Hello Randy. Even with HTTP Basic auth the provided credentials (user+pass) are encoded. They are not transmitted like this on the wire:

user=the_user password=the_password

but, rather, like this, in a standard HTTP header:

Authorization: Basic YWRtaW5AY2FsZW5jby5jb206MTExMTEx

That YW...MTEx 'thing' is not encrypted, but encoded. However, you don't have to even care about this, because Restlet takes care of all these details.

As I said before, I don't know about Cookie authentication, but I've successfully set up an authenticator that verifies credentials stored on JCR. The code is Open Source, you can take a look at the relevant sources here to 'find inspiration':

http://trac.calenco.com/browser/branches/stable/src/com/calenco/security/JcrVerifier.java (this is the analog to what your DBVerifier should be)
http://trac.calenco.com/browser/branches/stable/src/com/calenco/CalencoV2App.java (look around line 221)

Hope this helps. Good luck!

On Mon, Jan 31, 2011 at 1:39 PM, Randy Paries <[email protected]> wrote:
> Fabián,
> sorry, I will try to provide more details.
>
> The problem I am having is this: what is passed in to verify in my
> DBVerifier (see below), the secret, is encrypted, and I did not encrypt
> it, and I do not know where in the process I am doing something
> incorrect so that it is getting encrypted.
>
> In my application I have
>
> public Restlet createInboundRoot() {
>
>     Router router = new Router(getContext());
>     router.attach("/", RootServerResource.class);
>     router.attach("/login/{username}/", UserAuthorizationResource.class);
>
>     Router wrouter = new Router(getContext());
>     wrouter.attach("/tb/", testResource.class);
>
>     DBVerifier verifier = new DBVerifier();
>
>     MyAuthenticator authenticator = new MyAuthenticator(getContext(), "Cookie Test");
>     authenticator.setVerifier(verifier);
>     authenticator.setNext(wrouter);
>
>     router.attach("/{userID}", authenticator);
>
>     return router;
> }
> -----------------------------------------------------
> in MyAuthenticator (snippet):
>
> protected int beforeHandle(Request request, Response response) {
>
>     /* passwd is not encrypted here */
>     request.setChallengeResponse(new ChallengeResponse(
>             ChallengeScheme.HTTP_BASIC, username, passwd));
>
>     return super.beforeHandle(request, response);
> }
> -----------------------------------------------------
> public class DBVerifier extends SecretVerifier {
>
>     public boolean verify(java.lang.String identifier, char[] secret) {
>
>         System.out.println("identifier=[" + identifier + "] secret=[" + secret.toString() + "]");
>
>         return true;
>     }
> }
>
>> Hello Randy,
>>
>> you usually know the hash function used to encrypt the secret in order
>> to persist it encrypted in the DB.
>>
>> So, you just need to get the secret from the request, apply that
>> hash/encryption function, and compare it with the already encrypted
>> value you read from the DB, in the Verifier's verify() implementation.
>>
>> Maybe you are encrypting the password twice somehow?
>>
>> I couldn't fully understand what you wrote. What is it you 'cannot get
>> anything useful from'?
>>
>> Hope the above helps guide you in the right direction...
>>
>> On Sat, Jan 29, 2011 at 3:43 PM, Randy Paries <rtparies at gmail dot com> wrote:
>> > Fabian,
>> > I am getting closer, but I am one step away, I think.
>> >
>> > Each time my service is called I pass in an encrypted string.
>> >
>> > I decrypt it and in my ChallengeAuthenticator I have
>> >
>> > request.setChallengeResponse(
>> >         new ChallengeResponse(ChallengeScheme.HTTP_COOKIE, keyArray[1],
>> >                 keyArray[2].toCharArray()));
>> >
>> > Here is my problem:
>> >
>> > I have created a class DBVerifier extends SecretVerifier.
>> >
>> > I was assuming in the verify method I would query the DB and authenticate,
>> > but the secret is in a format that I can not get anything useful from.
>> >
>> > In the authenticator request.getChallengeResponse().getSecret() gives me
>> > what I need, so I know the correct value is in there.
>> >
>> > Thanks for your patience and insight,
>> >
>> > randy
>> >
>> >> Hello Randy,
>> >>
>> >> indeed your custom Verifier will have to query the DB on each request
>> >> to, well, verify that the provided credentials are valid. You can also
>> >> build an in-memory credentials 'cache' (provided the passwords are
>> >> stored on the DB already encrypted, to tighten security a bit) which
>> >> is populated (reading from the DB) when the system starts, and then
>> >> your custom Verifier can query that credentials cache instead of the DB.
>> >>
>> >> As you can see, Restlet is very flexible and provides you with many
>> >> possibilities to handle authentication. OTOH, that flexibility means a
>> >> little more work on your side to implement the authentication
>> >> 'architecture' the way you want or need it.
>> >>
>> >> On Wed, Jan 26, 2011 at 7:46 PM, Randy Paries <rtparies at gmail dot com> wrote:
>> >> > Fabian,
>> >> > thanks for the response.
>> >> >
>> >> > That helped, I am now getting closer.
>> >> >
>> >> > So there is one last part I am not getting.
>> >> >
>> >> > From the book there is the example:
>> >> >
>> >> > //snippet
>> >> >
>> >> > @Override
>> >> > public Restlet createInboundRoot() {
>> >> >
>> >> >     Router router = new Router(getContext());
>> >> >     MapVerifier verifier = new MapVerifier();
>> >> >     verifier.getLocalSecrets().put("scott", "tiger".toCharArray());
>> >> >
>> >> >     CookieAuthenticator authenticator =
>> >> >             new CookieAuthenticator(getContext(), "Cookie Test");
>> >> >
>> >> > //end snippet
>> >> >
>> >> > My usernames and passwords are in a DB.
>> >> > So is the flow, each time someone makes a request, that I need to query and
>> >> > get the username/password so I can put it into the verifier? I am
>> >> > thinking that after they login I will generate some kind of key based on
>> >> > their username/password and that is what will be passed back and forth
>> >> > or set as a cookie.
>> >> >
>> >> > thanks for your help
>> >> >
>> >>
>> >> --
>> >> Fabián Mandelbaum
>> >> IS Engineer
>> >
>>
>> --
>> Fabián Mandelbaum
>> IS Engineer
>

--
Fabián Mandelbaum
IS Engineer

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2701818
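As an added example (not code from the thread, from Restlet, or from Calenco), a standalone Java class with the same verify(String, char[]) shape as Randy's DBVerifier. It shows why printing `secret.toString()` never yields the password (a char[] inherits Object.toString(), which returns a type-and-identity-hash string such as `[C@1b6d3586`, which is easy to mistake for an "encrypted" value) and how Fabián's advice looks in code: hash the presented secret and compare it against the hash stored for that identifier using a constant-time comparison. The in-memory "database", the scott/tiger pair from the book snippet, and the class name are constructed for this example; it does not depend on the Restlet jar.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/** Stand-in for a Restlet SecretVerifier subclass: same verify(String, char[]) signature, no Restlet dependency. */
public class HashingDbVerifier {

    // Constructed sample "database": identifier -> hex SHA-256 of the password.
    // A real deployment should store a salted, slow password hash (PBKDF2, bcrypt, scrypt) instead.
    private final Map<String, String> storedHashes = new HashMap<>();

    public HashingDbVerifier() {
        storedHashes.put("scott", sha256Hex("tiger".toCharArray()));
    }

    /** Hex SHA-256 of the secret's UTF-8 bytes. The char[] is read via new String(secret), never toString(). */
    static String sha256Hex(char[] secret) {
        try {
            byte[] bytes = new String(secret).getBytes(StandardCharsets.UTF_8);
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes);
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Mirrors SecretVerifier.verify(String, char[]) as used in the thread (boolean result, as in Restlet 2.0). */
    public boolean verify(String identifier, char[] secret) {
        String stored = storedHashes.get(identifier);
        if (stored == null) return false; // unknown user: same answer as a bad password
        byte[] presented = sha256Hex(secret).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = stored.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(presented, expected); // constant-time comparison
    }

    public static void main(String[] args) {
        char[] secret = "tiger".toCharArray();
        // Object.toString() on an array: "[C@" + identity hash, not the password.
        System.out.println("secret.toString()  = " + secret.toString());
        System.out.println("new String(secret) = " + new String(secret));
        HashingDbVerifier verifier = new HashingDbVerifier();
        System.out.println("scott/tiger valid: " + verifier.verify("scott", secret));
        System.out.println("scott/wrong valid: " + verifier.verify("scott", "wrong".toCharArray()));
        Arrays.fill(secret, '\0'); // clear the plaintext once it is no longer needed
    }
}
```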

