
Authentication for custom Crowd REST plugin module resources

Rafal Habrat October 27, 2011

I've added some new REST resources to Crowd through the REST plugin module. I'm having trouble authenticating when invoking those resources.

I've tried authenticating using BASIC authentication and providing credentials of one of the applications I have defined in Crowd - this did not work. This method only worked for the built-in Crowd REST API.

I've tried BASIC authentication with credentials of a user defined in Crowd, both with and without "?os_authType=basic" - none of those attempts worked.

What am I missing?

1 answer


2 votes
Answer accepted
Rafal Habrat October 31, 2011

I was sort of able to find the answer to my question. Since Atlassian is using the REST plugin module themselves to implement the built-in REST API for Crowd, I was able to find some clues by looking at the source.

It turns out that all of the REST exposed methods are actually marked as @AnonymousAllowed, which would seem to imply that you do not need to authenticate at all to call these. That is not the case, however, because there is a ServletFilter in place that is enforcing the BASIC authentication on all resources deployed at /rest/usermanagement/*. I wish Crowd Development documentation explained those things.

My workaround to get the same authentication scheme, as the built-in REST API uses, applied to my custom resources is to deploy them under /usermanagement by specifying that in my atlassian-plugin.xml for the <rest> module.

I was unable to get the authentication working when my resources were deployed to a different URL, as the implementation class (BasicApplicationAuthenticationFilter) for the filter is not exported in any of the OSGi bundles and thus I couldn't use it in my plugin to apply that filter to a different URL.

I'm not sure if there is a way to not use the @AnonymousAllowed on the custom REST extensions and successfully authenticate to Crowd - I was unable to get it working...

Hope this helps someone...
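
An added example, not part of the original answer and not Atlassian code: a review check built on the behaviour the answer describes, where only resources under /rest/usermanagement/* sit behind the BASIC authentication filter, so an @AnonymousAllowed method in a `<rest>` module deployed at any other path has no authentication in front of it. The plugin key, module keys, paths and the Java class are constructed samples, and the annotation match is a rough regex rather than a Java parser.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Taken from the answer: the BASIC-auth filter covers /rest/usermanagement/* only.
FILTERED_PREFIX = "/usermanagement"

# Constructed sample descriptor; plugin key, module keys and paths are made up.
DESCRIPTOR = """
<atlassian-plugin key="com.example.crowd.ext" name="Example" plugins-version="2">
  <rest key="groups-ext" path="/usermanagement" version="1.0"/>
  <rest key="reports-ext" path="/reports" version="1.0"/>
  <rest key="lookalike" path="usermanagement-ext/" version="1.0"/>
</atlassian-plugin>
"""

# Constructed sample resource class.
RESOURCE_SRC = """
@Path("report")
public class ReportResource {
    @GET
    @AnonymousAllowed
    public Response list() { return Response.ok().build(); }

    @DELETE
    public Response purge() { return Response.noContent().build(); }
}
"""

def is_filtered(path):
    """True if a <rest> module path falls under the filtered prefix."""
    norm = posixpath.normpath("/" + path.strip("/"))
    return norm == FILTERED_PREFIX or norm.startswith(FILTERED_PREFIX + "/")

def unfiltered_modules(descriptor_xml):
    """Keys of <rest> modules deployed outside /rest/usermanagement/*."""
    root = ET.fromstring(descriptor_xml)
    return [m.get("key") for m in root.iter("rest")
            if not is_filtered(m.get("path", ""))]

def anonymous_methods(java_src):
    """Names of methods carrying @AnonymousAllowed (simple regex, not a Java parser)."""
    pattern = re.compile(r"@AnonymousAllowed\b(?:\s*@\w+(?:\([^)]*\))?)*\s*"
                         r"(?:public|protected|private)?\s*[\w<>\[\], ]+?\s+(\w+)\s*\(")
    return pattern.findall(java_src)

if __name__ == "__main__":
    print("modules outside the filter:", unfiltered_modules(DESCRIPTOR))
    print("methods open without it:", anonymous_methods(RESOURCE_SRC))
```

The prefix comparison is done on the normalized path and on a whole path segment, so a sibling such as /usermanagement-ext is reported as outside the filter.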
