...

3.  Configuration and support of both protected and public endpoints (Greg Jansen)

       Andrew summarizes Greg's point about two war files: (1) standard file with no auth enabled by default; (2) war file with a repo.json to point to auth classes and web.xml specifying protected resources.

       Main questions: (1) how do we support auth out of the box; (2) does it make sense to push these challenges to the application layer versus the servlet container.

       Esme discusses details about an auth implementation for a file delivery application at UCSD (contained a parameter to present a login challenge). Says having a single policy would not allow people to do what they want to do with auth.

       Andrew: Having 2 end points is not sufficient. E.g. in the case of some hierarchy, where the parent is not open to public but the images should be.

       Greg: Haven't thought about suppressing the challenge. Having 2 end points doesn't seem RESTful.

       Esme: Having a 401 and 403. 403 was the default in the file delivery auth layer.

       Greg: Makes sense; the session could be checked.

       Andrew: Doing this in application, not in servlet container. Create a ticket to explore.

       Greg: sure.


4.  Bring the meat ax down on our leakage of JCR abstractions through our API and RDF (Michael Durbin)

...