I have a variety of resources that have specific authorization rules, e.g.
collection resources that allow anonymous users to GET, authenticated users
to GET or POST (to create a new item), and admins to GET/PUT/POST/DELETE.
I'm looking at MethodAuthorizer and RoleAuthorizer, but I'm not sure of the
proper way to apply them on a per-resource basis or to combine them to
achieve my goals.
It seems like maybe I could chain together a MethodAuthorizer, a
RoleAuthorizer, and my ServerResource class and provide that chain to
Router.attach(). Or, similarly, I could group together resource classes
sharing the same method/role rules and associate them with distinct routers,
and then attach different authorizers to each router. Am I on the right
track here? But MethodAuthorizer doesn't take the Role into account, and
RoleAuthorizer doesn't take the method into account; thus chaining them
doesn't seem like it would work.
This seems like it would be a common use case. Should I create my own
MethodRoleAuthorizer class, or am I overlooking something?
On a related note, it seems like it would be a nice convenience to be able
to eliminate this coding from my createInboundRoot methods by using
annotations, e.g.
    import org.restlet.data.Form;
    import org.restlet.resource.Delete;
    import org.restlet.resource.Get;
    import org.restlet.resource.Post;
    import org.restlet.resource.Put;

    // @Get/@Post/@Put/@Delete are Restlet's existing method annotations;
    // @RestrictTo is the proposed (not yet existing) authorization annotation.
    public interface MyCollectionResource {
        @Get
        public MyCollection getMyCollection();

        @Post
        @RestrictTo("authenticated")
        public MyCollectionItem createMyCollectionItem(Form form);

        @Put
        @RestrictTo("role:admin")
        public void setMyCollection(MyCollection coll);

        @Delete
        @RestrictTo("role:admin")
        public void deleteMyCollection();
    }
-Andy
Sent from the Restlet Discuss mailing list archive at Nabble.com.
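One way to get the per-method, per-role rules the question asks for is a single custom Authorizer that keys a set of allowed role names on the request's Method and denies anything not explicitly registered. The class below is an added example written for this reply, not part of Restlet; the class name, the allow() builder and the "anonymous"/"authenticated" pseudo-roles are assumptions, and it assumes an optional ChallengeAuthenticator (with its Enroler) runs before it so isAuthenticated() and getRoles() are populated.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.Method;
import org.restlet.security.Authorizer;
import org.restlet.security.Role;

/** Hypothetical combined authorizer (not part of Restlet): a request is
 *  allowed only if the caller holds a role registered for its method;
 *  methods with no rule are denied (default deny). */
public class MethodRoleAuthorizer extends Authorizer {
    public static final String ANONYMOUS = "anonymous";         // no login needed
    public static final String AUTHENTICATED = "authenticated"; // any logged-in user
    private final Map<Method, Set<String>> rules = new HashMap<Method, Set<String>>();

    /** Register the role names allowed to use the given method; chainable. */
    public MethodRoleAuthorizer allow(Method method, String... roleNames) {
        Set<String> names = rules.get(method);
        if (names == null) {
            names = new HashSet<String>();
            rules.put(method, names);
        }
        names.addAll(Arrays.asList(roleNames));
        return this;
    }

    @Override
    protected boolean authorize(Request request, Response response) {
        Set<String> allowed = rules.get(request.getMethod());
        if (allowed == null) return false;                        // unknown method: deny
        if (allowed.contains(ANONYMOUS)) return true;
        if (!request.getClientInfo().isAuthenticated()) return false;
        if (allowed.contains(AUTHENTICATED)) return true;
        for (Role role : request.getClientInfo().getRoles()) {  // roles set by the Enroler
            if (allowed.contains(role.getName())) return true;
        }
        return false;
    }
}

// Usage inside createInboundRoot(), one authorizer per resource class:
//   Authorizer auth = new MethodRoleAuthorizer()
//       .allow(Method.GET, MethodRoleAuthorizer.ANONYMOUS)
//       .allow(Method.POST, MethodRoleAuthorizer.AUTHENTICATED)
//       .allow(Method.PUT, "admin").allow(Method.DELETE, "admin");
//   auth.setNext(MyCollectionResource.class); router.attach("/items", auth);
```

The role names passed to allow() must match the names of the Role objects your Enroler assigns, and because GET is open to anonymous callers the upstream authenticator has to be marked optional, otherwise unauthenticated requests are rejected with 401 before this filter ever runs.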