Fabián,
Sorry, I will try to provide more details.
The problem I am having is what is passed in to verify in my DBVerifier (see
below): the secret is encrypted and I did not encrypt it, and I do not know
where in the process I am doing something incorrect that it is getting
encrypted.
In my application I have
    public Restlet createInboundRoot() {
        Router router = new Router(getContext());
        router.attach("/", RootServerResource.class);
        router.attach("/login/{username}/", UserAuthorizationResource.class);

        Router wrouter = new Router(getContext());
        wrouter.attach("/tb/", testResource.class);

        DBVerifier verifier = new DBVerifier();
        MyAuthenticator authenticator =
                new MyAuthenticator(getContext(), "Cookie Test");
        authenticator.setVerifier(verifier);
        authenticator.setNext(wrouter);
        router.attach("/{userID}", authenticator);
        return router;
    }
-----------------------------------------------------
In MyAuthenticator (snippet):
    protected int beforeHandle(Request request, Response response) {
        /* passwd is not encrypted here */
        request.setChallengeResponse(new ChallengeResponse(
                ChallengeScheme.HTTP_BASIC, username, passwd));
        return super.beforeHandle(request, response);
    }
-----------------------------------------------------
    public class DBVerifier extends SecretVerifier {
        public boolean verify(java.lang.String identifier, char[] secret) {
            System.out.println("identifier=[" + identifier + "] secret=[" + secret.toString() + "]");
            return true;
        }
    }
> Hello Randy,
>
> you usually know the hash function to encrypt the secret to persist in
> encrypted in the DB.
>
> So, you just need to get the secret from the request, apply that
> hash/encryption function, and compare it with the already encrypted
> value you read from the DB, in the Verifier's verify() implementation.
>
> Maybe you are encrypting the password twice somehow?
>
> I couldn't fully understand what you wrote. What you 'cannot get
> anything useful from'?
>
> Hope the above helps guide you in the right direction...
>
> On Sat, Jan 29, 2011 at 3:43 PM, Randy Paries <rtparies at gmail dot com>
> wrote:
> > Fabian,
> > i am getting closer, but i am one step away i think.
> >
> > each time my service is called i pass in an encrypted string
> >
> > I decrypt it and in my ChallengeAuthenticator i have
> > request.setChallengeResponse(
> > new ChallengeResponse( ChallengeScheme.HTTP_COOKIE, keyArray[1],
> > keyArray[2].toCharArray() ));
> >
> > here is my problem
> >
> > I have created a class DBVerifier extends SecretVerifier
> >
> > i was assuming in the verify method i would query the DB and authenticate,
> > but the secret is in a format that i can not get anything useful from.
> >
> > in the authenticator request.getChallengeResponse().getSecret() gives me
> > what i need, so i know the correct value is in there.
> >
> > thanks for your patience and insight
> >
> > randy
> >
> >
> >
> >> Hello Randy,
> >>
> >> indeed your custom Verifier will have to query the DB on each request
> >> to, well, verify, the provided credentials are valid. You can also
> >> build an in-memory (provided the passwords are stored on the DB
> >> already encrypted, to tighten security a bit) credentials 'cache'
> >> which is populated (reading from the DB) when the system starts, and
> >> then your custom Verifier can query that credentials cache instead of
> >> the DB.
> >>
> >> As you can see, Restlet is very flexible and provides you with many
> >> possibilities to handle authentication. OTOH, that flexibility means a
> >> little more work on your side to implement the authentication
> >> 'architecture' the way you want or need it.
> >>
> >> On Wed, Jan 26, 2011 at 7:46 PM, Randy Paries <rtparies at gmail dot com>
> >> wrote:
> >> > Fabian ,
> >> > thanks for the response.
> >> >
> >> > that helped, i am now getting closer.
> >> >
> >> > So there is one last part i am not getting.
> >> >
> >> > from the book there is the example "
> >> > //snippet
> >> >
> >> > @Override
> >> > public Restlet createInboundRoot() {
> >> >
> >> > Router router = new Router(getContext());
> >> > MapVerifier verifier = new MapVerifier();
> >> > verifier.getLocalSecrets().put("scott",
> >> > "tiger".toCharArray());
> >> >
> >> > CookieAuthenticator authenticator =
> >> > new CookieAuthenticator(getContext(), "Cookie Test");
> >> >
> >> > //end snippet
> >> >
> >> > My usernames and passwords are in a DB
> >> > So is the flow, each time someone makes a request I need to query and
> >> > get the username/password so i can put it into the verifier? I am
> >> > thinking that after they login i will generate some kind of key based on
> >> > their username/password and that is what will be passed back and forth
> >> > or set as a cookie.
> >> >
> >> > thanks for your help
> >> >
> >>
> >>
> >>
> >> --
> >> Fabián Mandelbaum
> >> IS Engineer
> >
>
>
>
> --
> Fabián Mandelbaum
> IS Engineer
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2701699
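
Added example, not code from the thread or from Restlet: a stand-alone Java class showing that `secret.toString()` on the `char[]` passed to `DBVerifier.verify` prints the array's type tag and identity hash ("[C@" plus hex digits) rather than its characters, followed by a `verify` with the same parameters that derives a key from the submitted secret and compares it with the stored value, as the quoted reply suggests. The in-memory map, the sample credentials and the choice of PBKDF2 are assumptions; the thread does not name the hash in use.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SecretVerifyDemo {
    // Constructed stand-in for the credentials table: identifier -> {salt, derived key}.
    static final Map<String, byte[][]> DB = new HashMap<>();

    // PBKDF2 is an assumed choice; the thread does not say which hash the DB uses.
    static byte[] derive(char[] secret, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the secret
        }
    }

    // Same parameters as DBVerifier.verify(identifier, secret) in the post.
    static boolean verify(String identifier, char[] secret) throws GeneralSecurityException {
        byte[][] row = DB.get(identifier);
        if (row == null) {
            return false; // unknown identifier
        }
        // Constant-time comparison of the stored key and the freshly derived one.
        return MessageDigest.isEqual(row[1], derive(secret, row[0]));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] secret = "tiger".toCharArray(); // constructed sample secret
        // Arrays inherit Object.toString(): this prints "[C@" plus an identity hash.
        System.out.println("toString(): " + secret.toString());
        // The characters are intact; debugging only, never log real secrets.
        System.out.println("contents:   " + new String(secret));

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        DB.put("scott", new byte[][] { salt, derive(secret, salt) });

        System.out.println("right secret: " + verify("scott", "tiger".toCharArray()));
        System.out.println("wrong secret: " + verify("scott", "lion".toCharArray()));
        System.out.println("unknown user: " + verify("nobody", secret));
    }
}
```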