Comment 8 for bug 529348

I think the simplest way to distinguish OAuth-authenticated webservice requests is to create a new marker interface and apply it to the request object in WebServicePublication.getPrincipal(), which is where the OAuth authentication happens.

That part seems simple enough. However, right now I don't understand this bug well enough to know what to do with that interface once it exists...