REST authentication guard that returns HTTP 403

136 views
Skip to first unread message

rjregenold

unread,
Oct 2, 2011, 10:01:27 AM10/2/11
to Lift
Hi,

I'm trying to secure a set of REST services I've written using Lift. I
came across a very cool snippet that David shared (and that is blogged
in detail here: http://blog.getintheloop.eu/2011/02/23/http-dispatch-guards-using-partial-function/
). Basically, you can use a partial function to ensure an
authenticated user like this:

LiftRules.dispatch.append(withAuthentication guard MyService)

I really like this method, except that when I try to access a resource
in my service while not authenticated, I get a 404 instead of a 403. I
believe this is because the partial function fails and so MyService is
never added to the dispatch table.

I have services that require auth and others that do not. What is a
good pattern for protecting the ones that require auth?

The only thing I've really come up with is to put the protected
services behind a URL that is easily pattern matched (ie: /api/secure/
resource1). That is easy to do, but I was hoping for something with
the readability of the first approach.

Any suggestions?

Thanks!

Timothy Perrett

unread,
Oct 3, 2011, 4:47:50 AM10/3/11
to lif...@googlegroups.com
Afraid not, look at the definition of the guard pimp:

final class PartialFunctionWrapper[A](around: PartialFunction[A, _]) {
  def guard[B](other: PartialFunction[A, B]): PartialFunction[A,B] =
    new PartialFunction[A, B] {
      def isDefinedAt(a: A) = around.isDefinedAt(a) && other.isDefinedAt(a)
      def apply(a: A): B = other.apply(a)
    }
}

The around B is never used. Also, even with a guard in place the dispatch is still added to the dispatch table, but access is just determined at runtime (like all match guards). The 404 is just the fallback behaviour. You've got several options as I see it:

1) Just bang together an OAuth 2 server
2) Use basic auth over SSL
3) Use digest auth

The latter two are supported out of the box, the former would need some work and also depends on what types of calling clients you're dealing with, but would probably be the better solution.

HTH

Tim


Timothy Perrett

unread,
Oct 3, 2011, 4:50:37 AM10/3/11
to lif...@googlegroups.com

rjregenold

unread,
Oct 3, 2011, 12:24:30 PM10/3/11
to Lift
Awesome, thanks for the info. I'll keep an eye on the ticket created
from that thread.

For what I'm doing, basic auth over SSL should work just fine.

Thanks again!
Reply all
Reply to author
Forward
0 new messages