![Identity
Represents a user in a Provider
Providers return an instance of this trait upon successful
authentication
Modeled with a trait in Scala and an interface on the Java API
tatIett {
ri dniy
dfi:UeI
e d srd
dffrtae Srn
e isNm: tig
dflsNm:Srn
e atae tig
dfflNm:Srn
e ulae tig
dfeal Oto[tig
e mi: pinSrn]
dfaaaUl Oto[tig
e vtrr: pinSrn]
dfatMto:AtetctoMto
e uhehd uhniainehd
dfouhIf:Oto[At1no
e At1no pinOuhIf]
dfouhIf:Oto[At2no
e At2no pinOuhIf]
dfpswrIf:Oto[asodno
e asodno pinPswrIf]
}](https://image.slidesharecdn.com/securesocialpresentation-121214135047-phpapp02/85/SecureSocial-Authentication-for-Play-Framework-6-320.jpg)
![UserService
Provides a way to persist/find Identities from a backing store
No imposed persistence mechanism. Developer is free to
use anything
Any class implementing Identity can be returned: this allows
you to return your own model class
tatUeSrie{
ri srevc
dffn(d UeI)Oto[dniy
e idi: srd:pinIett]
dffnBEalnPoie(mi:Srn,poieI:Srn)Oto[dni
e idymiAdrvdreal tig rvdrd tig:pinIett
y]
dfsv(sr Iett)
e aeue: dniy
/ temtosta hnl tkn aeue
/ h ehd ht ade oes r sd
/ i sg u adrstpswr rqet
/ n in p n ee asod euss
dfsv(oe:Tkn
e aetkn oe)
dffnTkntkn Srn) Oto[oe]
e idoe(oe: tig: pinTkn
dfdltTknui:Srn)
e eeeoe(ud tig
dfdltEprdoes)
e eeexieTkn(
}](https://image.slidesharecdn.com/securesocialpresentation-121214135047-phpapp02/85/SecureSocial-Authentication-for-Play-Framework-7-320.jpg)
![Views Customization
Built in templates use Twitter Bootstrap
TemplatesPlugin: used to render views/emails
To customize: change css or implement and register it
instead of the default one
dfgtoiPg[]ipii rqet RqetA,
e eLgnaeA(mlct eus: eus[]
fr:Fr[Srn,Srn),
om om(tig tig]
mg Oto[tig =Nn) Hm
s: pinSrn] oe: tl
dfgtinpmi(oe:Srn)ipii rqet Rqetedr:Srn
e eSgUEaltkn tig(mlct eus: eusHae) tig
dfgtoiPg[]ipii rqet RqetA,
e eLgnaeA(mlct eus: eus[]
fr:Fr[Srn,Srn),
om om(tig tig]
mg Oto[tig =Nn) Hm =
s: pinSrn] oe: tl
{
scrsca.iw.tllgnfr,mg
eueoilveshm.oi(om s)
}
dfgtinpmi(oe:Srn)ipii rqet Rqetedr:Srn ={
e eSgUEaltkn tig(mlct eus: eusHae) tig
scrsca.iw.tlmissgUEaltkn.oy
eueoilveshm.al.inpmi(oe)bd
}](https://image.slidesharecdn.com/securesocialpresentation-121214135047-phpapp02/85/SecureSocial-Authentication-for-Play-Framework-18-320.jpg)
![Creating an Identity
Provider
asrc casIettPoie(plcto:Apiain
btat ls dniyrvdrapiain plcto)
etnsPui wt Rgsrbe
xed lgn ih eital
{
.
.
dfdAt[])ipii rqet RqetA)Ete[eut ScaUe]
e ouhA((mlct eus: eus[]:ihrRsl, oilsr
dfflPoieue:ScaUe)ScaUe
e ilrfl(sr oilsr:oilsr
.
.
