Security in Play 2?


Pradeep Singh

Apr 13, 2012, 10:48:08 PM
to play-fr...@googlegroups.com
I've just started looking at Play 2 but out of curiosity I tried to explore what options were available for authentication and authorization in the framework. I don't see anything yet in the documentation. There does seem to be some documentation for Play 1 at http://www.playframework.org/documentation/1.2.3/guide8. Is this thing available in Play 2 as well? How does it compare with Spring Security? Because anything less than Spring Security won't be acceptable, unless there's a way to use Spring Security itself. Like I said, I am still exploring the framework. Lots of good stuff so far but security is something that'll be critical in my app.

Sean B

Apr 14, 2012, 12:36:08 PM
to play-fr...@googlegroups.com
You say that "anything less than Spring Security won't be acceptable".  Can you enumerate the specific features of Spring Security that you require?

Scott Phillips

Apr 14, 2012, 3:50:35 PM
to play-fr...@googlegroups.com

I would assume that you could use Spring security in the general application without problem with Play 2.0. The only thing that might trip things up is the SecurityContextHolder which maintains the security context on the local thread. So you'd probably want to build a global interceptor that always sets the context for the current thread. However, what you can't use is anything from the "Web Application Security" portion of the library because that all assumes a regular servlet-based deployment which isn't present with Play. It relies on filters and chains and all that stuff.

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html
vs
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/web-app-security.html

I think the closest project that I know in the play world to deliver this type of annotation-style security checking is the Deadbolt module. With that you can specify who's able to access what resources at the controller & view level with annotation based expressions.

https://github.com/schaloner/deadbolt-2

Scott--
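
The thread-local concern raised in the message above, as an added example that is not part of the original post and not Spring Security or Play code: a context held in a `ThreadLocal` survives on a pooled worker thread, so the next request served by that thread sees the previous user unless an interceptor sets the context on every request and clears it afterwards. `CURRENT_USER`, `whoAmI`, `unsafe` and `intercepted` are hypothetical stand-ins, and the single-thread pool stands in for a server's request threads.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundContextDemo {
    // Hypothetical stand-in for a thread-local security context holder.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Hypothetical controller action: reports who the holder says is logged in.
    static String whoAmI() {
        String user = CURRENT_USER.get();
        return user == null ? "anonymous" : user;
    }

    // Flawed wiring: sets the context only when a session user exists, never clears it.
    static Callable<String> unsafe(String sessionUser) {
        return () -> {
            if (sessionUser != null) CURRENT_USER.set(sessionUser);
            return whoAmI();
        };
    }

    // Interceptor: always sets the context for this request, always clears it afterwards.
    static Callable<String> intercepted(String sessionUser) {
        return () -> {
            CURRENT_USER.set(sessionUser);
            try {
                return whoAmI();
            } finally {
                CURRENT_USER.remove();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, reused for every request, like a server thread pool.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            // Constructed requests: "alice" has a session, the next caller has none.
            pool.submit(unsafe("alice")).get();
            System.out.println("unsafe:      " + pool.submit(unsafe(null)).get());
            pool.submit(intercepted("alice")).get();
            System.out.println("intercepted: " + pool.submit(intercepted(null)).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

With the flawed wiring the session-less request is answered as the previous user on the reused thread; with the interceptor it is answered as anonymous.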


Pradeep Singh

Apr 14, 2012, 9:41:50 PM
to play-fr...@googlegroups.com
Protecting URLs through configuration file (authentication and authorization)
Protecting methods through annotations  (authentication and authorization)
Remember me authentication (this is cookie based, so this can easily be brought over)

Pradeep Singh

Apr 14, 2012, 9:50:49 PM
to play-fr...@googlegroups.com
Thanks. That was the reason I posted this question. Deadbolt seems to be able to handle the authorization part. Now all I need to think about is authentication. I wonder why in the entire documentation there's no mention of security. At least for Play 2. I was able to find some documentation for Play 1 but not sure how relevant it is.

Wes Freeman

Apr 14, 2012, 10:01:24 PM
to play-fr...@googlegroups.com
I agree, the documentation is pretty limited (so far) on security features. I did manage to find what looks to be a basic Security class in the code on github, though I haven't actually gotten it working yet:


If anyone knows how it's supposed to work, and would be willing to share, that would be great. :)

Wes


Scott Phillips

Apr 14, 2012, 11:10:57 PM
to play-fr...@googlegroups.com

Yes, I agree that there is a dearth of documentation or modules for authentication. It's so simple in the basic case of local authentication against a database of users that it's not really needed. But I expect at some point someone will come out with a module to handle it. The examples you're finding in 1.x are not relevant for the new version. Almost all the previous ones centered around the class invoker stuff that's gone in 2.0.

I am currently working on updating my shibboleth authentication module from 1.x to 2.0. But the only reason to use shibboleth is for federated identities.

https://github.com/TAMULib/Shibboleth-play/tree/play2.0

Scott--




Sean Brady

Apr 15, 2012, 7:27:43 AM
to <play-framework@googlegroups.com>
The sample apps have a few examples of using the Security class. That's how I got started. 


Leon Radley

Apr 15, 2012, 11:32:10 AM
to play-fr...@googlegroups.com
I wrote a chapter this morning on the subject
https://github.com/playframework/Play20/wiki/ScalaSecurity

Hope it helps !

Wes Freeman

May 6, 2012, 3:59:27 AM
to play-fr...@googlegroups.com
I'm finally getting back into my play2 app--went to look for this page, but it seems to be gone. :(

Wes


Jorge Aliss

Jun 6, 2012, 7:39:07 AM
to play-fr...@googlegroups.com
For authorization you can use Deadbolt: https://github.com/schaloner/deadbolt-2. And for authentication I just released the version of SecureSocial for Play 2 yesterday. There are still things missing compared to version 1 but it's a start: https://github.com/jaliss/securesocial

Cheers,
Jorge


On Tue, Jun 5, 2012 at 7:30 PM, Niklas Saers <nikla...@gmail.com> wrote:
Hi Leon,
I would love to read an intro on how to use play.api.mvc.Security.Authenticated, but the page seems not to be there. Do you have an updated URL for your chapter? I cannot seem to find any tutorials, documentation or sample code on how to use it when I search for it. :-I

Cheers

   Nik


Joscha Feth

Jun 10, 2012, 2:18:32 AM
to play-fr...@googlegroups.com


On Saturday, June 9, 2012 4:38:11 PM UTC+2, Andreas Kwiatkowski wrote:
Hi everybody, 

while building our recent product we've had high expectations for SecureSocial. However, as Jorge says, it's only a start. Customization of views is IMHO pretty tough, any styles and strings are hardcoded in its views so far.

I provided a pull for this issue (custom views) just now: https://github.com/jaliss/securesocial/pull/58
I hope I can work with Jorge to get this integrated, then SecureSocial is one step further to being as versatile as in v1 again.

Cheers,
Joscha

Henry Story

Jun 10, 2012, 2:29:45 AM
to play-fr...@googlegroups.com
Of course security - especially privacy - also requires TLS. That is why Facebook, Google and Twitter have moved their services to be TLS enabled (i.e. behind https:// URLs). Without that, password sniffing is all too easy, especially with tools such as Firesheep easily available.


That is why I have submitted patch 339, which I just updated a few days ago:


Please vote for that patch, so that it can be integrated into the main branch.


Andy Czerwonka

Jun 11, 2012, 12:48:21 AM
to play-fr...@googlegroups.com
Any chance for ambient NTLM v2?

jm....@gmail.com

Apr 17, 2013, 3:41:42 PM
to play-fr...@googlegroups.com, prdpk...@gmail.com
I've done an initial approach to integrate spring security framework with play framework; you can check it if you wish.

Nicolas Forney

Apr 17, 2013, 4:55:37 PM
to play-fr...@googlegroups.com, prdpk...@gmail.com
That's great, thank you for sharing. I will have a look shortly.

Jun Yamog

Apr 23, 2013, 10:59:09 PM
to play-framework
Andy,

We used apache's kerberos module.  This does the kerberos sso, it seems to work.

jm,

Great thanks for sharing.  Might be useful for us.  So how did you handle the session/state in spring security?

