Hi all, I'm Stefano from Italy (so... sorry for my not so good English). I come from the JSP / relational DB / Java world (before 2007) and, after some years of stop, I'm trying to develop a new platform for building collaborative journalistic stuff (e.g. articles, newspapers and so on) using "new" technologies (REST, NoSQL, workflow engine). So the scenario is quite simple:

1) Different kinds of people can access the platform (anonymous users, writers, readers, editors, administrators), and every one of them can be, for example, editor for one article and only reader for another one.

2) Collaborative resources can have different kinds of protection policy; for example, some articles are private (manageable only by their owner), others are manageable by a dynamic group of users, and finally others are public (manageable by every authenticated user).

So I've already bought the Restlet in Action MEAP ebook (great job) to better understand Restlet's powerful characteristics, and after 6 chapters I'm in crisis on security issues (probably because of my servlet stateful background). I mean that in the JSP world, after a login form, I usually use session.setParameter("user", User) with a POJO User that has some methods like public Boolean checkModification(Article ID), which returns true if the current user can modify the resource with the given ID, and public Boolean checkView(Article ID), which returns true if the current user can view the resource. Obviously those methods have business logic that checks in some way the permission grant (i.e. a SQL query on an RDBMS). In my opinion, in this way the problem of cross injection is also avoided, because the user POJO is in memory in the session context on the server side.

I'm sure (or better, I hope) that the same kind of security can be reached also with the Restlet framework... but I'm confused about this topic and about the better solution for my project. For other features I need to use Restlet as a Servlet in Tomcat, so please... can anyone guide me in the choice of the right secure architecture, to obtain a content protection policy (like explained above) and also to avoid malicious injection, by using Tomcat and Restlet?

I hope in your help... thanks in advance.

Stefano

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/Solution-Design-Crisis-tp6264270p6264270.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2719024
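As an added example (not part of the original post, nor Restlet project code), here is one way the session-bound checkView/checkModification idea maps onto Restlet's stateless chain: a ChallengeAuthenticator establishes who the caller is, and an Authorizer placed behind the route evaluates the private/group/public policy for the article named in the URI on every request. It assumes the Restlet 2.x API and uses an in-memory map with constructed sample data in place of the RDBMS/NoSQL lookup the post describes.

```java
import java.util.*;
import org.restlet.*;
import org.restlet.data.ChallengeScheme;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.*;

public class NewsroomApplication extends Application {
    enum Policy { PRIVATE, GROUP, PUBLIC }
    // Constructed sample policy store (stands in for the database query).
    static final class Article {
        final Policy policy; final String owner; final Set<String> editors;
        Article(Policy p, String o, String... e) { policy = p; owner = o; editors = new HashSet<>(Arrays.asList(e)); }
    }
    static final Map<String, Article> ARTICLES = new HashMap<>();
    static {
        ARTICLES.put("1", new Article(Policy.PRIVATE, "stefano"));            // owner only
        ARTICLES.put("2", new Article(Policy.GROUP, "stefano", "anna", "marco")); // owner + group
        ARTICLES.put("3", new Article(Policy.PUBLIC, "anna"));                // any authenticated user
    }
    // Same decision as the session POJO's checkModification, but recomputed per request.
    static boolean canModify(String userId, Article a) {
        if (userId == null) return false;                       // anonymous callers never modify
        switch (a.policy) {
            case PRIVATE: return a.owner.equals(userId);
            case GROUP:   return a.owner.equals(userId) || a.editors.contains(userId);
            default:      return true;                           // PUBLIC
        }
    }
    public static class ArticleResource extends ServerResource {
        @Get public String represent() { return "article " + getAttribute("id"); }
    }
    @Override public Restlet createInboundRoot() {
        // 1. Authentication (MapVerifier is only a stand-in for a real credential store).
        ChallengeAuthenticator guard = new ChallengeAuthenticator(getContext(), ChallengeScheme.HTTP_BASIC, "newsroom");
        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("stefano", "change-me".toCharArray());
        guard.setVerifier(verifier);
        guard.setOptional(true); // let anonymous readers through; the authorizer decides what they may do
        // 2. Authorization, attached AFTER routing so the {id} template variable is already set.
        Authorizer articleAuthorizer = new Authorizer() {
            @Override protected boolean authorize(Request request, Response response) {
                Article a = ARTICLES.get((String) request.getAttributes().get("id"));
                if (a == null) return false;                      // unknown article: deny
                if (request.getMethod().isSafe()) return true;    // GET/HEAD readable by all in this sample
                User u = request.getClientInfo().getUser();
                return canModify(u == null ? null : u.getIdentifier(), a);
            }
        };
        articleAuthorizer.setNext(ArticleResource.class);
        Router router = new Router(getContext());
        router.attach("/articles/{id}", articleAuthorizer);
        guard.setNext(router);
        return guard;
    }
}
```

Deployed under Tomcat, this Application class is the one named in the ServerServlet's init-param; because the decision is recomputed from the store on each request, revoking an editor takes effect immediately rather than at session expiry.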