Form based login while also applying REST principles

Question

I am a Spring/JavaEE web programmer and am starting to investigate the principles of REST for future web applications, but I can't figure out how to do usable logins. For a Web API it makes sense, but what about end user facing web applications? I have looked into the HTTP Basic/Digest Authentication but that only produces an ugly dialog box. Anyone have any ideas?

Answer 1

That really depends on how you approach form-based login.

The way it's defined in J2EE spec, login page is only shown to the (yet authenticated) user when s/he tries to access a protected resource; it's not (or should not be) accessible by itself. In that scenario login page does not have to be governed by REST principles as it's not a "resource" by itself. In other words, the workflow is:

1. User tries to GET REST url, '/products/0332425'
2. S/he is redirected to '/login', POSTs his credentials, is redirected back (as GET) to the original page ('/products/0332425')
3. Subsequent attempts to get to '/login' result in error (403?) or redirect to "root".

If that does not work for you and you need to have your login form available on multiple pages , treat it as part of the page and its submission as you would any other POST.