On 28/06/10 16:27, Carles Barrobés wrote:
> I'm trying to do the following: for URLs matching a pattern
> "/user/{username}/resource...", where username designates the resource's
> owner, I want to grant access only if the authenticated user matches the
> owner of the resource.

> I created a custom authorizer that looks like:

> import org.restlet.Request;
> import org.restlet.Response;
> import org.restlet.security.Authorizer;
> import org.restlet.security.User;
>
> public class UserAuthorizer extends Authorizer {
>
>      @Override
>      protected boolean authorize(Request request, Response response) {
>          // Set by the authenticator filter; null if nobody has been authenticated yet
>          User user = request.getClientInfo().getUser();
>          if (user == null || user.getIdentifier() == null) {
>              return false;
>          }
>          String userAuthenticated = user.getIdentifier();
>          // Expected to be populated by the router from the "/user/{username}/..." template
>          String userInRequest = (String) request.getAttributes().get("username");
>          return userAuthenticated.equals(userInRequest);
>      }
>
> }

> The problem is that the request attribute username is applied by a router,
> and I haven't found a way to chain "a router" to my Authorizer and then this
> one to another router that points to the real resources. Maybe there is
> another natural way to do this in Restlet, so that the route to the resource
> gets parsed (and its {parameters} added to the request) before the
> authorizer can be applied.
>
> Otherwise it looks like I have to perform the authorization step manually in
> all resources.


That's not something you can do with an authorizer used as a filter. You 
can still use the authorizer class, but not in a chain of filters before 
the resource.
Instead, you will have to make a call to the authorizer (or write the 
authorization logic) explicitly within the resource.

You don't necessarily have to rewrite everything every time. For more 
flexibility, you could put this authorizer into the application context 
and perhaps populate an 'owner' request attribute from the resource.

Within the resource, this would look like this:
    Authorizer authorizer =
        (Authorizer) getContext().getAttributes().get("the_authorizer");
    getRequestAttributes().put("owner", ...);
    if (authorizer.authorize(getRequest(), getResponse())) { ... }



Best wishes,

Bruno.
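The following is a complete version of the pattern Bruno describes, added here as an example; it is not code from the thread or from the Restlet project. It assumes the Restlet 2.0 API: the class, resource path and attribute names (OwnerAuthorizer, ProfileResource, "the_authorizer", "/user/{username}/profile") are hypothetical, and the HTTP Basic credentials are constructed sample values. Because Authorizer.authorize is protected in Restlet 2.0, the override widens it to public so the resource can call it directly; the owner check happens inside the resource, after the router has filled in the {username} template variable.

```java
import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Protocol;
import org.restlet.data.Status;
import org.restlet.resource.Get;
import org.restlet.resource.ResourceException;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.Authorizer;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MapVerifier;
import org.restlet.security.User;

/** Grants access only when the authenticated user equals the "owner" request attribute. */
public class OwnerAuthorizer extends Authorizer {

    /** Context attribute under which the application shares one authorizer (hypothetical name). */
    public static final String CONTEXT_KEY = "the_authorizer";

    @Override
    public boolean authorize(Request request, Response response) {
        // Set by the ChallengeAuthenticator; null when the request was not authenticated
        User user = request.getClientInfo().getUser();
        Object owner = request.getAttributes().get("owner");
        if (user == null || user.getIdentifier() == null || owner == null) {
            return false; // fail closed: no identity or no owner means no access
        }
        return user.getIdentifier().equals(owner);
    }

    /** Resource mapped to /user/{username}/profile; performs the owner check itself. */
    public static class ProfileResource extends ServerResource {
        @Get
        public String represent() {
            OwnerAuthorizer authorizer =
                (OwnerAuthorizer) getContext().getAttributes().get(CONTEXT_KEY);
            // Copy the router-populated template variable into the attribute the authorizer reads
            getRequestAttributes().put("owner", getRequestAttributes().get("username"));
            if (authorizer == null || !authorizer.authorize(getRequest(), getResponse())) {
                throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
            }
            return "Profile of " + getRequestAttributes().get("username");
        }
    }

    /** Application wiring: authenticator filter -> router -> resource. */
    public static class OwnerApp extends Application {
        @Override
        public Restlet createInboundRoot() {
            getContext().getAttributes().put(CONTEXT_KEY, new OwnerAuthorizer());

            Router router = new Router(getContext());
            router.attach("/user/{username}/profile", ProfileResource.class);

            // HTTP Basic authentication with constructed sample credentials
            ChallengeAuthenticator guard =
                new ChallengeAuthenticator(getContext(), ChallengeScheme.HTTP_BASIC, "owner-demo");
            MapVerifier verifier = new MapVerifier();
            verifier.getLocalSecrets().put("alice", "alice-secret".toCharArray());
            verifier.getLocalSecrets().put("bob", "bob-secret".toCharArray());
            guard.setVerifier(verifier);
            guard.setNext(router);
            return guard;
        }
    }

    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8182);
        component.getDefaultHost().attach(new OwnerApp());
        component.start();
    }
}
```

With the server running, a request to /user/alice/profile with alice's credentials is served, the same request with bob's credentials is answered 403, and an unauthenticated request is answered 401 by the ChallengeAuthenticator before the resource is reached. The authorizer fails closed when either the user or the owner attribute is missing, so a resource that forgets to populate "owner" denies access rather than silently granting it.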

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2626986
