I've fleshed this out, probably in too much detail:
I have a Component made up of several cooperating Applications. There is a
need for common authentication (MyAuthenticator extending
CookieAuthenticator) across all applications. Rather than have each
Application duplicate the login and logout handling logic, I have a
separate AuthApplication at /auth. Let's say I have a SearchApplication
under /search, with a resource that needs authentication and authorization
at /search/private, PrivateServerResource.
SearchApplication.createInboundRoot looks like this in part:

    // I have helper functions to do this wiring, but inlined here:
    Authorizer authorizer = new MyAuthorizer(...);
    authorizer.setNext(PrivateServerResource.class);
    Authenticator authenticator = new MyAuthenticator(...);
    authenticator.setNext(authorizer);
    router.attach("/private", authenticator);

MyAuthenticator's loginFormPath is /auth/loginForm, so the challenge on an
attempt to access /search/private redirects to:

    /auth/loginForm?targetUri=/search/private (except the query value is encoded)

The form that is returned from this POSTs the user-supplied credentials to:

    /auth/login?targetUri=/search/private (except the query value is encoded)

So far so good. This last URI is handled by AuthApplication, which has a
createInboundRoot like this:

    // The loginForm resource should not have authentication.
    router.attach("/loginForm", LoginFormServerResource.class);
    // handles the login form with Freemarker template
    Authenticator authenticator = new MyAuthenticator(...);
    authenticator.setNext(new Restlet() {
        @Override
        public void handle(Request request, Response response) {
            getLogger().fine("Handling no-op restlet");
        }
    });
    router.attachDefault(authenticator);

The /auth/login?... URI is handled by the default route, and is detected by
CookieAuthenticator.isLoggingIn(req, rsp) and sent to
CookieAuthenticator.login(req, rsp), so that the user is redirected to the
targetUri in beforeHandle, without ever touching the next Restlet.
Similarly with logout.
My original observation was that even though the authenticator's next
(no-op) Restlet isn't used, if you omit the call to setNext above, you get
an error message.
--tim
On Fri, Dec 21, 2012 at 12:20 PM, Thierry Boileau <[email protected]> wrote:
> Hi Tim,
>
> I've read your mail, and have a question about this:
> >an instance of my CookieAuthenticator extension around a
> >Restlet that does nothing. (If you leave out this vacuous Restlet, the
> >machinery complains about a Filter with no target.)
>
> Clearly, a filter is meant to transmit the request/response to a next
> Restlet.
> In this case, when a request is authenticated, I wonder what is the
> behaviour of the CookieAuthenticator.
> This is the end of the year, I'm a little bit tired, so my question may be
> confusing. :)
>
> Best regards,
> Thierry Boileau
>
> ------------------------------------------------------
>
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3038051
>
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3038076
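
Added example, not part of the original thread and not Restlet code: the login flow described above redirects the browser to the targetUri value after authentication, so a deployment may want to accept only local paths under its own application roots. The class TargetUriCheck, its safeTarget method, the allowed-roots list and the fallback are assumptions for illustration, and the input is assumed to be the query value after one round of URL decoding.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

/** Hypothetical helper (not Restlet API): limits where a login may redirect. */
public final class TargetUriCheck {
    // Assumed application roots, modelled on the /search path in the thread.
    private static final List<String> ALLOWED_ROOTS = List.of("/search");
    private static final String FALLBACK = "/search";

    /** Returns targetUri if it is a local path under an allowed root, else FALLBACK. */
    public static String safeTarget(String targetUri) {
        // Must be a path on this host: one leading slash, never "//host/...".
        if (targetUri == null || !targetUri.startsWith("/") || targetUri.startsWith("//")) {
            return FALLBACK;
        }
        // Browsers may treat a backslash as a slash; control characters are never valid.
        for (char c : targetUri.toCharArray()) {
            if (c == '\\' || c < 0x20 || c == 0x7f) return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(targetUri);
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return FALLBACK;
        }
        // getPath() is percent-decoded, so "%2e%2e" is caught as a dot segment too.
        String path = uri.getPath();
        for (String segment : path.split("/")) {
            if (segment.equals(".") || segment.equals("..")) return FALLBACK;
        }
        for (String root : ALLOWED_ROOTS) {
            if (path.equals(root) || path.startsWith(root + "/")) return targetUri;
        }
        return FALLBACK;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        for (String s : new String[] {"/search/private", "//other.example/x",
                "https://other.example/", "/search/%2e%2e/admin", "/searchx"}) {
            System.out.println(s + " -> " + safeTarget(s));
        }
    }
}
```

Of the constructed samples, only /search/private is returned unchanged; the others fall back to /search.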