Providing Security Using "Akka-Http" - Knoldus Blogs
source link: https://blog.knoldus.com/providing-security-using-akka-http/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Providing Security Using "Akka-Http"
Reading Time: 3 minutes
While building any application (small or big) Security is one of the most concerned issue, that should be handled properly by the developer. Moreover quality of any application is directly proportional to the level of security provided by the application to its users.
In information technology world term Securityis made up of two terminologies called authentication and authorization where Authentication is the process of establishing a known identity for the user, whereby ‘identity’ is defined in the context of the application and Authorization is the process of determining, whether a given user is allowed access to a given resource or not.
Akka-Http provides effective ways to achieve both authentication and authorization while developing rest end points as akka-http implements the “‘Basic’ HTTP Authentication Scheme” that provides a general framework for access control and authentication, via an extensible set of challenge-response authentication schemes, which can be used by a server to challenge a client request and by a client to provide authentication information.
Security Directives
Akka-http provides various security directives to achieve authentication as well as authorization, some of them are :-
authenticateBasic
Wraps the inner route with Http Basic authentication support using a given Authenticator[T]
.Provides support for handling HTTP Basic Authentication.
Given a function returning Some[T]
upon successful authentication and None
otherwise, respectively applies the inner route or rejects the request with a AuthenticationFailedRejection
rejection, which by default is mapped to an 401 Unauthorized
response.
Standard HTTP-based authentication which uses the WWW-Authenticate
header containing challenge data and Authorization
header for receiving credentials is implemented in subclasses of HttpAuthenticator
.
Standard HTTP-based authentication which uses the WWW-Authenticate
header containing challenge data and Authorization
header for receiving credentials is implemented in subclasses of HttpAuthenticator
.
Signature
type Authenticator[T] = Credentials ⇒ Option[T]
def authenticateBasic[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T]
Note : Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.
authenticateBasicAsync
Longer-running authentication tasks (like looking up credentials in a database) should use the authenticateBasicAsync variant of this directive which allows it to run without blocking routing layer of Akka HTTP, freeing it for other requests.
Wraps the inner route with Http Basic authentication support using a given AsyncAuthenticator[T]
.
This variant of the authenticateBasic directive returns a Future[Option[T]]
which allows freeing up the routing layer of Akka HTTP, freeing it for other requests. It should be used whenever an authentication is expected to take a longer amount of time (e.g. looking up the user in a database).
In case the returned option is None
the request is rejected with a AuthenticationFailedRejection
, which by default is mapped to an 401 Unauthorized
response.
Standard HTTP-based authentication which uses the WWW-Authenticate
header containing challenge data and Authorization
header for receiving credentials is implemented in subclasses of HttpAuthenticator
.
Signature
type AsyncAuthenticator[T] = Credentials ⇒ Future[Option[T]]
def authenticateBasicAsync[T](realm: String, authenticator: AsyncAuthenticator[T]): AuthenticationDirective[T]
Note : Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.
authenticateOAuth2
Wraps the inner route with OAuth Bearer Token authentication support using a given AuthenticatorPF[T]
Provides support for extracting the so-called “Bearer Token” from the Authorization
HTTP Header, which is used to initiate an OAuth2 authorization.
Some[T]
upon successful authentication and None
otherwise, respectively applies the inner route or rejects the request with a AuthenticationFailedRejection
rejection, which by default is mapped to an 401 Unauthorized
response.Signature
type Authenticator[T] = Credentials ⇒ Option[T]
def authenticateOAuth2[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T]
Note :- This directive does not implement the complete OAuth2 protocol, but instead enables implementing it, by extracting the needed token from the HTTP headers.
authorize
Applies the given authorization check to the request.
The user-defined authorization check can either be supplied as a => Boolean
value which is calculated just from information out of the lexical scope, or as a function RequestContext => Boolean
which can also take information from the request itself into account.
If the check returns true
the request is passed on to the inner route unchanged, otherwise an AuthorizationFailedRejection
is created, triggering a 403 Forbidden
response by default (the same as in the case of an AuthenticationFailedRejection
).
In a common use-case you would check if a user (e.g. supplied by any of the authenticate*
family of directives, e.g. authenticateBasic) is allowed to access the inner routes, e.g. by checking if the user has the needed permissions.
Signature
def authorize(check: ⇒ Boolean): Directive0
def authorize(check: RequestContext ⇒ Boolean): Directive0
Official Documentation: here Thanks for reading, keep sharing.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK