Creating a Restlet Authorizer for fine grained authorization


Problem description

I'm attempting to implement a RESTful API using Restlet and have found very little on anything more than the basic Role and Method Authorizers. I have stored in a database the routes and methods for those routes that a user can access. The issue I'm running into now is how to get the path in the Authorizer. Is it the resource I'm needing to gather? And how exactly am I supposed to route to the authorizer? I've posted what I have so far and am looking for how to get the path or resource in my Authorizer. Any information is appreciated. I've looked through books and many generic examples and haven't found quite what I'm looking for.

My routing application:

public class MyRoutingApp extends org.restlet.Application {

    @Override  
    public synchronized Restlet createInboundRoot() { 

        Context context = getContext();
        Router router = new Router(context);

        router.attach("/user", Users.class);
        router.attach("/post", Posts.class);
        router.attach("/comment", Comments.class);

        ChallengeAuthenticator authenticator = new ChallengeAuthenticator( 
                context, ChallengeScheme.HTTP_BASIC, "My test realm" );

        //create Verifier to ensure that the user is authenticated
        MyVerifier verifier = new MySecretVerifier();
        //grab user Roles and add them to the request
        MyEnroler enroler = new MyEnroler();

        authenticator.setVerifier( verifier );
        authenticator.setEnroler( enroler );

        //Looks up if user can be allowed to resource
        MyAuthorizer authorizer = new MyAuthorizer();
        authorizer.setNext( router );

        authenticator.setNext( authorizer );
        return authenticator; 
    }
}

My Authorizer:

public class MyAuthorizer extends Authorizer {

    @Override
    protected boolean authorize( Request request, Response response ) {

        //has the security roles and user from verifier and enroler
        ClientInfo info = request.getClientInfo();
        //get http method
        Method method = request.getMethod();

        //need to get the route or resource user is attempting to access
        //allow or disallow access based on roles and method
    }
}

Recommended answer

The target resource URI is available via the Request#getResourceRef().getRemainingPart().
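
The following is an added example, not part of the original question or answer: a deny-by-default Authorizer that combines the HTTP method, the remaining part of the resource reference and the roles set by the enroler. The class name RoutePermissionAuthorizer, the in-memory permissions map (constructed sample data standing in for the database table described in the question) and the normalize helper are hypothetical.

```java
import java.util.Map;
import java.util.Set;

import org.restlet.Request;
import org.restlet.Response;
import org.restlet.security.Authorizer;
import org.restlet.security.Role;

public class RoutePermissionAuthorizer extends Authorizer {

    // Constructed sample data (assumption): role name -> allowed "METHOD path"
    // entries. In the question's setup these rows would come from the database.
    private final Map<String, Set<String>> permissions = Map.of(
            "admin", Set.of("GET /user", "POST /user", "GET /post", "POST /post"),
            "reader", Set.of("GET /post", "GET /comment"));

    @Override
    protected boolean authorize(Request request, Response response) {
        // Defensive check: never authorize a request nobody authenticated.
        if (!request.getClientInfo().isAuthenticated()) {
            return false;
        }
        // decode=true, query=false: compare the decoded path only, so that
        // percent-encoding or a query string cannot change the lookup key.
        String remaining = request.getResourceRef().getRemainingPart(true, false);
        if (remaining == null) {
            return false;
        }
        String key = request.getMethod().getName() + " " + normalize(remaining);

        // Roles were attached to the request by the enroler.
        for (Role role : request.getClientInfo().getRoles()) {
            Set<String> allowed = permissions.get(role.getName());
            if (allowed != null && allowed.contains(key)) {
                return true;
            }
        }
        // No matching rule: deny. Authorizer then answers 403 Forbidden.
        return false;
    }

    // Hypothetical helper: drop trailing slashes so "/user/" and "/user"
    // map to the same stored route; an empty path becomes "/".
    static String normalize(String path) {
        String p = path.replaceAll("/+$", "");
        return p.isEmpty() ? "/" : p;
    }
}
```

The lookup is an exact match on the stored route, so a sub-path such as /user/42 is denied unless the table holds a rule for it.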
