Brad Ediger

"Advanced Rails"


What Is REST? | 197
From an HTTP perspective, it would seem rather odd that another mechanism would have to be introduced for authentication. HTTP already provides methods for authenticating users, and they work statelessly.

However, the standard HTTP Basic and Digest authentication mechanisms have many problems, and they are rarely used on the public Web. There are several factors affecting their widespread adoption:

• They use the standard browser/operating system controls to prompt for credentials; they cannot be styled.
• They do not easily facilitate logout.
• There is no easy way to request login conditionally, or return different representations based on whether or not the user is logged in.
• HTTP Basic authentication does not really even attempt to hide the username and password when transmitting across the network; in Base64 encoding, they are essentially plain text. Digest authentication is much more secure, but is not universally supported in older browsers.

Thus, a web application requiring authentication usually presents login forms itself and keeps track of user authentication using a cookie. Most implementations of this run contrary to the principles of REST by keeping additional application state outside of the request envelope. The cookie itself is stored and transmitted just like an HTTP authentication request would be, but the difference is that authentication cookies usually gain their validity from being tied to server-side application state.
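The following added example (not from the book) makes the Basic-versus-Digest point concrete: the Basic header decodes straight back to the password, while a Digest (RFC 2617, qop=auth) response is a hash the server can verify statelessly from a stored HA1 without the password ever being transmitted. The user, realm, nonce and URI values are constructed for illustration.

```ruby
require 'base64'
require 'digest/md5'

# Constructed sample header: Base64 of "alice:s3cret", exactly as a browser
# would send it for HTTP Basic. Anyone reading the request can decode it.
SAMPLE_BASIC_HEADER = 'Basic YWxpY2U6czNjcmV0'.freeze

# Recover the credentials from a Basic Authorization header value.
def basic_credentials(authorization_header)
  scheme, encoded = authorization_header.split(' ', 2)
  raise ArgumentError, 'not a Basic header' unless scheme == 'Basic'
  user, password = Base64.strict_decode64(encoded).split(':', 2)
  { user: user, password: password }
end

# HA1 = MD5(user:realm:password). This is all the server needs to keep;
# it is also the only place the password enters the Digest computation.
def digest_ha1(user, realm, password)
  Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
end

# Client side: response = MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri).
def digest_response(ha1, method, uri, nonce, nc, cnonce)
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:auth:#{ha2}")
end

# Server side: recompute from the request parameters and compare; no per-user
# session state is involved, only the stored HA1 and the challenge nonce.
def digest_valid?(stored_ha1, method, params)
  expected = digest_response(stored_ha1, method, params[:uri],
                             params[:nonce], params[:nc], params[:cnonce])
  expected == params[:response]
end

# Constructed exchange for the same user over Digest.
DIGEST_REALM = 'example'.freeze
STORED_HA1 = digest_ha1('alice', DIGEST_REALM, 's3cret')
SAMPLE_DIGEST_PARAMS = {
  uri: '/private', nonce: 'abc123', nc: '00000001', cnonce: 'xyz',
  response: digest_response(STORED_HA1, 'GET', '/private', 'abc123', '00000001', 'xyz')
}.freeze
```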