Hello Arjohn, Jerome was willing to answer you, but as he is very overloaded and is working for a customer, I am answering you, very late. Sorry for this delay.
Just a few words about the security model in the Restlet framework. The Restlet framework has set up its own model (see here [0], [1]) based on some properties of the ClientInfo class: user and roles. This model gets along with ones that are based on principals, which are closer to or are based on JAAS. These models are distinct, and some bridges are required in some situations. Let's see what may happen, and what the bridges may be.

The security model tries to distinguish the authentication and authorization aspects. First, the incoming request is to be authenticated. At this step, the credentials taken from the request are verified by a SecretVerifier and, if everything is correct, the latter sets the ClientInfo's user with the credential's identifier, and the Enroler defined on the Authenticator filter lists the roles of the user. Then comes the authorization phase. If you decide to follow the Restlet model, the user and list of roles are available and ready to be handled. If you decide to follow a model based on principals, you can use the jaas extension that provides a few tools: a JaasVerifier that takes the clientInfo's principals and generates a Subject instance, and a JaasUtils class that creates a Subject instance with an instance of the UserPrincipal class (based on the user attribute) and instances of RolePrincipal populated with the user's roles. You can of course decide to populate the ClientInfo#principals with your own strategy.

In the case of the servlet adapter, some principals already exist (due to the configuration of the servlet container). And as you noticed, the user - and roles - are not retrieved (see [2]), which is from our point of view an issue. The idea is to make an application portable. It must be possible to make it run as a standalone application with the Restlet security model (based on User and Role objects), and simply take it inside a servlet container.

However, there is still a constraint: in order to make the list of Role correct, the servlet container and the Restlet application must define the same list of roles.

I hope these few words make things clearer.

Best regards,
Thierry Boileau

[0] http://wiki.restlet.org/developers/172-restlet/212-restlet.html#dsy212-restlet_authenticationModel
[1] http://wiki.restlet.org/developers/172-restlet/212-restlet.html#dsy212-restlet_authorizationModel
[2] http://restlet.tigris.org/issues/show_bug.cgi?id=503

> Hi all,
>
> I'm having a hard time understanding the differences between
> ClientInfo.getPrincipals() and getUser() and when to use which method.
>
> I'm trying to get hold of the username in a ServerResource and figured I
> should use one of these methods. When using a ChallengeAuthenticator
> from the restlet package, the username is (only) available via
> getUser(). But when running inside Tomcat and relying on a servlet
> security-constraint, the username is only available via the
> getPrincipals() method. I'm using HTTP Basic authentication in both
> cases.
>
> Looking through the ServerServlet's code, it seems that the user
> principals are copied from the incoming HttpServletRequest.
> HttpServletRequest.getRemoteUser() is never called though. Is this a
> bug in the connector?
>
> Any insights in this subject are highly appreciated!
>
> --
> Arjohn
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2435769
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2440271
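As an added illustration (example code, not taken from this thread or from the Restlet project), here is how the two phases described above fit together in a Restlet 2.0-style application: a ChallengeAuthenticator whose verifier sets ClientInfo#user and whose Enroler fills ClientInfo#roles, a RoleAuthorizer for the authorization phase, and a resource that reads getUser()/getRoles() when the Restlet model ran and falls back to getPrincipals() when a servlet container authenticated the request instead. The account, realm, role name and class names are constructed for the example, and the Role(name, description) constructor is assumed from the 2.0 API.

```java
import java.security.Principal;
import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.ClientInfo;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.Enroler;
import org.restlet.security.MapVerifier;
import org.restlet.security.Role;
import org.restlet.security.RoleAuthorizer;

public class WhoAmIApplication extends Application {
    // The role name must match the one declared in the servlet container's
    // security-constraint when the same application is deployed under Tomcat.
    static final Role ADMIN = new Role("admin", "Administrators"); // constructed sample role

    @Override
    public Restlet createInboundRoot() {
        // Authentication phase: the verifier checks the Basic credentials and, on
        // success, sets ClientInfo#user; the enroler then populates ClientInfo#roles.
        ChallengeAuthenticator guard = new ChallengeAuthenticator(getContext(), ChallengeScheme.HTTP_BASIC, "demo");
        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("alice", "s3cret".toCharArray()); // constructed sample account
        guard.setVerifier(verifier);
        guard.setEnroler(new Enroler() {
            public void enrole(ClientInfo clientInfo) {
                if ("alice".equals(clientInfo.getUser().getIdentifier())) clientInfo.getRoles().add(ADMIN);
            }
        });
        // Authorization phase: only holders of the admin role reach the resource.
        RoleAuthorizer authorizer = new RoleAuthorizer();
        authorizer.getAuthorizedRoles().add(ADMIN);
        authorizer.setNext(WhoAmIResource.class);
        guard.setNext(authorizer);
        return guard;
    }

    public static class WhoAmIResource extends ServerResource {
        @Get
        public String whoAmI() {
            ClientInfo info = getClientInfo();
            // Standalone deployment: the ChallengeAuthenticator populated getUser() and getRoles().
            if (info.getUser() != null) return "user=" + info.getUser().getIdentifier() + " roles=" + info.getRoles();
            // Servlet container: only the container's Principal was copied in (see issue 503), so read it here.
            if (!info.getPrincipals().isEmpty()) return "principal=" + ((Principal) info.getPrincipals().get(0)).getName();
            return "anonymous";
        }
    }
}
```

Attach the application to a Component or Server as usual; under a servlet container the ChallengeAuthenticator can be left out and the resource's second branch takes over.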