Hi,
Took me a while but I did get it working,
Here is what I did.
In my restlet application I set up the CookieAuthenticator as follows
public class CMRestletApplication extends Application {...
@Override
public Restlet createInboundRoot() {
Router router = new Router(getContext());
...
router.attach("/rest/modules/login/login.ftl",
LoginFormServerResource.class, Template.MODE_STARTS_WITH);
...
CmCookieAuthenticator authenticator = new
CmCookieAuthenticator(getContext(), "My Realm", /*must be 16 bytes*/"My
Server KeyXXX".getBytes());
authenticator.setLoginPath("/rest/special/loginPost");
authenticator.setLoginFormPath("/cm/rest/modules/login/login.ftl");
authenticator.setRedirectQueryName("redirectUri");
authenticator.setNext(router);
MapVerifier mapVerifier = new MapVerifier();
mapVerifier.getLocalSecrets().put("chunkylover53",
"pwd".toCharArray());
authenticator.setVerifier(mapVerifier);
...
router.attach(mode resources);
...
return authenticator;
}
}
The login form via freemarker
<form action="/cm/rest/special/loginPost?redirectUri=${redirectUri}"
method="POST">
<input type="text" id="login" name="login" size="15"/>
<input type="password" id="password" name="password" size="15"/>
<input type="submit" value="Login"/>
</form>
The authenticator is a filter so I filter all urls that need authentication.
public class CmCookieAuthenticator extends CookieAuthenticator {...
@Override
protected int beforeHandle(Request request, Response response) {
if
(request.getResourceRef().getRemainingPart().startsWith("/css") ||
request.getResourceRef().getRemainingPart().startsWith("/rest/modules/login")
|| request.getResourceRef().getRemainingPart().startsWith("/jquery")) {
return CONTINUE;
} else {
int result = super.beforeHandle(request, response);
if (response.getStatus()== Status.REDIRECTION_SEE_OTHER) {
return STOP;
} else {
return result;
}
}
}
Still need to unhardcode the verifier part, but cookie authentication
slipped of the priority bus for now.
As far as I understand there is nothing further to do from the client
side as the browser sends the cookie details are sent through with every
request. The cookie is encrypted so security seems ok.
I used the default key security as defined by Restlet.
Logout happens via the default /logout path as specified in the
CookieAuthenticator.
My menu has the following logout url. <a
href="/cm/logout?redirectUri=cm/rest/modules/tools/dashboard.ftl">logout</a>
All this might not be exactly as intended but it works in my basic tests.
Hope that helps some.
Pieter
On 04/07/2013 19:18, Johanneke Lamberink wrote:
> So I'm trying to use the CookieAuthenticator, but there are some things
> unclear to me. The documentation focuses on explaining how to do HTTP Basic
> or HTTP Digest, I haven't been able to find an example of HTTP Cookie
> anywhere, which is a shame :(
>
> I am using Restlet 2.1.2.
>
> Question 1
> ------------
> According to the documentation:
> "public void challenge(Response response,
> boolean stale)
> This method should be overridden to return a login form representation.
> By default, it redirects the user's browser to the getLoginFormPath() URI,
> adding the URI of the target resource as a query parameter of name
> getRedirectQueryName().
> In case the getLoginFormPath() is not set, it calls the parent's method."
>
> How do you override the implementation to return a representation? The return
> type is already void.
>
> I now have a path in the router to a ServerResource with the uri of the login
> form that 'challenge' redirects to, which returns a Representation of a Form.
> Is that what is meant? Then do I have to implement GET, POST, PUT and DELETE,
> or only POST, or what?
> If not, how should I override 'challenge'?
>
> Question 2
> ------------
> And how do you handle this client side? I want to make my login form in the
> same style as the rest of the site. What is the flow when I return the form
> from the server side? My client is a javascript web application.
>
> Question 3
> ------------
> When a user is logged in, what do I send on subsequent requests? How do I
> handle this in the CookieAuthenticator? The authenticate method expects a
> cookie with a username and password, should I send that on every request?
> What if I want to use some sort of session security token? I know the server
> has no state, but I thought this is where the cookies came into play. I just
> have trouble understanding how exactly.
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3059804
>
> ____________________________________________________________________________________
> Your personal email. Anytime, anywhere.
> Ridiculously affordable at $19.95. No contracts.
> http://www.getpeek.com/lavabit.html
> ____________________________________________________________________________________
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3059867