}](https://image.slidesharecdn.com/securesocialpresentation-121214135047-phpapp02/85/SecureSocial-Authentication-for-Play-Framework-20-320.jpg)
SecureSocial - Authentication for Play Framework
- 1. SecureSocial Authentication Module for Play! Jorge Aliss @jaliss Sponsored by
- 2. Agenda Overview Main concepts: Identity Providers, Identity, UserService Installation Configuration Protecting Actions UsernamePassword provider Password rules and hashing algorithms Views customization Internationalization Extending SecureSocial
- 3. Overview What does it do? Why did I do it? 11/11/2011: First release (Play 1) 06/05/2012: Play 2 version
- 4. Demo
- 5. Identity Providers A provider implements the logic required to support an authentication scheme. OAuth 1: Twitter, LinkedIn OAuth 2: Facebook, Google, GitHub OpenID (coming soon) Username and Password Your own provider
- 6. Identity Represents a user in a Provider Providers return an instance of this trait upon successful authentication Modeled with a trait in Scala and an interface on the Java API tatIett { ri dniy dfi:UeI e d srd dffrtae Srn e isNm: tig dflsNm:Srn e atae tig dfflNm:Srn e ulae tig dfeal Oto[tig e mi: pinSrn] dfaaaUl Oto[tig e vtrr: pinSrn] dfatMto:AtetctoMto e uhehd uhniainehd dfouhIf:Oto[At1no e At1no pinOuhIf] dfouhIf:Oto[At2no e At2no pinOuhIf] dfpswrIf:Oto[asodno e asodno pinPswrIf] }
- 7. UserService Provides a way to persist/find Identities from a backing store No imposed persistence mechanism. Developer is free to use anything Any class implementing Identity can be returned: this allows you to return your own model class tatUeSrie{ ri srevc dffn(d UeI)Oto[dniy e idi: srd:pinIett] dffnBEalnPoie(mi:Srn,poieI:Srn)Oto[dni e idymiAdrvdreal tig rvdrd tig:pinIett y] dfsv(sr Iett) e aeue: dniy / temtosta hnl tkn aeue / h ehd ht ade oes r sd / i sg u adrstpswr rqet / n in p n ee asod euss dfsv(oe:Tkn e aetkn oe) dffnTkntkn Srn) Oto[oe] e idoe(oe: tig: pinTkn dfdltTknui:Srn) e eeeoe(ud tig dfdltEprdoes) e eeexieTkn( }
- 8. Installation Available as a downloadable dependency Stable versions and master snapshots ojc Apiainul etnsBid{ bet plctoBid xed ul vlapae a pNm ="yp" MAp vlapeso a pVrin ="." 10 vlapeednis=Sq a pDpnece e( "eueoil %"eueoil291 %".." scrsca" scrsca_.." 207 ) vlmi =PaPoetapae apeso,apeednis miLn =S a an lyrjc(pNm, pVrin pDpnece, anag C AA.etns L)stig( rsles+ Rsle.r(ScrSca Rpstr" ul"tp/scrs eovr = eovrul"eueoil eoioy, r(ht:/eue oilw/eoioyrlae/)(eovriytlPten) ca.srpstr/eess")Rsle.vSyeatrs ) }
- 9. Configuration Settings go in a securesocial section of your conf file Global settings: onLoginGoto, onLogoutoTo, ssl scrsca { eueoil oLgnoo/ noiGT= oLguGT=lgn nootoo/oi slfle s=as }
- 10. Configuration Username Password Provider ueps { sras wtUeNmSpotfle ihsraeupr=as snWloemi=re edecmEaltu ealGaaaSpottu nbervtrupr=re tknuain6 oeDrto=0 tkneeenevl5 oeDltItra= ealTkno=re nbeoeJbtu hse=cyt ahrbrp mnmmasodegh8 iiuPswrLnt= }
- 11. Configuration OAuth 1 and OAuth 2 based providers titr{ wte rqetoeUl"tp:/wte.o/at/eus_oe" eusTknr=hts/titrcmouhrqettkn acsTknr=hts/titrcmouhacs_oe" cesoeUl"tp:/wte.o/at/cestkn atoiainr=hts/titrcmouhatetct" uhrztoUl"tp:/wte.o/at/uhniae cnueKyyu_osmrky osmre=orcnue_e cnueSce=orcnue_ert osmrertyu_osmrsce } fcbo { aeok atoiainr=hts/gahfcbo.o/at/uhrz" uhrztoUl"tp:/rp.aeokcmouhatoie acsTknr=hts/gahfcbo.o/at/cestkn cesoeUl"tp:/rp.aeokcmouhacs_oe" cinI=orcin_d letdyu_leti cinSce=orcin_ert letertyu_letsce soeeal cp=mi }
