SecureSocial - Authentication for Play Framework
Slides for the SecureSocial presentation at the Scala BASE meetup in Palo Alto on Dec 12th 2012

Presentation Transcript

  • SecureSocial
    Authentication Module for Play!
    Jorge Aliss @jaliss
    Sponsored by
  • Agenda
    Overview
    Main concepts: Identity Providers, Identity, UserService
    Installation
    Configuration
    Protecting Actions
    UsernamePassword provider
    Password rules and hashing algorithms
    Views customization
    Internationalization
    Extending SecureSocial
  • Overview
    What does it do?
    Why did I do it?
    11/11/2011: First release (Play 1)
    06/05/2012: Play 2 version
  • Demo
  • Identity Providers
    A provider implements the logic required to support an authentication scheme.
    OAuth 1: Twitter, LinkedIn
    OAuth 2: Facebook, Google, GitHub
    OpenID (coming soon)
    Username and Password
    Your own provider
  • Identity
    Represents a user in a Provider. Providers return an instance of this trait upon successful authentication. Modeled with a trait in Scala and an interface on the Java API.

        trait Identity {
          def id: UserId
          def firstName: String
          def lastName: String
          def fullName: String
          def email: Option[String]
          def avatarUrl: Option[String]
          def authMethod: AuthenticationMethod
          def oAuth1Info: Option[OAuth1Info]
          def oAuth2Info: Option[OAuth2Info]
          def passwordInfo: Option[PasswordInfo]
        }
  • UserService
    Provides a way to persist/find Identities from a backing store. No imposed persistence mechanism: the developer is free to use anything. Any class implementing Identity can be returned, which allows you to return your own model class.

        trait UserService {
          def find(id: UserId): Option[Identity]
          def findByEmailAndProvider(email: String, providerId: String): Option[Identity]
          def save(user: Identity)
          // the methods that handle tokens are used
          // in sign up and reset password requests
          def save(token: Token)
          def findToken(token: String): Option[Token]
          def deleteToken(uuid: String)
          def deleteExpiredTokens()
        }
  • Installation
    Available as a downloadable dependency. Stable versions and master snapshots.

        object ApplicationBuild extends Build {
          val appName = "MyApp"
          val appVersion = "1.0"
          val appDependencies = Seq(
            "securesocial" % "securesocial_2.9.1" % "2.0.7"
          )
          val main = PlayProject(appName, appVersion, appDependencies, mainLang = SCALA).settings(
            resolvers += Resolver.url("SecureSocial Repository",
              url("http://securesocial.ws/repository/releases/"))(Resolver.ivyStylePatterns)
          )
        }
  • Configuration
    Settings go in a securesocial section of your conf file.
    Global settings: onLoginGoTo, onLogoutGoTo, ssl

        securesocial {
          onLoginGoTo=/
          onLogoutGoTo=/login
          ssl=false   # set to true once the app is served over HTTPS, so generated URLs use https and the cookie is marked secure
        }
  • Configuration
    Username Password Provider (the userpass block goes inside the securesocial section)

        userpass {
          withUserNameSupport=false
          sendWelcomeEmail=true
          enableGravatarSupport=true
          tokenDuration=60        # minutes a sign-up / reset token stays valid
          tokenDeleteInterval=5   # minutes between runs of the expired-token job
          enableTokenJob=true
          hasher=bcrypt           # id of the PasswordHasher used for new passwords
          minimumPasswordLength=8
        }
  • Configuration
    OAuth 1 and OAuth 2 based providers

        twitter {
          requestTokenUrl="https://twitter.com/oauth/request_token"
          accessTokenUrl="https://twitter.com/oauth/access_token"
          authorizationUrl="https://twitter.com/oauth/authenticate"
          consumerKey=your_consumer_key
          consumerSecret=your_consumer_secret
        }

        facebook {
          authorizationUrl="https://graph.facebook.com/oauth/authorize"
          accessTokenUrl="https://graph.facebook.com/oauth/access_token"
          clientId=your_client_id
          clientSecret=your_client_secret
          scope=email
        }
  • Protecting Actions
    SecuredAction: intercepts requests and redirects them to a login page if the user is not authenticated (returns an Unauthorized (401) error for ajax calls instead of redirecting).
    Authorization: SecuredActions can receive an Authorization instance that checks if an authenticated user is authorized to execute it. Renders an error page (returns Forbidden (403) for ajax calls).
  • SecuredAction
    Add the SecureSocial trait to your controllers

        def myAction = SecuredAction { implicit request =>
          Ok(views.html.index(request.user))
        }

        // the boolean marks this as an ajax call: 401 instead of a redirect
        def myAjaxCall = SecuredAction(true) { implicit request =>
          Ok(Json.toJson(Map("message" -> "hello"))).as(JSON)
        }
  • Authorization
    To add authorization logic to an action you need to implement the Authorization trait.

        case class WithRole(role: Role) extends Authorization {
          def isAuthorized(identity: Identity): Boolean = {
            identity match {
              case user: User => user.hasRole(role)
              case _ =>
                // not a User object: log the error and deny
                false
            }
          }
        }

        def myAction = SecuredAction(WithRole(Admin)) { implicit request =>
          Ok(views.html.index(request.user))
        }
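    The UserService slide says any class implementing Identity can be returned, and the WithRole authorization above pattern-matches on a User with hasRole. The block below is an added example, not SecureSocial's own code, that wires those two slides together: an application-defined User model carrying roles, and an in-memory UserService that returns it so request.user is a User by the time WithRole(Admin) runs. It assumes the SecureSocial 2.0.x types shown on the slides (Identity, UserId, Token, PasswordInfo, AuthenticationMethod) plus UserServicePlugin, the Application-constructor plugin base class the library provides, and Token.isExpired; Role, Admin, Member, User, InMemoryUserService, the play.plugins priority and the "keep roles granted earlier" policy are this example's own choices.

```scala
// Added example (not SecureSocial's own code): application-defined User model
// with roles plus an in-memory UserService, so WithRole(Admin) has a User to match.
// Assumed: SecureSocial 2.0.x Identity/UserId/Token/PasswordInfo, the
// UserServicePlugin(application) base class and Token.isExpired.
package service

import play.api.Application
import securesocial.core._
import securesocial.core.providers.Token
import scala.collection.mutable

// Roles are application-defined; SecureSocial knows nothing about them.
sealed trait Role
case object Admin extends Role
case object Member extends Role

// Our own model class. Because it extends Identity, UserService.find can
// return it and SecuredAction hands it to the action as request.user.
case class User(
    id: UserId,
    firstName: String,
    lastName: String,
    fullName: String,
    email: Option[String],
    avatarUrl: Option[String],
    authMethod: AuthenticationMethod,
    oAuth1Info: Option[OAuth1Info],
    oAuth2Info: Option[OAuth2Info],
    passwordInfo: Option[PasswordInfo],
    roles: Set[Role]) extends Identity {
  def hasRole(role: Role): Boolean = roles.contains(role)
}

object User {
  // Copy the profile SecureSocial filled in; roles come from our own store.
  def fromIdentity(i: Identity, roles: Set[Role]): User =
    User(i.id, i.firstName, i.lastName, i.fullName, i.email, i.avatarUrl,
      i.authMethod, i.oAuth1Info, i.oAuth2Info, i.passwordInfo, roles)
}

// Registered in conf/play.plugins, e.g. "10000:service.InMemoryUserService".
// Demo/test only: state is lost on restart and is not shared between nodes.
class InMemoryUserService(application: Application) extends UserServicePlugin(application) {
  private val users  = mutable.Map.empty[UserId, User]
  private val tokens = mutable.Map.empty[String, Token]

  def find(id: UserId): Option[Identity] = users.synchronized(users.get(id))

  // Email lookup is provider-scoped: the same address may exist for several providers.
  def findByEmailAndProvider(email: String, providerId: String): Option[Identity] =
    users.synchronized {
      users.values.find(u => u.id.providerId == providerId && u.email.exists(_.equalsIgnoreCase(email)))
    }

  // Called on every successful sign-up/login with a fresh Identity from the
  // provider. Roles granted earlier are kept (assumed policy); new users are Members.
  def save(user: Identity): Unit = users.synchronized {
    val roles = users.get(user.id).map(_.roles).getOrElse(Set[Role](Member))
    users(user.id) = User.fromIdentity(user, roles)
  }

  // Sign-up and password-reset tokens, keyed by uuid.
  def save(token: Token): Unit = tokens.synchronized { tokens(token.uuid) = token }
  def findToken(token: String): Option[Token] = tokens.synchronized(tokens.get(token))
  def deleteToken(uuid: String): Unit = tokens.synchronized { tokens -= uuid }
  def deleteExpiredTokens(): Unit = tokens.synchronized {
    val expired = tokens.collect { case (uuid, t) if t.isExpired => uuid }.toList
    tokens --= expired
  }
}
```

    With this in place, SecuredAction(WithRole(Admin)) from the slide matches the User returned by find; an Identity that is not a User falls through to the second case and is denied rather than silently allowed.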
  • UsernamePassword Provider
    Enforces flows that prevent leaking information in the Signup, Login and Password recovery flows (for example, whether an email address already has an account).
    Password change functionality.
    Enforces password strength and hashing.
  • Password Validator
    Used to enforce password strength.
    DefaultPasswordValidator: checks the length specified in the settings file.
    To customize, implement PasswordValidator and register it in the play.plugins file.

        trait PasswordValidator extends Plugin {
          def isValid(password: String): Boolean
          def errorMessage: String
        }
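    A validator that checks more than length, as an added example (not the project's DefaultPasswordValidator). It implements the trait shown above and takes the Application constructor argument Play passes to plugins; the policy values (12 characters, three of four character classes, a small constructed deny-list of common passwords) and the class name are this example's own, and it assumes errorMessage is shown to the user as plain text.

```scala
// Added example (not SecureSocial's own code): a stricter PasswordValidator.
// Assumes the PasswordValidator trait from the slide and Play's convention of
// constructing plugins with the Application. Policy values are illustrative.
package service

import play.api.Application
import securesocial.core.PasswordValidator

class StrongPasswordValidator(application: Application) extends PasswordValidator {
  import StrongPasswordValidator._

  def isValid(password: String): Boolean = violations(password).isEmpty

  // Assumed to be displayed as-is by the sign-up / change password forms.
  def errorMessage: String =
    "Use at least %d characters with three of: lower case, upper case, digits, symbols; common passwords are rejected".format(MinLength)
}

object StrongPasswordValidator {
  val MinLength = 12

  // Constructed deny-list for the example; a real deployment loads a large one.
  private val Common = Set("password", "123456", "qwerty", "letmein", "welcome")

  // Pure policy check, kept separate from the plugin so it can be unit tested.
  // Returns the reasons a password fails; empty means it passes.
  def violations(password: String): List[String] = {
    val classes = Seq(
      password.exists(_.isLower),
      password.exists(_.isUpper),
      password.exists(_.isDigit),
      password.exists(c => !c.isLetterOrDigit && !c.isWhitespace)).count(identity)
    val lower = password.toLowerCase
    List(
      (password.length < MinLength)           -> "too short",
      (classes < 3)                            -> "too few character classes",
      Common.exists(w => lower.contains(w))    -> "contains a common password"
    ).collect { case (true, reason) => reason }
  }
}
```

    Register it in conf/play.plugins in place of the default (for example 11000:service.StrongPasswordValidator, the priority being an assumption); minimumPasswordLength in the conf file is read by the default validator only, so a custom one carries its own length rule.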
  • Password Hasher
    Built in (and recommended) is based on Bcrypt.
    Several can be configured, allowing easy migration to new algorithms as needed.
    PasswordInfo: stores the hashed password, an optional salt and the hasher id.
    Passwords are hashed with the default hasher.

        trait PasswordHasher extends Plugin with Registrable {
          def hash(plainPassword: String): PasswordInfo
          def matches(passwordInfo: PasswordInfo, suppliedPassword: String): Boolean
        }
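    To show the migration mechanism the slide describes, here is an added example of a second hasher, not code from SecureSocial: a PBKDF2 hasher built on the JDK's SecretKeyFactory. It assumes the PasswordHasher trait above, that Registrable contributes def id: String, and that PasswordInfo is PasswordInfo(hasher: String, password: String, salt: Option[String]); the class name, the id "pbkdf2", the iteration count and the hex encoding are this example's own choices. Because every stored PasswordInfo carries the id of the hasher that produced it, existing bcrypt records keep verifying with bcrypt after userpass.hasher is switched to the new id, while new passwords use PBKDF2.

```scala
// Added example (not SecureSocial's own code): a PBKDF2 PasswordHasher.
// Assumed: PasswordHasher trait from the slide, Registrable.id, and
// PasswordInfo(hasher, password, salt: Option[String]).
package service

import java.security.{MessageDigest, SecureRandom}
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import play.api.Application
import securesocial.core.{PasswordHasher, PasswordInfo}

class Pbkdf2PasswordHasher(application: Application) extends PasswordHasher {
  import Pbkdf2PasswordHasher._

  // This id is what securesocial.userpass.hasher refers to and what gets
  // stored in PasswordInfo.hasher, so later lookups find the right algorithm.
  def id: String = "pbkdf2"

  def hash(plainPassword: String): PasswordInfo = {
    val salt = new Array[Byte](16)
    random.nextBytes(salt)                          // fresh random salt per password
    PasswordInfo(id, hex(derive(plainPassword, salt, Iterations)), Some(hex(salt)))
  }

  def matches(passwordInfo: PasswordInfo, suppliedPassword: String): Boolean =
    passwordInfo.salt match {
      case Some(salt) if passwordInfo.hasher == id =>
        // constant-time comparison: do not stop at the first differing byte
        MessageDigest.isEqual(derive(suppliedPassword, unhex(salt), Iterations),
                              unhex(passwordInfo.password))
      case _ => false                               // wrong hasher or malformed record
    }
}

object Pbkdf2PasswordHasher {
  val Iterations = 20000                            // illustrative work factor
  private val random = new SecureRandom()

  // PBKDF2-HMAC-SHA1 from the JDK; 256-bit derived key.
  def derive(password: String, salt: Array[Byte], iterations: Int): Array[Byte] = {
    val spec = new PBEKeySpec(password.toCharArray, salt, iterations, 256)
    try SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded
    finally spec.clearPassword()                    // scrub the char[] copy
  }

  def hex(bytes: Array[Byte]): String = bytes.map("%02x".format(_)).mkString
  def unhex(s: String): Array[Byte] = s.grouped(2).map(Integer.parseInt(_, 16).toByte).toArray
}
```

    Register it in conf/play.plugins alongside the bcrypt hasher and set hasher=pbkdf2 in the userpass block; matches refuses records whose hasher id is not its own, so a bcrypt record is never mistakenly checked as PBKDF2.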
  • Views Customization
    Built in templates use Twitter Bootstrap.
    TemplatesPlugin: used to render views/emails.
    To customize: change the css, or implement and register it instead of the default one.

    Declarations in TemplatesPlugin:

        def getLoginPage[A](implicit request: Request[A],
                            form: Form[(String, String)],
                            msg: Option[String] = None): Html

        def getSignUpEmail(token: String)(implicit request: RequestHeader): String

    Default implementation:

        def getLoginPage[A](implicit request: Request[A],
                            form: Form[(String, String)],
                            msg: Option[String] = None): Html = {
          securesocial.views.html.login(form, msg)
        }

        def getSignUpEmail(token: String)(implicit request: RequestHeader): String = {
          securesocial.views.html.mails.signUpEmail(token).body
        }
  • Internationalization
    Built in messages are extracted.
    To customize: copy the messages from the sources into your messages file and change as needed.

        securesocial.login.title=Login
        securesocial.login.here=here
        securesocial.login.invalidCredentials=Invalid credentials
        securesocial.login.forgotPassword=Did you forget your password?
  • Creating an Identity Provider

        abstract class IdentityProvider(application: Application)
            extends Plugin with Registrable {
          ...
          def doAuth[A]()(implicit request: Request[A]): Either[Result, SocialUser]
          def fillProfile(user: SocialUser): SocialUser
          ...
        }
  • What's next
    OpenID support
    More providers (e.g. Foursquare, Wordpress, Yahoo)
    Account linking support
  • Main Sponsor
    Previous sponsor
  • Q&A
  • Links
    Project site: http://www.securesocial.ws
    GitHub:
  • Thank you Scala BASE