custom authentication ??

Ty-3

custom authentication ??

Hi,
I am trying to implement my own authentication (and then authorisation) in restlet; but I am having some trouble.  Hopefully someone can give me a hand; the doco seems somewhat out of date with respect to jax-rs.

I have a jax-rs restlet server that will receive an HTTP message that includes the final part of the HTTP_NTLM challenge/response process: type3 NTLM content inside the authenticate header.

I want my restlet to decode the type3 NTLM (I already have this code) and pull out the userId, domainName and workstationId and check them against the content of the URI and my own database.  If they all match then the request should be processed.

The client code I have is:
ClientResource resource= new ClientResource(serverAddress);
ChallengeResponse challenge = new ChallengeResponse(ChallengeScheme.HTTP_NTLM, ntlmType3Data);
resource.setChallengeResponse(challenge);
Representation representation = resource.get();

The server code I have is:
component = new Component();
component.getServers().add(protocol, ipAddress, port);
JaxRsApplication application = new JaxRsApplication(component.getContext().createChildContext());
application.add(new MyApplication());

final MyAuthenticator guardMyApplication = new MyAuthenticator(application.getContext(), false, ChallengeScheme.HTTP_NTLM, "MyApp");
MyVerifier verifier = new MyVerifier();
guardMyApplication.setVerifier(verifier);
application.setGuard(guardMyApplication);

component.getDefaultHost().attach(application);


The MyAuthenticator class extends ChallengeAuthenticator and has no custom code in it.

The MyVerifier class extends Verifier and has an implementation for the verify() method.  This is what I do in my verify() method:

ChallengeResponse cRes = request.getChallengeResponse();
String credentials = cRes.getCredentials();
String identifier = cRes.getIdentifier();

I get an exception when getCredentials() is called.  This is a dead end for me because I need the data from the authorization header to do the verification.

I also get a warning message saying that restlet does not support HTTP_NTLM: "Challenge scheme HTTP_NTLM not supported by the Restlet engine."

I assume I haven't got this hooked together properly.

Can someone please help.

Thanks,
Ty

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2412883
webpost

RE: custom authentication ??

After a bit more testing I have something working. I seem to have a couple simple mistakes in my last post.

Instead of this:
MyVerifier verifier = new MyVerifier();
guardMyApplication.setVerifier(verifier);
application.setGuard(guardMyApplication);

I just do this now (ignoring the verifier altogether):
application.setGuard(guardMyApplication);

I'm not sure if the verifier is really necessary. I have a feeling that it could make it easier to get an unauthorised response to happen... If anyone knows could they please enlighten me.

I still can't get the credential when using the HTTP_NTLM scheme: request.getChallengeResponse() returns null. I suppose I need to implement some more stuff to hook it into the processing...

As luck would have it I don't really want to process HTTP_NTLM properly; I have a proxy that does all that for me. All I need is to get my hands on the credential (which should be the type-3 NTLM header).

So I changed the scheme to HTTP_DIGEST and now I can get hold of the credential.

Can anyone think of a reason why it would be a bad idea to do this the way I am doing it now? Or a better way of doing it. This code will end up running in my production systems; so I want to avoid any gotchas early if I can.

Thanks,
Ty

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2413135
jlouvel

RE: custom authentication ??

Hi Ty,

You have two options on the server side:
 - register a new NtlmAuthenticatorHelper on the Restlet engine doing the
parsing/formatting of the HTTP authentication headers, so you can use high
level Restlet credential objects
 - retrieve the raw HTTP headers directly. See this FAQ:
http://www.restlet.org/documentation/1.1/faq#01

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com




------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2413771
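
An added example, not part of the original thread and not Restlet code: a plain-JDK parser for the Type 3 message discussed above, taking the raw `Authorization` header value (the second option in the reply) and bounds-checking every field descriptor before reading it. The class name, the sample values and the ISO-8859-1 stand-in for the OEM code page are assumptions. The extracted fields are whatever the client sent, so they are only trustworthy when an upstream component (the proxy mentioned in the thread) has already validated the NTLM response and is the only network path to this server.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NtlmType3 {
    /** Returns {domain, user, workstation} from an "NTLM <base64>" Authorization value. */
    static String[] parse(String headerValue) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "NTLM ", 0, 5))
            throw new IllegalArgumentException("not an NTLM Authorization value");
        byte[] msg = Base64.getDecoder().decode(headerValue.substring(5).trim());
        if (msg.length < 64) // fixed fields up to and including NegotiateFlags
            throw new IllegalArgumentException("too short for a Type 3 message");
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        String sig = new String(msg, 0, 8, StandardCharsets.US_ASCII);
        if (!sig.equals("NTLMSSP\0") || buf.getInt(8) != 3)
            throw new IllegalArgumentException("not an NTLMSSP Type 3 message");
        // NTLMSSP_NEGOTIATE_UNICODE (bit 0) selects UTF-16LE; otherwise the OEM
        // code page applies, approximated here by ISO-8859-1 (assumption).
        Charset cs = (buf.getInt(60) & 1) != 0
                ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1;
        return new String[] { field(buf, 28, cs), field(buf, 36, cs), field(buf, 44, cs) };
    }

    /** Reads one {len u16, maxLen u16, offset u32} descriptor and bounds-checks it. */
    private static String field(ByteBuffer buf, int at, Charset cs) {
        int len = buf.getShort(at) & 0xFFFF;
        long off = buf.getInt(at + 4) & 0xFFFFFFFFL;
        if (len == 0) return "";
        if (off < 64 || off + len > buf.capacity())
            throw new IllegalArgumentException("field at " + at + " points outside the message");
        return new String(buf.array(), (int) off, len, cs);
    }

    public static void main(String[] args) {
        // Constructed sample message (not captured traffic): empty LM/NT responses.
        String[] vals = { "CORP", "ty", "WS01" };
        ByteBuffer b = ByteBuffer.allocate(84).order(ByteOrder.LITTLE_ENDIAN);
        b.put("NTLMSSP\0".getBytes(StandardCharsets.US_ASCII)).putInt(3).putInt(60, 1);
        int off = 64;
        for (int i = 0; i < vals.length; i++) {
            byte[] v = vals[i].getBytes(StandardCharsets.UTF_16LE);
            b.putShort(28 + 8 * i, (short) v.length).putShort(30 + 8 * i, (short) v.length)
             .putInt(32 + 8 * i, off);
            for (byte x : v) b.put(off++, x);
        }
        String header = "NTLM " + Base64.getEncoder().encodeToString(b.array());
        System.out.println(String.join(" / ", parse(header)));
    }
}
```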