Thanks Bruno, what you suggest is what I first tried - but gosh I didn't
find the way to do the chaining. In a hierarchical setup such as:
    public Restlet createRoot() {
        ChallengeAuthenticator authenticator = createAuthenticator();
        Router router = new Router(getContext());
        router.attach("/users/{username}/", UserResource.class);
        router.attach("/users/{username}/docs/", DocsResource.class);
        router.attach("/users/{username}/docs/{id}/", DocResource.class);
        // ...
        authenticator.setNext(router);
        return authenticator;
    }
How to sneak in my authorizer in between the router and the resource
totally escapes me, and believe me I made a few trials.
Thanks again,
Carles
Bruno Harbulot [via Restlet Discuss] wrote:
> Hi,
>
> I think I misunderstood your original question. I thought that you could
> only know the owner of the resource once you got to that resource (e.g.
> by loading it from a database).
>
> If the path is what determines ownership, then you should be able
> to do this by chaining, putting the authorizer after the router and
> before the resource, rather than the resource class directly.
>
> Avoid mixing authentication and authorization if you can.
>
> Best wishes,
>
> Bruno.
>
> On 29/06/10 10:15, Carles Barrobés wrote:
>
> > In the end it should be simpler than that. All I need to do is be able to
> > decode the URL (same as I used as the route to the resource), match it to
> > the current request (same as the router does) and check the parameters.
> >
> > Since I did not want to add authorization checks in all my resources
> > (although it could be done rather cleanly with aspects and annotations), for
> > the time being I solved it by using an authenticator that extends
> > ChallengeAuthenticator and overrides authenticate.
> >
> > I added a method setRoutes to my authenticator to initialise it with the
> > list of routes:
> >
> >     RouteList routes = router.getRoutes();
> >     authenticator.setRoutes(routes);
> >
> > Then within the authenticator I can access the matching capabilities of the
> > routes:
> >
> >     // get the matching route
> >     Route best = this.routes.getBest(request, response, 0);
> >     final String remainingPart =
> >         request.getResourceRef().getRemainingPart(false, true);
> >     // match and add parameters to the request map (or I could use a
> >     // fresh map)
> >     best.getTemplate().parse(remainingPart, request.getAttributes());
> >     String username = (String) request.getAttributes().get("username");
> >     String userAuthenticated =
> >         request.getClientInfo().getUser().getIdentifier();
> >     return username.equals(userAuthenticated);
> >
> > This way everything is centralised within the authenticator.
> >
> > --
> > Carles
>
--
View this message in context:
http://restlet-discuss.1400322.n2.nabble.com/Chaining-an-authorization-filter-after-a-router-tp5231286p5234673.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2627333
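
The chaining Bruno describes, as an added example that is not part of the original messages or Restlet's own code: each route is attached to an Authorizer whose next Restlet is the resource class, so the router has already placed {username} in the request attributes when the check runs. It assumes the Restlet 2.x API; OwnerAuthorizer, attachGuarded and attachUserRoutes are hypothetical names, and the resource classes are the ones from Carles's createRoot().

```java
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.Authorizer;
import org.restlet.security.User;

/** Added example (hypothetical class): permits a request only when the
 *  {username} path variable equals the authenticated user's identifier. */
public class OwnerAuthorizer extends Authorizer {

    @Override
    protected boolean authorize(Request request, Response response) {
        // Filled in by the Router from the matched URI template.
        Object owner = request.getAttributes().get("username");
        // Set by the ChallengeAuthenticator that sits in front of the Router.
        User user = request.getClientInfo().getUser();
        // Fail closed: a missing variable or an unauthenticated request is
        // denied, and Authorizer then answers 403 Forbidden.
        if (!(owner instanceof String) || user == null
                || user.getIdentifier() == null) {
            return false;
        }
        return owner.equals(user.getIdentifier());
    }

    /** Attaches router -> OwnerAuthorizer -> resource for one template. */
    public static void attachGuarded(Router router, Context context,
            String template, Class<? extends ServerResource> resource) {
        OwnerAuthorizer authorizer = new OwnerAuthorizer();
        authorizer.setContext(context);
        authorizer.setNext(resource);       // resource runs only if authorized
        router.attach(template, authorizer);
    }

    /** The three routes from createRoot(), each behind its own authorizer.
     *  The caller passes the page's resource classes, which are not
     *  defined here. */
    public static void attachUserRoutes(Router router, Context context,
            Class<? extends ServerResource> userResource,
            Class<? extends ServerResource> docsResource,
            Class<? extends ServerResource> docResource) {
        attachGuarded(router, context, "/users/{username}/", userResource);
        attachGuarded(router, context, "/users/{username}/docs/", docsResource);
        attachGuarded(router, context, "/users/{username}/docs/{id}/", docResource);
    }
}
```

In createRoot() the three router.attach(...) calls would be replaced by one call to attachUserRoutes(router, getContext(), UserResource.class, DocsResource.class, DocResource.class); the authenticator still wraps the router, so authentication and authorization stay in separate filters.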