Hi everybody

I was using CXF and changed to Restlet because security looks to be easier to 
implement.

I am using JAX-RS and I hopefully found an example with security in the source 
code: org.restlet.example.ext.jaxrs.GuardedExample 

I had some difficulties making it work: 
We need to call ChallengeAuthenticator after creating the Verifier.

        // set valid users and their passwords.
        MemoryRealm realm = new MemoryRealm();
        application.getContext().setDefaultEnroler(realm.getEnroler());
        application.getContext().setDefaultVerifier(realm.getVerifier());

        realm.getUsers().add(new User("admin", "adminPW".toCharArray()));
        realm.getUsers().add(new User("alice", "alicesSecret".toCharArray()));
        realm.getUsers().add(new User("bob", "bobsSecret".toCharArray()));

        // create a Guard
        final ChallengeAuthenticator guard = new ChallengeAuthenticator(
                application.getContext(), ChallengeScheme.HTTP_BASIC,
                "JAX-RS example");



Because the ChallengeAuthenticator constructor uses the verifier in the context: 
    public ChallengeAuthenticator(Context context, boolean optional,
            ChallengeScheme challengeScheme, String realm) {
        this(context, optional, challengeScheme, realm,
                (context != null) ? context.getDefaultVerifier() : null);
    }


Now it is working but I am wondering about the RoleChecker. My RoleChecker is 
like this : 

    /**
     * Class needed for BASIC AUTH.
     */
    @SuppressWarnings("deprecation")
    private static final class RestletRoleChecker implements RoleChecker {

        public boolean isInRole(Principal principal, String role) {
            throw new RuntimeException(
                    "[isInRole] was called. We don't know why this class is needed.");
        }
    }

And it is working with HTTP Basic Auth very well.

Because security is important, I am wondering why I need to call : 

        application.setAuthentication(guard, roleChecker); // with an unused RestletRoleChecker

and why : 

        application.setGuard(guard); //not deprecated

doesn't work instead.

Because application.setAuthentication is deprecated, how can I use 
ClientInfo.getRoles() instead ?

The only way I found to access ClientInfo is in Resource, and I would like to 
set the BasicAuth for every Resource.

Thank you

Romain

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2666646
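
The ordering dependency described in the post can be avoided by handing the verifier to the guard explicitly instead of relying on the context default. This is an added example, not part of the original post or of the Restlet sources: `GuardFactory` and `newBasicGuard` are hypothetical names, the five-argument constructor is the one the quoted `this(...)` call delegates to, and `setEnroler()` is assumed to be available in the Restlet version in use.

```java
import org.restlet.Context;
import org.restlet.data.ChallengeScheme;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MemoryRealm;
import org.restlet.security.User;
import org.restlet.security.Verifier;

// Hypothetical helper, not from the Restlet code base.
public final class GuardFactory {

    private GuardFactory() {
    }

    /**
     * Builds an HTTP Basic guard whose verifier is passed in explicitly, so
     * the result does not depend on whether setDefaultVerifier() was called
     * on the context before or after the guard was constructed.
     */
    public static ChallengeAuthenticator newBasicGuard(Context context,
            MemoryRealm realm, String realmName) {
        Verifier verifier = realm.getVerifier();
        if (verifier == null) {
            // Fail at start-up rather than deploy a guard with no verifier.
            throw new IllegalStateException("Realm has no verifier");
        }
        ChallengeAuthenticator guard = new ChallengeAuthenticator(context,
                false, ChallengeScheme.HTTP_BASIC, realmName, verifier);
        // Assumption: setEnroler() exists in the Restlet version in use.
        guard.setEnroler(realm.getEnroler());
        return guard;
    }

    public static void main(String[] args) {
        MemoryRealm realm = new MemoryRealm();
        // Constructed sample account, same shape as in the post.
        realm.getUsers().add(new User("alice", "alicesSecret".toCharArray()));

        // No default verifier is set on this context at all.
        ChallengeAuthenticator guard = newBasicGuard(new Context(), realm,
                "JAX-RS example");
        System.out.println("verifier set: " + (guard.getVerifier() != null));
    }
}
```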
