Overall great stuff. Note, some of the items are questions from me, and some are questions I could see being asked by others :-)
* HTTP Digest authentication - why this? What alternatives exist?
* Client library support
* Where does Crypto.SHA1 come from?
* should list that
* We will want to collapse JS into mini-lib imo
* Not relative path?
* Can it point to other places?
* phase 1
* authorization only, right?
* Can you use CDI to inject a user object?
* for further work.
* Web mobile --> web/mobile
* Define the domain a little better
* Does getUser return a user object, or a Long?
* What happens when you access secured resources and you're not logged in?
* Where and how are users created, edited, removed?