Hi Matt,
basically, an authenticator aims at extracting all interesting data from
the request in order to authenticate the request, that is to say check
that the credentials conveyed by the request correspond to a known user.
The enroler is then used to complete the Request#clientInfo attribute in
order to give the application all necessary data about the current user.
Another step is to say that this user is authorized according to the
application policy to access the requested resource (via an authorizer
filter). If the current user is not authorized, a 401 status code is
returned.
Having said that, one subclass of Authenticator, called
ChallengeAuthenticator aims at handling requests based on "challenge
schemes".
This filter relies on an instance of the Verifier class that checks the
credentials and authenticates users. In addition, due to the challenge
mecanism, it ensures that the response to a unauthenticated request
contains the necessary data (a ChallengeRequest object, corresponding to
the "WWW-Authenticate" HTTP header) that will help the client to
understand what happens and to correctly fulfill the next request. Thus,
the 401 status code is used (perhaps a "unauthenticated request" status
code would be better).
I should mention that the DigestAuthenticator class is a subclass of
ChallengeAuthenticator that specifically handles the case of the
HTTP_DIGEST challenge scheme.
Of course, this must not be confused with the "authorization" step which
help to decides if an authenticated user is allowed or not to access
precisely to a resource.
Best regards,
Thierry Boileau
> I'm trying to implement a custom authenticator class and I'm a little stumped
> by the behavior so far. When I override the authenticate() method to always
> return false, I get back an HTTP 204 error. However, if I have it always
> return true, then the request goes through correctly, so I think I have
> everything wired up the right way. Based on my reading of the available
> documentation, if authentication is set as required in the Authenticator
> subclass (which is the default setting), then a 401 response should be sent.
> Is this a bug? Or am I missing a required step in my subclass implementation?
>
> Thanks,
> Matt
>
> The following illustrates the problem (in Groovy):
>
> import org.restlet.*;
> import org.restlet.data.*;
> import org.restlet.security.Authenticator;
> import org.restlet.representation.*;
>
> class TestAuthenticator extends Authenticator
> {
> @Override
> public TestAuthenticator(Context ctx){ super(ctx); }
>
> @Override
> protected boolean authenticate(Request request, Response response)
> {
> return false;
> //return true;
> }
> }
>
> class TestRestlet extends Restlet
> {
> @Override
> public void handle(Request request, Response response)
> {
> response.setEntity(new StringRepresentation("hello, world\n",
> MediaType.TEXT_PLAIN));
> }
> }
>
> def component = new Component();
> Server http = component.servers.add(Protocol.HTTP, 8181);
> component.clients.add(Protocol.FILE);
> Context workingCtx = http.context;
> def guard = new TestAuthenticator(workingCtx);
> def restlet = new TestRestlet();
> guard.setNext(restlet);
> component.defaultHost.attach(guard);
> component.start();
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2426801
>
>
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2428784
