Hi,

I think I misunderstood your original question. I thought that you could 
only know the owner of the resource once you got to that resource (e.g. 
by loading it from a database).

If the path is what determines ownership, then you should be able 
to do this by putting the authorizer after the router and 
before the resource, rather than the resource class directly.

Avoid mixing authentication and authorization if you can.

Best wishes,

Bruno.

On 29/06/10 10:15, Carles Barrobés wrote:
> In the end it should be simpler than that. All I need to do is be able to
> decode the URL (same as I used as the route to the resource), match it to
> the current request (same as the router does) and check the parameters.
>
> Since I did not want to add authorization checks in all my resources
> (although it could be done rather cleanly with aspects and annotations), for
> the time being I solved it by using an authenticator that extends
> ChallengeAuthenticator and overrides authenticate.
>
> I added a method setRoutes to my authenticator to initialise it with the
> list of routes:
>
>
>          RouteList routes = router.getRoutes();
>          authenticator.setRoutes(routes);
>
>
> Then within the authenticator I can access the matching capabilities of the
> routes:
>
>
>          // get the matching route
>          Route best = this.routes.getBest(request, response, 0);
>          final String remainingPart = request.getResourceRef().getRemainingPart(false, true);
>          // match and add parameters to the request map (or I could use a fresh map)
>          best.getTemplate().parse(remainingPart, request.getAttributes());
>          String username = (String)request.getAttributes().get("username");
>          String userAuthenticated = request.getClientInfo().getUser().getIdentifier();
>          return username.equals(userAuthenticated);
>
>
> This way everything is centralised within the authenticator.
>
> --
> Carles

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2627324
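
The chaining suggested in the reply above (authenticator, then router, then authorizer, then resource), as an added example that is not code from either poster or from the Restlet project. It assumes the Restlet 2.x API; OwnerAuthorizer, UserResource, the "/users/{username}" route and the realm name are hypothetical.

```java
// Added example, not code from the thread. Assumes Restlet 2.x; OwnerAuthorizer,
// UserResource, "/users/{username}" and "example-realm" are hypothetical names.
import org.restlet.*;
import org.restlet.data.ChallengeScheme;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.*;

public class OwnerOnlyApplication extends Application {
    private final Verifier verifier; // credential check is supplied by the caller
    public OwnerOnlyApplication(Verifier verifier) { this.verifier = verifier; }

    /** Authorization only: compares the {username} route variable with the authenticated user. */
    static class OwnerAuthorizer extends Authorizer {
        @Override
        public boolean authorize(Request request, Response response) {
            // The router already parsed "/users/{username}" into the request attributes.
            Object owner = request.getAttributes().get("username");
            User user = request.getClientInfo().getUser();
            // Fail closed: a missing variable or an anonymous request is denied.
            return owner != null && user != null && owner.equals(user.getIdentifier());
        }
    }

    public static class UserResource extends ServerResource {
        @Get
        public String represent() {
            return "Private data of " + getRequest().getAttributes().get("username");
        }
    }

    @Override
    public Restlet createInboundRoot() {
        // router -> authorizer -> resource: the route is matched before authorize() runs
        Router router = new Router(getContext());
        OwnerAuthorizer ownerOnly = new OwnerAuthorizer();
        ownerOnly.setContext(getContext());
        ownerOnly.setNext(UserResource.class);
        router.attach("/users/{username}", ownerOnly);
        // authentication stays a separate filter in front of the router
        ChallengeAuthenticator authenticator =
                new ChallengeAuthenticator(getContext(), ChallengeScheme.HTTP_BASIC, "example-realm");
        authenticator.setVerifier(verifier);
        authenticator.setNext(router);
        return authenticator;
    }
}
```

Routes attached directly to a resource class on the same router bypass OwnerAuthorizer, so every owner-scoped route has to be attached through it.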
