RE: Re: Authenticator and Component XML configuration
Thank you very much for your answer. I think I would use the classes approach using the createInboundRoute as in the book.

How about my second question? Can I attach the authenticator to only some of the methods of my resources? I.e. protect only PUT, POST, and DELETE while keeping GET public? Maybe using roles? Is there some example I can see?

If not, I'm thinking about splitting my services in two families of resources: /apps/, which will implement authentication, and /info, which will be public. Do you think it is a good solution?

Moreover, do you know of any open-source real web service implementation using Restlet? I would like to see some code; the tutorials and Restlet in Action are quite simple.

Thanks again,
Sergio

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078322
Re: Transparent reverse proxying using org.restlet.routing.Redirector
Arjohn Kampman-2 wrote
> We've updated from restlet 2.1.4 to 2.2.0 now and to our surprise this fixed the Redirector problems. In fact, Redirector works perfectly out-of-the-box, including the digest authentication. No subclassing required. So probably this was a bug in 2.1.4 that has been fixed somewhere in the 2.2 development.

Thanks for this info, which gives me some confidence that I can get this working too with some help.

In order to set the authentication information for a MODE_SERVER_OUTBOUND redirection, I added a filter (code shown below), in front of the Redirector, to set the ChallengeResponse as shown below. But I could never get this authentication to work successfully, since the server always fails authentication for the passed username/password. I would appreciate it if you could share the details on how you passed the authentication details to the Redirector.

    import org.restlet.Context;
    import org.restlet.Request;
    import org.restlet.Response;
    import org.restlet.data.ChallengeResponse;
    import org.restlet.data.ChallengeScheme;
    import org.restlet.routing.Filter;

    // Filter placed in front of the Redirector to attach credentials to the request.
    public class MyRedirectorAuthenticatorFilter extends Filter {

        public MyRedirectorAuthenticatorFilter(Context context) {
            this.setContext(context);
        }

        @Override
        protected int doHandle(Request request, Response response) {
            String username = "username";
            String password = "plaintext password";
            request.setProxyChallengeResponse(new ChallengeResponse(
                    ChallengeScheme.HTTP_DIGEST, username, password));
            return super.doHandle(request, response);
        }
    }

And in my application, I have,

    // Fragment from the application's routing setup; router is defined elsewhere.
    String target2 = "http://localhost:8080/MyWebApp{rr}";
    Redirector redirector2 = new Redirector(getContext(), target2,
            Redirector.MODE_SERVER_OUTBOUND);
    MyRedirectorAuthenticatorFilter myfilter =
            new MyRedirectorAuthenticatorFilter(getContext());
    myfilter.setNext(redirector2);
    router.attach("/myapp", myfilter);

Appreciate your help on this.

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/Transparent-reverse-proxying-using-org-restlet-routing-Redirector-tp7579113p7579179.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
-- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078323
Re: Re: Authenticator and Component XML configuration
On Wed, May 14, 2014 at 4:46 AM, Sergio sertin...@gmail.com wrote:

> Can I attach the authenticator to only some of the methods of my resources? I.e. protect only PUT, POST, and DELETE while keeping GET public? Maybe using roles?

You can do per-resource or even per-method authorization: Remember that authentication and authorization are separate steps, and that you can make authentication optional. You can attach an authenticator at an outer level and then in specific methods you can examine the authenticated user (if any) and its roles to determine whether to allow or forbid a method. The authenticated user can be obtained via getClientInfo().getUser().

You can even combine these approaches:

    Authenticator - Authorizer - ... - Resource method - per-resource/method authorization

This might be useful, for example, if you have a common level of authorization for a group of resources, but you have specific additional authorization requirements on certain resources.

> If not, I'm thinking about splitting my services in two families of resources /apps/ which will implement authentication and /info which will be public. Do you think it is a good solution?

It depends on whether your resources naturally decompose into mutable and read-only resources. If they do, that's probably preferable. In my work I confine resource-specific authorization to a few places where it is much more natural to say something like "You must have the ADMIN role to PUT this resource, but anyone can GET it" than to break things up into separate resources. Most of the time, though, I try to keep read-only resources under separate paths in my routing structure.

--tim

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078329
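
The chain described in the reply above, as an added example that is not part of the original thread and not code from the Restlet project: an optional ChallengeAuthenticator in front of a MethodAuthorizer, plus a per-method check on getClientInfo().getUser() in the resource. It targets the Restlet 2.x API; the class names, route, port, realm and demo accounts are assumptions made up for illustration.

```java
import java.util.Arrays;
import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Method;
import org.restlet.data.Protocol;
import org.restlet.data.Status;
import org.restlet.resource.*;   // Get, Put, ResourceException, ServerResource
import org.restlet.routing.Router;
import org.restlet.security.*;   // ChallengeAuthenticator, MapVerifier, MethodAuthorizer, User

public class MethodGuardApp extends Application {   // hypothetical application
    public static class ItemResource extends ServerResource {   // hypothetical resource
        @Get("txt") public String read() { return "public item"; }

        @Put("txt") public String write(String body) {
            // MethodAuthorizer only proves "some authenticated user"; check who it is here.
            User user = getClientInfo().getUser();
            if (user == null || !"admin".equals(user.getIdentifier())) {
                throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
            }
            return "stored";
        }
    }

    @Override public Restlet createInboundRoot() {
        Router router = new Router(getContext());
        router.attach("/items/{id}", ItemResource.class);
        MethodAuthorizer byMethod = new MethodAuthorizer();
        byMethod.getAnonymousMethods().add(Method.GET);   // anonymous callers: read only
        byMethod.getAuthenticatedMethods().addAll(
                Arrays.asList(Method.GET, Method.PUT, Method.POST, Method.DELETE));
        byMethod.setNext(router);   // other combinations are rejected (403) before routing
        MapVerifier verifier = new MapVerifier();   // constructed demo accounts
        verifier.getLocalSecrets().put("admin", "admin-secret".toCharArray());
        verifier.getLocalSecrets().put("guest", "guest-secret".toCharArray());
        // optional = true: a request without credentials continues unauthenticated
        ChallengeAuthenticator auth = new ChallengeAuthenticator(
                getContext(), true, ChallengeScheme.HTTP_BASIC, "demo", verifier);
        auth.setNext(byMethod);
        return auth;
    }

    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8182);   // assumed free port
        component.getDefaultHost().attach(new MethodGuardApp());
        component.start();
    }
}
```

With this wiring an anonymous GET succeeds, an anonymous PUT is refused by the authorizer, and a PUT from the authenticated "guest" account is refused by the check inside the resource.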
RE: Re: Authenticator and Component XML configuration
Hi again,

I want to protect some resources under /apps/{appid}:

    /apps/{appId}/object

To avoid flooding I have pasted my code here: http://pastebin.com/gqc2dbFS

I use the tracer filter to print the details of the request. The requested URI is:

    Resource URI : http://localhost:8080/apps/1;

Which, as far as I understood, according to my createInBoundRoute() method should be routed to the AppServerResource class after passing through the authenticator and the tracer. However, I got a 404 error. If I remove the credentials from my client, I get a 401 error; also, the tracer prints the information of the request correctly, so I think the first router is working properly.

How can I implement a router1 - authenticator - tracer - router2 routing scheme? I want the authenticator to only guard resources under /apps/{appId}.

Thanks in advance,
Sergio

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078331