Comment: Migrated to Confluence 4.0

Fedora's SOAP API has historically been split into two parts: API-A and API-M. The REST API, being resource-oriented, naturally isn't split this way. In addition, the control over which endpoints can be set to require authentication is inconsistent across the two. The old "Authenticate for API-A? Authenticate for API-M?" options no longer make sense when you look at Fedora's APIs as a whole.

Here's one way the situation could be improved.

  1. For the SOAP API (all read-oriented and write-oriented methods), always require authentication.
  2. For the REST API, on a per-verb basis (POST/PUT/DELETE/GET), offer the following options at install time:
    1. Proactive Challenge: Always require authentication.
    2. Reactive Challenge: Only require authentication if an unauthenticated request failed due to AuthZ rules.
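
The following model of the proposed decision logic is an added example, not Fedora code. The per-verb choices, the credential store, the AuthZ rules, the `demo:` object names and the use of 403 for an authenticated denial are all assumptions made for illustration.

```python
import hmac
from enum import Enum

class Challenge(Enum):
    PROACTIVE = "proactive"   # always require authentication
    REACTIVE = "reactive"     # challenge only after an anonymous AuthZ denial

# Constructed install-time choice, one option per REST verb.
REST_POLICY = {
    "GET": Challenge.REACTIVE,
    "POST": Challenge.PROACTIVE,
    "PUT": Challenge.PROACTIVE,
    "DELETE": Challenge.PROACTIVE,
}

USERS = {"alice": "s3cret"}   # constructed credential store
PUBLIC = {"demo:public"}      # constructed: objects anonymous users may GET
LOCKED = {"demo:locked"}      # constructed: objects no one may touch

def authorized(user, verb, resource):
    """Stand-in for the AuthZ rules (assumption, not Fedora's policy engine)."""
    if resource in LOCKED:
        return False
    if user is None:
        return verb == "GET" and resource in PUBLIC
    return True

def decide(api, verb, resource, creds=None):
    """Return the HTTP status the front end would send: 200, 401 or 403."""
    user = None
    if creds is not None:
        name, password = creds
        if name not in USERS or not hmac.compare_digest(USERS[name], password):
            return 401                    # bad credentials: challenge again
        user = name
    # SOAP always authenticates; REST follows the per-verb option.
    must_authenticate = api == "SOAP" or REST_POLICY[verb] is Challenge.PROACTIVE
    if user is None and must_authenticate:
        return 401                        # challenged before AuthZ is consulted
    if authorized(user, verb, resource):
        return 200
    # Reactive challenge: an anonymous denial becomes a 401 so the client can
    # retry with credentials; an authenticated denial is a plain 403.
    return 401 if user is None else 403
```

With a reactive verb, an anonymous client can tell permitted resources (200) from denied ones (401), so the anonymous AuthZ rules need the same review as the authenticated ones.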

NOTE: This is being tracked as FCREPO-668