Creating a Restlet Authorizer for fine grained authorization

StackOverflow https://stackoverflow.com/questions/16499192

Frage

I'm attempting to implement a RESTful API using Restlet and have found very little on anything more than the basic Role and Method Authorizers. I have stored in a database the routes and methods for those routes that a user can access. The issue I'm running into now is how to get the path in the Authorizer. Is it the resource I'm needing to gather? And how exactly am I supposed to route to the authorizer? I've posted what I have so far an am looking how in my Authorizer to get the path or resource. Any information is appreciated, I've looked though books and many generic examples and haven't found quiet what I'm looking for.

My Routing Application:

public class MyRoutingApp extends org.restlet.Application {

    @Override  
    public synchronized Restlet createInboundRoot() { 

        Context context = getContext();
        Router router = new Router(context);

        router.attach("/user", Users.class);
        router.attach("/post", Posts.class);
        router.attach("/comment", Comments.class);

        ChallengeAuthenticator authenticator = new ChallengeAuthenticator( 
                context, ChallengeScheme.HTTP_BASIC, "My test realm" );

        //create Verifier to ensure that the user is authenicated
        MyVerifier verifier = new MySecretVerifier();
        //grab user Roles and add them to the request
        MyEnroler enroler = new MyEnroler();

        authenticator.setVerifier( verifier );
        authenticator.setEnroler( enroler );

        //Looks up if user can be allowed to resource
        MyAuthorizer authorizer = new MyAuthorizer();
        authorizer.setNext( router );

        authenticator.setNext( authorizer );
        return authenticator; 
    }
}

My Authorizer:

public class MyAuthorizer extends Authorizer {

    @Override
    protected boolean authorize( Request request, Response response ) {

        //has the security roles and user from verifier and enroler
        ClientInfo info = request.getClientInfo();
        //get http method
        Method method = request.getMethod();

        //need to get the route or resource user is attempting to access
        //allow or disallow access based on roles and method
    }
}
War es hilfreich?

Lösung

The target resource URI is available via the Request#getResouceRef().getRemainingPart().

Lizenziert unter: CC-BY-SA mit Zuschreibung
Nicht verbunden mit StackOverflow
scroll top