Hi Simon,

To complete my previous answer: the default security model proposed by Restlet (Organization/User/Group/Role) is optional. They are not required to make the Authenticator/Authorizer/Verifier/Guard/ChallengeGuard classes work.

So, the usage scenario that you propose should work fine. Then, the RoleAuthorizer class relies on the Request#clientInfo#isInRole(Role) method to check if the authenticated user has (or not) a given role. This method simply iterates through the Request#clientInfo#subject property (via the getPrincipals() method) to find a matching RolePrincipal. In your case, your custom Verifier would simply need to update the subject of a successfully authenticated request with a new RolePrincipal.

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

-----Original Message-----
From: Simon Reinhardt [mailto:simon.reinha...@koeln.de]
Sent: Wednesday, 11 February 2009 14:13
To: discuss@restlet.tigris.org
Subject: Using roles & state of the snapshot (was: Re: Using ChallengeGuard)

Hi Jerome

Jerome Louvel wrote:
> The new security package is now usable! You can test it with a recent
> 1.2 snapshot.

That's great news, I was trying to use it as well. :-) Can you make any comment on the state of release 1.2? How stable/functional/complete is the current snapshot? I'm not planning to use it in a production system but in a uni project, so I'm fine with things not being tested thoroughly yet, but would only switch to the snapshot if I can be sure that it's actually usable. :-)

That aside, I'm trying to figure out how to use the different parts of the security system. One of my requirements is that all the data about the users (their relationship to roles and their credential-checking details (user ID, hashed password)) are stored in a database (an RDF store to be exact) and should be retrieved from there on every request. I guess that's a rather common situation. So I was thinking to use one Authenticator shared by all Guards that holds a connection to the database and checks the credentials by comparing them to data from the database (actually the Verifier will do that).

Then I want to use the RoleAuthorizer for the authorisation step in the Guard. But that of course needs information about the relationship between the user and the roles. I'm not sure where and how to tell it about that. Since the Verifier retrieves details about the user anyway, it might as well request the user's roles (even though that is not really its task and couples the verification step with the role authorisation step). But where would I put the data about the user-role relationships? I see Context has a method map(User, Role). But the RoleAuthorizer doesn't seem to care much about those mappings but only about RolePrincipals that were set on the Subject in the ClientInfo. Am I going in the right direction at all here? :-)

Thanks,
Simon

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1138788

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1177272
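The pattern Jerome describes (a custom Verifier checks the stored credentials, then adds one RolePrincipal per role to the request's Subject, and the role check simply scans the Subject's principals) can be illustrated without depending on the Restlet 1.2 snapshot API. The following Java is an added example written for this page, not code from the thread or from the Restlet project: `RolePrincipal`, `UserPrincipal`, `UserRecord` and `RoleVerifier` are local stand-ins named after the classes mentioned above, the in-memory `Map` stands in for Simon's RDF store, and only `javax.security.auth.Subject` and `java.security.Principal` from the JDK are real. The sample user and password are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;

public class RoleVerifierDemo {

    /** Local stand-in for Restlet's RolePrincipal (not the Restlet class): a Principal named after a role. */
    static final class RolePrincipal implements Principal {
        private final String roleName;
        RolePrincipal(String roleName) { this.roleName = roleName; }
        @Override public String getName() { return roleName; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).roleName.equals(roleName);
        }
        @Override public int hashCode() { return roleName.hashCode(); }
    }

    /** Local stand-in for the authenticated user's own principal. */
    static final class UserPrincipal implements Principal {
        private final String identifier;
        UserPrincipal(String identifier) { this.identifier = identifier; }
        @Override public String getName() { return identifier; }
    }

    /** What one lookup in the user store returns: salt, salted password hash and the user's role names. */
    static final class UserRecord {
        final byte[] salt;
        final byte[] passwordHash;
        final List<String> roles;
        UserRecord(byte[] salt, byte[] passwordHash, List<String> roles) {
            this.salt = salt; this.passwordHash = passwordHash; this.roles = roles;
        }
    }

    /** Hypothetical verifier: checks the credentials against the store and tags the Subject with roles. */
    static final class RoleVerifier {
        private final Map<String, UserRecord> store;   // constructed stand-in for the RDF store
        private final byte[] dummySalt = new byte[16]; // keeps the unknown-user path doing the same work

        RoleVerifier(Map<String, UserRecord> store) { this.store = store; }

        /**
         * Verifies identifier/secret. On success the Subject gains a UserPrincipal plus one
         * RolePrincipal per stored role, which is exactly what the later role check looks for.
         */
        boolean verify(String identifier, char[] secret, Subject subject) {
            UserRecord rec = store.get(identifier);
            // Hash even when the user is unknown so response time does not reveal which names exist.
            byte[] candidate = hash(rec == null ? dummySalt : rec.salt, secret);
            // MessageDigest.isEqual compares in constant time; a plain Arrays.equals would leak timing.
            if (rec == null || !MessageDigest.isEqual(rec.passwordHash, candidate)) {
                return false;
            }
            subject.getPrincipals().add(new UserPrincipal(identifier));
            for (String role : rec.roles) {
                subject.getPrincipals().add(new RolePrincipal(role));
            }
            return true;
        }
    }

    /** SHA-256(salt || password). A real deployment would use a slow KDF (PBKDF2, bcrypt, scrypt). */
    static byte[] hash(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Mirrors the isInRole check described in the thread: scan the Subject's principals for a matching role. */
    static boolean isInRole(Subject subject, String roleName) {
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(roleName)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample store: user "alice", password "s3cret", roles admin and editor.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Map<String, UserRecord> store = new HashMap<>();
        store.put("alice", new UserRecord(salt, hash(salt, "s3cret".toCharArray()),
                Arrays.asList("admin", "editor")));
        RoleVerifier verifier = new RoleVerifier(store);

        Subject subject = new Subject();
        boolean ok = verifier.verify("alice", "s3cret".toCharArray(), subject);
        System.out.println("verified=" + ok + " admin=" + isInRole(subject, "admin")
                + " auditor=" + isInRole(subject, "auditor"));

        Subject other = new Subject();
        boolean bad = verifier.verify("alice", "wrong".toCharArray(), other);
        System.out.println("wrong password verified=" + bad + " principals=" + other.getPrincipals().size());
    }
}
```

Compile and run with `javac RoleVerifierDemo.java && java RoleVerifierDemo`. The point of keeping the role lookup inside the verifier, as Simon considers, is that the Subject is populated once per request from the store of record; the authorizer then needs no access to the database and no Context#map(User, Role) table, because a role either is or is not present as a principal on the request. On a failed check the Subject stays empty, so no role principal can leak into a request that was not authenticated.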