-
Notifications
You must be signed in to change notification settings - Fork 0
Auth
Authentication is ensuring that the current user is logged in. Some parts of your application are limited to authenticated users. Mettle does not implement authentication, but it does provide a mechanism for integrating Secure-Social or other Play authentication add-ons.
The Command class has a member
public String indentityId;
If you are using integration then this field is used to indicate whether the user is logged in or not.
The Presenter provides two methods
boolean isLoggedIn(Command cmd);
void ensureLoggedIn(Command cmd);
The first method returns a boolean, so your presenter can support both logged-in and non-logged-in users. The second method throws a NotLoggedInException if the user is not logged in. This is caught by the base Presenter and converted into a Reply destination of Reply.FORWARD_NOT_AUTHENTICATED. Usually your controller will response to this destination by redirecting to an error page.
Authorization is controlling what a user is allowed to do. For example, in a blogging application, a user is allowed to edit or delete their own posts, but not other users' posts.
Mettle provides a full implementation of authorization. It re-uses your existing data relationships, to allow powerful grouping and scoping authorization rules.
Four database tables are created.
- AuthSubject represents users.
- AuthRole represents a list of roles that users can have.
- AuthTicket represents a scope for a role
- AuthRules represents the authorization rules in the form of subject-role-ticket
The schema is here:
AuthSubject
id
name
AuthRole
id
name
AuthTicket
id
AuthRule
userId
roleId
ticketId
The simplest form of authorization is to give users roles. For example, an "Admin" role could be used to give users the ability to access the admin pages. Users are assigned roles, and presenters can check whether the current user has the needed roles. Presenter has several methods:
boolean hasRole(Command cmd, String roleName);
void ensureHasRole(Command cmd, String roleName); //handy one-line way of checking for a role
Roles in Mettle are static. If you change the roles you must restart the app.
Note. This form of authorization sets the ticketId to null in the AuthRule table.
Mettle lets you use your existing data relationships for managing authorization. Mettle defines tickets: an abstraction of some other data object that you use to define authorization scopes of the form:
User X has role Y on ticket Z
Lets look at an example. For example, in a blogging app the author might have "Owner" role on the posts she wrote. We would add a field to the Post table to hold the ticket ID. Then in our Blog presenter, we would check
if (post.user != cmd.currentUser || ! isAuth(cmd, post.ticket)) {
//deny...