Hi there, we have used Restlet in Nexus for 4 years now. I believe what you miss is that security is usually an orthogonal concern, usually handled outside BL.

Look into Apache Shiro (formerly Ki/JSecurity). We combine it together with Restlet: http://shiro.apache.org/

Specifically, among other cool things in Shiro, this is an example of Shiro support for REST environments: http://shiro.apache.org/static/current/apidocs/org/apache/shiro/web/filter/authz/HttpMethodPermissionFilter.html

Usually, at least in the case of Nexus, the permission check happens (in a Servlet Filter) way before the request even enters Restlet. A better integration would be nice (having Shiro-based Guards or so), but having Restlet in a Servlet Container + Shiro filter actually does its job very well.

Hope it helps,
~t~

On Tue, Apr 12, 2011 at 10:26 AM, tornat <[email protected]> wrote:
> Hi all,
> I'm Stefano from Italy (so... sorry for my not so good English). I come from
> the JSP-Relational DB and Java world (before 2007) and after some years of stop,
> I'm trying to develop a new platform for building collaborative journalistic
> stuff (e.g. articles, newspapers and so on) using "new" technologies (REST,
> NoSQL, workflow engine). So the scenario is quite simple:
>
> 1) Different kinds of people can access the platform (anonymous users,
> writers, readers, editors, administrators) and every one of them can be, for
> example, editor for one article and also only reader for another one.
>
> 2) Collaborative resources can have different kinds of protection policy; for
> example, some articles are private (manageable only by their owner), others
> are manageable by a dynamic group of users, and finally others are public
> (manageable by every authenticated user).
>
> So I've already bought the Restlet in Action MEAP ebook (great job) to better
> understand Restlet's powerful characteristics, and after 6 chapters I'm in
> crisis on security issues (probably because of my servlet stateful
> background).
>
> I mean that in the JSP world, after a login form, usually I use
> session.setParameter ("user", User) using a POJO User with some methods
> like public Boolean checkModification(Article ID) that returns true if the
> current user can modify the resource with the given ID, and public Boolean
> checkView(Article ID) that returns true if the current user can view the resource.
> Obviously those methods have business logic that checks in some way the permission
> grant (i.e. a SQL query on a RDBMS). In my opinion, in this way the problem of
> cross injection is also avoided, because the user POJO is in memory in the
> session context on the server side.
>
> I'm sure (or better, I hope) that the same kind of security can be reached
> also with the Restlet framework... but I'm confused about this topic and about
> the better solution for my project.
>
> For other features I need to use Restlet as a Servlet in Tomcat, so please...
> can anyone guide me in the choice of the right security architecture, to
> obtain a content protection policy (like explained above) and also to avoid
> malicious injection, by using Tomcat and Restlet?
>
> I hope in your help... thanks in advance.
> Stefano
>
> --
> View this message in context:
> http://restlet-discuss.1400322.n2.nabble.com/Solution-Design-Crisis-tp6264270p6264270.html
> Sent from the Restlet Discuss mailing list archive at Nabble.com.
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2719024
> ------------------------------------------------------

http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2719029
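The "Shiro filter in front of Restlet" layout from the reply, as an added illustration that is not code from the thread or from the Shiro or Restlet projects: a subclass of Shiro's HttpMethodPermissionFilter that turns the HTTP method and the article id in the URL into an instance-level permission (e.g. "article:update:42") and checks it before the request reaches Restlet's ServerServlet. Package, class name, numeric article ids and the URL layout /articles/{id} are assumptions; the Realm that grants the permissions is not shown.

```java
// Added example (not from the thread): Shiro authz filter in the servlet
// container, in front of Restlet. Package/class/URL layout are assumed.
package example.security;

import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;

public class ArticlePermissionFilter extends HttpMethodPermissionFilter {

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        // mappedValue is the "[article]" part of the shiro.ini [urls] line below.
        String[] configured = (String[]) mappedValue;
        // Shiro maps GET/HEAD -> read, POST -> create, PUT -> update, DELETE -> delete.
        String action = getHttpMethodAction(request);
        if (action == null || configured == null) {
            return false; // unknown HTTP method or misconfigured filter: deny
        }
        String id = articleId((HttpServletRequest) request);
        String[] perms = new String[configured.length];
        for (int i = 0; i < configured.length; i++) {
            // "article:create" for POST /articles, "article:update:42" for PUT /articles/42
            perms[i] = configured[i] + ":" + action + (id == null ? "" : ":" + id);
        }
        // The Realm (not shown) would grant e.g. "article:update:42" to the owner,
        // "article:update:*" to editors and "article:read:*" to every logged-in user.
        return getSubject(request, response).isPermittedAll(perms);
    }

    // Assumes numeric ids: /articles/42 -> "42"; /articles (collection) -> null.
    static String articleId(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        String last = path.substring(path.lastIndexOf('/') + 1);
        return last.matches("\\d+") ? last : null;
    }
}

/* Wiring (assumed): org.apache.shiro.web.servlet.ShiroFilter mapped to /* in
   web.xml ahead of org.restlet.ext.servlet.ServerServlet, and in shiro.ini:
   [main]
   articlePerms = example.security.ArticlePermissionFilter
   [urls]
   /articles/** = authcBasic, articlePerms[article]
*/
```

With this layout the Restlet resources never see an unauthorized request, and a public, group-managed or owner-only article differs only in which permission strings the Realm returns for the current Subject.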

