Hey All,
We’ve been working on using Coldbox to create rest style handlers.
Now everything is straight forward enough to get up and running but securing calls is not so easy.
I need to find a way to get a hold of the information being posted before it gets injected into the rc or some way of knowing where the rc got the values.
This way we can do something similar to oauth without needing oauth. Similar to what is posted here http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ we intend on expecting a hash which we can verify.
The problem stands that within an interceptor there is no way to know what within the RC must be used as part of the hash construction.
Given a simple route:
addRoute(pattern = “/user/:userid/:username”,
handler = “UserHandler”,
action = {PUT = “update”},
ssl = false);
The only way for an interceptor of “preProcess” to know that userid and username are parameters is by either having access to the invoked route config or by some other form of meta data.
Now while the validation could also lie in the handler and do secure checks before calling a service, we would like to avoid the boilerplate.
Considering all the possible ways that the parameters are able to be passed in; Is there any way to get the routes at runtime or intercept at the point where the RC is populated?
Thanks in advance,
Gerhard Davids
