Davide Angelocola <davide.angelocola <at> tiscali.it> writes:
>
> I'm very confused about the logout action... should the server maintain a
> session? Is there a need for a transient resource, i.e. a /user/session?
> This should not be RESTful, right?
>
> On Thursday 06 September 2007 22:47:18 Stanczak Group wrote:
> > I would guess you would have to send a message telling them to login
> > using that role. So you would then check that role in your Guard and if
> > it fails send them to that page to login as that role.
> >
> > Davide Angelocola wrote:
> > > Hi,
> > >
> > > this is my first post on this mailing list. I'm wondering about porting
> > > a servlet/JSP webapp to REST. I have several roles in this webapp and I
> > > allow the same user to have multiple roles, but only one role at a time
> > > can be logged in. In this scenario I use the server session to store the
> > > username and role.
> > >
> > > In respect of a restful design how to implement the login/logout
> > > actions? Any idea/hint would be appreciated.
> > >
> > > Best Regards,
> > > -- Davide Angelocola
>
In one of my projects I maintain sessions using a custom manager. On the web
server I have Restlets to handle login and logout requests. The login request
consists of an email/password pair submitted via a form POST. Once the pair is
verified, I create a session and return a cookie that carries a session token.
The session lives on the web server running the Restlets until the user requests
a logout or it expires.
When the user requests a logout, I remove that session using the token stored in
the cookie.
What follows is a simplified version...
import org.restlet.Context;
import org.restlet.Restlet;
import org.restlet.data.CookieSetting;
import org.restlet.data.Form;
import org.restlet.data.Request;
import org.restlet.data.Response;

/**
 * Authenticates an email/password combination submitted by a form
 */
public class LoginRestlet extends Restlet {
    public LoginRestlet(Context context) {
        super(context);
    }

    /*
     * (non-Javadoc)
     *
     * @see org.restlet.Restlet#handle(org.restlet.data.Request,
     * org.restlet.data.Response)
     */
    @Override
    public void handle(Request req, Response resp) {
        // Read form parameters
        Form form = req.getEntityAsForm();
        String email = form.getFirstValue("email");
        String password = form.getFirstValue("password");
        String redirectUri = null;
        if (authenticate(email, password)) {
            // Create the server-side session and hand the client only its token
            MyWebSession session = MyWeb.createWebSession(email);
            resp.getCookieSettings().add(new CookieSetting("sessionToken",
                    session.getId()));
            redirectUri = "/userhome";
        } else {
            redirectUri = "/unauthorized";
            //resp.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED, "Authentication failed.");
        }
        if (redirectUri != null) {
            resp.redirectSeeOther(redirectUri);
        }
    }
}
import org.restlet.Context;
import org.restlet.Restlet;
import org.restlet.data.Request;
import org.restlet.data.Response;

/**
 * Ends the current user session
 */
public class LogoutRestlet extends Restlet {
    public LogoutRestlet(Context context) {
        super(context);
    }

    /*
     * (non-Javadoc)
     *
     * @see org.restlet.Restlet#handle(org.restlet.data.Request,
     * org.restlet.data.Response)
     */
    @Override
    public void handle(Request request, Response response) {
        // Get the current session token from the request cookie
        String sessionToken = request.getCookies().getFirstValue("sessionToken");
        if (sessionToken != null) {
            // Forget the session server-side; the cookie value is useless afterwards
            MyWeb.removeWebSession(sessionToken);
        }
        response.redirectSeeOther("/login");
    }
}
Make sure you attach your Restlets to your router:
    router.attach("/login", new LoginRestlet(context));
    router.attach("/logout", new LogoutRestlet(context));
I can protect resources in this app by having a Restlet check for the session
token in the cookie I passed back. I can do this as a filter via
Filter.setNext() or by checking directly in my resource. Here's one example where
I redirect to the login page if the session is not found or is invalid. If the
session is valid I can do the work to satisfy the request.
/*
 * (non-Javadoc)
 *
 * @see org.restlet.resource.Resource#handleGet()
 */
@Override
public void handleGet() {
    // Find the session token
    String sessionToken = getRequest().getCookies().getFirstValue("sessionToken");
    if (sessionToken != null) {
        MyWebSession session = MyWeb.getWebSession(sessionToken);
        if (session != null && session.isValid()) {
            super.handleGet();
            return;
        }
    }
    // Temporary (303) rather than permanent redirect: a 301 would be cached by
    // the browser and keep sending the user to /login even after logging in
    getResponse().redirectSeeOther("/login");
}
This is just one way to do it. Hope this helps to give you some ideas on how to
do it for your app.
Jim
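As an added example (not Jim's code and not part of Restlet), here is a stand-alone Java sketch of the server-side session manager the post above refers to as MyWeb; the names SessionStore, Session, create, lookup and invalidate are assumed for illustration, and the clock is passed in explicitly so the walk-through in main() is reproducible. It shows the three properties the posted Restlets rely on: the cookie carries only an unguessable random token, the session state (username, role, expiry) lives on the server, and a logout or a switch of role removes the entry so that a cookie the browser still holds no longer resolves. It also enforces Davide's "one role at a time" rule by dropping a user's existing session when a new one is created.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/**
 * Hypothetical stand-in for the MyWeb session manager: the cookie carries only
 * an opaque random token, while username, role and expiry stay on the server so
 * that logout (or a change of role) invalidates the session no matter what the
 * client still holds.
 */
public class SessionStore {

    /** Server-side state for one logged-in (user, role) pair. */
    public static final class Session {
        public final String id;
        public final String user;
        public final String role;
        private final long expiresAt; // milliseconds, same clock the caller passes in

        Session(String id, String user, String role, long expiresAt) {
            this.id = id;
            this.user = user;
            this.role = role;
            this.expiresAt = expiresAt;
        }

        public boolean isValid(long now) {
            return now < expiresAt;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Session> byToken = new ConcurrentHashMap<String, Session>();
    private final ConcurrentMap<String, String> tokenByUser = new ConcurrentHashMap<String, String>();
    private final long ttlMillis;

    public SessionStore(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** 128 random bits, hex encoded: the token must be unguessable, unlike a counter or a hash of the email. */
    static String newToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    /** Logs the user in under one role; a session the user already has (possibly under another role) is dropped first. */
    public synchronized Session create(String user, String role, long now) {
        String previous = tokenByUser.remove(user);
        if (previous != null) {
            byToken.remove(previous);
        }
        Session s = new Session(newToken(), user, role, now + ttlMillis);
        byToken.put(s.id, s);
        tokenByUser.put(user, s.id);
        return s;
    }

    /** Resolves a cookie value; unknown and expired tokens both yield null, and expired entries are purged. */
    public Session lookup(String token, long now) {
        if (token == null) {
            return null;
        }
        Session s = byToken.get(token);
        if (s == null) {
            return null;
        }
        if (!s.isValid(now)) {
            invalidate(token);
            return null;
        }
        return s;
    }

    /** Logout: forget the session server-side, so a replayed cookie resolves to nothing. */
    public synchronized void invalidate(String token) {
        Session s = (token == null) ? null : byToken.remove(token);
        if (s != null) {
            tokenByUser.remove(s.user, s.id);
        }
    }

    /** Constructed walk-through on a fixed clock: login, role switch, logout, expiry. */
    public static void main(String[] args) {
        SessionStore store = new SessionStore(30L * 60 * 1000); // sessions live 30 minutes after login
        long t = 1000L;
        Session asEditor = store.create("user@example.org", "editor", t);
        System.out.println("editor session valid: " + (store.lookup(asEditor.id, t + 1) != null));

        Session asAdmin = store.create("user@example.org", "admin", t + 2);
        System.out.println("editor token after role switch: " + store.lookup(asEditor.id, t + 3));
        System.out.println("role now: " + store.lookup(asAdmin.id, t + 3).role);

        store.invalidate(asAdmin.id);
        System.out.println("admin token after logout: " + store.lookup(asAdmin.id, t + 4));

        Session again = store.create("user@example.org", "admin", t + 5);
        System.out.println("after TTL: " + store.lookup(again.id, t + 5 + 30L * 60 * 1000));
    }
}
```

The Restlet wiring stays as in the posted classes: LoginRestlet calls create() and puts the returned id into the CookieSetting, LogoutRestlet calls invalidate() with the cookie value, and the guarding resource calls lookup(). If the application is served over HTTPS, the cookie should also be flagged so the browser only sends it over TLS; otherwise the token travels in the clear on every request and is worth as much to an eavesdropper as the password.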