Authentication is a tricky problem for REST web services. On the one hand, HTTP provides three different authentication mechanisms, so the default should be to use one of them. On the other hand, identity management and access control for system-to-system communication turn out to be very different from the user-to-system identity management around which the HTTP authentication models were developed. As a result, you generally need to define your own mechanism.