Authenticating requests of Seaside REST filters (Using Zinc?)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Authenticating requests of Seaside REST filters (Using Zinc?)

Esteban A. Maringolo
I want to add authentication to a Seaside app I'm programming.

Particularly to the REST API I implemented by means of a WARestfulFilter. I want to use HTTP authentication against my existing authentication subsystem.

But I don't know where to "hook in" the authentication process.
Options:
1) Should I have my own Zinc delegate for the API? Authenticating everything before it reaches the ZnSeasideServerAdaptorDelegate?

2) Should I have to use something different than WARestfulFilter and use instead a WARestfulHandler starting at a different URN path? (maybe with a different delegate at that path).
E.g. have the "common" seaside delegate installed a myhost/ui/ and the "REST" http authenticated delegate installed at "myhost/api/"?


Any suggestion is welcome.

--
Regards!




Reply | Threaded
Open this post in threaded view
|

Re: Authenticating requests of Seaside REST filters (Using Zinc?)

Sven Van Caekenberghe-2
Hi Esteban,

On 16 Sep 2013, at 04:25, "Esteban A. Maringolo" <[hidden email]> wrote:

> I want to add authentication to a Seaside app I'm programming.
>
> Particularly to the REST API I implemented by means of a WARestfulFilter. I
> want to use HTTP authentication against my existing authentication
> subsystem.
>
> But I don't know where to "hook in" the authentication process.
> Options:
> 1) Should I have my own Zinc delegate for the API? Authenticating everything
> before it reaches the ZnSeasideServerAdaptorDelegate?

I think both options are valid, but I am only going to answer how to do it in Zinc. You can keep the ZnSeasideServerAdaptorDelegate, authentication in Zinc is orthogonal to request handling. All you have to do is set an authenticator object for the Zn server.

Have a look at ZnServer>>#authenticator: and ZnBasicAuthenticator (and its usages in tests). Since authentication is quite specific to most projects, you will probably want to implement your own authenticator.

HTH,

Sven

> 2) Should I have to use something different than WARestfulFilter and use
> instead a WARestfulHandler starting at a different URN path? (maybe with a
> different delegate at that path).
> E.g. have the "common" seaside delegate installed a myhost/ui/ and the
> "REST" http authenticated delegate installed at "myhost/api/"?
>
>
> Any suggestion is welcome.
>
> --
> Regards!
>
>
>
>
>
>
>
>
> --
> View this message in context: http://forum.world.st/Authenticating-requests-of-Seaside-REST-filters-Using-Zinc-tp4708474.html
> Sent from the Seaside General mailing list archive at Nabble.com.
> _______________________________________________
> seaside mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside



--
Sven Van Caekenberghe
http://stfx.eu
Smalltalk is the Red Pill

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Authenticating requests of Seaside REST filters (Using Zinc?)

Philippe Marschall
In reply to this post by Esteban A. Maringolo
On Mon, Sep 16, 2013 at 4:25 AM, Esteban A. Maringolo
<[hidden email]> wrote:

> I want to add authentication to a Seaside app I'm programming.
>
> Particularly to the REST API I implemented by means of a WARestfulFilter. I
> want to use HTTP authentication against my existing authentication
> subsystem.
>
> But I don't know where to "hook in" the authentication process.
> Options:
> 1) Should I have my own Zinc delegate for the API? Authenticating everything
> before it reaches the ZnSeasideServerAdaptorDelegate?
>
> 2) Should I have to use something different than WARestfulFilter and use
> instead a WARestfulHandler starting at a different URN path? (maybe with a
> different delegate at that path).
> E.g. have the "common" seaside delegate installed a myhost/ui/ and the

Add a WAAuthenticationFilter around it.

Cheers
Philippe
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Authenticating requests of Seaside REST filters (Using Zinc?)

Esteban A. Maringolo
Sven, Phillipe,

While I was debugging the request/response cycle I found I could plug in an authenticator in the Zinc delegate. Or as Philippe suggest I can also use the WAAuthenticationFilter.

But any of those options will require the authentication also for "normal" requests (it is, no REST) that go to the same URI.

The web application is authenticated at the app level (login form, custom WASession class, etc), but all HTTP requests are accepted.
On the other hand I want the REST API to authenticate all requests at HTTP level, because it is going to be 100% stateless.

Any of the proposed solutions seems to be all-or-nothing authentication at the delegate or seaside app level. Or maybe I'm not understanding something.

The only solution I found for this was to have my own Zinc delegate to the REST API, and move everything to different "branches" of the server.
It is:
* Regular not authenticated ZnSeasideServerAdaptorDelegate handling everything at myserver/webapp/*
* HTTP Authentication enabled ZnSeasideServerAdaptorDelegate handling everything at myserver/api/*

But maybe there is a simpler option.

Thank you!





Reply | Threaded
Open this post in threaded view
|

Re: Authenticating requests of Seaside REST filters (Using Zinc?)

Philippe Marschall
On Mon, Sep 16, 2013 at 2:04 PM, Esteban A. Maringolo
<[hidden email]> wrote:

> Sven, Phillipe,
>
> While I was debugging the request/response cycle I found I could plug in an
> authenticator in the Zinc delegate. Or as Philippe suggest I can also use
> the WAAuthenticationFilter.
>
> But any of those options will require the authentication also for "normal"
> requests (it is, no REST) that go to the same URI.
>
> The web application is authenticated at the app level (login form, custom
> WASession class, etc), but all HTTP requests are accepted.
> On the other hand I want the REST API to authenticate all requests at HTTP
> level, because it is going to be 100% stateless.
>
> Any of the proposed solutions seems to be all-or-nothing authentication at
> the delegate or seaside app level. Or maybe I'm not understanding something.
>
> The only solution I found for this was to have my own Zinc delegate to the
> REST API, and move everything to different "branches" of the server.
> It is:
> * Regular not authenticated ZnSeasideServerAdaptorDelegate handling
> everything at myserver/webapp/*
> * HTTP Authentication enabled ZnSeasideServerAdaptorDelegate handling
> everything at myserver/api/*

It sort of depends what you request handler set up is. If you have a
different request handler for 'webapp' and 'api' then you can add the
filter only to 'api'. Otherwise you can subclass
WAAuthenticationFilter, override #handleFiltered:, look at the path
consumer and decided whether to authenticate or not.

Cheers
Philippe
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
Reply | Threaded
Open this post in threaded view
|

Re: Authenticating requests of Seaside REST filters (Using Zinc?)

Esteban A. Maringolo
2013/9/16 Philippe Marschall <[hidden email]>:
> Otherwise you can subclass
> WAAuthenticationFilter, override #handleFiltered:, look at the path
> consumer and decided whether to authenticate or not.

I thought this was some sort of hack, but now you also think about it,
maybe it's not. :)

I'll use this approach. It will save me from using two different
handlers. And I still be able to run the seaside delegate at the root
of the Zinc server (/).

Regards!
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside