Play 2.4.x - 2.5 latest authentication

Alex Mueller

Mar 13, 2016, 7:06:56 PM
to play-framework
I am trying to sell my team on the Play Framework, but it is difficult without built-in authentication support and having to use a third party library. Why does Play not have authentication built in?

This is what I have found so far, but some of them do not look like they are updated for the latest versions of Play.

What is the easiest to implement in Java? 

I am looking for database password authentication, and maybe down the road some oauth. 

Thanks for any help.

raunak

Mar 13, 2016, 7:57:19 PM
to play-framework
Silhouette is available for play-scala only. play-pac4j is another authentication module which you missed on your list - https://github.com/pac4j/play-pac4j

Deadbolt is an authorization module. 


Alex Mueller

Mar 14, 2016, 11:23:45 PM
to play-framework
Thanks for the play-pac4j suggestion. I will check it out.

Deadbolt does authentication as well, no?

Why does Play not have something built in?

Thanks again.

Steve Chaloner

Mar 15, 2016, 10:30:55 AM
to play-framework
Deadbolt is only for authorization, but you can use it to drive the authentication library.  Take a look at https://leanpub.com/deadbolt-2/read#leanpub-auto-integrating-with-authentication-providers for documentation on the Java version - the same is true of the Scala version but I'm still writing that chapter.

Alex Mueller

Mar 15, 2016, 11:41:16 AM
to play-framework
Thanks Steve. 

I started with a Deadbolt example I found online and I had this working with simple MySQL user/password authentication. The example uses Ebean, which I am swapping out for JPA because I believe I read that Play is moving away from Ebean back to JPA?

If all I need right now is database username/password authentication, is Deadbolt overkill for me? When I look at the examples here, https://github.com/schaloner/deadbolt-2-java-examples/tree/master/app/security, I see so many handlers that I am not sure how many of them I need in my case. I need to figure out the bare minimum.

Any suggestions?

Thanks, 

Alex

Steve Chaloner

Mar 16, 2016, 3:57:45 AM
to play-framework
There are a lot of handlers to simulate various situations;  a typical application will have one, maybe two.  A good example to look at is https://github.com/schaloner/deadbolt-2-guide-examples/tree/master/auth0-integration - the handler for this is pretty small, and the authentication behaviour is driven by the onAuthFailure method.  If a user is present and authorization fails, deny access; if a user is not present and authorization fails, go to the login page.

public F.Promise<Result> onAuthFailure(final Http.Context context,
                                       final String s) {
    return getSubject(context)
            .map(maybeSubject ->
                         maybeSubject.map(subject -> Optional.of((User)subject))
                                     .map(user -> new F.Tuple<>(true,
                                                                denied.render(user)))
                                     .orElseGet(() -> new F.Tuple<>(false,
                                                                    login.render(clientId,
                                                                                 domain,
                                                                                 redirectUri))))
            .map(subjectPresentAndContent -> subjectPresentAndContent._1
                                             ? Results.forbidden(subjectPresentAndContent._2)
                                             : Results.unauthorized(subjectPresentAndContent._2));
}

One of the benefits of Deadbolt is that when you use it to drive the authentication behaviour, you can swap authentication solutions in and out in a central place.  I wouldn't say it's overkill, but I'm biased :-)

With regards to JPA vs Ebean, I use neither - I've found jOOQ to be an excellent solution.

Regards,
Steve

Julien L.

Mar 16, 2016, 4:50:34 AM
to play-framework
> Why does play not have something built in?

There are 100 different ways to handle authentication in a server application (by cookies, by sessions, by JWT tokens, with OAuth1, with social OAuth2, with home-made OAuth2 - from a single-app page, from a native application, from another server, from a CLI...). Play is unopinionated and cannot provide a magic solution that will work for everyone.

So there are libs specialized in providing authentication mechanism for one or many of these mechanisms.

William Billingsley

Mar 16, 2016, 5:15:59 AM
to play-framework
It's not ever so hard to do it yourself, if libraries-not-keeping-up is being a pain.

Tutorial solution for my undergraduate web class last year where I had the students doing Play, and in this case using MongoDB for the db:

(somewhat hastily written, apologies for any bugs / poor style you find) 
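
For the do-it-yourself database username/password case raised in this thread, an added example (not part of any post here, and not code from Play, Deadbolt or the tutorial mentioned above) of storing and checking passwords with the plain JDK: salted PBKDF2, a constant-time comparison, and equal work for unknown usernames. The class name, the in-memory map standing in for the users table, the iteration count and the sample credentials are assumptions.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: hypothetical class, plain JDK only (no Play or Deadbolt APIs).
public class PasswordStore {
    private static final int ITERATIONS = 210_000; // assumed work factor; tune for your hardware
    private static final SecureRandom RNG = new SecureRandom();
    // Stands in for the users table: username -> "iterations:salt:hash" (Base64 fields).
    private final Map<String, String> users = new HashMap<>();
    // Checked when the username is unknown, so both paths do the same amount of work.
    private final String dummy = encode("placeholder".toCharArray());

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String encode(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // fresh random salt for every stored password
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    static boolean matches(char[] password, String stored) {
        String[] p = stored.split(":");
        byte[] actual = pbkdf2(password, Base64.getDecoder().decode(p[1]), Integer.parseInt(p[0]));
        return MessageDigest.isEqual(Base64.getDecoder().decode(p[2]), actual); // constant-time compare
    }

    public boolean authenticate(String username, char[] password) {
        String stored = users.get(username);
        // Always run the hash, then reject if the user did not exist.
        return matches(password, stored != null ? stored : dummy) && stored != null;
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        store.users.put("alex", encode("sample-pass".toCharArray())); // constructed sample row
        for (String[] t : new String[][] {{"alex", "sample-pass"}, {"alex", "wrong"}, {"nobody", "sample-pass"}})
            System.out.println(t[0] + " / " + t[1] + " -> " + store.authenticate(t[0], t[1].toCharArray()));
    }
}
```

Storing the iteration count next to each hash lets the work factor be raised later without invalidating existing rows.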

Will Sargent

Mar 16, 2016, 2:40:29 PM
to play-fr...@googlegroups.com
Easiest to implement in Java is Play-Authenticate: https://joscha.github.io/play-authenticate/

Play 2.5.x just came out, so it doesn't have support yet, but it does support 2.4.x.

Silhouette is for Scala, and Deadbolt is for authorization, not authentication.


Alex Mueller

Mar 17, 2016, 1:12:06 PM
to play-framework
Thanks for sharing this. I will investigate auth0, as it might be easier if I just make my users log in with an account they already have.

Alex Mueller

Mar 17, 2016, 1:13:46 PM
to play-framework
This was one of the first ones I was able to get working with little changes on my end. The only concern I have with this library is the community support on issue fixes. Thanks for sharing this.