- Notifications
You must be signed in to change notification settings - Fork137
Play2.x Authentication and Authorization module
License
t2v/play2-auth
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation

This module offers Authentication and Authorization features to Play2.x applications
This module targets theScala version ofPlay2.x.
The existingSecurity
trait in Play2.x API does not define an identifier that identifies a user.
If you use an Email or a userID as an identifier,users can not invalidate their session if the session cookie is intercepted.
This module creates a unique SessionID using a secure random number generator.Even if the sessionId cookie is intercepted, users can invalidate the session by logging in again.Your application can expire sessions after a set time limit.
Since theSecurity
trait in Play2.x API returnsAction
,complicated action methods wind up deeply nested.
Play2x-Auth provides a way of composition.
for Play2.3.x, Please seeprevious version 0.13.5 README
for Play2.2.x, Please seeprevious version 0.11.1 README
Since Play2.3'sSimpleResult
is renamed toResult
, The play2.auth trait signatures are changed at version 0.12.0
Since Play2.2'sResult
is deprecated, The play2.auth trait signatures are changed at version 0.11.0
Add dependency declarations into yourBuild.scala
orbuild.sbt
file:
for Play2.4.x
"jp.t2v" %% "play2-auth" % "0.14.2", "jp.t2v" %% "play2-auth-social" % "0.14.2", // for social login "jp.t2v" %% "play2-auth-test" % "0.14.2" % "test", play.sbt.Play.autoImport.cache // only when you use default IdContainer
For example yourBuild.scala
might look like this:
valappDependencies=Seq("jp.t2v"%%"play2-auth"%"0.14.2","jp.t2v"%%"play2-auth-social"%"0.14.2","jp.t2v"%%"play2-auth-test"%"0.14.2"%"test", play.sbt.Play.autoImport.cache )
First create a trait that extends
jp.t2v.lab.play2.auth.AuthConfig
inapp/controllers
.// Exampleimportjp.t2v.lab.play2.auth._traitAuthConfigImplextendsAuthConfig {/** * A type that is used to identify a user. * `String`, `Int`, `Long` and so on.*/typeId=String/** * A type that represents a user in your application. * `User`, `Account` and so on.*/typeUser=Account/** * A type that is defined by every action for authorization. * This sample uses the following trait: * * sealed trait Role * case object Administrator extends Role * case object NormalUser extends Role*/typeAuthority=Role/** * A `ClassTag` is used to retrieve an id from the Cache API. * Use something like this:*/validTag:ClassTag[Id]= classTag[Id]/** * The session timeout in seconds*/valsessionTimeoutInSeconds:Int=3600/** * A function that returns a `User` object from an `Id`. * You can alter the procedure to suit your application.*/defresolveUser(id:Id)(implicitctx:ExecutionContext):Future[Option[User]]=Account.findById(id)/** * Where to redirect the user after a successful login.*/defloginSucceeded(request:RequestHeader)(implicitctx:ExecutionContext):Future[Result]=Future.successful(Redirect(routes.Message.main))/** * Where to redirect the user after logging out*/deflogoutSucceeded(request:RequestHeader)(implicitctx:ExecutionContext):Future[Result]=Future.successful(Redirect(routes.Application.login))/** * If the user is not logged in and tries to access a protected resource then redirect them as follows:*/defauthenticationFailed(request:RequestHeader)(implicitctx:ExecutionContext):Future[Result]=Future.successful(Redirect(routes.Application.login))/** * If authorization failed (usually incorrect password) redirect the user as follows:*/overridedefauthorizationFailed(request:RequestHeader,user:User,authority:Option[Authority])(implicitcontext:ExecutionContext):Future[Result]= {Future.successful(Forbidden("no permission")) }/** * A function that determines what `Authority` a user has. * You should alter this procedure to suit your application.*/defauthorize(user:User,authority:Authority)(implicitctx:ExecutionContext):Future[Boolean]=Future.successful { (user.role, authority)match {case (Administrator, _)=>truecase (NormalUser,NormalUser)=>truecase _=>false } }/** * (Optional) * You can custom SessionID Token handler. * Default implementation use Cookie.*/overridelazyvaltokenAccessor=newCookieTokenAccessor(/* * Whether use the secure option or not use it in the cookie. * Following code is default.*/ cookieSecureOption= play.api.Play.isProd(play.api.Play.current), cookieMaxAge=Some(sessionTimeoutInSeconds) )}
