开发者

Object ACL and Channel Security

I'm interested in building a web app using the play framework. I like what I see. However, upon reading the security documentation there only appears to be controller/action authentication using the security module.

Can I ask if there is add authentication onto a model object? Similar to Spring Security ACLs开发者_运维知识库?

Also there is no mention of channel security in the module documentation, as I'd like to serve the web app over HTTPS when a user is authenticated and HTTP if there aren't.


Thanks for the info folks. The secure and dead bolt modules are for basic controller security, I'm looking for something with a little more power that rivals the likes of Spring Security.

I took a look at Apache Shiro and although it provides a much better security than the play framework modules it doesn't provide functionality to secure model objects similar to Spring Security's Domain Object ACL.

It just a pity there is no serious contenders in the java security space to rival Spring Security. If only Spring Security didn't depend on the Servlet API, I'd look to hook it into my Play Application.


  • Check the secure module which is used to secure the controller methods.

  • Although I have not used it there is also a module called deadbolt for authorisation.

  • The documentation/tutorial and examples are quite exhaustive. The tutorial takes you though adding authentication with secure.

  • Have a look at the security guide to give you an idea of how play approaches security.

  • Https is not a problem. In my experience better served by a reverse proxy like apache that serves your Play! app.


If you need a more granular security I would recommend using the security-permissions module. It allows you to define instance level access control (rather than a class level or group level) and it is based on drools.

A rule would look like this but you can customize the last line to match a specific user and the actions are custom as well so you can define your own.

/* Admins can only edit postcards and letters */
rule CanUserEditLetter
when
  $cs: Item(name == "letter")
  $c: PermissionCheck(target == $cs, action in ("delete", "update", "insert"))
  Role(name == "admin")
then
  $c.grant();
end
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