0

Assume a blackboard type application. There are 2 Projects - ProjectA and ProjectB. User 'nupul' (me) is part of both projects. For A I'm an admin and for B I'm just a 'member' (no admin rights)

When accessing the resource at /MySite/ProjectA/Items I want to check if the user is an admin or not.

I know it can be simply done by picking out the {projectName} parameter from the request and using the identifier (of the user making the request) and forwarding that to check against a DB etc.,

My question is 'how' can I add the roles using an Enroler 'during' authentication itself, since I don't have access to the {projectName} parameter at that stage. I don't know if you have to use Groups/Realms etc. to make this work, but honestly it's just taking me tooooooooooooooooooo long to even understand how to effectively use this (i.e., before the request is forwarded to the resource).

I mean I know I can create these groups/realms but how do I access the correct 'role' from the resource???? Restlet seriously needs to have more realistic examples and much better documentation showing the use of its classes!! It's driving me insane!! Authentication shouldn't be THIS DIFFICULT! :)

PhD
  • 11,202
  • 14
  • 64
  • 112
  • Regarding the lack of documentation, we are finishing writing a "Restlet in Action" book including a security chapter. We are also regularly enhancing the online user guide, but some areas indeed need improvements. In version 2.2, we have planned writing a new detailed tutorial with a realistic example including security and persistence. We also welcome contributors on this front :) – Jerome Louvel Aug 30 '11 at 08:27
  • @Jerome: I love the framework so much that I'll be more than willing to contribute some examples :) I'll let you know once I have a stable solution. If not in the book, it can at least be a part of online examples/tutorials :) – PhD Aug 30 '11 at 12:24
  • That sounds great Nupul! See this page for documentation contribution instructions: http://wiki.restlet.org/authors/399-restlet.html – Jerome Louvel Aug 30 '11 at 13:53

1 Answer

0

The way to do what you want is to split your routers based on project name within your application (method createInboundRoot). In this case, the projectname will be evaluated before calling the authenticator. See below an example of implementing such an approach:

import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.routing.Router;
import org.restlet.routing.Template;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.Enroler;
import org.restlet.security.Verifier;

// fields of the Application subclass, initialised before createInboundRoot() is called
private Verifier verifier;
private Enroler enroler;

public Restlet createInboundRoot() {
    Router rootRouter = new Router(getContext());
    // match "/{projectname}/" as a prefix so the remainder of the path
    // is routed by the per-project router
    rootRouter.setDefaultMatchingMode(Template.MODE_STARTS_WITH);

    rootRouter.attach("/{projectname}/", createApplicationForProject());
    return rootRouter;
}

private Restlet createApplicationForProject() {
    Router router = new Router(getContext());

    // the guard sits behind the root router, so {projectname} is already
    // a request attribute when the verifier and enroler run
    ChallengeAuthenticator guard
             = new ChallengeAuthenticator(getContext(),
                        ChallengeScheme.HTTP_BASIC, "realm");
    guard.setVerifier(verifier);
    guard.setEnroler(enroler);
    guard.setNext(router);

    router.attach("items", ItemsServerResource.class);
    return guard;
}

Using such an approach, you'll have access to the value of the projectname variable within the verifier and be able to use it in the authentication processing.

Hope it helps you, Thierry

Thierry Templier
  • 198,364
  • 44
  • 396
  • 360
  • Is using the `Template.MODE_STARTS_WITH` a good approach? Since I do have a hierarchical matching and I guess the default is `BEST_MATCH`? (don't recollect) but if it's the latter then won't it lead to incorrect matching?? This is a neat solution and I hadn't thought of it, but want to know of the 'repercussions' of using this approach.... – PhD Aug 30 '11 at 12:27
  • I mean hierarchical w.r.t. after `/{projectName}/` i.e., `myproject/items/{id}/options/{id}/part/{id}` with each part of the URL under myproject being a resource that can be returned...so my above question is "does it matter" if it's `MODE_STARTS_WITH`? – PhD Aug 30 '11 at 12:29
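The router split described in the answer above leaves `{projectname}` in the request attributes by the time the guard's Enroler runs. The following is an added example, not code from the answer or from Restlet's own samples, showing an Enroler that grants a per-project "admin" role and a resource that checks it; it assumes Restlet 2.x (`Request.getCurrent()`, `Role(name, description)`, `Resource.isInRole()`) and uses a constructed in-memory membership table in place of the database lookup the question mentions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.restlet.Request;
import org.restlet.data.ClientInfo;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.security.Enroler;
import org.restlet.security.Role;

/** Assigns roles per project once the guard has verified the credentials. */
public class ProjectEnroler implements Enroler {
    // Constructed sample membership table (project -> admin identifiers);
    // a real application would look this up in its database instead.
    private static final Map<String, List<String>> ADMINS = new HashMap<String, List<String>>();
    static {
        ADMINS.put("ProjectA", Arrays.asList("nupul"));
        ADMINS.put("ProjectB", Arrays.asList("someoneelse"));
    }

    public void enrole(ClientInfo clientInfo) {
        // The guard hangs under "/{projectname}/", so the root router has already
        // copied the template variable into the request attributes before we run.
        Request request = Request.getCurrent();
        String project = (String) request.getAttributes().get("projectname");
        // identifier the verifier just accepted; the enroler only runs after success
        String userId = request.getChallengeResponse().getIdentifier();

        clientInfo.getRoles().add(new Role("member", "authenticated project member"));
        List<String> admins = ADMINS.get(project);
        if (admins != null && admins.contains(userId)) {
            clientInfo.getRoles().add(new Role("admin", "project administrator"));
        }
    }
}

/** Resource attached under the guard that adapts its response to the granted role. */
class ItemsServerResource extends ServerResource {
    @Get
    public String represent() {
        // isInRole() compares against the roles the enroler attached to ClientInfo,
        // so /MySite/ProjectA/items and /MySite/ProjectB/items differ for the same user
        return isInRole("admin") ? "all items, including admin actions" : "items (read-only view)";
    }
}
```

Wire it in with `guard.setEnroler(new ProjectEnroler())` in `createApplicationForProject()`; because the role list is rebuilt on every request, a user who is admin of ProjectA gets only "member" on ProjectB.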