RE: Re: Authenticator and Component XML configuration

2014-05-14 Thread Sergio
Thank you very much for your answer. I think I would use the classes approach 
using the createInboundRoute as in the book.

How about my second question? Can I attach the authenticator to only some of 
the methods of my resources? I.e. protect only PUT, POST, and DELETE while 
keeping GET public? Maybe using roles? Is there some example I can see?

If not, I'm thinking about splitting my services into two families of resources: 
/apps/, which will implement authentication, and /info, which will be public. Do 
you think it is a good solution?

Moreover, do you know of any open-source real web service implementation using 
Restlet? I would like to see some code; the tutorials and Restlet in Action are 
quite simple.

Thanks again,
Sergio

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078322


Re: Transparent reverse proxying using org.restlet.routing.Redirector

2014-05-14 Thread Ramesh
Arjohn Kampman-2 wrote:
> We've updated from restlet 2.1.4 to 2.2.0 now and to our surprise this
> fixed the Redirector problems. In fact, Redirector works perfectly
> out-of-the-box, including the digest authentication. No subclassing
> required. So probably this was a bug in 2.1.4 that has been fixed
> somewhere in the 2.2 development.

Thanks for this info, which gives me some confidence that I can get this
working too with some help. In order to set the authentication information
for a MODE_SERVER_OUTBOUND redirection, I added a filter (code shown below)
in front of the Redirector to set the ChallengeResponse. But I could never
get this authentication to work, since the server always fails
authentication for the passed username/password. I would appreciate it if
you could share the details of how you passed the authentication details
to the Redirector.

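    import org.restlet.Context;
    import org.restlet.Request;
    import org.restlet.Response;
    import org.restlet.data.ChallengeResponse;
    import org.restlet.data.ChallengeScheme;
    import org.restlet.routing.Filter;

    // Filter placed in front of the Redirector to attach credentials to the request.
    public class MyRedirectorAuthenticatorFilter extends Filter {

        public MyRedirectorAuthenticatorFilter(Context context) {
            this.setContext(context);
        }

        @Override
        protected int doHandle(Request request, Response response) {
            // Placeholder credentials, as in the original post.
            String username = "username";
            String password = "plaintext password";

            // Sets the proxy challenge response (HTTP Digest) on the request.
            request.setProxyChallengeResponse(new ChallengeResponse(
                    ChallengeScheme.HTTP_DIGEST, username, password));

            return super.doHandle(request, response);
        }
    }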

And in my application, I have,

    // Forward everything under /myapp to the backend, keeping the remaining part ({rr}).
    String target2 = "http://localhost:8080/MyWebApp{rr}";
    Redirector redirector2 = new Redirector(getContext(), target2,
            Redirector.MODE_SERVER_OUTBOUND);
    MyRedirectorAuthenticatorFilter myfilter =
            new MyRedirectorAuthenticatorFilter(getContext());
    myfilter.setNext(redirector2);
    router.attach("/myapp", myfilter);

Appreciate your help on this.





--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078323


Re: Re: Authenticator and Component XML configuration

2014-05-14 Thread Tim Peierls
On Wed, May 14, 2014 at 4:46 AM, Sergio sertin...@gmail.com wrote:

> Can I attach the authenticator to only some of the methods of my
> resources? I.e. protect only PUT, POST, and DELETE while keeping GET
> public? Maybe using roles?


You can do per-resource or even per-method authorization: Remember that
authentication and authorization are separate steps, and that you can make
authentication optional. You can attach an authenticator at an outer level
and then in specific methods you can examine the authenticated user (if
any) and its roles to determine whether to allow or forbid a method.

The authenticated user can be obtained via getClientInfo().getUser().

You can even combine these approaches:

  Authenticator -> Authorizer -> ... -> Resource method -> per-resource/method authorization

This might be useful, for example, if you have a common level of
authorization for a group of resources, but you have specific additional
authorization requirements on certain resources.



> If not, I'm thinking about splitting my services in two families of
> resources /apps/ which will implement authentication and /info which will
> be public. Do you think it is a good solution?


It depends on whether your resources naturally decompose into mutable and
read-only resources. If they do, that's probably preferable.

In my work I confine resource-specific authorization to a few places where
it is much more natural to say something like "You must have the ADMIN role
to PUT this resource, but anyone can GET it" than to break things up into
separate resources. Most of the time, though, I try to keep read-only
resources under separate paths in my routing structure.

--tim

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078329
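
Added example, not part of the original thread or of the reply above: one way to wire the Authenticator -> Authorizer -> Resource chain so that GET stays public while PUT, POST and DELETE require an authenticated user. It uses Restlet's MethodAuthorizer, which the reply does not name; the class names AppsApplication and AppServerResource, the realm, and the user "alice" with its secret are constructed for illustration.

```java
import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Method;
import org.restlet.resource.Get;
import org.restlet.resource.Put;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MapVerifier;
import org.restlet.security.MethodAuthorizer;

public class AppsApplication extends Application {

    /** Hypothetical resource: GET is public, PUT is only reached by authenticated users. */
    public static class AppServerResource extends ServerResource {
        @Get
        public String describe() {
            return "app " + getRequestAttributes().get("appId");
        }

        @Put
        public String rename(String name) {
            // The authorizer below guarantees a user is present here; a role
            // check on getClientInfo().getRoles() could be added at this point.
            return "renamed by " + getClientInfo().getUser().getIdentifier();
        }
    }

    @Override
    public Restlet createInboundRoot() {
        Router apps = new Router(getContext());
        apps.attach("/apps/{appId}", AppServerResource.class);

        // Anonymous callers may only GET; any other method needs authentication.
        // A rejected request is answered by the authorizer with 403 Forbidden.
        MethodAuthorizer authorizer = new MethodAuthorizer();
        authorizer.getAnonymousMethods().add(Method.GET);
        for (Method m : new Method[] { Method.GET, Method.PUT, Method.POST, Method.DELETE }) {
            authorizer.getAuthenticatedMethods().add(m);
        }
        authorizer.setNext(apps);

        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("alice", "constructed-secret".toCharArray());

        // optional = true: requests without credentials continue as anonymous.
        ChallengeAuthenticator authenticator = new ChallengeAuthenticator(
                getContext(), true, ChallengeScheme.HTTP_BASIC, "apps");
        authenticator.setVerifier(verifier);
        authenticator.setNext(authorizer);
        return authenticator;
    }
}
```

HTTP Basic sends the secret with every request, so this wiring belongs behind TLS.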

RE: Re: Authenticator and Component XML configuration

2014-05-14 Thread Sergio
Hi again,

I want to protect some resources under /apps/{appid}:

/apps/{appId}/object

To avoid flooding I have pasted my code here:

http://pastebin.com/gqc2dbFS

I use the tracer filter to print the details of the request. The requested URI 
is:

Resource URI : http://localhost:8080/apps/1;

Which, as far as I understood, according to my createInBoundRoute() method 
should be routed to the AppServerResource class after passing through the 
authenticator and the tracer. However, I got a 404 error. If I remove the 
credentials from my client, I get a 401 error; also, the tracer prints the 
information of the request correctly, so I think the first router is working 
properly.

How can I implement a 

router1 -> authenticator -> tracer -> router2

routing scheme?

I want the authenticator to only guard resources under /apps/{appId}.

Thanks in advance,
Sergio

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078331