GuidesDiscussionsJava API
Get the book!

Authorized routes

Suggest Edits

If you don't want to add authorization constraints directly into your controllers, you can instead apply them to the routes of the application.

To get started, you will need to enable DeadboltRoutePathFilterModule in your application.conf. Note that you also need DeadboltModule.

play {
  modules {
    enabled += be.objectify.deadbolt.scala.DeadboltModule
    enabled += be.objectify.deadbolt.scala.filters.DeadboltRoutePathFilterModule
  }
}

This module provides two of the three components required for route filtering; DeadboltFilter and FilterConstraints. The third component will be a class you write, extending be.objectify.deadbolt.scala.filters.AuthorizedRoutes. This extended class defines the route constraints, and needs to be bound into the dependency injection context.

Take a simple routes file, which has two routes; one is a static route, the other is dynamic. A static route is simply one that does not contain variables.

GET     /profile                    controllers.Application.profile
GET     /view/:foo/:bar             controllers.Application.view(foo: String, bar: String)

Authorization for these routes could be defined as follows - the static route (/profile) only requires that a subject be present, while the dynamic route requires that a subject be present and have a role giving membership of a certain group.

import javax.inject.Inject

import be.objectify.deadbolt.scala.allOfGroup
import be.objectify.deadbolt.scala.filters.{AuthorizedRoute, AuthorizedRoutes, FilterConstraints}
import be.objectify.deadbolt.scala.filters._

class MyAuthorizedRoutes @Inject() (filterConstraints: FilterConstraints) extends AuthorizedRoutes {

  override val routes: Seq[AuthorizedRoute] =
    Seq(AuthorizedRoute(Get, "/profile", filterConstraints.subjectPresent, handler=None),
        AuthorizedRoute(Any, "/view/$foo<[^/]+>/$bar<[^/]+>", filterConstraints.restrict(allOfGroup("someRole"))), handler=None)
}

One of the first things that becomes apparent on reading this code is /view/:foo/:bar is suddenly /view/$foo<[^/]+>/$bar<[^/]+>. This is because Play compiles the routes file - however, don't worry! These compiled routes will be displayed if you visit any invalid URL in development mode (I tend to use something like http://localhost:9000/@foo) - this means you can copy and paste the exact route definition straight out of the browser. Note that /profile remains unchanged - this is because it is a static route.

Taking a closer look at a single route authorization, you can see it has four parameters. There are

  • the method. All common methods are defined in be.objectify.deadbolt.scala.filters._. The method is simply the HTTP method name as an Option. There is also Any, which means any method for that path pattern will cause a match.
  • the path pattern.
  • the constraint. All Deadbolt constraints, including composite constraints, can be used. Use the filterConstraints instance to create these constraints.
  • the handler to use for this constraint. This has a default value of None, meaning the handler provided by HandlerCache.apply() will be used.

be.objectify.deadbolt.scala.filters.FilterConstraints defines all existing Deadbolt constraint types, but if you need to use something else, you need to implement the be.objectify.deadbolt.scala.filters.FilterFunction trait.

You now need to provide a binding for AuthorizedRoutes. If you already have a custom module for your other Deadbolt integrations, you can put it in there, otherwise create a new module.

import be.objectify.deadbolt.scala.filters.AuthorizedRoutes
import play.api.inject.{Binding, Module}
import play.api.{Configuration, Environment}

class CustomDeadboltFilterHook extends Module {
  override def bindings(environment: Environment, configuration: Configuration): Seq[Binding[_]] = Seq(
    bind[AuthorizedRoutes].to[MyAuthorizedRoutes]
  )
}

You will also need to enable this module in application.conf.

Finally, you need to add DeadboltRoutePathFilter in your filter definitions. You can read more about how to use filters in Play at https://playframework.com/documentation/2.5.x/ScalaHttpFilters.

import javax.inject.Inject
import play.api.http.HttpFilters
import be.objectify.deadbolt.scala.filters.DeadboltRoutePathFilter

class Filters @Inject() (
  deadbolt: DeadboltRoutePathFilter
) extends HttpFilters {

  val filters = Seq(deadbolt)
}

Compile-time dependency injection

The instructions above focused on run-time dependency injection. If you prefer to use compile-time dependency injection, you can skip enabling DeadboltRoutePathFilterModule. Instead, use theDeadboltFilterComponents trait to provide the necessary components; again, you will need to provide an instance of a class extending AuthorizedRoutes yourself.

Updated less than a minute ago