Integrating Deadbolt
Implementations of the be.objectify.deadbolt.java.DeadboltHandler interface are used to provide Deadbolt with what it needs to satisfy your project's authorization constraints. This interface has 4 functions.
- getSubject: gets the current user from, for example, the cache or database
- beforeAuthCheck: run a pre-authorization task that can block further execution
- onAuthFailure: defines behaviour for when authorization requirements are not met
- getDynamicResourceHandler: provides a hook into the dynamic constraint types

    package security;

    import be.objectify.deadbolt.core.models.Subject;
    import be.objectify.deadbolt.java.AbstractDeadboltHandler;
    import be.objectify.deadbolt.java.DynamicResourceHandler;
    import models.User;
    import play.libs.F;
    import play.mvc.Http;
    import play.mvc.Result;
    import views.html.accessFailed;

    public class MyDeadboltHandler extends AbstractDeadboltHandler
    {
        // DynamicResourceHandler is an interface, so it cannot be instantiated directly.
        // MyDynamicResourceHandler stands for your own implementation (hypothetical name).
        private final DynamicResourceHandler drh = new MyDynamicResourceHandler();

        public F.Promise<Result> beforeAuthCheck(Http.Context context)
        {
            // returning null means that everything is OK. Return a non-null
            // result if you want a redirect to a login page or somewhere else
            return F.Promise.pure(null);
        }

        public F.Promise<Subject> getSubject(final Http.Context context)
        {
            // in a real application, the user name would probably be in the session following a login process
            return F.Promise.promise(new F.Function0<Subject>()
            {
                @Override
                public Subject apply() throws Throwable {
                    // "userName" is an assumed session key; read the user name from
                    // wherever your session or authentication framework stores it
                    return User.findByUserName(context.session().get("userName"));
                }
            });
        }

        public DynamicResourceHandler getDynamicResourceHandler(Http.Context context)
        {
            // if you don't use dynamic or custom pattern constraints,
            // you can return null here
            return drh;
        }

        @Override
        public F.Promise<Result> onAuthFailure(Http.Context context,
                                               String content)
        {
            // you can return any result from here - forbidden, etc
            return F.Promise.promise(new F.Function0<Result>()
            {
                @Override
                public Result apply() throws Throwable {
                    return ok(accessFailed.render());
                }
            });
        }
    }

You only need to implement be.objectify.deadbolt.java.DynamicResourceHandler if you're planning to use Dynamic or Pattern.CUSTOM constraints. Dynamic constraints are tests implemented entirely by your code. This interface has two functions:
- isAllowed: is used by the Dynamic constraint
- checkPermission: is used by the Pattern constraint when the pattern type is CUSTOM
In order to expose your handler (or handlers - you can have more than one) to Deadbolt, you will need to declare them in conf/application.conf. Handlers can be declared in two ways.
- If you only have one handler, you can use the deadbolt.java.handler key.

      deadbolt {
        java {
          handler=security.MyDeadboltHandler
        }
      }

- If you have multiple handlers, you can use the deadbolt.java.handlers key.

      deadbolt {
        java {
          handlers {
            defaultHandler=security.MyDeadboltHandler,
            someCustomName=security.MyOtherDeadboltHandler
          }
        }
      }

Note that deadbolt.java.handler and deadbolt.java.handlers.defaultHandler are synonyms; you can mix the two, with deadbolt.java.handler taking precedence over deadbolt.java.handlers.defaultHandler. Consider the following configuration.

    deadbolt {
      java {
        handler=security.MyDeadboltHandler,
        handlers {
          defaultHandler=security.MySecondDeadboltHandler,
          someCustomName=security.MyThirdDeadboltHandler
        }
      }
    }

The result of this will be the following active configuration, with MySecondDeadboltHandler nowhere to be found.

    defaultHandler=security.MyDeadboltHandler
    someCustomName=security.MyThirdDeadboltHandler
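
A configuration check for the precedence rule above, written against the Typesafe Config library that Play uses to read application.conf. This is an added example, not Deadbolt's own code: the class and method names are hypothetical, and the merge logic follows the description on this page rather than Deadbolt's source.

```java
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;
import com.typesafe.config.ConfigValue;
import java.util.Map;
import java.util.TreeMap;

// Added example; HandlerConfigCheck and its methods are hypothetical names.
public class HandlerConfigCheck {
    static final String SINGLE = "deadbolt.java.handler";
    static final String MULTI = "deadbolt.java.handlers";
    static final String DEFAULT_KEY = "defaultHandler";

    // Name -> class mapping after applying the precedence rule from the text.
    static Map<String, String> effectiveHandlers(Config conf) {
        Map<String, String> result = new TreeMap<>();
        if (conf.hasPath(MULTI)) {
            for (Map.Entry<String, ConfigValue> e : conf.getConfig(MULTI).entrySet()) {
                result.put(e.getKey(), String.valueOf(e.getValue().unwrapped()));
            }
        }
        if (conf.hasPath(SINGLE)) {
            result.put(DEFAULT_KEY, conf.getString(SINGLE)); // single key wins
        }
        return result;
    }

    // Returns the class that is declared but overridden, or null if there is none.
    static String shadowedDefault(Config conf) {
        String multiDefault = MULTI + "." + DEFAULT_KEY;
        if (conf.hasPath(SINGLE) && conf.hasPath(multiDefault)
                && !conf.getString(SINGLE).equals(conf.getString(multiDefault))) {
            return conf.getString(multiDefault);
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: the mixed configuration from the text.
        Config conf = ConfigFactory.parseString(
            "deadbolt { java {\n"
          + "  handler=security.MyDeadboltHandler,\n"
          + "  handlers {\n"
          + "    defaultHandler=security.MySecondDeadboltHandler,\n"
          + "    someCustomName=security.MyThirdDeadboltHandler\n"
          + "  }\n"
          + "} }");
        System.out.println("effective: " + effectiveHandlers(conf));
        System.out.println("shadowed:  " + shadowedDefault(conf));
    }
}
```

A non-null shadowed value means a handler class is declared in application.conf but never consulted for authorization decisions, which is worth flagging in a build or configuration review.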