Next create a
Controller
that defines both login and logout actions.ThisController
mixes in thejp.t2v.lab.play2.auth.LoginLogout
trait andthe trait that you created in first step.objectApplicationextendsControllerwithLoginLogoutwithAuthConfigImpl {/** Your application's login form. Alter it to fit your application*/valloginForm=Form { mapping("email"-> email,"password"-> text)(Account.authenticate)(_.map(u=> (u.email,""))) .verifying("Invalid email or password", result=> result.isDefined) }/** Alter the login page action to suit your application.*/deflogin=Action {implicit request=>Ok(html.login(loginForm)) }/** * Return the `gotoLogoutSucceeded` method's result in the logout action. * * Since the `gotoLogoutSucceeded` returns `Future[Result]`, * you can add a procedure like the following. * * gotoLogoutSucceeded.map(_.flashing( * "success" -> "You've been logged out" * ))*/deflogout=Action.async {implicit request=>// do something... gotoLogoutSucceeded }/** * Return the `gotoLoginSucceeded` method's result in the login action. * * Since the `gotoLoginSucceeded` returns `Future[Result]`, * you can add a procedure like the `gotoLogoutSucceeded`.*/defauthenticate=Action.async {implicit request=> loginForm.bindFromRequest.fold( formWithErrors=>Future.successful(BadRequest(html.login(formWithErrors))), user=> gotoLoginSucceeded(user.get.id) ) }}
Lastly, mix
jp.t2v.lab.play2.auth.AuthElement
trait and the trait that was created in the first stepinto your Controllers:objectMessageextendsControllerwithAuthElementwithAuthConfigImpl {// The `StackAction` method// takes `(AuthorityKey, Authority)` as the first argument and// a function signature `RequestWithAttributes[AnyContent] => Result` as the second argument and// returns an `Action`// The `loggedIn` method// returns current logged in userdefmain=StackAction(AuthorityKey->NormalUser) {implicit request=>valuser= loggedInvaltitle="message main"Ok(html.message.main(title)) }deflist=StackAction(AuthorityKey->NormalUser) {implicit request=>valuser= loggedInvaltitle="all messages"Ok(html.message.list(title)) }defdetail(id:Int)=StackAction(AuthorityKey->NormalUser) {implicit request=>valuser= loggedInvaltitle="messages detail"Ok(html.message.detail(title+ id)) }// Only Administrator can execute this action.defwrite=StackAction(AuthorityKey->Administrator) {implicit request=>valuser= loggedInvaltitle="write message"Ok(html.message.write(title)) }}
play2.auth provides test module at version 0.8
You can useFakeRequest
with logged-in status.
packagetestimportorg.specs2.mutable._importplay.api.test._importplay.api.test.Helpers._importcontrollers.{AuthConfigImpl,Messages}importjp.t2v.lab.play2.auth.test.Helpers._classApplicationSpecextendsSpecification {objectconfigextendsAuthConfigImpl"Messages" should {"return list when user is authorized" innewWithApplication {valresult=Messages.list(FakeRequest().withLoggedIn(config)(1)) contentType(result) must equalTo("text/html") } }}
Import
jp.t2v.lab.play2.auth.test.Helpers._
Define instance what is mixed-in
AuthConfigImpl
object config extends AuthConfigImpl
Call
withLoggedIn
method onFakeRequest
- first argument:
AuthConfigImpl
instance. - second argument: user ID of the user who is logged-in at this request
- first argument:
It makes enable to test controllers with play2.auth
For example, a Social networking application has a function to edit messages.
A user must be able to edit their own messages but not other people's messages.
To achieve this you could defineAuthority
as aFunction
:
traitAuthConfigImplextendsAuthConfig {// Other setup is omitted.typeAuthority=User=>Future[Boolean]defauthorize(user:User,authority:Authority)(implicitctx:ExecutionContext):Future[Boolean]= authority(user)}
objectApplicationextendsControllerwithAuthElementwithAuthConfigImpl {privatedefsameAuthor(messageId:Int)(account:Account):Future[Boolean]=Message.getAutherAsync(messageId).map(_== account)defedit(messageId:Int)=StackAction(AuthorityKey-> sameAuthor(messageId)) {implicit request=>valuser= loggedInvaltarget=Message.findById(messageId)Ok(html.message.edit(messageForm.fill(target))) }}
When an unauthenticated user requests access to page requiring authentication,you first redirect the user to the login page, then, after the user successfully logs in, you redirect the user to the page they originally requested.
