For tracking purposes, this question has led to the fix of a bug in the
computation of HTTP Digest values. We now properly take into account request
URIs different from the one used during the pre-initialization of the
ChallengeResponse. The fix will ship in 2.0.10 and 2.1 RC1 today. 

 

Thanks to Steve and ForgeRock for the help in resolving this issue.

 

Best regards,

Jerome

--

http://www.restlet.org

http://twitter.com/#!/jlouvel

 

 

From: Thierry Boileau [mailto:[email protected]]
Sent: Thursday, August 11, 2011 16:18
To: [email protected]
Subject: Re: Using DIGEST authentication with multiple routes

 

Hello Steve,

I am sending you an idea of what could be a solution for your problem. It is based
on a filter, placed just after the ClientResource that will handle the
unauthorized response and complete the round trip.
******
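// Imports needed by this fragment (Restlet 2.0 packages)
import org.restlet.Client;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.ChallengeRequest;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Protocol;
import org.restlet.data.Status;
import org.restlet.resource.ClientResource;
import org.restlet.routing.Filter;

ClientResource cr = new ClientResource("http://localhost:8182/");
cr.setChallengeResponse(new ChallengeResponse(ChallengeScheme.HTTP_DIGEST,
        "scott", "tiger".toCharArray()));
Filter filter = new Filter() {
    @Override
    protected void afterHandle(Request request, Response response) {
        if (Status.CLIENT_ERROR_UNAUTHORIZED.equals(response.getStatus())
                && request.getChallengeResponse() != null) {
            // Pick the DIGEST challenge out of those sent with the 401.
            ChallengeRequest c1 = null;
            for (ChallengeRequest challengeRequest : response.getChallengeRequests()) {
                if (ChallengeScheme.HTTP_DIGEST.equals(challengeRequest.getScheme())) {
                    c1 = challengeRequest;
                    break;
                }
            }
            if (c1 == null) {
                // No DIGEST challenge was offered: nothing to answer.
                super.afterHandle(request, response);
                return;
            }
            // Build a response to this challenge with the original credentials
            // and send the request again.
            ChallengeResponse c2 = new ChallengeResponse(c1, response,
                    request.getChallengeResponse().getIdentifier(),
                    request.getChallengeResponse().getSecret());
            request.setChallengeResponse(c2);
            handle(request, response);
        } else {
            super.afterHandle(request, response);
        }
    }
};
cr.setNext(filter);
filter.setNext(new Client(Protocol.HTTP));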
*****
There are several ways to associate the filter with client resources,
depending on whether the calls are issued from an Application or not. You
can also create a subclass of ClientResource, etc.

Best regards,
Thierry Boileau



 

I've read the following:

http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet/112-restlet.html

But I am unable to work out how I should protect the following application:

       Application app = new Application() {
           @Override
           public synchronized Restlet createInboundRoot() {
               Router router = new Router(getContext());
               router.attach(TestResource.URI, TestResourceImpl.class);
               router.attach(Test2Resource.URI, Test2ResourceImpl.class);

               return router;
           }
       };

With a single DIGEST authentication round trip on the client. At the moment
I need to do this:

       ClientResource authResource = new ClientResource(
               "http://localhost:8182/foo" + TestResource.URI);
       TestResource myTest = authResource.wrap(TestResource.class);
       authResource.setChallengeResponse(ChallengeScheme.HTTP_DIGEST,
               "login", "secret");

for each and every different ClientResource; they are not transferable as
on the server the DIGEST authentication implementation matches on the
specific URI. I have tried using the Directory class and implementing the
Digest auth to guard that; but I cannot see how to set up the
ChallengeResponse on the client.

Any help gratefully accepted.

regards
Steve

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2807742

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2850122
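
Added illustration, not part of the original thread and not Restlet code: the RFC 2617 Digest response hashes the request URI, which is why a response precomputed for one route is rejected when reused on another and has to be recomputed per request. The realm, nonce, cnonce and the two route URIs are constructed values; only "login" and "secret" come from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestUriDemo {
    // Constructed sample values; only "login"/"secret" appear in the thread.
    static final String USER = "login", SECRET = "secret", REALM = "example-realm";
    static final String NONCE = "constructed-nonce", NC = "00000001", CNONCE = "constructed-cnonce";

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    static String digestResponse(String method, String uri) throws Exception {
        String ha1 = md5Hex(USER + ":" + REALM + ":" + SECRET);
        String ha2 = md5Hex(method + ":" + uri); // the request URI is hashed in here
        return md5Hex(ha1 + ":" + NONCE + ":" + NC + ":" + CNONCE + ":auth:" + ha2);
    }

    // Server side: recompute from the URI actually requested, compare in constant time.
    static boolean serverAccepts(String method, String requestedUri, String clientResponse)
            throws Exception {
        byte[] expected = digestResponse(method, requestedUri).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, clientResponse.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String first = "/foo/test", second = "/foo/test2"; // hypothetical route URIs
        String precomputed = digestResponse("GET", first);
        System.out.println("response for " + first + ":  " + precomputed);
        System.out.println("response for " + second + ": " + digestResponse("GET", second));
        System.out.println("accepted on " + first + ": " + serverAccepts("GET", first, precomputed));
        System.out.println("reused on " + second + ": " + serverAccepts("GET", second, precomputed));
        System.out.println("recomputed for " + second + ": "
                + serverAccepts("GET", second, digestResponse("GET", second)));
    }
}
```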
