GuidesDiscussionsScala API
HomeGuidesAPI ReferenceChangelogDiscussions
GuidesDiscussionsScala APIGet the book!Log In
Guides
Get the book!
These docs are for v2.2. Click to read the latest docs for v2.6.3.

Integrating Deadbolt

Suggest Edits

Implementations of the be.objectify.deadbolt.java.DeadboltHandler interface are used to provide Deadbolt with what it needs to satisfy your project's authorization constraints. This interface has 4 functions.

  • getSubject gets the current user from, for example, the cache or database
  • beforeAuthCheck run a pre-authorization task that can block further execution
  • onAuthFailure defines behaviour for when authorization requirements are not met
  • getDynamicResourceHandler provides a hook into the dynamic constraint types
package security;

import be.objectify.deadbolt.core.models.Subject;
import be.objectify.deadbolt.java.AbstractDeadboltHandler;
import be.objectify.deadbolt.java.DynamicResourceHandler;
import models.User;
import play.libs.F;
import play.mvc.Http;
import play.mvc.SimpleResult;
import views.html.accessFailed;

public class MyDeadboltHandler extends AbstractDeadboltHandler
{
    private final DynamicResourceHandler drh = new DynamicResourceHandler();

    public F.Promise<SimpleResult> beforeAuthCheck(Http.Context context)
    {
        // returning null means that everything is OK.  Return a non-null 
        // result if you want a redirect to a login page or somewhere else
        return F.Promise.pure(null);
    }

    public Subject getSubject(Http.Context context)
    {
        return User.findByUserName(/*Get the user name from the session or authentication framework*/);
    }

    public DynamicResourceHandler getDynamicResourceHandler(Http.Context context)
    {
        // if you don't use dynamic or custom pattern constraints, 
        // you can return null here
        return drh;
    }

    @Override
    public F.Promise<SimpleResult> onAuthFailure(Http.Context context,
                                                 String content)
    {
        // you can return any result from here - forbidden, etc
        return F.Promise.promise(new F.Function0<SimpleResult>()
        {
            @Override
            public SimpleResult apply() throws Throwable {
                return ok(accessFailed.render());
            }
        });
    }
}

You only need to implement be.objectify.deadbolt.java.DynamicResourceHandler if you're planning to use Dynamic or Pattern.CUSTOM constraints. Dynamic constraints are tests implemented entirely by your code. This interface has two functions:

  • isAllowed is used by the Dynamic constraint
  • checkPermission is used by the Pattern constraint when the pattern type is CUSTOM

In order to expose your handler (or handlers - you can have more than one) to Deadbolt, you will need to declare them in conf/application.conf. Handlers can be declared in two ways.

  • If you only have one handler, you can use the deadbolt.java.handler key.
deadbolt {
  java {
    handler=security.MyDeadboltHandler
  }
}

If you have multiple handlers, you can use the deadbolt.java.handlers key.

deadbolt {
  java {
    handlers {
      defaultHandler=security.MyDeadboltHandler,
      someCustomName=security.MyOtherDeadboltHandler
    }
  }
}

Note that deadbolt.java.handler and deadbolt.java.handlers.defaultHandler are synonyms; you can mix the two, with deadbolt.java.handler taking precedence over deadbolt.java.handlers.defaultHandler. Take into account the following configuration.

deadbolt {
  java {
    handler=security.MyDeadboltHandler,
    handlers {
      defaultHandler=security.MySecondDeadboltHandler,
      someCustomName=security.MyThirdDeadboltHandler
    }
  }
}

The result of this will be the following active configuration, with MySecondDeadboltHandler nowhere to be found.

defaultHandler=security.MyDeadboltHandler
someCustomName=security.MyThirdDeadboltHandler

Updated less than a minute ago