- 12. Protecting Actions SecuredAction: intercepts requests and redirects them to a login page if the user is not authenticated (returns unauthorized error for ajax calls) Authorization: SecuredActions can receive an Authorization instance that checks if an authenticated user is authorized to execute it. Renders an error page (returns forbidden for ajax calls)
- 13. SecuredAction Add the SecureSocial trait to your controllers dfmAto =Scrdcin{ipii rqet= e ycin eueAto mlct eus > O(iw.tlidxrqetue) kveshm.ne(eus.sr) } dfmAaCl =Scrdcintu){ipii rqet= e yjxal eueAto(re mlct eus > O(sntJo(a(msae - "el").sJO) kJo.osnMp"esg" > hlo))a(SN }
- 14. Authorization To add authorization logic to an action you need to implement the Authorization trait. cs casWtRl(oe Rl)etnsAtoiain{ ae ls ihoerl: oe xed uhrzto dfiAtoie(dniy Iett) Boen={ e suhrzdiett: dniy: ola iett mth{ dniy ac cs ue:Ue = ue.aRl(oe ae sr sr > srhsoerl) cs _= ae > Lge.ro(DdntgtaSsinsrojc" ogrerr"i o e esoUe bet) fle as } } } dfmAto =Scrdcin WtRl(di)){ipii rqet= e ycin eueAto( ihoeAmn mlct eus > O(iw.tlidxrqetue) kveshm.ne(eus.sr) }
- 15. UsernamePassword Provider Enforces flows that prevent leaking information in the Signup, Login and Password recovery flows Password change functionality Enforces password strength and hashing
- 16. Password Validator Used to enforce password strength DefaultPasswordValidator: checks length specified in settings file To customize, implement the PasswordValidator and register it in the play.plugins file tatPswrVldtretnsPui { ri asodaiao xed lgn dfiVldpswr:Srn) Boen e sai(asod tig: ola dferresg:Srn e roMsae tig }
- 17. Password Hasher Built in (and recommended) is based on Bcrypt Several can be configured, allowing easy migration to new algorithms as needed PasswordInfo: stores the hashed password, an optional salt and the hasher id Passwords are hashed with the 'default' hasher tatPswrHse etnsPui wt Rgsrbe{ ri asodahr xed lgn ih eital dfhs(liPswr:Srn) PswrIf e ahpanasod tig: asodno dfmthspswrIf:PswrIf,splePswr:Srn) Boen e ace(asodno asodno upidasod tig: ola }
- 18. Views Customization Built in templates use Twitter Bootstrap TemplatesPlugin: used to render views/emails To customize: change css or implement and register it instead of the default one dfgtoiPg[]ipii rqet RqetA, e eLgnaeA(mlct eus: eus[] fr:Fr[Srn,Srn), om om(tig tig] mg Oto[tig =Nn) Hm s: pinSrn] oe: tl dfgtinpmi(oe:Srn)ipii rqet Rqetedr:Srn e eSgUEaltkn tig(mlct eus: eusHae) tig dfgtoiPg[]ipii rqet RqetA, e eLgnaeA(mlct eus: eus[] fr:Fr[Srn,Srn), om om(tig tig] mg Oto[tig =Nn) Hm = s: pinSrn] oe: tl { scrsca.iw.tllgnfr,mg eueoilveshm.oi(om s) } dfgtinpmi(oe:Srn)ipii rqet Rqetedr:Srn ={ e eSgUEaltkn tig(mlct eus: eusHae) tig scrsca.iw.tlmissgUEaltkn.oy eueoilveshm.al.inpmi(oe)bd }
- 19. Internationalization Built in messages are extracted To customize: copy the messages from the sources into your messages file and change as needed scrsca.oi.il=oi eueoillgntteLgn scrsca.oi.eehr eueoillgnhr=ee scrsca.oi.naiCeetasIvldCeetas eueoillgnivldrdnil=nai rdnil scrsca.oi.ogtasodDdyufre yu pswr? eueoillgnfroPswr=i o ogt or asod
- 20. Creating an Identity Provider asrc casIettPoie(plcto:Apiain btat ls dniyrvdrapiain plcto) etnsPui wt Rgsrbe xed lgn ih eital { . . dfdAt[])ipii rqet RqetA)Ete[eut ScaUe] e ouhA((mlct eus: eus[]:ihrRsl, oilsr dfflPoieue:ScaUe)ScaUe e ilrfl(sr oilsr:oilsr . . }
- 21. What's next OpenID support More providers (eg:Foursquare, Wordpress, Yahoo). Account linking support
- 22. Main Sponsor Previous sponsor
- 23. Q&A
- 24. Links Project site: http://www.securesocial.ws GitHub: https://github.com/jaliss/securesocial