Re: ClientInfo.getPrincipals() vs getUser()

2010-01-19 Thread Thierry Boileau
Hello Arjohn,

Jerome was willing to answer you, but as he is very overloaded and is 
working for a customer, I am answering you, rather late. Sorry for this delay.

Just a few words about the security model in the Restlet framework.
The Restlet framework has set up its own model (see [0], [1]) based 
on some properties of the ClientInfo class: user and roles.
This model gets along with ones that are based on principals, which are 
closer to or based on JAAS. These models are distinct, and some bridges 
are required in some situations.

Let's see what may happen, and what may be the bridges.
The security model tries to distinguish the authentication and 
authorization aspects.
First the incoming request is to be authenticated. At this step, the 
credentials taken from the request are verified by a secretVerifier and 
if everything is correct, the latter sets the ClientInfo's user with the 
credential's identifier, and the Enroler defined on the Authenticator 
filter lists the roles of the user.
Then comes the authorization phase. If you decide to follow the Restlet 
model, the user and list of roles are available and ready to be handled.

If you decide to follow a model based on principals, you can use the 
jaas extension that provides a few tools: a JaasVerifier that takes 
the clientInfo's principals and generates a Subject instance, and a 
JaasUtils class that creates a Subject instance with an instance of the 
UserPrincipal class (based on the user attribute) and instances of 
RolePrincipal populated with the user's roles. You can of course decide 
to populate the ClientInfo#principals with your own strategy.

In the case of the servlet adapter, some principals already exist (due 
to the configuration of the servlet container). And as you noticed, the 
user - and roles - are not retrieved (see [2]), which is from our point 
of view an issue. The idea is to make an application portable. It must 
be possible to make it run as a standalone application with the Restlet 
security model (based on User and Role objects), and simply take it 
inside a servlet container. However, there is still a constraint: in 
order to make the list of Roles correct, the servlet container and the 
Restlet application must define the same list of roles.
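As an added illustration of the two phases described above (authentication by a SecretVerifier that sets ClientInfo#user, an Enroler that adds the roles, then authorization on those roles) and of the portability concern, here is a small example application. It is not code from the Restlet project or from this thread; it assumes the Restlet 2.0 API (ChallengeAuthenticator, MapVerifier, Enroler, RoleAuthorizer, ServerResource), and the realm, user names, secrets, role name and the helper `resolveUserName` are all constructed for the example. The resource resolves the caller's name from ClientInfo#user first and falls back to ClientInfo#principals, so the same code gives an answer both standalone and behind a servlet container security-constraint where only the principals are copied.

```java
import java.security.Principal;

import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.ClientInfo;
import org.restlet.data.Protocol;
import org.restlet.representation.Representation;
import org.restlet.representation.StringRepresentation;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.Enroler;
import org.restlet.security.MapVerifier;
import org.restlet.security.Role;
import org.restlet.security.RoleAuthorizer;
import org.restlet.security.User;

/** Example (not Restlet's own code) wiring authentication, enrolement and authorization. */
public class WhoAmIApplication extends Application {

    // One shared Role instance so the Enroler and the RoleAuthorizer agree on it.
    // A servlet container hosting this app would have to declare the same role name.
    private static final Role ADMIN = new Role("admin", "Administrator");

    @Override
    public Restlet createInboundRoot() {
        // 1. Authentication: HTTP Basic challenge; credentials are checked by a
        //    SecretVerifier. MapVerifier is the in-memory implementation used
        //    here with constructed sample accounts (a real deployment would use
        //    a verifier backed by a user store).
        ChallengeAuthenticator authenticator = new ChallengeAuthenticator(
                getContext(), ChallengeScheme.HTTP_BASIC, "example-realm");
        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("alice", "s3cret".toCharArray());
        verifier.getLocalSecrets().put("bob", "hunter2".toCharArray());
        authenticator.setVerifier(verifier);

        // 2. Enrolement: after the verifier has set ClientInfo#user, the Enroler
        //    attaches that user's roles to the ClientInfo.
        authenticator.setEnroler(new Enroler() {
            public void enrole(ClientInfo clientInfo) {
                User user = clientInfo.getUser();
                if (user != null && "alice".equals(user.getIdentifier())) {
                    clientInfo.getRoles().add(ADMIN);
                }
            }
        });

        // 3. Authorization: only callers holding the admin role reach /admin.
        RoleAuthorizer adminOnly = new RoleAuthorizer();
        adminOnly.getAuthorizedRoles().add(ADMIN);
        adminOnly.setNext(WhoAmIResource.class);

        Router router = new Router(getContext());
        router.attach("/whoami", WhoAmIResource.class);
        router.attach("/admin", adminOnly);

        authenticator.setNext(router);
        return authenticator;
    }

    /** Resource that reports the authenticated caller, whichever model populated it. */
    public static class WhoAmIResource extends ServerResource {
        @Get
        public Representation whoAmI() {
            String name = resolveUserName(getClientInfo());
            return new StringRepresentation("user=" + (name == null ? "anonymous" : name));
        }

        // Bridge between the two models (hypothetical helper): prefer
        // ClientInfo#user, set by the Restlet SecretVerifier when running
        // standalone; fall back to the principals copied from the servlet
        // container when the application runs behind ServerServlet.
        static String resolveUserName(ClientInfo clientInfo) {
            User user = clientInfo.getUser();
            if (user != null && user.getIdentifier() != null) {
                return user.getIdentifier();
            }
            for (Principal principal : clientInfo.getPrincipals()) {
                if (principal != null && principal.getName() != null) {
                    return principal.getName();
                }
            }
            return null; // neither model authenticated the caller
        }
    }

    /** Standalone entry point; the same Application can also be hosted by ServerServlet. */
    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8182);
        component.getDefaultHost().attach(new WhoAmIApplication());
        component.start();
    }
}
```

Run standalone, `GET /whoami` with Basic credentials for alice or bob returns the name taken from ClientInfo#user, and `/admin` answers 403 for bob because the RoleAuthorizer does not find the admin role in ClientInfo#roles. Hosted in a servlet container with its own security-constraint and no ChallengeAuthenticator in front, ClientInfo#user stays null and the helper returns the container's principal name instead; the role check then depends on the container and the application declaring the same role names, which is exactly the constraint mentioned above.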

I hope these few words make the things clearer.

Best regards,
Thierry Boileau

[0] http://wiki.restlet.org/developers/172-restlet/212-restlet.html#dsy212-restlet_authenticationModel
[1] http://wiki.restlet.org/developers/172-restlet/212-restlet.html#dsy212-restlet_authorizationModel
[2] http://restlet.tigris.org/issues/show_bug.cgi?id=503

 Hi all,

 I'm having a hard time understanding the differences between
 ClientInfo.getPrincipals() and getUser() and when to use which method.

 I'm trying to get hold of the username in a ServerResource and figured I
 should use one of these methods. When using a ChallengeAuthenticator
 from the restlet package, the username is (only) available via
 getUser(). But when running inside Tomcat and relying on a servlet
 security-constraint, the username is only available via the
 getPrincipals() method. I'm using HTTP Basic authentication in both
 cases.

 Looking through the ServerServlet's code, it seems that the user
 principals are copied from the incoming HttpServletRequest.
 HttpServletRequest.getRemoteUser() is never called though. Is this a
 bug in the connector?

 Any insights in this subject are highly appreciated!

 --
 Arjohn

 --
 http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=2435769
--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=2440271

ClientInfo.getPrincipals() vs getUser()

2010-01-08 Thread Arjohn Kampman
Hi all,

I'm having a hard time understanding the differences between 
ClientInfo.getPrincipals() and getUser() and when to use which method.

I'm trying to get hold of the username in a ServerResource and figured I
should use one of these methods. When using a ChallengeAuthenticator
from the restlet package, the username is (only) available via
getUser(). But when running inside Tomcat and relying on a servlet
security-constraint, the username is only available via the
getPrincipals() method. I'm using HTTP Basic authentication in both
cases.

Looking through the ServerServlet's code, it seems that the user
principals are copied from the incoming HttpServletRequest.
HttpServletRequest.getRemoteUser() is never called though. Is this a
bug in the connector?

Any insights in this subject are highly appreciated!

--
Arjohn

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=2435769