Ethan,
Dont worry, this appears to be a confusing thing for many lift new-
commers. The role stuff is *only* for use with HTTP authentication...
for the scenario you described, it wont help you.
What is it you want to authenticate? A user? An api call?
Cheers, Tim
On Jan 8, 5:45 pm, Ethan Jewett <esjew...@gmail.com> wrote:
> Hi all,
>
> Let me preface this by saying that I'm learning Lift, so I'm a
> relative newbie. Please be gentle.
>
> I'm struggling to figure out a good way to do role-based authorization
> natively in Lift. Based on examples in the Lift book, the wiki, and
> reading the Lift source, I've gotten to
>
> val roles = AuthRole("super-admin",
> AuthRole("admin",
> AuthRole("user")
> ),
> AuthRole("integration-admin")
> )
>
> LiftRules.httpAuthProtectedResource.prepend {
> case ParsePath("api2" :: "users" :: _, _, _, _) =>
> roles.getRoleByName("integration-admin")
>
> }
>
> This is with the intention of introducing Lift-based roles into the
> ESME code base, starting with the API. (ESME is an enterprise
> micro-messaging system:http://cwiki.apache.org/confluence/display/ESME/Index)
>
> There are two issues with this approach:
>
> 1. Because LiftRules.httpAuthProtectedResource takes ParsePath() as
> its match instead of Req(), I can't require a different role for a
> GetRequest vs. a PostRequest, for example. This is a requirement for a
> pure resource-oriented (RESTful) approach, since we'll often want to
> authorize users to read on a resource (GetRequest), but not
> write/change it (Post/Put/DeleteRequest).
>
> 2. It appears to require use of HTTP basic or digest authentication in
> order to assign a role to a user (using userRoles). We don't currently
> want to use either. (For our API we're currently using a token-based
> login with headers for persisting the session.)
>
> I feel like I'm missing something in the area of #2 because the Lift
> book uses "LiftRules.protectedResource", which doesn't seem as
> authentication-bound on the surface, but this function is no longer in
> Lift. Also, I've seen references on the mailing list to "form-based"
> authentication, so I'm thinking that there is another way.
>
> Are there ways to handle both 1 & 2 in Lift, or is this something that
> people generally handle in their application logic?
>
> Thanks,
> Ethan
--
You received this message because you are subscribed to the Google Groups
"Lift" group.
To post to this group, send email to lift...@googlegroups.com.
To unsubscribe from this group, send email to
liftweb+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/liftweb?hl=en.
