Hello Stephan

Thanks for your reply.

Does this mean that there is currently no way to access the org.restlet.data.Request object from within a JAX-RS resource class?

Thanks,
-- Roman

Stephan Koops wrote:
Hi Roman,

I've planned to allow Servlet authentication etc. for JAX-RS. Because the Restlet team plans to redesign the authentication etc., it was moved to later, after Restlet 1.1, to have enough time for implementing and testing.

Roman Geus wrote:
Hi all

I'm new to Restlet and I would like to implement a REST interface for my Java application using the JAX-RS API.

My application uses the JAAS framework for authentication vs a Windows Active Directory and also for authorization.

I have written a custom Guard for doing HTTP basic authentication vs the Active Directory:

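import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.restlet.Context;
import org.restlet.Guard;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Request;

// Guard that checks HTTP Basic credentials through a JAAS login configuration.
public class JaasBasicAuthGuard extends Guard {
    private String jaasConfigName;
    private Context context;

    public JaasBasicAuthGuard(Context context, String realm,
            String jaasConfigName) {
        super(context, ChallengeScheme.HTTP_BASIC, realm);
        this.context = context;
        this.jaasConfigName = jaasConfigName;
    }

    @Override
    public boolean checkSecret(Request request, String identifier,
            char[] secret) {
        // Hands the Basic credentials to the JAAS login modules.
        CallbackHandler handler = new DummyCallbackHandler(identifier, secret);

        try {
            LoginContext lc = new LoginContext(jaasConfigName, handler);
            lc.login();
            // Keep the authenticated Subject on the request for later use.
            request.getAttributes().put("test.restlet.jaxrs.Subject",
                    lc.getSubject());
            return true;
        } catch (LoginException e) {
            // Failed JAAS login: the request is not authenticated.
            return false;
        }
    }
}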

Now, in order to use JAAS in my application, I need to have the Subject object, obtained using lc.getSubject(), available in my JAX-RS resource class. To this end I have added the Subject to the request attributes. However I don't know how to get access to the Request object and its attributes in my JAX-RS resource class.

Here you misuse the return value of this method! The true means that the request is authenticated now.
You should check the password with the Subject in this method.

Why do you need access to the Subject object in the JAX-RS resource methods?

best regards
  Stephan
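
The guard quoted in this thread passes a DummyCallbackHandler to LoginContext, but that class is never shown. As an added example (not code from the posters or from the Restlet project), here is one way such a handler can answer the JAAS name and password callbacks; the class name FixedCredentialsCallbackHandler, the clear() method and the sample credentials are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Hypothetical stand-in for the thread's DummyCallbackHandler. */
public class FixedCredentialsCallbackHandler implements CallbackHandler {
    private final String identifier;
    private final char[] secret;

    public FixedCredentialsCallbackHandler(String identifier, char[] secret) {
        this.identifier = identifier;
        // Own copy, so clear() never wipes the caller's array.
        this.secret = secret == null ? new char[0] : secret.clone();
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(identifier);
            } else if (cb instanceof PasswordCallback) {
                // PasswordCallback stores its own copy of the array.
                ((PasswordCallback) cb).setPassword(secret);
            } else {
                // Refuse prompts this handler cannot answer rather than skip them.
                throw new UnsupportedCallbackException(cb, "Unsupported callback");
            }
        }
    }

    /** Zero the stored password once LoginContext.login() has returned. */
    public void clear() {
        Arrays.fill(secret, '\0');
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials, not taken from the thread.
        FixedCredentialsCallbackHandler h = new FixedCredentialsCallbackHandler(
                "alice", "constructed-pw".toCharArray());
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        h.handle(new Callback[] { name, pw });
        h.clear();
        System.out.println(name.getName() + ", password chars delivered: "
                + pw.getPassword().length);
    }
}
```

Calling clear() in a finally block after lc.login() keeps the Basic password from lingering in the handler; the login modules are still responsible for clearing the copy held by the PasswordCallback.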

