Fine-grained Authentication with RESTlet
Problem description
I want to expose a resource using RESTlet with a fine-grained authentication. My ServerResource should be accessible via GET only for authenticated members (using BASIC Authentication). However, requests using POST should be available also for callers without any authentication.
In order to clarify: http://path/myapp/user should allow anyone to register using POST, but only registered members should be able to GET a list of all users.
I'm unfortunately not much into RESTlet and I only find examples using coarser authentication for whole Restlets or Routers.
So how do I enable optional authentication for resources and check them on a per-method level?
Thanks in advance!
Recommended answer
To do basic authentication in RESTlet 2.0 (I assume you're using 2.0 since you mention ServerResource), you need to use a ChallengeAuthenticator. If this is configured with optional = true then authentication will only be requested if you invoke ChallengeAuthenticator.challenge().
You can create your application with an authenticate() method, and call this whenever you need access to a resource to be secured:
Application:
```java
package example;

import org.restlet.*;
import org.restlet.data.ChallengeScheme;
import org.restlet.routing.Router;
import org.restlet.security.*;

public class ExampleApp extends Application {

    private ChallengeAuthenticator authenticator;

    private ChallengeAuthenticator createAuthenticator() {
        Context context = getContext();
        // optional = true: requests without credentials are not rejected here
        boolean optional = true;
        ChallengeScheme challengeScheme = ChallengeScheme.HTTP_BASIC;
        String realm = "Example site";

        // MapVerifier isn't very secure; see docs for alternatives
        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("user", "password".toCharArray());

        ChallengeAuthenticator auth = new ChallengeAuthenticator(context, optional, challengeScheme, realm, verifier) {
            @Override
            protected boolean authenticate(Request request, Response response) {
                // No credentials supplied: treat the caller as anonymous
                if (request.getChallengeResponse() == null) {
                    return false;
                } else {
                    return super.authenticate(request, response);
                }
            }
        };

        return auth;
    }

    @Override
    public Restlet createInboundRoot() {
        this.authenticator = createAuthenticator();

        Router router = new Router();
        router.attach("/user", UserResource.class);

        // Every request passes through the optional authenticator first
        authenticator.setNext(router);
        return authenticator;
    }

    // Called by resources from the methods that require an authenticated caller
    public boolean authenticate(Request request, Response response) {
        if (!request.getClientInfo().isAuthenticated()) {
            authenticator.challenge(response, false);
            return false;
        }
        return true;
    }
}
```
Resource:
```java
package example;

import org.restlet.data.MediaType;
import org.restlet.representation.EmptyRepresentation;
import org.restlet.representation.Representation;
import org.restlet.representation.StringRepresentation;
import org.restlet.resource.ServerResource;

public class UserResource extends ServerResource {

    @Override
    public Representation get() {
        ExampleApp app = (ExampleApp) getApplication();
        if (!app.authenticate(getRequest(), getResponse())) {
            // Not authenticated; the challenge is already set on the response
            return new EmptyRepresentation();
        }

        // Generate list of users
        // ...
        return new StringRepresentation("user list goes here", MediaType.TEXT_PLAIN); // placeholder body
    }

    @Override
    public Representation post(Representation entity) {
        // No authenticate() call: POST stays open to anonymous callers
        // Handle post
        // ...
        return new EmptyRepresentation(); // placeholder response
    }
}
```
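The same GET/POST policy can also be declared once in the routing chain instead of inside each resource method. The sketch below is an added example, not part of the original answer: it places Restlet's MethodAuthorizer behind the optional ChallengeAuthenticator. The class name MethodPolicyApp is hypothetical, and it assumes UserResource.get() no longer calls app.authenticate().

```java
package example;

import org.restlet.*;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Method;
import org.restlet.routing.Router;
import org.restlet.security.*;

// Hypothetical application class (added example); UserResource is the
// resource from the answer with the authenticate() call removed from get().
public class MethodPolicyApp extends Application {
    @Override
    public Restlet createInboundRoot() {
        MapVerifier verifier = new MapVerifier(); // demo-only credential store
        verifier.getLocalSecrets().put("user", "password".toCharArray());

        // optional = true: requests without credentials continue as anonymous
        final ChallengeAuthenticator authenticator = new ChallengeAuthenticator(
                getContext(), true, ChallengeScheme.HTTP_BASIC, "Example site", verifier) {
            @Override
            protected boolean authenticate(Request request, Response response) {
                // Same guard as in the answer: no credentials means anonymous
                return request.getChallengeResponse() != null && super.authenticate(request, response);
            }
        };

        MethodAuthorizer authorizer = new MethodAuthorizer() {
            @Override
            protected int unauthorized(Request request, Response response) {
                if (!request.getClientInfo().isAuthenticated()) {
                    // Anonymous caller on a protected method: 401 with a Basic challenge
                    authenticator.challenge(response, false);
                    return STOP;
                }
                return super.unauthorized(request, response); // 403 by default
            }
        };
        authorizer.getAnonymousMethods().add(Method.POST);     // open registration
        authorizer.getAuthenticatedMethods().add(Method.GET);  // members only
        authorizer.getAuthenticatedMethods().add(Method.POST);

        Router router = new Router(getContext());
        router.attach("/user", UserResource.class);
        authorizer.setNext(router);
        authenticator.setNext(authorizer);
        return authenticator;
    }
}
```

With this wiring, a method that appears in neither list is refused for every caller, so a handler added to the resource later stays closed until it is listed explicitly.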