Thanks, but role-based authorization was not exactly what I was after. When
I said instance-specific authorization I meant authorization based on
particular resource instances.

So, as a crude example, if I have a Resource type called House and I have a
role called HouseOwner - not every HouseOwner can retrieve every House
Resource, only the HouseOwner associated with a particular House can
retrieve it.

So, currently, the way I'm going to tackle this is to throw a custom
exception on unauthorized access and get a custom StatusService to translate
my exception into a Status.CLIENT_ERROR_UNAUTHORIZED. Am pretty sure this
will work (I haven't done it yet), but was wondering if this was the best
way to achieve this.

Ishaaq



On 17 April 2011 02:39, Thierry Boileau <thierry.boil...@noelios.com> wrote:

> Hello Ishaaq,
>
> you can have a look at the sample application provided at the bottom of
> this page http://wiki.restlet.org/docs_2.0/13-restlet/46-restlet.html.
> Basically, a set of Resources are guarded by a dedicated Authenticator.
> This filter is set up with a password Verifier and an Enroler. The enroler
> is in charge of completing the Request#ClientInfo with the list of Roles of
> the current User.
> public void enrole(ClientInfo clientInfo) {
>   // Gives the role according to a user.
>   if ("scott".equals(clientInfo.getUser().getIdentifier())) {
>     clientInfo.getRoles().add(PUBLISHER);
>   } else if ("admin".equals(clientInfo.getUser().getIdentifier())) {
>     clientInfo.getRoles().add(ADMINISTRATOR);
>   }
> }
>
> Then, at the Application level, you can complete the list of known Roles,
> by updating the Application#getRoles list, for example in the constructor.
> Once this has been done, you can call the ServerResource#isInRole(String)
> method. It simply checks that the given role name corresponds to a known
> role of the Application, and that this role is assigned to the current user.
>
> Best regards,
> Thierry Boileau
>
>
>
> Hi all,
>>
>> Am using Restlet 2.0.6.
>>
>> Trying to figure out how to implement fine grained authorization on my
>> Resources. The authorization checks need to be instance-specific.
>>
>> According to
>> http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet/113-restlet.html,
>> I should be able to leverage ServerResource.isInRole() for this. However, I
>> can't see how this works even if I implement that method as I see nothing in
>> the Restlet source code that actually calls it other than some old
>> deprecated jaxrs code.
>>
>> Suggestions?
>>
>> Ishaaq
>
>
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2720870
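
The House/HouseOwner case from this thread, as an added example that is not code from either poster or from the Restlet project: a per-instance ownership check layered on top of the role check, done once in doInit() so it covers every method of the resource. The class name, the "/houses/{houseId}" route, the in-memory owner map and the "HouseOwner" role name are assumptions, and the sketch answers with Status.CLIENT_ERROR_FORBIDDEN because the caller is already authenticated at this point.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.restlet.data.Status;
import org.restlet.resource.Get;
import org.restlet.resource.ResourceException;
import org.restlet.resource.ServerResource;
import org.restlet.security.User;

// Hypothetical resource, assumed to be routed at "/houses/{houseId}" behind an
// Authenticator and Enroler that have already filled in the ClientInfo.
public class HouseResource extends ServerResource {

    // Constructed sample data: house id -> identifier of its single owner.
    static final Map<String, String> OWNER_BY_HOUSE = new ConcurrentHashMap<String, String>();
    static {
        OWNER_BY_HOUSE.put("42", "scott");
        OWNER_BY_HOUSE.put("43", "alice");
    }

    // Pure decision function: holding the role alone is never sufficient,
    // the caller must also be the owner recorded for this specific house.
    static boolean mayRetrieve(String userId, boolean isHouseOwner, String houseId) {
        if (userId == null || houseId == null || !isHouseOwner) {
            return false;
        }
        return userId.equals(OWNER_BY_HOUSE.get(houseId));
    }

    private String houseId;

    @Override
    protected void doInit() throws ResourceException {
        houseId = (String) getRequestAttributes().get("houseId");
        User user = getClientInfo().getUser();
        String userId = (user == null) ? null : user.getIdentifier();

        // Unknown house and someone else's house get the same status,
        // so the response does not reveal which house ids exist.
        if (!mayRetrieve(userId, isInRole("HouseOwner"), houseId)) {
            throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
        }
    }

    @Get
    public String retrieve() {
        return "House " + houseId;
    }
}
```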
