Authenticator and Component XML configuration

Authenticator and Component XML configuration

Sergio-2
Hello,

I'm quite a newbie with restlet. I'm creating an application with these resources:

/
/apps
/apps/{id}
/apps/{id}/objects

To attach the different URI to resources I have used the XML component configuration:

<?xml version="1.0"?>
<component xmlns="http://www.restlet.org/schemas/2.0/Component"
        name="AndroPi RESTful server"
        description="Configures NAT and output interface for nodes into the inner network"
        owner="GRC UPV"
        author="Sergio Martínez Tornell">
        <client protocol="CLAP" />
        <server protocol="HTTP" port="8080">
                <parameter name="tracing" value="true" />
        </server>

        <defaultHost>
                <attach uriPattern="/"
                        targetClass="es.upv.grc.andropi.server.RootServerResource"/>
                <attach uriPattern="/apps"
                        targetClass="es.upv.grc.andropi.server.AppsServerResource"/>
                <attach uriPattern="/apps/{appId}"
                        targetClass="es.upv.grc.andropi.server.AppServerResource"/>
                <attach uriPattern="/apps/{appId}/objects"
                        targetClass="es.upv.grc.andropi.server.ObjectsServerResource"/>
        </defaultHost>
</component>

It works properly, but now I want to protect the /apps/{id} and /apps/{id}/objects from non-authorized users.

I have read the book "Restlet in action" and the tutorials available on the website, but I can't find how to do it.

How can I define a ChallengeAuthenticator to act as a filter to only some of my resources?

Can I define the ChallengeAuthenticator only for some methods of my resources? For example, to protect PUT or POST but keep GET public.

Thank you very much.
Sergio

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3078257

Re: Authenticator and Component XML configuration

Jerome Louvel-3
Hi Sergio,

I think you should attach a Restlet Application subclass to your default host. 

Inside this application, you can add a ChallengeAuthenticator filter, then a Router and attach your four resources to this router.

If you want to do it all in XML, maybe you should consider using Spring XML support instead which is more flexible/powerful.




On Tue, May 13, 2014 at 6:11 AM, Sergio <[hidden email]> wrote:


RE: Re: Authenticator and Component XML configuration

Sergio-2
Thank you very much for your answer. I think I would use the "classes" approach using the createInboundRoute as in the book.

How about my second question? Can I attach the authenticator to only some of the methods of my resources? I.e. protect only PUT, POST, and DELETE while keeping GET public? Maybe using roles? Is there some example I can see?

If not, I'm thinking about splitting my services in two families of resources /apps/ which will implement authentication and /info which will be public. Do you think it is a good solution?

Moreover, do you know of any open-source real web service implementation using restlet? I would like to see some code, tutorials and "Restlet in action" are quite "simple".

Thanks again,
Sergio

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3078322

Re: Re: Authenticator and Component XML configuration

Tim Peierls
On Wed, May 14, 2014 at 4:46 AM, Sergio <[hidden email]> wrote:
Can I attach the authenticator to only some of the methods of my resources? I.e. protect only PUT, POST, and DELETE while keeping GET public? Maybe using roles? 

You can do per-resource or even per-method authorization: Remember that authentication and authorization are separate steps, and that you can make authentication optional. You can attach an authenticator at an outer level and then in specific methods you can examine the authenticated user (if any) and its roles to determine whether to allow or forbid a method.

The authenticated user can be obtained via getClientInfo().getUser().

You can even combine these approaches: 

  Authenticator -> Authorizer -> ... -> Resource method -> per-resource/method authorization

This might be useful, for example, if you have a common level of authorization for a group of resources, but you have specific additional authorization requirements on certain resources.

 
If not, I'm thinking about splitting my services in two families of resources /apps/ which will implement authentication and /info which will be public. Do you think it is a good solution?

It depends on whether your resources naturally decompose into mutable and read-only resources. If they do, that's probably preferable.

In my work I confine resource-specific authorization to a few places where it is much more natural to say something like "You must have the ADMIN role to PUT this resource, but anyone can GET it" than to break things up into separate resources. Most of the time, though, I try to keep read-only resources under separate paths in my routing structure.

--tim
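An added example (not code from this thread, from Sergio's project, or from the Restlet distribution) that puts Jerome's layout (Application -> ChallengeAuthenticator -> Router -> resources) together with Tim's per-method authorization. It assumes the Restlet 2.1/2.2 Java API (ChallengeAuthenticator, MapVerifier, Enroler, Role); the class names AndroPiApplication, GuardedResource and AppResource, the realm "AndroPi", the credentials admin/s3cret and the ADMIN role are all invented for the illustration.

```java
import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.data.ChallengeRequest;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.ClientInfo;
import org.restlet.data.Protocol;
import org.restlet.data.Status;
import org.restlet.resource.Delete;
import org.restlet.resource.Get;
import org.restlet.resource.Put;
import org.restlet.resource.ResourceException;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.Enroler;
import org.restlet.security.MapVerifier;
import org.restlet.security.Role;

public class AndroPiApplication extends Application {
    static final String REALM = "AndroPi";                          // assumed realm name
    static final Role ADMIN = new Role("ADMIN", "May modify apps"); // assumed role

    public AndroPiApplication() {
        getRoles().add(ADMIN); // declare the role this application knows about
    }

    @Override
    public Restlet createInboundRoot() {
        // optional = true: a request without valid credentials is passed on as anonymous
        // instead of being rejected here, so GET can stay public and each resource
        // decides per method whether an anonymous caller is acceptable.
        ChallengeAuthenticator guard = new ChallengeAuthenticator(
                getContext(), true, ChallengeScheme.HTTP_BASIC, REALM);

        MapVerifier verifier = new MapVerifier();   // demo credential store, constructed here
        verifier.getLocalSecrets().put("admin", "s3cret".toCharArray());
        guard.setVerifier(verifier);

        // Map the verified identity to roles; resources check roles, not user names.
        guard.setEnroler(new Enroler() {
            @Override
            public void enrole(ClientInfo clientInfo) {
                if (clientInfo.getUser() != null
                        && "admin".equals(clientInfo.getUser().getIdentifier())) {
                    clientInfo.getRoles().add(ADMIN);
                }
            }
        });

        Router router = new Router(getContext());   // authenticator -> router -> resources
        router.attach("/apps/{appId}", AppResource.class);
        guard.setNext(router);
        return guard;
    }

    /** Shared check for the write methods: 401 for anonymous, 403 for the wrong role. */
    public abstract static class GuardedResource extends ServerResource {
        protected void requireRole(Role role) {
            if (getClientInfo().getUser() == null) {
                // Anonymous (credentials absent or rejected): re-issue the challenge so a
                // client that merely omitted credentials can retry with them.
                getResponse().getChallengeRequests().add(
                        new ChallengeRequest(ChallengeScheme.HTTP_BASIC, REALM));
                throw new ResourceException(Status.CLIENT_ERROR_UNAUTHORIZED);
            }
            if (!getClientInfo().getRoles().contains(role)) {
                throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN); // no challenge
            }
        }
    }

    public static class AppResource extends GuardedResource {
        @Get("txt")
        public String describe() {                     // public
            return "app " + getRequestAttributes().get("appId");
        }

        @Put("txt")
        public String update(String body) {            // ADMIN only
            requireRole(ADMIN);
            return "updated app " + getRequestAttributes().get("appId");
        }

        @Delete
        public void remove() {                         // ADMIN only
            requireRole(ADMIN);
        }
    }

    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8080);
        component.getDefaultHost().attach(new AndroPiApplication());
        component.start();
    }
}
```

With this running, an anonymous GET on /apps/1 returns 200, an anonymous PUT returns 401 with a WWW-Authenticate: Basic challenge, and a PUT with admin:s3cret returns 200. The distinction matters: 401 tells an honest client to authenticate, 403 tells an authenticated client it is simply not allowed, and neither leaks which of the two checks failed to an anonymous caller. Because the authenticator is optional, a null user in the resource means either "no credentials" or "credentials rejected", so every write method must go through requireRole rather than trusting that the filter already stopped bad logins.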

RE: Re: Authenticator and Component XML configuration

Sergio-2
In reply to this post by Sergio-2
Hi again,

I want to protect some resources under /apps/{appid}:

/apps/{appId}/object

To avoid flooding I have pasted my code here:

http://pastebin.com/gqc2dbFS

I use the tracer filter to print the details of the request. The requested URI is:

"Resource URI : http://localhost:8080/apps/1"

Which, as far as I understood, according to my createInBoundRoute() method should be routed to the AppServerResource class after passing through the authenticator and the tracer. However, I get a 404 error. If I remove the credentials from my client, I get a 401 error, and the tracer prints the request information correctly, so I think the first router is working properly.

How can I implement a

router1 -> authenticator -> tracer -> router2

routing scheme?

I want the authenticator to only guard resources under /apps/{appId}.

Thanks in advance,
Sergio

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3078331

Re: Re: Authenticator and Component XML configuration

Tim Peierls
I don't think the nested router works the way you expect. You might be able to tweak it to work, but consider creating a separate authenticator (and tracer) instance for each guarded resource. I've written this up several times, but I can never find my old postings when I need them, so I've created a new pastebin example from yours to demonstrate the idea:


It compiles, but obviously won't actually run.

--tim


On Wed, May 14, 2014 at 7:33 AM, Sergio <[hidden email]> wrote:
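Tim's pastebin is not reproduced on this page, so here is an added example of the shape he describes: a single flat router, with a separate authenticator and tracer instance in front of each guarded resource instead of a nested router behind one authenticator. This is editor-written illustration code, not Tim's or Sergio's; it assumes the Restlet 2.1/2.2 API (Filter.setNext(Class) wrapping a ServerResource class in a Finder), and the class names GuardedRoutesApplication, Tracer, RootResource, AppsResource, AppResource and ObjectsResource, the realm "AndroPi" and the credentials admin/s3cret are invented.

```java
import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Protocol;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Filter;
import org.restlet.routing.Router;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.MapVerifier;
import org.restlet.security.Verifier;

public class GuardedRoutesApplication extends Application {

    /** Logs method, path and principal. Deliberately not the headers: with HTTP Basic the
     *  Authorization header carries the password (Base64, not encrypted) and must stay out of logs. */
    static class Tracer extends Filter {
        Tracer(Context context) {
            super(context);
        }

        @Override
        protected int beforeHandle(Request request, Response response) {
            String who = request.getClientInfo().getUser() == null
                    ? "anonymous" : request.getClientInfo().getUser().getIdentifier();
            getLogger().info(request.getMethod() + " "
                    + request.getResourceRef().getPath() + " by " + who);
            return CONTINUE;
        }
    }

    /** Builds authenticator -> tracer -> resource for one route. Not optional: without
     *  valid credentials the request is answered with 401 and never reaches the resource. */
    private Restlet guard(Verifier verifier, Class<? extends ServerResource> target) {
        ChallengeAuthenticator auth = new ChallengeAuthenticator(
                getContext(), ChallengeScheme.HTTP_BASIC, "AndroPi");
        auth.setVerifier(verifier);
        Tracer tracer = new Tracer(getContext());
        tracer.setNext(target);   // Filter.setNext(Class) wraps the resource class in a Finder
        auth.setNext(tracer);
        return auth;
    }

    @Override
    public Restlet createInboundRoot() {
        MapVerifier verifier = new MapVerifier();   // demo credential store, constructed here
        verifier.getLocalSecrets().put("admin", "s3cret".toCharArray());

        // One flat router. It binds {appId} as a request attribute before the request
        // enters the guard chain, so the resource behind the filters still sees it.
        Router router = new Router(getContext());
        router.attach("/", RootResource.class);                                   // public
        router.attach("/apps", AppsResource.class);                               // public
        router.attach("/apps/{appId}", guard(verifier, AppResource.class));       // guarded
        router.attach("/apps/{appId}/objects", guard(verifier, ObjectsResource.class));
        return router;
    }

    public static class RootResource extends ServerResource {
        @Get("txt") public String represent() { return "root"; }
    }
    public static class AppsResource extends ServerResource {
        @Get("txt") public String represent() { return "apps"; }
    }
    public static class AppResource extends ServerResource {
        @Get("txt") public String represent() {
            return "app " + getRequestAttributes().get("appId");
        }
    }
    public static class ObjectsResource extends ServerResource {
        @Get("txt") public String represent() {
            return "objects of app " + getRequestAttributes().get("appId");
        }
    }

    public static void main(String[] args) throws Exception {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8080);
        component.getDefaultHost().attach(new GuardedRoutesApplication());
        component.start();
    }
}
```

Use this shape when a whole path is private (every method on /apps/{appId} and below needs credentials); keep the optional-authenticator-plus-role-check shape for resources whose GET must stay public. Either way, HTTP Basic over the plain HTTP port 8080 in the component configuration sends the password in the clear on every request, so in any deployment beyond localhost put TLS in front of it.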


RE: Re: Re: Authenticator and Component XML configuration

Sergio-2
Hi Tim,

Thank you very much. It worked like a charm :).

It's true, this topic searcher doesn't work, it is almost impossible to find anything.

Thanks again, I'll be back soon with new questions.

Regards,
Sergio

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3078389