Play framework: How to require login for some actions, but not all
https://stackoverflow.com/questions/4328455
-
29-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Adding @With(Secure.class) to a controller blocks all unauthenticated access. Is there a way to enabled it only for certain actions, or to except certain actions after it's enabled on a controller?
Solution
You can't do that with the secure module. As Niels said the secure module is more an example than a solution. You can build your own security system with the @Before annotation. Here is an example:
public class Admin extends Controller {
@Before(unless={"login", "authenticate", "logout", "otherMethod"})
void checkAccess() {
// check the cookie
}
public void login() {
render();
}
public void authenticate(String email, String password) {
// check the params and set a value in the cookie
}
public void logout() {
// delete cookie
}
I recommend you to read the source code of the secure module.
OTHER TIPS
I've since found my earlier @Public solution somewhat limiting since it can't address inherited actions. I've instead gone to a class-level annotation:
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
public @interface AllowGuest {
String[] value();
}
and added this code to the beginning of the Secure.checkAccess() method:
AllowGuest guest = getControllerInheritedAnnotation(AllowGuest.class);
if (guest != null) {
for (String action : guest.value()) {
if (action.equals(request.actionMethod))
return;
}
}
which can be used like this: @AllowGuest({"list","view"})
This makes it easy to allow access to local and inherited actions, and to see which actions in a controller are unsecured.
Remove @With(Secure.class) annotation to the controller and add this piece of code inside the controller.
@Before(unless={"show"})
static void checkAccess() throws Throwable {
Secure.checkAccess();
}
where show is the action you need to make publicly available.
In order to get what I was looking for, I copied the Check annotation and created a Public annotation.
package controllers;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD})
public @interface Public {
}
then I added these two lines to the beginning of the Secure.checkAccess:
if (getActionAnnotation(Public.class) != null)
return;
Now actions in controllers using With(Secure.class) can be made accessible without logging in by adding a @Public annotation to them.
You can set at the @Before-Tag of the Secure Controller the value unless or only. The Secure-Module is more an example than a solution.
