Saad Attieh

Reputation: 1486

Proper use of @Security.Authenticated(Secured.class) statement in Play FrameWork

Hi, I am having trouble understanding how to properly use the @Security.Authenticated(Secured.class) statement within the Play Framework.

I am trying to make sure that only authenticated users can access their accounts. Following from the example provided in the Play docs, it appears that their authentication allows a single user to access every user's account once logged in, rather than just their own.

Normally I would have assumed that you simply get the session value within the action say,

    public static Result viewAccount(String account) {
        //get session value and check against account name
    }

However, the docs use another route: they define a class

    public class Secured extends Security.Authenticator {
        @Override
        public String getUsername(Context ctx) {
            return ctx.session().get("username");
        }

        @Override
        public Result onUnauthorized(Context ctx) {
            return redirect(routes.Application.login());
        }
    }

Apparently now simply using the statement @Security.Authenticated(Secured.class) before an action ensures that it is authenticated. But by my understanding and testing this does not block users from logging in to anyone's account, as it passes simply if a session value exists, and not if it matches. How do I fix this?

Should I just directly compare the session value? What is the purpose then of @Security.Authenticated(Secured.class)?

Thanks. (Edit) To clarify: I want to allow users to be authorised only to see their own accounts and not others'.
So when the statement

    @Security.Authenticated(Secured.class)

is used, I would like it to not only check for the presence of a session id but also check that it matches an account.

Upvotes: 3

Views: 5585

Answers (1)

Vidya

Reputation: 30320

Maybe I don't understand your question, but in the documentation you see how to create a login form and actually perform the authentication. Only after that happens does the email session value exist. If that value is in the session, then the user must have logged in with the proper credentials and must have been authenticated.

Of course, if User A knows the credentials of User B, nothing can help that.

If instead you are concerned about authorization, deciding who can see what upon authentication, then you can do a lot of things, including leveraging OAuth support in Play proper or a plugin like this one.

Upvotes: 2
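The distinction the answer draws (authentication: "is someone logged in?" versus authorization: "may this user see this account?") is easiest to see side by side in code. The following is an added example written for this page; it is not code from the question, the answer or the Play documentation. It keeps the Secured authenticator from the question unchanged and adds the per-account check inside the action, which is where Play 2.x Java expects it. The `routes.Application.login()` route and the `views.html.account` template are assumed to exist; `Controller.session(String)` is the standard Play 2 Java helper for reading a session value.

```java
// file app/controllers/Secured.java
package controllers;

import play.mvc.Http;
import play.mvc.Result;
import play.mvc.Security;

// Authentication only: answers "is there a logged-in user at all?".
// It cannot see the route parameter, so it cannot compare users to accounts.
public class Secured extends Security.Authenticator {
    @Override
    public String getUsername(Http.Context ctx) {
        // Returning null makes Play call onUnauthorized instead of the action.
        return ctx.session().get("username");
    }

    @Override
    public Result onUnauthorized(Http.Context ctx) {
        return redirect(routes.Application.login()); // assumed login route
    }
}

// file app/controllers/Accounts.java
package controllers;

import play.mvc.Controller;
import play.mvc.Result;
import play.mvc.Security;

public class Accounts extends Controller {

    // Pure function so the ownership rule can be unit-tested without a request.
    // Treats a missing session value as "not the owner".
    static boolean ownsAccount(String sessionUser, String requestedAccount) {
        return sessionUser != null && sessionUser.equals(requestedAccount);
    }

    // Step 1, authentication: the annotation guarantees a "username" session
    // value exists before the body runs (otherwise Secured redirects to login).
    @Security.Authenticated(Secured.class)
    public static Result viewAccount(String account) {
        String currentUser = session("username");

        // Step 2, authorization: the logged-in user may only view their own account.
        // Without this check, any authenticated user could request any account name.
        if (!ownsAccount(currentUser, account)) {
            return forbidden("You may only view your own account.");
        }

        return ok(views.html.account.render(account)); // assumed template
    }
}
```

The session value can be trusted as the identity of the caller because Play stores the session in a cookie signed with the application secret, so a client cannot rewrite `username` to another user's name; what the annotation does not do, and what the action must do, is compare that identity with the resource being requested.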
