
Sessions in Restlet?


I have just implemented my first Restlet application (finally :]) and now I'm onto a bigger question. I built a really simple resource called LoginResource, which allows a POST and a GET operation to allow users to log in and to check if they're logged in, respectively. Now that I've implemented this and I can actually have a client call the server, "log in," and see a result, how can I actually keep track of whether someone is logged in or not?

My application needs the following:

  1. I need a way to have a client initially log in and be able to see if they're logged in via a resource.
  2. I need to provide "secured" access to a list of objects via another resource. It's pretty simple, but it depends on me being able to control access, which as of right now I'm unable to do as I don't have any sense of sessions activated.

Is there an easy way to allow for me to enable sessions and keep users logged in for a time? If this were PHP, this would be my code:

// login.php: login code
$username = $_POST['username'];
$password = $_POST['password'];

if (validate($username, $password)) {
    session_start();
    $_SESSION['is_logged_in'] = "yarp";
    echo get_login_success();
} else {
    echo get_login_failure();
}

// list.php: display list of objects
session_start(); // resume the session; without this $_SESSION is never populated
if (isset($_SESSION['is_logged_in']))
    echo get_object_list();
else
    echo get_security_error();

I hate to bring it all back to PHP, but hey, it makes for quick pseudo-code.


Solution

  • Have a look at HTTP Basic, HTTP Digest and HTTP OAuth authentications (all supported by Restlet).

    For some clients such as browsers, cookie-based authentication is still used in REST but without a server-side session.

    Check this link: http://restlet.tigris.org/issues/show_bug.cgi?id=605
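
The cookie approach mentioned in the answer, sketched as an added example (not part of the original answer and not Restlet code): the server signs the user name and an expiry with an HMAC and puts the result in a cookie, so each request can be checked without any stored session. The class name, cookie layout and demo key are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (not a Restlet class): issues and checks a signed,
// expiring cookie value so the server keeps no per-user session state.
public class StatelessAuthCookie {
    private final byte[] key;
    public StatelessAuthCookie(byte[] key) { this.key = key.clone(); }

    // Cookie value layout: base64url(user) "." expiryEpochSeconds "." base64url(HMAC)
    public String issue(String user, long nowSeconds, long ttlSeconds) throws Exception {
        String payload = b64(user.getBytes(StandardCharsets.UTF_8)) + "." + (nowSeconds + ttlSeconds);
        return payload + "." + b64(hmac(payload));
    }

    // Returns the user name, or null if the value is malformed, forged or expired.
    public String verify(String cookie, long nowSeconds) throws Exception {
        String[] parts = cookie == null ? new String[0] : cookie.split("\\.");
        if (parts.length != 3) return null;
        byte[] given; long expiry;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
            expiry = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) { return null; }
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, given)) return null; // constant-time compare
        if (nowSeconds >= expiry) return null;                    // lifetime is enforced server-side
        return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real key is random and kept out of source control.
        StatelessAuthCookie auth = new StatelessAuthCookie("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String cookie = auth.issue("alice", 1000L, 600L);
        System.out.println(auth.verify(cookie, 1200L));       // within lifetime
        System.out.println(auth.verify(cookie + "x", 1200L)); // signature altered
        System.out.println(auth.verify(cookie, 1600L));       // past expiry
    }
}
```

Send the value only in a cookie marked Secure and HttpOnly. Because nothing is stored server-side, an individual token cannot be revoked before its expiry without changing the key.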