Restlet客户端使用身份验证密钥

Question

Using restlet JEE 2.3.2.

I have a client id and secret to interact with the server restful API. Submitting that info gets me back an authorization key that must be used for subsequent request. In curl, I can make queries using that key and can get data back:

curl -XGET "Authorization c79cec57-a52f-4e04-f3ca-55ea2a202114" "https://some/restful/endpoint"

How do I set my client resource to submit that authorization key? The online docs doesn't seem to cover this scenario.

Answer 1

if the scheme is not important, you can use a "Custom" scheme, (as it is mandatory in HTTP specification"). In order to avoid the warning "scheme is not supported by restlet engine", just register one, as follow:

You can achieve what you need using a "custom" scheme, as follow.

    // Declare a custom Authenticator helper, if it is not standard
    Engine.getInstance().getRegisteredAuthenticators().add(new AuthenticatorHelper(ChallengeScheme.CUSTOM, true, false) {});

    // set up the reusable challenge response
    ChallengeResponse cred = new ChallengeResponse(ChallengeScheme.CUSTOM);
    cred.setRawValue("12344");

    ClientResource cr = new ClientResource("http://localhost:8183/");
    cr.setChallengeResponse(cred);
    cr.get();

If you want an empty scheme, you can do as follow:

    ChallengeResponse cred = new ChallengeResponse(new ChallengeScheme("",""));
    cred.setRawValue("12345");

Answer 2

In this case, I think that you can use challenge response as described since such feature builds the Authorization header using format Authorization: Scheme ChallengeResponseContent :

ClientResource resource = new ClientResource(resouceURL);
String token = "myToken";
ChallengeResponse cr = new ChallengeResponse(
             ChallengeScheme.HTTP_OAUTH_BEARER);
cr.setRawValue(token);
resource.setChallengeResponse(cr);
(...)

As a matter of fact, Restlet requires a challenge scheme that will be added before the token (or something else) within the value of the header Authorization . See extract from class AuthenticatorUtils#formatRequest :

public static String formatRequest(ChallengeRequest challenge,
        Response response, Series<Header> httpHeaders) {
    String result = null;

    if (challenge == null) {
        Context.getCurrentLogger().warning(
                "No challenge response to format.");
    } else if (challenge.getScheme() == null) {
        Context.getCurrentLogger().warning(
                "A challenge response must have a scheme defined.");
    } else if (challenge.getScheme().getTechnicalName() == null) {
        Context.getCurrentLogger().warning(
                "A challenge scheme must have a technical name defined.");
    } else {
        ChallengeWriter cw = new ChallengeWriter();
        cw.append(challenge.getScheme().getTechnicalName()).appendSpace();
        int cwInitialLength = cw.getBuffer().length();

        if (challenge.getRawValue() != null) {
            cw.append(challenge.getRawValue());
        } else {
    (...)

In your case, I think that you need to build the header Authorization by yourself as described below:

ClientResource resource = new ClientResource(resouceURL);
String token = "myToken";
resource.getRequest().getHeaders().add("Authorization", token);
resource.get();

You can also implement a custom client resource for your needs in order to automatically apply the token:

public class ProtectedClientResource extends ClientResource {
    private String token;

    public ProtectedClientResource(String uri) {
        super(uri);
    }

    @Override
    public Response handleOutbound(Request request) {
        if (token!=null) {
            request.getHeaders().add("Authorization", token);
        }
        return super.handleOutbound(request);
    }

    public String getToken() {
        return token;
    }

    public void setToken(String token) {
        this.token = token;
    }
}

Hope it helps you, Thierry