I'm trying to do the following: for URLs matching a pattern
"/user/{username}/resource...", where username designates the resource's
owner, I want to grant access only if the authenticated user matches the
owner of the resource.
I created a custom authorizer that looks like:
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.security.Authorizer;
import org.restlet.security.User;

public class UserAuthorizer extends Authorizer {

    @Override
    protected boolean authorize(Request request, Response response) {
        // User set by the authenticator; null if the request is unauthenticated.
        User user = request.getClientInfo().getUser();
        if (user == null || user.getIdentifier() == null) {
            return false;
        }
        String userAuthenticated = user.getIdentifier();
        // "username" is filled in from the {username} URI template variable.
        String userInRequest =
                (String) request.getAttributes().get("username");
        return userAuthenticated.equals(userInRequest);
    }
}
The problem is that the request attribute username is applied by a router,
and I haven't found a way to chain "a router" to my Authorizer and then this
one to another router that points to the real resources. Maybe there is
another natural way to do this in Restlet, so that the route to the resource
gets parsed (and its {parameters} added to the request) before the
authorizer can be applied.
Otherwise it looks like I have to perform the authorization step manually in
all resources.
--
View this message in context:
http://restlet-discuss.1400322.n2.nabble.com/Chaining-an-authorization-filter-after-a-router-tp5231286p5231286.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
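
One way to wire the chain asked about above, as an added example that is not part of the original post: authenticator, then an outer router whose prefix-matching route extracts {username}, then the post's UserAuthorizer, then an inner router. It assumes the Restlet 2.x API; OwnerOnlyApplication, UserResource, the "/resource" path and the credentials are hypothetical and constructed for illustration.

```java
import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.routing.Template;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MapVerifier;

// Hypothetical application class; UserAuthorizer is the class from the post.
public class OwnerOnlyApplication extends Application {

    // Hypothetical resource standing in for the real per-user resources.
    public static class UserResource extends ServerResource {
        @Get
        public String represent() {
            return "resource of " + getRequest().getAttributes().get("username");
        }
    }

    @Override
    public Restlet createInboundRoot() {
        // Inner router: only sees the part of the URI after /user/{username}.
        Router inner = new Router(getContext());
        inner.attach("/resource", UserResource.class);

        // Authorizer is a Filter, so it can sit in front of the inner router.
        UserAuthorizer ownerOnly = new UserAuthorizer();
        ownerOnly.setNext(inner);

        // Outer router: prefix matching lets the route consume /user/{username},
        // store "username" in the request attributes, then call the authorizer.
        Router outer = new Router(getContext());
        outer.setDefaultMatchingMode(Template.MODE_STARTS_WITH);
        outer.attach("/user/{username}", ownerOnly);

        // Authentication runs first so getClientInfo().getUser() is populated.
        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("alice", "constructed-demo-secret".toCharArray());
        ChallengeAuthenticator auth = new ChallengeAuthenticator(
                getContext(), ChallengeScheme.HTTP_BASIC, "demo realm");
        auth.setVerifier(verifier);
        auth.setNext(outer);
        return auth;
    }
}
```

With this layout the ownership check runs once per request, before any resource under the prefix is instantiated, so individual resources do not each repeat it.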