To achieve this changeauthenticationFailed
andloginSucceeded
:
traitAuthConfigImplextendsAuthConfig {// Other settings are omitted.defauthenticationFailed(request:RequestHeader)(implicitctx:ExecutionContext):Future[Result]=Future.successful(Redirect(routes.Application.login).withSession("access_uri"-> request.uri))defloginSucceeded(request:RequestHeader)(implicitctx:ExecutionContext):Future[Result]= {valuri= request.session.get("access_uri").getOrElse(routes.Message.main.url.toString)Future.successful(Redirect(uri).withSession(request.session-"access_uri")) }}
If you want to display the application's index differently to non-logged-in usersand logged-in users, you can useOptionalAuthElement
instead ofAuthElement
:
objectApplicationextendsControllerwithOptionalAuthElementwithAuthConfigImpl {// maybeUser is an instance of `Option[User]`.// `OptionalAuthElement` dont need `AuthorityKey`defindex=StackAction {implicit request=>valmaybeUser:Option[User]= loggedInvaluser:User= maybeUser.getOrElse(GuestUser)Ok(html.index(user)) }}
you canAuthenticationElement
instead ofAuthElement
for authentication without authorization.
objectApplicationextendsControllerwithAuthenticationElementwithAuthConfigImpl {defindex=StackAction {implicit request=>valuser:User= loggedInOk(html.index(user)) }}
Normally, you want to return a login page redirection at a authentication failed.Although, when the request is sent by Ajax you want to instead return 401, Unauthorized.
You can do it as follows.
defauthenticationFailed(request:RequestHeader)(implicitctx:ExecutionContext)=Future.successful { request.headers.get("X-Requested-With")match {caseSome("XMLHttpRequest")=>Unauthorized("Authentication failed")case _=>Redirect(routes.Application.login) }}
play2.auth usestackable-controller
Suppose you want to validate a token at every action in order to defeat aCross Site Request Forgery attack.
Since it is impractical to perform the validation in all actions, you would define a trait like this:
importjp.t2v.lab.play2.stackc.{RequestWithAttributes,StackableController}importscala.concurrent.Futureimportplay.api.mvc.{Result,Request,Controller}importplay.api.data._importplay.api.data.Forms._traitTokenValidateElementextendsStackableController {self:Controller=>privatevaltokenForm=Form("token"-> text)privatedefvalidateToken(request:Request[_]):Boolean= (for { tokenInForm<- tokenForm.bindFromRequest()(request).value tokenInSession<- request.session.get("token") }yield tokenInForm== tokenInSession).getOrElse(false)overridedefproceed[A](request:RequestWithAttributes[A])(f:RequestWithAttributes[A]=>Future[Result]):Future[Result]= {if (validateToken(request))super.proceed(request)(f)elseFuture.successful(BadRequest) }}
You can useTokenValidateElement
trait withAuthElement
trait.
objectApplicationextendsControllerwithTokenValidateElementwithAuthElementwithAuthConfigImpl {defpage1=StackAction(AuthorityKey->NormalUser) {implicit request=>// do somethingOk(html.page1("result")) }defpage2=StackAction(AuthorityKey->NormalUser) {implicit request=>// do somethingOk(html.page2("result")) }}
There are asynchronous libraries ( for example:ReactiveMongo,ScalikeJDBC-Async, and so on ).
You should useFuture[Result]
instead ofAsyncResult
from Play2.2.
You can useAsyncStack
instead ofStackAction
for Future[Result]
traitHogeControllerextendsAuthElementwithAuthConfigImpl {defhoge=AsyncStack {implicit req=>valmessages:Future[Seq[Message]]=AsyncDB.withPool {implicit s=>Message.findAll } messages.map(Ok(html.view.messages(_))) }}
Play2x-Auth follows the Play framework's stateless policy.However, Play2x-Auth's default implementation is stateful,because the stateless implementation has the following security risk:
If user logs-in to your application in a internet-cafe, then returns home neglecting to logout.If the user logs in again at home they willnot invalidate the session.
Nevertheless, you want to use a fully stateless implementation then just override theidContainer
method ofAuthConfig
like this:
traitAuthConfigImplextendsAuthConfig {// Other settings omitted.overridelazyvalidContainer:AsyncIdContainer[Id]=AsyncIdContainer(newCookieIdContainer[Id])}
You could also store the session data in a Relational Database by overriding the id container.
Note:CookieIdContainer
doesn't support session timeout.
git clone https://github.com/t2v/play2-auth.git
cd play2-auth
sbt "project sample" run
- access to
http://localhost:9000/
on your browser.click
Apply this script now!
login
defined accounts
Email | Password | Role alice@example.com | secret | Administrator bob@example.com | secret | NormalUser chris@example.com | secret | NormalUser
Ehcache, the default cache implementation used by Play2.x, does not work on distributed application servers.
If you have distributed servers, use theMemcached Plugin or something similar.
This library is released under the Apache Software License, version 2,which should be included with the source in a file namedLICENSE
.
About
Play2.x Authentication and Authorization module