In Restlet you have a class called SecretVerifier with an abstract method verify(String identifier, char[] secret) that you are to override in your subclass. The base class will also create a User object initialized with the identifier. So far so good.
Now the Enroler interface needs to be implemented to "add" roles to the aforementioned User object (that is passed to the subclass via the ClientInfo object). Here is where you "add" roles to the User object.
Let's assume that ChallengeAuthenticator is being used for authentication.
Question: Both these classes are quite distinct and you don't have access to the corresponding Request/Response objects. The very design sort of forces you to perform 2 round trips to the DB - one to verify the password and one to fetch the roles of the user. Is this an efficient design?
You can fetch everything in a single query, so to speak. And since both classes will invoke the corresponding DAOs separately, there will be 2 calls to the DB.
Of course you can have slightly convoluted code by overriding SecretVerifier.getIdentifier(Request req, Response resp) and then use that to fetch everything and add the roles - but the verify method seems to be a part of the template patter and you can't really control what's happening in the base class, unless you directly implement Verifier and reinvent the wheel and 'tweak' the code ever so slightly...but the question is about the design decision. I don't want to start a debate. I just want to know is something like this (2 trips) one for authentication, the other for roles quite common and is efficient under moderate-high loads?
I understand well your question. In fact, authentication and authorization are two distinct issues. In your case, you handle both in your applications but it's not always the case specially when you use external authentication providers through OpenID. In this case, the chosen provider does the authentication and you then manage roles for the current user.
Regarding your question, you can do authentication and authorization processing in one call to the database. You need to get user / role hints within the verifier entity and then pass them to the enroler entity using the current request instance.
Here is an example:
Verifier:
public class MySecretVerifier extends SecretVerifier {
private SecurityDao securityDao = (...);
public int verify(String identifier, char[] secret)
throws IllegalArgumentException {
ApplicationUser user = securityDao.loadUser(identifier);
//user contains both user hints and roles
if (user!=null
&& compare(user.getPassword().toCharArray(), secret)) {
Request request = Request.getCurrent();
request.getAttributes().put("currentUser", user);
return SecretVerifier.RESULT_VALID;
} else {
return SecretVerifier.RESULT_INVALID;
}
}
}
Enroler:
public class MyEnroler implements Enroler {
public void enrole(ClientInfo clientInfo) {
Request request = Request.getCurrent();
User user = request.getAttributes().put("currentUser");
if (user!=null) {
List<UserRole> roles = user.getRoles();
if (roles!=null) {
for (UserRole userRole : roles) {
// example of role creation
Role role = new Role(userRole.getName(), "");
clientInfo.getRoles().add(role);
}
}
}
}
}
Hope it helps you. Thierry