Hello Ishaaq,

You can have a look at the sample application provided at the bottom of this
page http://wiki.restlet.org/docs_2.0/13-restlet/46-restlet.html.
Basically, a set of Resources is guarded by a dedicated Authenticator. This
filter is set up with a password Verifier and an Enroler. The enroler is in
charge of completing the Request#ClientInfo with the list of Roles of the
current User.

public void enrole(ClientInfo clientInfo) {
  // Gives the role according to a user.
  if ("scott".equals(clientInfo.getUser().getIdentifier())) {
    clientInfo.getRoles().add(PUBLISHER);
  } else if ("admin".equals(clientInfo.getUser().getIdentifier())) {
    clientInfo.getRoles().add(ADMINISTRATOR);
  }
}

Then, at the Application level, you can complete the list of known Roles, by
updating the Application#getRoles list, for example in the constructor.
Once this has been done, you can call the ServerResource#isInRole(String)
method. It simply checks that the given role name corresponds to a known
role of the Application, and that this role is assigned to the current user.

Best regards,
Thierry Boileau


> Hi all,
>
> Am using Restlet 2.0.6.
>
> Trying to figure out how to implement fine grained authorization on my
> Resources. The authorization checks need to be instance-specific.
>
> According to
> http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet/113-restlet.html,
> I should be able to leverage ServerResource.isInRole() for this. However, I
> can't see how this works even if I implement that method as I see nothing in
> the Restlet source code that actually calls it other than some old
> deprecated jaxrs code.
>
> Suggestions?
>
> Ishaaq

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2720568
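
The wiring described in the reply, put together as an added example (not code from the original message or from the Restlet project), assuming the Restlet 2.0 API. `ArticleApplication`, `ArticleResource`, the role names, the `/articles/{id}` route, the `OWNERS` map and the secrets are hypothetical. It goes one step beyond the reply by pairing `isInRole` with a per-instance ownership check, since the question asks for instance-specific authorization.

```java
import java.util.*;
import org.restlet.*;
import org.restlet.data.*;
import org.restlet.resource.*;
import org.restlet.routing.Router;
import org.restlet.security.*;

public class ArticleApplication extends Application {
    // Hypothetical roles and constructed sample data (article id -> owner identifier).
    static final Role PUBLISHER = new Role("publisher", "May manage own articles");
    static final Role ADMINISTRATOR = new Role("administrator", "May manage any article");
    static final Map<String, String> OWNERS = Collections.singletonMap("42", "scott");
    public ArticleApplication() {
        getRoles().add(PUBLISHER);     // roles must be known to the Application,
        getRoles().add(ADMINISTRATOR); // or isInRole(String) will not match them
    }
    @Override
    public Restlet createInboundRoot() {
        MapVerifier verifier = new MapVerifier();
        verifier.getLocalSecrets().put("scott", "placeholder-1".toCharArray());
        verifier.getLocalSecrets().put("admin", "placeholder-2".toCharArray());
        ChallengeAuthenticator guard = new ChallengeAuthenticator(
                getContext(), ChallengeScheme.HTTP_BASIC, "articles");
        guard.setVerifier(verifier);
        guard.setEnroler(new Enroler() {
            public void enrole(ClientInfo clientInfo) {
                String id = clientInfo.getUser().getIdentifier();
                if ("scott".equals(id)) clientInfo.getRoles().add(PUBLISHER);
                else if ("admin".equals(id)) clientInfo.getRoles().add(ADMINISTRATOR);
            }
        });
        Router router = new Router(getContext());
        router.attach("/articles/{id}", ArticleResource.class);
        guard.setNext(router); // every routed resource sits behind the authenticator
        return guard;
    }
    public static class ArticleResource extends ServerResource {
        @Delete
        public void remove() {
            String owner = OWNERS.get(getRequestAttributes().get("id"));
            String user = getClientInfo().getUser().getIdentifier();
            boolean ownArticle = isInRole("publisher") && user.equals(owner);
            if (!isInRole("administrator") && !ownArticle) {
                throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
            }
            // ... delete the article here ...
        }
    }
}
```

The role check runs inside the resource method because nothing in the framework calls `isInRole` for you; an authenticated user without a matching role or ownership gets a 403 rather than a 401.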
