Git Product home page Git Product logo

deadbolt-2's Introduction

Deadbolt 2 – An authorisation system for Play 2

Deadbolt is an authorisation mechanism for defining access rights to certain controller methods or parts of a view using a simple AND/OR/NOT syntax.

Note that Deadbolt doesn’t provide authentication! You can use the existing authentication features of Play 2, or third-party modules such as SecureSocial alongside Deadbolt to provide authentication, and in cases where authentication is handled outside your app you can just hook up the authorisation mechanism to whatever auth system is used.

Configuration

Implement DeadboltHandler. Update your application.conf to have

deadbolt.handler=fully-qualified name of your implementation

Deadbolt doesn’t cache the role holder within the same request by default. You can enable this (typically with performance benefits) by add this to application.conf

deadbolt.cache-user=true

A note on contexts

This issue was reported in github by jblipphaus:
When getting a result through my DeadboltHandler I recognized, that the current Http.Context seems to “get lost”, for example the @Messages(“foo”) call does not work any longer. So I had to add the following to the DeadboltHandler in my project:

public Result onAccessFailure(Http.Context context, String s) {
    Http.Context.current.set(context); // <-- this is needed to have a current Http.Context
    return ok(views.html.index.render());
}

The same with the ‘beforeRoleCheck’ method.

Installing Deadbolt

At the moment, there is no open repository for Play 2 modules, so Deadbolt 2 is hosted on github. You will
need to update the Build.scala of your application to add a repository resolver for this.

The dependency declaration is

"be.objectify" %% "deadbolt-2" % "1.1.2"

The Build.scala then looks like

object ApplicationBuild extends Build {
val appName = “deadbolt-usage” val appVersion = “1.1.2” val appDependencies = Seq( “deadbolt-2” %% “deadbolt-2” % “1.1.2” ) val main = PlayProject(appName, appVersion, appDependencies, mainLang = JAVA).settings( resolvers += Resolver.url(“Objectify Play Repository”, url(“http://schaloner.github.com/releases/”))(Resolver.ivyStylePatterns) ) }

The Deadbolt plugin

Deadbolt requires its plugin to be declared in the conf/play.plugins file. If this file doesn’t exist (it’s not created by default when you create a new project),
just create it in the conf directory first, and then add

10000:be.objectify.deadbolt.DeadboltPlugin

Controller restrictions

NB Method-level annotations override controller-level annotations. All controller restrictions can be applied at the
controller level or method level.

Name Dynamic
Used for arbitrary security. Requires an implementation of a DynamicResourceHandler, accessible through the DeadboltHandler
Parameters

  • value – the resource name
  • meta – additional info passed into the DynamicResourceHandler at runtime
  • content – indicates the response format in case of access failure
  • handler – a specific DeadboltHandler to use for this restriction, which overrides the application-standard handler

Examples

@Dynamic("foo", "hurdy:gurdy")
@Dynamic(name="foo", meta="hurdy:gurdy", content="json", handler=my.special.FunkyDeadboltHandler)

Name Restrict
Used for static security. Requires an implementation of a RoleHolder, accessible through the DeadboltHandler. Role names are ANDed together.
Parameters

  • value – the ANDed role names
  • content – indicates the response format in case of access failure
  • handler – a specific DeadboltHandler to use for this restriction, which overrides the application-standard handler

Examples

@Restrict("foo") // restricts access to RoleHolders with the foo role
@Restrict({"foo", "bar"}) // restricts access to RoleHolders with both the foo and bar roles

Name Restrictions
Used for static security. Requires an implementation of a RoleHolder, accessible through the DeadboltHandler. Role names are ANDed together within And annotations, and ORed together between And annotations.
Parameters

  • value – the restriction combinations
  • content – indicates the response format in case of access failure
  • handler – a specific DeadboltHandler to use for this restriction, which overrides the application-standard handler

Examples

@Restrictions({@And("foo"), @And("bar")}) // restricts access to RoleHolders with either the foo or bar roles

Name Unrestricted
Used for Marks the resource as unrestricted – no role checking, or presence of a role holder, is required
Parameters

  • content – indicates the response format in case of access failure
  • handler – a specific DeadboltHandler to use for this restriction, which overrides the application-standard handler

Examples

@Unrestricted

Name RoleHolderPresent
Used for Marks the resource as restricted, but only to logged-in users
Parameters

  • content – indicates the response format in case of access failure
  • handler – a specific DeadboltHandler to use for this restriction, which overrides the application-standard handler

Examples

@RoleHolderPresent

Name RoleHolderNotPresent
Used for Marks the resource as restricted, but only to not-logged-in users
Parameters

  • content – indicates the response format in case of access failure
  • handler – a specific DeadboltHandler to use for this restriction, which overrides the application-standard handler

Examples

@RoleHolderNotPresent

Name DeadboltPattern
Used for Evaluating exact matches, regular expressions or custom values against user permissions
Parameters

  • value – the pattern
  • patternType – indicates the type of pattern, either EQUALITY, REGEX or CUSTOM. EQUALITY is the default value.
  • content – indicates the response format in case of access failure
  • handler – a specific DeadboltHandler to use for this restriction, which overrides the application-standard handler

Examples
bc. @DeadboltPattern(“(.)*\\.edit”)

Notes:

  • Regular expressions are cached for efficiency

View restrictions

If you don’t want to use the full namespace of the tags, you can import some or all of them in your template.

@import be.objectify.deadbolt.views.html._

Name restrict
Used for static security. This is the view equivalent of @Restrictions.
Parameters

  • roles – a List of String arrays. Roles within an array are ANDed together; Each array represents an OR.

Examples

@restrict(la(as("foo"))) {
   foo
 }

Notes:
As a convenience to create the lists and arrays, you can import the methods of TemplateUtils and use the following methods
– la – create a list of arrays
– as – create an array of strings
You can see this used in the example above. A more detailed example is

@deadbolt.restrict(la(as("foo"),as("bar"))) {
  foo
 }

You can import these methods into your templates with @import be.objectify.deadbolt.utils.TemplateUtils._

Name dynamic
Used for arbitrary security. This is the view equivalent of @Dynamic
Parameters

  • name – the resource name
  • meta – additional info passed into the DynamicResourceHandler at runtime

Examples

@dynamic("foo") {
  foo
 }
@dynamic("bar", "hurdy:gurdy") {
  bar
 }

Name roleHolderPresent
Used for ensuring the viewer is logged in. This is the view equivalent of @RoleHolderPresent
Parameters

  • name – the resource name
  • meta – additional info passed into the DynamicResourceHandler at runtime

Examples

@roleHolderPresent() {
  foo
 }

Name roleHolderNotPresent
Used for ensuring the viewer is not logged in. This is the view equivalent of @RoleHolderNotPresent
Parameters

  • name – the resource name
  • meta – additional info passed into the DynamicResourceHandler at runtime

Examples

@roleHolderNotPresent() {
  foo
 }

Name deadboltPattern
Used for checking exact matches, regexs or custom values against user permissions. This is the view equivalent of @DeadboltPattern
Parameters

  • value – the pattern value
  • patternType – the pattern type, e.g. EQUALITY, REGEX, CUSTOM

Examples

@deadboltPattern("(.)*\\.edit") {
  foo
 }
@deadboltPattern("(.)*\\.edit", PatternType.REGEX) {
  foo
 }

Note There is no tag equivalent of @Unrestricted

deadbolt-2's People

Contributors

madmatah avatar schaloner avatar

Stargazers

avatar

Watchers

avatar avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.