Responsibilities of AuthService and AuthProvider

[mathias]

The interface AuthService currently has methods for login and logout but AuthProvider has only a method for login.
Does it makes sense to use one interface or the other (XOR), or are they supposed to be used at the same time?

I am using the RedirectAuthHandler which requires the AuthProvider directly now. Before that I have implemented my own logout handler which required an AuthService. So I am a bit confused if I really need both interfaces in parallel and if it breaks the single responsibility principle somehow.

[mathias]

What I mean is should the following code work, although it uses both AuthService and AuthProvider?

AuthProvider authProvider = ShiroAuthProvider.create(vertx, ShiroAuthRealmType.PROPERTIES, authConfig);
AuthService authService = ShiroAuthService.create(vertx, ShiroAuthRealmType.PROPERTIES, authConfig);
authService.start();

AuthHandler authHandler =
RedirectAuthHandler.create(authProvider, Constants.LOGIN_PAGE_URL);
authHandler.addPermission("access_app");

// Handle logout
LogoutHandler logoutHandler = new LogoutHandler(authService, vertx);
router.route("/logout").handler(logoutHandler);

// Handle the actual login by handling the form post action
router.route("/login/*").handler(BodyHandler.create());
LoginHandler loginHandler =
    new LoginHandler(authProvider, FormLoginHandler.DEFAULT_RETURN_URL_PARAM, vertx);
router.route("/login/:returnUrlPath").handler(loginHandler);

[mathias]

It seems to me that the AuthProvider is required to do authentication stuff and AuthService is kind optional but has more features.

[Tim Fox]

On 16/04/15 10:32, mathias wrote:

The interface AuthService currently has methods for login and logout but AuthProvider has only a method for login.
Does it makes sense to use one interface or the other (XOR), or are they supposed to be used at the same time?

They are for different purposes.

AuthProvider is a low level auth interface and doesn't have any concept of login session, therefore logout makes no sense.

AuthService provides a concept of a login session and is designed to be used, say, if you have different verticles and you want to auth when messages arrive.

I am using the RedirectAuthHandler which requires the AuthProvider directly now. Before that I have implemented my own logout handler which required an AuthService. So I am a bit confused if I really need both interfaces in parallel and if it breaks the single responsibility principle somehow.

Apex only needs AuthProvider

--
You received this message because you are subscribed to the Google Groups "vert.x" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vertx+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Tim Fox]

If you're using Apex you just need AuthProvider - take a look at the examples in the examples repo or the docs to see how :)

[mathias]

Ok, thx!

I'll try to omit the AuthService and stay with a SessionHandler together with the AuthProvider.

I suggest to rename the method login() to authenticate() within the AuthProvider because the actual login is not handled by the AuthProvider but by the FormLoginHandler, any other LoginHandler or even before by an AuthHandler. Authorisation may be handled by the AuthHandler as well.

[mathias]

LocalSessionStoreImpl and AuthServiceImpl seem to be very similar. My current hope is that I will not need the AuthService when I am handling sessions with the LocalSessionStore.

[Tim Fox]

Apex doesn't use AuthService at all any more.

There are some examples in the examples repo that should help you out :)

On 17/04/15 11:35, mathias wrote:

LocalSessionStoreImpl and AuthServiceImpl seem to be very similar. My current hope is that I will not need the AuthService when I am handling sessions with the LocalSessionStore.