[Seaside] Re: Authenticating requests of Seaside REST filters
philippe.marschall at gmail.com
Mon Sep 16 14:38:32 UTC 2013
On Mon, Sep 16, 2013 at 2:04 PM, Esteban A. Maringolo
<emaringolo at gmail.com> wrote:
> Sven, Phillipe,
> While I was debugging the request/response cycle I found I could plug in an
> authenticator in the Zinc delegate. Or as Philippe suggest I can also use
> the WAAuthenticationFilter.
> But any of those options will require the authentication also for "normal"
> requests (it is, no REST) that go to the same URI.
> The web application is authenticated at the app level (login form, custom
> WASession class, etc), but all HTTP requests are accepted.
> On the other hand I want the REST API to authenticate all requests at HTTP
> level, because it is going to be 100% stateless.
> Any of the proposed solutions seems to be all-or-nothing authentication at
> the delegate or seaside app level. Or maybe I'm not understanding something.
> The only solution I found for this was to have my own Zinc delegate to the
> REST API, and move everything to different "branches" of the server.
> It is:
> * Regular not authenticated ZnSeasideServerAdaptorDelegate handling
> everything at myserver/webapp/*
> * HTTP Authentication enabled ZnSeasideServerAdaptorDelegate handling
> everything at myserver/api/*
It sort of depends what you request handler set up is. If you have a
different request handler for 'webapp' and 'api' then you can add the
filter only to 'api'. Otherwise you can subclass
WAAuthenticationFilter, override #handleFiltered:, look at the path
consumer and decided whether to authenticate or not.
More information about the seaside