Forcing Authentication not working
The documentation says that if I have a rule that responds with Empty, it means that authentication is performed, but not an authorization check. This is what I need. So, I have a rule something like:
LiftRules.httpAuthProtectedResource.append {
  case req : Req => req.path match {
    case ParsePath("restricted" :: _, _, _, _) => restrictedRole
    case _ => Empty
  }
}
Alas, I can clearly see that my authentication is NOT being performed for just any page. I think I found the source code that is the culprit. From LiftServlet.scala:
private def authPassed_?(req: Req): Boolean = {
  val checkRoles: (Role, List[Role]) => Boolean = {
    case (resRole, roles) => (false /: roles)((l, r) => l || resRole.isChildOf(r.name))
  }
  val role = NamedPF.applyBox(req, LiftRules.httpAuthProtectedResource.toList)
  role.map(_ match {
    case Full(r) =>
      LiftRules.authentication.verified_?(req) match {
        case true => checkRoles(r, userRoles.get)
        case _ => false
      }
    case _ => true
  }) openOr true
}
This logic seems to be inconsistent with the documentation found in LiftRules.scala:
/**
 * Defines the resources that are protected by authentication and authorization. If this function
 * is not defined for the input data, the resource is considered unprotected, ergo no authentication
 * is performed. If this function is defined and returns a Full can, it means that this resource
 * is protected by authentication, and the authenticated subject must be assigned to the role returned by
 * this function or to a role that is a child of this role. If this function returns Empty it means that
 * this resource is protected by authentication but no authorization is performed, meaning that roles are
 * not verified.
 */
val httpAuthProtectedResource = RulesSeq[HttpAuthProtectedResourcePF]
Shouldn't there be something like:
    case Empty =>
      LiftRules.authentication.verified_?(req)
?
See thread for more details.
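As an added stand-alone illustration (not code from the Lift project or from the reporter), the decision in authPassed_? modelled with the report's rule and both versions of the Empty case. Box, Full, Empty, Role, Req, lookup and hasRole are minimal stand-ins for Lift's types, and the role check is simplified to an exact role match instead of isChildOf.

```scala
// Stand-ins for Lift's Box/Full/Empty, Role and Req (not Lift's own code).
object AuthPassedDemo extends App {
  sealed trait Box[+A] {
    def map[B](f: A => B): Box[B]
    def openOr[B >: A](default: => B): B
  }
  case class Full[A](value: A) extends Box[A] {
    def map[B](f: A => B): Box[B] = Full(f(value))
    def openOr[B >: A](default: => B): B = value
  }
  case object Empty extends Box[Nothing] {
    def map[B](f: Nothing => B): Box[B] = Empty
    def openOr[B](default: => B): B = default
  }
  case class Role(name: String)
  case class Req(path: List[String], authenticated: Boolean, roles: List[Role])

  // The rule from the report: /restricted needs "admin"; every other path
  // matches and returns Empty (authentication required, roles not checked).
  val restrictedRole = Role("admin")
  val protectedResource: PartialFunction[Req, Box[Role]] = {
    case req if req.path.headOption.contains("restricted") => Full(restrictedRole)
    case _ => Empty
  }
  // NamedPF.applyBox stand-in: outer Empty when no rule matches, otherwise
  // Full(whatever the rule returned), so a matching Empty rule yields Full(Empty).
  def lookup(req: Req): Box[Box[Role]] =
    if (protectedResource.isDefinedAt(req)) Full(protectedResource(req)) else Empty
  // Simplified checkRoles: the request must carry the required role.
  def hasRole(req: Req, r: Role): Boolean = req.roles.exists(_ == r)

  // Current LiftServlet logic: Full(Empty) falls into "case _ => true", so a
  // rule that returns Empty never forces authentication.
  def authPassedCurrent(req: Req): Boolean =
    lookup(req).map {
      case Full(r) => req.authenticated && hasRole(req, r)
      case _       => true
    } openOr true
  // Logic suggested in the report: Empty still requires a verified request.
  def authPassedFixed(req: Req): Boolean =
    lookup(req).map {
      case Full(r) => req.authenticated && hasRole(req, r)
      case Empty   => req.authenticated
    } openOr true

  // Constructed requests: an unauthenticated visit to an Empty-ruled page, and an admin on /restricted.
  val anonymous = Req(List("index"), authenticated = false, Nil)
  val admin     = Req(List("restricted"), authenticated = true, List(restrictedRole))
  println(s"anonymous /index  current=${authPassedCurrent(anonymous)} fixed=${authPassedFixed(anonymous)}")
  println(s"admin /restricted current=${authPassedCurrent(admin)} fixed=${authPassedFixed(admin)}")
}
```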
This is on review board
Fixed