How to secure a Spray application?


Chelios

15 Feb 2016, 11:50:51 AM
To: spray.io User List
Hi Guys,

I'm so confused about how I should go about securing my Spray application. The reason I'm using Spray over Play is because I've got a single page application and thought Spray would be easier to work with.

I need:
- User and password authentication - encrypt the username and password while communicating it with the server or whatever to make the whole thing secure.
- Session management - only log out the user if inactive for a certain time.
- OAuth2 authentication for some routes.
- Social network authentication - I can easily implement this if I can figure out a way to send the access_token provided by social networks securely over to the server.

Where should I start? What should I do? Please direct me as I'm very confused. I'm used to using Spring Security and I'm very much lost in the Spray world.

I know there are these libraries:

Spray session - https://github.com/gnieh/spray-session - but it does not have any security implemented.
OAuth2 server implementation - https://github.com/nulab/scala-oauth2-provider - but it does not have support for Spray. I will have to fiddle around with it to get it working with Spray.

Please tell me where I should start.

Thanks
Chel

chelios....@gmail.com

6 Jun 2016, 3:08:58 AM
To: spray.io User List
Hi Guys,

Any help with this?

Age Mooij

6 Jun 2016, 5:56:58 AM
To: spray...@googlegroups.com
Hi Chel

The very brief answer is: Spray doesn't have much support for that level since it is more an HTTP toolkit than an application framework like Play. There are some basic building blocks for authentication but most of the things on your list are too high-level for Spray.

AFAIK akka-http is also not going to build that kind of framework since the long-term goal is to slowly but surely migrate Play to be built on top of akka-http so you can use all the power of "Spray" while choosing from a number of higher-level framework add-ons as needed.

That said, over time many people have of course built things like this on top of Spray, including me. Some of that work has been open-sourced as libraries or at least online examples. A quick Github search shows quite a number of starting points that might help you:


This one might be interesting


Hope this helps
Age


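The "basic building blocks for authentication" Age mentions are Spray's `authenticate` directive and the `ContextAuthenticator` function type. As an added example (not code from the thread or from the Spray project), here is a bearer-token authenticator built on them; the `User` type, the in-memory token map and the `/me` route are assumptions for illustration, and the token only stays secret if the listener is HTTPS.

```scala
import java.security.MessageDigest
import scala.concurrent.{ExecutionContext, Future}
import spray.http._
import spray.http.HttpHeaders.{Authorization, `WWW-Authenticate`}
import spray.routing._
import spray.routing.AuthenticationFailedRejection._
import spray.routing.authentication._

// Hypothetical user model for the example.
case class User(name: String)

object TokenAuth {
  // Constructed sample store: opaque random token -> user. A real service would
  // back this with a session/token cache carrying an idle-expiry timestamp,
  // which is where "log out after N minutes of inactivity" is enforced.
  private val tokens = Map("s3cr3t-random-token" -> User("chel"))

  // Compare the token bytes with MessageDigest.isEqual so a valid prefix does not
  // take measurably longer to reject than a garbage token (for equal lengths).
  private def lookup(presented: String): Option[User] =
    tokens.collectFirst {
      case (t, u) if MessageDigest.isEqual(t.getBytes("UTF-8"), presented.getBytes("UTF-8")) => u
    }

  // Sent back with 401 so clients know which scheme to use.
  private val challenge = `WWW-Authenticate`(HttpChallenge("Bearer", "spray-app")) :: Nil

  // A ContextAuthenticator[T] is just RequestContext => Future[Either[Rejection, T]].
  // Missing vs. rejected credentials are distinguished for logging/alerting.
  def bearer(implicit ec: ExecutionContext): ContextAuthenticator[User] = ctx => Future {
    ctx.request.headers.collectFirst {
      case Authorization(OAuth2BearerToken(token)) => token
    } match {
      case None        => Left(AuthenticationFailedRejection(CredentialsMissing, challenge))
      case Some(token) => lookup(token).toRight(AuthenticationFailedRejection(CredentialsRejected, challenge))
    }
  }
}

// Plugging the authenticator into a route: unauthenticated requests are rejected
// (and sealed into a 401 by the default RejectionHandler) before the inner route runs.
trait SecuredRoutes extends HttpService {
  implicit def executionContext: ExecutionContext = actorRefFactory.dispatcher

  val secured: Route =
    path("me") {
      authenticate(TokenAuth.bearer) { user =>
        complete(s"hello ${user.name}")
      }
    }
}
```

The same shape works for the social-login case from the original question: the client sends the provider's access_token as a Bearer credential over TLS, and `lookup` is replaced by a call that validates the token with the provider.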

Chelios Bandaras

6 Jun 2016, 8:55:54 AM
To: spray...@googlegroups.com
Hi Age,

I did look at these libraries before but I wasn't sure if they solved all the security issues. Do you think that if I used the libraries you mentioned and also got an HTTPS/SSL connection, my Spray web application would be as secure as Play with Silhouette?

Chel


Age Mooij

6 Jun 2016, 1:55:44 PM
To: spray...@googlegroups.com
I think it can be as secure, but you'll now have to understand more about web security to make that risk assessment yourself so you can gather the correct components and libraries.

Spray was explicitly designed to be a toolkit instead of a kitchen sink framework like Play, hence the missing bits. The eventual combination of the two worlds, i.e. akka-http and the next major version of Play, will get you the best of both worlds but that time is not quite here yet unfortunately.

Age
