I am trying to understand the behavior I am seeing while using a Validator, 
Extractor, and Authorizer to process requests to my application. I am 
authorizing requests to my resources based on a cookie set by a different 
application. I have my Restlet objects chained together like this (also see 
sample code below):

Router -> Validator -> Extractor -> Authorizer -> Resource

My intention is that the Extractor and Authorizer don't have to run if the 
Validator does not pass. The Validator is there to ensure that the account 
number specified in the URL is exactly 5 numeric digits. If it is not a valid 
account number, proceeding with the Extractor and Authorizer is pointless.

The behavior I'm seeing is that the Extractor and Authorizer both run even if 
the requested URL does not pass validation. If the Authorizer is successful, it 
appears to run the Validator at that point and I get the expected response with 
HTTP status 400 (Bad Request). If the Authorizer fails, I get HTTP status 403 
(Forbidden) and it appears as though the Validator never runs.

How can I prevent the Extractor and Authorizer from running at all unless the 
Validator is successful?



Sample Code:
------------
public synchronized Restlet createInboundRoot()
{
        Router router = new Router(getContext());
        
        Validator validator = new Validator();
        // Account Number must be 5 numeric digits
        validator.validate("accountNumber", true, "[0-9]{5}");
        router.attach("/{accountNumber}", validator, Template.MODE_EQUALS);
        
        Extractor extractor = new Extractor();
        extractor.extractFromCookie("authToken", "cookieName", true);
        validator.setNext(extractor);
        
        MyCustomAuthorizer customAuthorizer = new MyCustomAuthorizer();
        extractor.setNext(customAuthorizer);
        
        customAuthorizer.setNext(MyResource.class);
        
        return router;
}
------------

Thanks,

Byron

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2700704
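
One way to get the fail-fast ordering asked about above, shown as an added example that is not part of the original post or of the Restlet project: a custom `Filter` placed where the `Validator` sits, which rejects a bad account number in `beforeHandle` and returns `STOP` so nothing downstream runs. The class name `AccountNumberGate` and the error text are assumptions; the code assumes the Restlet 2.x `org.restlet.routing.Filter` API.

```java
import java.util.regex.Pattern;

import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.Status;
import org.restlet.routing.Filter;

/**
 * Hypothetical fail-fast gate (the name is an assumption, not a Restlet class).
 * It checks the "accountNumber" URI variable before any later filter runs.
 */
public class AccountNumberGate extends Filter {

    // Same rule as in the post: exactly 5 numeric digits.
    private static final Pattern ACCOUNT = Pattern.compile("[0-9]{5}");

    public AccountNumberGate(Context context) {
        super(context);
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        // The router stores the {accountNumber} template variable as a request attribute.
        Object value = request.getAttributes().get("accountNumber");

        // matches() requires the whole value to match, so "123456" or "1234a" is rejected.
        if (!(value instanceof String) || !ACCOUNT.matcher((String) value).matches()) {
            response.setStatus(Status.CLIENT_ERROR_BAD_REQUEST,
                    "accountNumber must be exactly 5 digits");
            // STOP ends processing here: the next Restlet (Extractor, Authorizer,
            // resource) is never invoked for this request.
            return STOP;
        }
        return CONTINUE;
    }
}

// Wiring inside createInboundRoot(), in place of the stock Validator:
//   AccountNumberGate gate = new AccountNumberGate(getContext());
//   router.attach("/{accountNumber}", gate, Template.MODE_EQUALS);
//   gate.setNext(extractor);
```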