_AUTH_PASSWORD_PROPERTY =
"javax.ws.rs.client.http.proxy.auth.password";
Assuming we have consensus, do we want
to add this as part of Dennis's pull request[1], or
should I create a new one?
Thanks,
Andy
J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in
Client API?
Date: Mon, May 22, 2017 2:01 AM
Hi Pavel,
I don't want to hijack the topic, I'm just saying
that we can handle both cases in a common way.
Regards
Dennis