As a follow-up to my previous question, just to make things more interesting, I also would like to mix in authorization based on identity and resource instance state. For example, in addition to the rules I mentioned, an authenticated user may PUT or DELETE a collection item they created, but not collection items created by someone else.
How do I create a single chain of filters in createInboundRoot that handles these different situations for a given collection's resource URI template? I just realized that I can't group resources with different rules by assigning them to different routers (as I posited in my previous post), because I can only return one Restlet from createInboundRoot. So it seems that I need to create different filter chains and attach them to a single router appropriately, on a per-URI basis.

The overall logic of the filter chain should be something like:

- if the method is GET, execute the method on the ServerResource;
- if the method is POST, authenticate the user and then execute the method on the ServerResource;
- if the method is PUT or DELETE, authenticate the user, enrole them, check the role to see if it is "admin", and if so, execute the method on the ServerResource.

It would be nice to modularize this logic into different filters for authentication, enroling, and authorizing, but I'm getting the feeling that this is going to need to be wrapped up into a single filter, since the sub-rules are conditional rather than sequential. Or perhaps I could dynamically modify the filter chain at filter execution time? For example, in createInboundRoot, attach a custom MethodAuthorizer, which is chained to the ServerResource, to the router for the collection URI template. Then, in the custom MethodAuthorizer, if the method is POST, dynamically insert an authenticator filter before the next restlet (the ServerResource), and if the method is PUT/DELETE, dynamically insert an authenticator, enroler, and authorizer trio before the ServerResource. Am I getting closer?

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/combining-role-and-method-authorization-tp7366193p7368612.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
------------------------------------------------------ http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2934971
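One way to get the per-method behaviour described in the message above without mutating the chain at request time: build the three chains once in createInboundRoot and put a single dispatching Filter in front of them that picks a chain by HTTP method. This is an added example for Restlet 2.x, not code from the post or from the Restlet project; ItemResource, the "alice" credentials and the "alice is admin" enroler rule are constructed placeholders.

```java
import org.restlet.*;
import org.restlet.data.*;
import org.restlet.resource.Finder;
import org.restlet.routing.*;
import org.restlet.security.*;

public class ItemApplication extends Application {

    /** The one Restlet attached to the router; selects a pre-built chain per request. */
    static class MethodDispatchFilter extends Filter {
        private final Restlet readChain, createChain, modifyChain;
        MethodDispatchFilter(Restlet r, Restlet c, Restlet m) { readChain = r; createChain = c; modifyChain = m; }

        @Override
        protected int doHandle(Request request, Response response) {
            Method m = request.getMethod();
            // GET: anonymous; POST: authenticated; anything else (PUT/DELETE, unknown) falls
            // into the strictest chain, so an unexpected method fails closed rather than open.
            Restlet chain = Method.GET.equals(m) ? readChain
                          : Method.POST.equals(m) ? createChain : modifyChain;
            chain.handle(request, response);
            return CONTINUE;
        }
    }

    @Override
    public Restlet createInboundRoot() {
        final Role admin = new Role("admin", "Site administrators");     // 2.0-style ctor, deprecated later
        MapVerifier verifier = new MapVerifier();                         // constructed demo credentials
        verifier.getLocalSecrets().put("alice", "s3cret".toCharArray());
        Restlet resource = new Finder(getContext(), ItemResource.class);  // ItemResource is hypothetical

        // POST chain: authenticate, then the resource
        ChallengeAuthenticator createAuth = new ChallengeAuthenticator(getContext(), ChallengeScheme.HTTP_BASIC, "items");
        createAuth.setVerifier(verifier);
        createAuth.setNext(resource);

        // PUT/DELETE chain: authenticate -> enrole -> require "admin" -> resource
        ChallengeAuthenticator modifyAuth = new ChallengeAuthenticator(getContext(), ChallengeScheme.HTTP_BASIC, "items");
        modifyAuth.setVerifier(verifier);
        modifyAuth.setEnroler(new Enroler() {
            public void enrole(ClientInfo ci) {   // demo rule: only alice gets the admin role
                if ("alice".equals(ci.getUser().getIdentifier())) ci.getRoles().add(admin);
            }
        });
        RoleAuthorizer adminOnly = new RoleAuthorizer();
        adminOnly.getAuthorizedRoles().add(admin);
        adminOnly.setNext(resource);
        modifyAuth.setNext(adminOnly);

        Router router = new Router(getContext());
        router.attach("/items/{id}", new MethodDispatchFilter(resource, createAuth, modifyAuth));
        return router;
    }
}
```

The "only the creator may PUT/DELETE their own item" rule depends on the stored item's state, which the chain above never loads; that check belongs in ItemResource itself (compare the item's recorded creator with getClientInfo().getUser().getIdentifier() after authentication), since the resource already has the item in hand.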

