Multi-part question...
Part #1
-------
I'm having trouble figuring out how you'd do something simple like fetch the
current (authenticated) user's username from inside a resource method. I
perused the docs, but saw only a reference to an AuthenticationHandler:
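
    import javax.ws.rs.core.Response;
    import org.apache.cxf.configuration.security.AuthorizationPolicy;
    import org.apache.cxf.jaxrs.ext.RequestHandler;
    import org.apache.cxf.jaxrs.model.ClassResourceInfo;
    import org.apache.cxf.message.Message;

    public class AuthenticationHandler implements RequestHandler {
        public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
            // Credentials the transport extracted from the request
            AuthorizationPolicy policy =
                (AuthorizationPolicy)m.getContent(AuthorizationPolicy.class);
            policy.getUserName();
            policy.getPassword();
            // Returning null lets the request continue to the resource method
            return null;
        }
    }
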
However, I'm not clear on how I'd make use of this in a way that gets the
information into a resource method. From the things that are flat-out
available to a resource method, I don't see a way to get the username...
Really, it looks (to me) like an authentication handler is more like a way to
define your own authentication mechanism.
To that end:
Part #2
-------
How *would* I implement a custom authentication mechanism? Obviously, I could
read the HTTP headers from inside the resource method, and figure things out
from there, but that seems cumbersome. What I'm trying to do is make use of
WSSE UsernameToken (the way Atom does), which would seem to require some custom
code. Thoughts on how best to approach this?
Part #3
-------
Really, what I ultimately want is to have basic authentication turned on for
one particular resource (for all HTTP methods), WSSE UsernameToken turned on
for certain methods on certain other resources, and no authentication at all
for everything else. Something like:
/foo - GET, PUT, POST and DELETE all use HTTP basic authentication
/bar - GET not authenticated at all, but
/bar - PUT, POST and DELETE all use WSSE UsernameToken
/baz - all methods unauthenticated
Is there a nice, declarative way to accomplish this, or will I need to resort
to calls from within each resource method, to do/not-do the authentication in
appropriate ways?
Thanks!
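
The server-side check that Part #2 asks about, as an added example that is not part of the original post and is not CXF code. It assumes the Atom-style header `X-WSSE: UsernameToken Username="..", PasswordDigest="..", Nonce="..", Created=".."` with PasswordDigest = Base64(SHA-1(Nonce + Created + Password)); the class name, the password map and the five-minute freshness window are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.*;

// Hypothetical helper, independent of CXF: validates an Atom-style X-WSSE header value.
public class WsseUsernameTokenVerifier {
    private static final Pattern FIELD = Pattern.compile("(\\w+)=\"([^\"]*)\"");
    private static final Duration MAX_AGE = Duration.ofMinutes(5); // assumed freshness window
    private final Set<String> seenNonces = ConcurrentHashMap.newKeySet(); // unbounded here; expire entries in production

    // Returns the authenticated username, or null if the token is rejected.
    public String verify(String header, Map<String, String> passwords, Instant now) throws Exception {
        if (header == null || !header.startsWith("UsernameToken ")) return null;
        Map<String, String> f = new HashMap<>();
        Matcher m = FIELD.matcher(header);
        while (m.find()) f.put(m.group(1), m.group(2));
        String user = f.get("Username"), digest = f.get("PasswordDigest");
        String nonce = f.get("Nonce"), created = f.get("Created");
        if (user == null || digest == null || nonce == null || created == null) return null;
        String password = passwords.get(user);
        if (password == null) return null;
        Instant ts;
        try { ts = Instant.parse(created); } catch (DateTimeException e) { return null; }
        if (Duration.between(ts, now).abs().compareTo(MAX_AGE) > 0) return null; // stale or future-dated
        // Assumption: the digest covers the Nonce and Created strings exactly as sent in the header.
        byte[] expected = MessageDigest.getInstance("SHA-1")
                .digest((nonce + created + password).getBytes(StandardCharsets.UTF_8));
        byte[] supplied;
        try { supplied = Base64.getDecoder().decode(digest); } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(expected, supplied)) return null; // constant-time comparison
        if (!seenNonces.add(user + ":" + nonce)) return null;         // nonce already used: replay
        return user;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: user, password, nonce and timestamps are made up; the header is presented twice.
        String nonce = "d36e316282959a9e", created = "2024-01-01T12:00:00Z";
        String digest = Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-1")
                .digest((nonce + created + "s3cret").getBytes(StandardCharsets.UTF_8)));
        String header = "UsernameToken Username=\"alice\", PasswordDigest=\"" + digest
                + "\", Nonce=\"" + nonce + "\", Created=\"" + created + "\"";
        WsseUsernameTokenVerifier v = new WsseUsernameTokenVerifier();
        Instant now = Instant.parse("2024-01-01T12:01:00Z");
        System.out.println(v.verify(header, Map.of("alice", "s3cret"), now));
        System.out.println(v.verify(header, Map.of("alice", "s3cret"), now));
    }
}
```

Because the digest is computed over the password itself, the server needs the plaintext password (or an equivalent secret) to verify it, so this scheme cannot be combined with one-way password hashes.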