Authentication / authorization support in play

costa · January 4, 2021, 8:09am

Hi,

Authentication/authorization are two crucial components of web apps. I find it very surprising that Play doesn’t have out-of-the-box support for handling them, i.e. ready to use components that you can plug into your app, depending on your requirements. If you look at vertx - https://vertx.io/docs/#authentication-and-authorization - they provide various components for different needs. Spring is the same.

Granted, there are libraries written by third-party developers that support Play (they can be found here: https://www.playframework.com/documentation/2.8.x/ModuleDirectory), but it’s hard to choose. In some cases you can hear the crickets - those components are not developed anymore, or the respective devs don’t have time/funding to continue and those components support older versions of Play.

Can someone from Lightbend please comment? Do you provide such components for subscribers only? Just curious. What do people use for authentication and authorization these days?

Thanks

pmokkapati · January 6, 2021, 12:42am

In our case some routes - Actions need to be secure and some not - example sign up may not and some other actions may - so gives us better control of the Actions. So just replaced Action.async with authenticate.authAsync so this route authenticates the call.

Overwrote the default - invoke block to use authenticate the action or not. https://www.playframework.com/documentation/2.8.x/ScalaActionsComposition#Action-composition. So this gives better way of different action we need to secure or not…

We are using JWT - default in session file - https://www.playframework.com/documentation/2.8.x/SettingsSession and overwrote some of settings for JWT session. We are also adding other information in the session

You can use different models for generating the session cookies.

petahathub · January 6, 2021, 7:24am

Hi there,

Sometimes i feel the same, in Play open source ecosystem there are some “gaps in completeness”. Propably they have philosophy “do it yourself, it is simple with Play”.

I use pac4j with deadbolt 2, both projects are third party-community driven-one man show library and i hope the libs will be still alive in next years…

Cheers

mkurz · January 6, 2021, 9:22am

@petahathub I took over the deadbolt 2 project from the original maintainer. I know the documentation isn’t up to date because of lack of time, however I definitely will release new versions in the future.

petahathub · January 6, 2021, 12:10pm

Thank you very much, Mr. Kurz.

rbueker · January 7, 2021, 10:56pm

I’ve had success for many years with: GitHub - pac4j/play-pac4j: Security library for Play framework 2 in Java and Scala: OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...

There is an example project that shows you all the basics: GitHub - pac4j/play-pac4j-scala-demo: Play Scala demo to test the play-pac4j security library

The docs are here: pac4j: security for Java

It supports a wide variety of implementations, authentication, and authorization schemes.

There is a google group where you can ask questions: https://groups.google.com/g/pac4j-users

It has been in constant development/release for years and the lead developer is still delivering new features, bug fixes, and keeping all the pieces current.

Good luck!

michbarsinai · January 17, 2021, 11:25pm

I also use Deadbolt2 in various projects. Works very well, thanks @mkurz for maintaining it!