I am developing an application with Play Framework 2.2 and Java. I have implemented the authentication module just like the following tutorial: http://www.playframework.com/documentation/2.1.0/JavaGuide4
In a nutshell, I implemented a class Secured as:
import play.mvc.Http.Context;
import play.mvc.Result;
import play.mvc.Security;

public class Secured extends Security.Authenticator {
    @Override
    public String getUsername(Context ctx) {
        // the session cookie holds the logged-in user's e-mail; null means not logged in
        return ctx.session().get("email");
    }

    @Override
    public Result onUnauthorized(Context ctx) {
        // anonymous users are sent to the login page
        return redirect(routes.Users.login());
    }
}
and then in the controllers I added this annotation to the controller methods:
@Security.Authenticated(Secured.class)
public static Result methodOfController() {
    // some code here
    return ok(someView.render());
}
As you can see, it's just authentication, not authorization; for example, it checks if the user is logged in but never checks if this is the email of an admin.
My question is this: how should I add access rights to this class, or, namely, how can I add authorization to this authentication?
Please provide me with a descriptive answer that shows what modifications I should make to this class, the controllers, and even other parts of the project (maybe models) to have proper authorization.
Please don't provide links to websites or weblogs unless they are focused on a very similar issue.
You can look at a solution like Deadbolt that provides a solution for this, or you can roll your own. The main idea in Java is to use action composition to create custom action annotations. Thus you could check whether a user is authenticated and then whether the user is authorized for the requested resource.
I have written a simple authorization action composition for our project.
Before your actions or controllers you can add a line like the following:
@Auth({"GeneralManager","Manager"})
With the line above, only the people with the role "GeneralManager" or "Manager" can access the action or controller. The implementation of "AuthAction" can be like this:
import models.Role;
import models.User;
import play.libs.F;
import play.mvc.Action;
import play.mvc.Http;
import play.mvc.SimpleResult;

public class AuthAction extends Action<Auth> {
    @Override
    public F.Promise<SimpleResult> call(Http.Context context) throws Throwable {
        // Role codes listed in the @Auth annotation on the action or controller
        String[] params = configuration.value();
        // Resolve the current user from the same session key Secured uses
        // (assumes a User.findByEmail finder on the model)
        String email = context.session().get("email");
        User user = (email == null) ? null : User.findByEmail(email);
        if (user == null) {
            // not logged in, so no role check is possible: send to login
            return F.Promise.pure(redirect(routes.Users.login()));
        }
        // No roles listed means any authenticated user may pass
        boolean found = params.length == 0;
        // Loop the given parameters (role names) to check that the user belongs to one of them
        for (String code : params) {
            // validate that the role code exists, so a typo in the annotation fails loudly
            int roleCount = Role.find.where().eq("code", code).findRowCount();
            if (roleCount == 0) {
                throw new Exception("Auth code is not found: " + code);
            }
            if (user.role.code.equals(code)) {
                found = true;
            }
        }
        // if the role is not found for the user, it means the user is not authorised
        if (!found) {
            // no access, redirect to home
            return F.Promise.pure(redirect("/"));
        }
        // execute the action
        return delegate.call(context);
    }
}
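The answer above shows the action but not the annotation that triggers it, nor where the user comes from. What follows is an added example (not the answerer's code and not from the Play documentation) of the complete action-composition setup for Play 2.2: the @Auth annotation bound with @With, an AuthAction that does authentication and then authorization in one place, and the Ebean models it reads. The models.User and models.Role classes, the User.findByEmail finder, the roles relation and routes.Users.login() are assumptions about the project; the session key "email" is the one the question's Secured class uses.

```java
// --- app/controllers/Auth.java ---
package controllers;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import play.mvc.With;

// @With binds the annotation to the Action class that enforces it.
@With(AuthAction.class)
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface Auth {
    // Role codes, any one of which grants access. Empty = any logged-in user.
    String[] value() default {};
}

// --- app/controllers/AuthAction.java ---
package controllers;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import models.User;
import play.libs.F;
import play.mvc.Action;
import play.mvc.Http;
import play.mvc.SimpleResult;

public class AuthAction extends Action<Auth> {
    @Override
    public F.Promise<SimpleResult> call(Http.Context ctx) throws Throwable {
        // Step 1, authentication: resolve the user from the session key Secured
        // uses, so @Auth works on its own and does not depend on also being
        // stacked under @Security.Authenticated.
        String email = ctx.session().get("email");
        User user = (email == null) ? null : User.findByEmail(email);  // assumed finder
        if (user == null) {
            ctx.session().clear();  // drop a stale session (e.g. user deleted)
            return F.Promise.pure(redirect(routes.Users.login()));
        }
        // Step 2, authorization: the user must hold one of the demanded roles.
        Set<String> required = new HashSet<String>(Arrays.asList(configuration.value()));
        if (!required.isEmpty() && !user.hasAnyRole(required)) {
            // Logged in but lacking the role: 403 rather than a redirect, so the
            // case is distinguishable from "not logged in" in access logs.
            return F.Promise.pure(forbidden("You do not have access to this resource."));
        }
        // Hand the resolved user to the action so it need not query again.
        ctx.args.put("user", user);
        return delegate.call(ctx);
    }
}

// --- app/models/User.java (relevant part) ---
package models;

import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.ManyToMany;
import play.db.ebean.Model;

@Entity
public class User extends Model {
    @Id public String email;
    @ManyToMany public List<Role> roles;  // a user may hold several roles

    public static Finder<String, User> find = new Finder<String, User>(String.class, User.class);

    public static User findByEmail(String email) {
        return find.byId(email);
    }

    public boolean hasAnyRole(Set<String> codes) {
        for (Role r : roles) {
            if (codes.contains(r.code)) return true;
        }
        return false;
    }
}

// --- app/models/Role.java ---
package models;

import javax.persistence.Entity;
import javax.persistence.Id;
import play.db.ebean.Model;

@Entity
public class Role extends Model {
    @Id public String code;  // e.g. "Manager", "GeneralManager"
}

// --- usage in a controller ---
// @Auth({"GeneralManager", "Manager"})
// public static Result report() {
//     User me = (User) Http.Context.current().args.get("user");
//     return ok(reportView.render(me));
// }
```

Two design choices worth noting. The action performs its own login check instead of relying on @Security.Authenticated being present as well, so a method annotated only with @Auth cannot be reached anonymously. And roles are a many-to-many relation rather than a single user.role field, so a user can be both "Manager" and something else without the role check being rewritten; the check itself lives on the model, where a unit test can exercise it without an HTTP context.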