RE: Re: Authenticator and Component XML configuration
Thank you very much for your answer. I think I would use the classes approach using the createInboundRoute as in the book.

How about my second question? Can I attach the authenticator to only some of the methods of my resources? I.e. protect only PUT, POST, and DELETE while keeping GET public? Maybe using roles? Is there some example I can see?

If not, I'm thinking about splitting my services in two families of resources: /apps/, which will implement authentication, and /info, which will be public. Do you think it is a good solution?

Moreover, do you know of any open-source real web service implementation using Restlet? I would like to see some code; the tutorials and Restlet in Action are quite simple.

Thanks again,
Sergio

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078322

Re: Re: Authenticator and Component XML configuration
On Wed, May 14, 2014 at 4:46 AM, Sergio sertin...@gmail.com wrote:

> Can I attach the authenticator to only some of the methods of my resources? I.e. protect only PUT, POST, and DELETE while keeping GET public? Maybe using roles?

You can do per-resource or even per-method authorization:

Remember that authentication and authorization are separate steps, and that you can make authentication optional. You can attach an authenticator at an outer level and then in specific methods you can examine the authenticated user (if any) and its roles to determine whether to allow or forbid a method. The authenticated user can be obtained via getClientInfo().getUser().

You can even combine these approaches:

Authenticator - Authorizer - ... - Resource method - per-resource/method authorization

This might be useful, for example, if you have a common level of authorization for a group of resources, but you have specific additional authorization requirements on certain resources.

> If not, I'm thinking about splitting my services in two families of resources /apps/ which will implement authentication and /info which will be public. Do you think it is a good solution?

It depends on whether your resources naturally decompose into mutable and read-only resources. If they do, that's probably preferable. In my work I confine resource-specific authorization to a few places where it is much more natural to say something like "You must have the ADMIN role to PUT this resource, but anyone can GET it" than to break things up into separate resources. Most of the time, though, I try to keep read-only resources under separate paths in my routing structure.

--tim

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078329

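The chain described in the reply above (optional authenticator, then a common authorizer, then an extra per-method check in the resource), as an added example that is not from the thread or from the Restlet project. The class names, user, secret, role and realm are constructed for illustration, and Role.get(Application, String) assumes Restlet 2.2 or later.

```java
import org.restlet.*;
import org.restlet.data.*;
import org.restlet.resource.*;
import org.restlet.routing.Router;
import org.restlet.security.*;

public class GuardedApplication extends Application {
    @Override
    public Restlet createInboundRoot() {
        // Constructed user and role, for illustration only.
        MemoryRealm realm = new MemoryRealm();
        User alice = new User("alice", "example-secret");
        realm.getUsers().add(alice);
        realm.map(alice, Role.get(this, "admin"));

        // optional = true: requests without valid credentials continue as anonymous.
        ChallengeAuthenticator authenticator = new ChallengeAuthenticator(
                getContext(), true, ChallengeScheme.HTTP_BASIC, "Example realm");
        authenticator.setVerifier(realm.getVerifier());
        authenticator.setEnroler(realm.getEnroler());

        // Common rule for everything below: anonymous clients may only GET.
        MethodAuthorizer authorizer = new MethodAuthorizer();
        authorizer.getAnonymousMethods().add(Method.GET);
        for (Method m : new Method[] {Method.GET, Method.PUT, Method.POST, Method.DELETE}) {
            authorizer.getAuthenticatedMethods().add(m);
        }

        Router router = new Router(getContext());
        router.attach("/apps/{appId}", AppResource.class);

        authenticator.setNext(authorizer);   // Authenticator -> Authorizer
        authorizer.setNext(router);          // Authorizer -> Router -> Resource
        return authenticator;
    }

    public static class AppResource extends ServerResource {
        @Get
        public String read() {
            return "app " + getRequestAttributes().get("appId");
        }

        @Put
        public void store(String body) {
            // Additional per-method rule: being authenticated is not enough here.
            if (!isInRole("admin")) {
                throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
            }
        }
    }
}
```

With this layout an anonymous PUT is rejected by the authorizer with 403 rather than challenged with 401, because an optional authenticator never issues a challenge on its own.
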
RE: Re: Authenticator and Component XML configuration
Hi again,

I want to protect some resources under /apps/{appid}:

/apps/{appId}/object

To avoid flooding I have pasted my code here: http://pastebin.com/gqc2dbFS

I use the tracer filter to print the details of the request. The requested URI is:

Resource URI : http://localhost:8080/apps/1;

Which, as far as I understood, according to my createInBoundRoute() method should be routed to the AppServerResource class after passing through the authenticator and the tracer. However, I got a 404 error.

If I remove the credentials from my client, I get a 401 error. Also, the tracer prints the information of the request correctly, so I think the first router is working properly.

How can I implement a router1 - authenticator -tracer - router2 routing scheme? I want the authenticator to only guard resources under /apps/{appId}.

Thanks in advance,
Sergio

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078331

Re: Authenticator and Component XML configuration
Hi Sergio,

I think you should attach a Restlet Application subclass to your default host. Inside this application, you can add a ChallengeAuthenticator filter, then a Router and attach your four resources to this router.

If you want to do it all in XML, maybe you should consider using Spring XML support instead which is more flexible/powerful.

Thanks,
Jerome
--
http://restlet.org
@jlouvel http://twitter.com/#!/jlouvel

On Tue, May 13, 2014 at 6:11 AM, Sergio sertin...@gmail.com wrote:

> Hello,
>
> I'm quite a newbie with Restlet. I'm creating an application with these resources:
>
> /
> /apps
> /apps/{id}
> /apps/{id}/objects
>
> To attach the different URIs to resources I have used the XML component configuration:
>
> <?xml version="1.0"?>
> <component xmlns="http://www.restlet.org/schemas/2.0/Component"
>            name="AndroPi RESTful server"
>            description="Configures NAT and output interface for nodes into the inner network"
>            owner="GRC UPV"
>            author="Sergio Martínez Tornell">
>     <client protocol="CLAP" />
>     <server protocol="HTTP" port="8080">
>         <parameter name="tracing" value="true" />
>     </server>
>     <defaultHost>
>         <attach uriPattern="/" targetClass="es.upv.grc.andropi.server.RootServerResource"/>
>         <attach uriPattern="/apps" targetClass="es.upv.grc.andropi.server.AppsServerResource"/>
>         <attach uriPattern="/apps/{appId}" targetClass="es.upv.grc.andropi.server.AppServerResource"/>
>         <attach uriPattern="/apps/{appId}/objects" targetClass="es.upv.grc.andropi.server.ObjectsServerResource"/>
>     </defaultHost>
> </component>
>
> It works properly, but now I want to protect /apps/{id} and /apps/{id}/objects from non-authorized users. I have read the book Restlet in Action and the tutorials available on the website, but I can't find how to do it.
>
> How can I define a ChallengeAuthenticator to act as a filter for only some of my resources? Can I define the ChallengeAuthenticator only for some methods of my resources? For example, to protect PUT or POST but keep GET public.
>
> Thank you very much.
> Sergio
>
> --
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078257

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078316