I've been using Restlets "ChallengeResponse" mechanism to authenticate users so far.

ChallengeResponse challengeResponse = getRequest().getChallengeResponse();
if( challengeResponse == null ){
     throw new RuntimeException("not authenticated");
}
String login = challengeResponse.getIdentifier();
String password = new String(challengeResponse.getSecret());

From my understanding, "ChallengeResponse" requires that the username and password are put into headers. However a client needs to put the credentials into the url like so:

https://username:[email protected]/my_secure_document

When I looked at what was actually sent, it looks like the password is being hashed.

What is the proper way to authenticate in this fashion using Restlet?