Hello Randy, 'login' is always a hot topic on RESTful applications.
The Restlet flow you mention is basically this:

    Client --- Request --> Guard --> Protected Server Resource

It's the Guard (usually org.restlet.security.ChallengeAuthenticator) that authenticates the user, making sure the system "knows" this user. The way to do that is by means of an Authenticator that will use a Verifier (which you have to implement for your scenario, usually by extending org.restlet.security.SecretVerifier) to check that the user is who he claims to be.

In a REST app, all requests to that Protected Server Resource need to provide the correct authentication credentials; there's no idea of 'state' (a session, for example): "this user has already been logged in, so it's OK to grant him access without credentials" never happens in a REST app. All guarded resources require authentication.

You usually don't see the above happening because the most popular web clients (read: web browsers) only ask you for authentication once, and then send all subsequent requests pre-authenticated.

Your iPhone app (as I understand, the client) will have to take care of doing this: reacting to the 401 the server will answer with (with the above flow, Restlet takes care of this for you) and asking the user, reading from a config file, or doing whatever it does to get the user's credentials, retrying the request with authentication info, and performing all subsequent such requests pre-authenticated (providing that authentication info).

This works fine for HTTP Basic (it needs encryption on the comms channel, using SSL for example, because the credentials are transmitted in clear text).

I'll let other, more security-versed people enhance this answer if they see fit.

Hope this helps.

On Thu, Jan 20, 2011 at 7:52 PM, Randy Paries <[email protected]> wrote:
> Hello,
> I am trying to create a RESTful application server.
> I am going to use the Restlet framework.
> As I am designing the URLs I have some questions.
> This app server is going to be the backend for an iPhone app.
> The app will require authentication.
>
> So here is where I get a little confused with the design.
>
> The app will make a call to
> http://mydomain.com/api/users/{userid}/apps/
> This will return an XML with the available apps and their URIs.
>
> Here is where I can not seem to connect the dots, and I would like to do this
> correctly the RESTful/Restlet way.
>
> If they go to http://mydomain.com/api/users/{userid}/apps/ directly, initially
> they will get a 401 (unauthorized).
>
> With this app they can not do anything without being authenticated.
>
> In my application I am using the CookieAuthenticator.
>
> I do not understand the correct way for this client to start.
>
> Should the app initially POST username and password to
> https://mydomain.com/api/users ??
>
> Thanks for any help.
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2699439
>

--
Fabián Mandelbaum
IS Engineer

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2699916
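The Guard --> Verifier --> Protected Server Resource flow described in the reply, written out as an added example (this is not code from the thread or from the Restlet project). It assumes the Restlet 2.1 API, where SecretVerifier.verify() returns an int result code (in 2.0 it returned a boolean); the class names ApiApplication and AppsResource, the realm name and the in-memory user map are constructed for illustration. Every request to the protected resource must carry HTTP Basic credentials; no session is kept, so the guard runs on each request.

```java
// Added example, not from the thread: a Restlet 2.1-style Application whose
// inbound root is a ChallengeAuthenticator guard placed in front of a Router.
// Names (ApiApplication, AppsResource, realm "api", the USERS map) are assumptions.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Status;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.SecretVerifier;

public class ApiApplication extends Application {

    // Constructed sample store: userid -> password. A real deployment stores
    // salted password hashes and compares against those, never plaintext.
    private static final Map<String, char[]> USERS = new ConcurrentHashMap<>();
    static {
        USERS.put("randy", "correct horse battery staple".toCharArray());
    }

    @Override
    public Restlet createInboundRoot() {
        // The guard: answers 401 with "WWW-Authenticate: Basic realm=..." when the
        // request carries no or bad credentials, and consults the verifier otherwise.
        ChallengeAuthenticator guard = new ChallengeAuthenticator(
                getContext(), ChallengeScheme.HTTP_BASIC, "api");
        guard.setVerifier(new SecretVerifier() {
            @Override
            public int verify(String identifier, char[] secret) {
                char[] expected = USERS.get(identifier);
                if (expected == null) {
                    return RESULT_UNKNOWN;   // no such user: the guard responds 401
                }
                // Constant-time comparison so response timing does not reveal
                // how many leading characters of the secret matched.
                byte[] given = new String(secret).getBytes(StandardCharsets.UTF_8);
                byte[] stored = new String(expected).getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(given, stored) ? RESULT_VALID : RESULT_INVALID;
            }
        });

        // Everything behind the guard is a protected server resource.
        Router router = new Router(getContext());
        router.attach("/users/{userid}/apps/", AppsResource.class);
        guard.setNext(router);
        return guard;
    }

    // Protected resource. By the time this runs, the guard has set the
    // authenticated User in ClientInfo. Authentication alone does not say
    // which user's data may be read, so the resource also checks that the
    // principal matches the {userid} in the URL (authorization).
    public static class AppsResource extends ServerResource {
        @Get("xml")
        public String listApps() {
            String authenticated = getClientInfo().getUser().getIdentifier();
            String requested = getAttribute("userid");
            if (!authenticated.equals(requested)) {
                setStatus(Status.CLIENT_ERROR_FORBIDDEN);
                return "<error>not your resource</error>";
            }
            // Constructed sample payload listing the user's apps and their URIs.
            return "<apps><app uri=\"/api/users/" + requested + "/apps/1\"/></apps>";
        }
    }
}
```

Attach ApiApplication to a Component with an HTTPS server connector, as the reply says: with HTTP Basic the client sends the password base64-encoded, not encrypted, on every request, so the channel has to be TLS. The client side is just the mirror image: on a 401 it obtains credentials, retries with an Authorization header, and keeps sending that header on later requests.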

