tags:

views:

599

answers:

1
+5  Q: 

Fine-grained Authentication with RESTlet

Hi,

I want to expose a resource using RESTlet with a fine-grained authentication. My ServerResource should be accessable via GET only for authenticated members (using BASIC Authentication). However, requests using POST should be available also for callers without any authentication.

In order to clearify: http://path/myapp/user should allow anyone to register using POST, but only registered members should be able to GET a list of all users.

I'm unfortunately not much into RESTlet and I only find examples using coarser authentication for whole Restlets or Routers.

So how do I enable optional authentication for resources and check them on a per-method level?

Thanks in advance!

+5  A: 

To do basic authentication in RESTlet 2.0 (I assume you're using 2.0 since you mention ServerResource), you need to use a ChallengeAuthenticator. If this is configured with optional = true then authentication will only be requested if you invoke ChallengeAuthenticator.challenge().

You can create your application with an authenticate() method, and call this whenever you need access to a resource to be secured:

Application:

package example;

import org.restlet.*;
import org.restlet.data.ChallengeScheme;
import org.restlet.routing.Router;
import org.restlet.security.*;

public class ExampleApp extends Application {

    private ChallengeAuthenticator authenticatior;

    private ChallengeAuthenticator createAuthenticator() {
        Context context = getContext();
        boolean optional = true;
        ChallengeScheme challengeScheme = ChallengeScheme.HTTP_BASIC;
        String realm = "Example site";

        // MapVerifier isn't very secure; see docs for alternatives
        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("user", "password".toCharArray());

        ChallengeAuthenticator auth = new ChallengeAuthenticator(context, optional, challengeScheme, realm, verifier) {
            @Override
            protected boolean authenticate(Request request, Response response) {
                if (request.getChallengeResponse() == null) {
                    return false;
                } else {
                    return super.authenticate(request, response);
                }
            }
        };

        return auth;
    }

    @Override
    public Restlet createInboundRoot() {
        this.authenticatior = createAuthenticator();

        Router router = new Router();
        router.attach("/user", UserResource.class);

        authenticatior.setNext(router);
        return authenticatior;
    }

    public boolean authenticate(Request request, Response response) {
        if (!request.getClientInfo().isAuthenticated()) {
            authenticatior.challenge(response, false);
            return false;
        }
        return true;
    }

}

Resource:

package example;

import org.restlet.data.MediaType;
import org.restlet.representation.EmptyRepresentation;
import org.restlet.representation.Representation;
import org.restlet.representation.StringRepresentation;
import org.restlet.resource.ServerResource;

public class UserResource extends ServerResource {

    @Override
    public Representation get() {
        ExampleApp app = (ExampleApp) getApplication();
        if (!app.authenticate(getRequest(), getResponse())) {
            // Not authenticated
            return new EmptyRepresentation();
        }

        // Generate list of users
        // ...
    }     

    @Override
    public Representation post(Representation entity) {
        // Handle post
        // ...
    }

}
sea36  2010-02-08 09:41:47
First of all thanks for your answer, this looks promising. However, I have some problems getting your code to work. For instance, there is no `getSubject()` method for ClientInfo (I'm using 2.0m7). Also, I'm not sure if your `authenticate()` method is correct?
PartlyCloudy  2010-02-08 20:38:10
I was using an earlier snapshot; I've updated the examples to work with 2.0m7.
sea36  2010-02-08 23:00:45
Thanks, again, now the code compiles and POST is always available. Unfortunately, GET is never. No matter if I provide no, wrong or correct BASIC credentials, I always get a 401.
PartlyCloudy  2010-02-09 08:40:39
I've tried it again and the example works for me using RESTlet 2.0m7. Are you running the example, or trying to adapt it to your code?
sea36  2010-02-09 11:06:56
Ok, I'm sorry, your code works fine! Thank you very much for your sustainable help!
PartlyCloudy  2010-02-09 14:26:28
Thank you for the example, it was very useful!Just one question: why are you overriding the authenticator to check if the challengeResponse is null?
artgon  2010-09-15 19:31:23

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java