Providing Security Using “Akka-Http”


While building any application (small or big) Security is one of the most concerned issue, that should be handled properly by the developer. Moreover quality of any application is directly proportional to the level of security provided by the application to its users.

In information technology world term Security is made up of two terminologies called authentication and authorization where Authentication is the process of establishing a known identity for the user, whereby ‘identity’ is defined in the context of the application and Authorization is the process of determining, whether a given user is allowed access to a given resource or not.

Akka-Http provides effective ways to achieve both authentication and authorization while developing rest end points as akka-http implements the “‘Basic’ HTTP Authentication Scheme” that provides a general framework for access control and authentication, via an extensible set of challenge-response authentication schemes, which can be used by a server to challenge a client request and by a client to provide authentication information.

Security Directives

Akka-http provides various security directives to achieve authentication as well as authorization, some of them are :-

authenticateBasic

Wraps the inner route with Http Basic authentication support using a given Authenticator[T].Provides support for handling HTTP Basic Authentication.

Given a function returning Some[T] upon successful authentication and None otherwise, respectively applies the inner route or rejects the request with a AuthenticationFailedRejection rejection, which by default is mapped to an 401 Unauthorized response.

Standard HTTP-based authentication which uses the WWW-Authenticate header containing challenge data and Authorization header for receiving credentials is implemented in subclasses of HttpAuthenticator.

Standard HTTP-based authentication which uses the WWW-Authenticate header containing challenge data and Authorization header for receiving credentials is implemented in subclasses of HttpAuthenticator.

Signature

type Authenticator[T] = CredentialsOption[T]
def authenticateBasic[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T]

Note : Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

authenticateBasicAsync

Longer-running authentication tasks (like looking up credentials in a database) should use the authenticateBasicAsync variant of this directive which allows it to run without blocking routing layer of Akka HTTP, freeing it for other requests.

Wraps the inner route with Http Basic authentication support using a given AsyncAuthenticator[T].

This variant of the authenticateBasic directive returns a Future[Option[T]] which allows freeing up the routing layer of Akka HTTP, freeing it for other requests. It should be used whenever an authentication is expected to take a longer amount of time (e.g. looking up the user in a database).

In case the returned option is None the request is rejected with a AuthenticationFailedRejection, which by default is mapped to an 401 Unauthorizedresponse.

Standard HTTP-based authentication which uses the WWW-Authenticate header containing challenge data and Authorization header for receiving credentials is implemented in subclasses of HttpAuthenticator.

Signature

type AsyncAuthenticator[T] = CredentialsFuture[Option[T]]
def authenticateBasicAsync[T](realm: String, authenticator: AsyncAuthenticator[T]): AuthenticationDirective[T]

Note : Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

authenticateOAuth2

Wraps the inner route with OAuth Bearer Token authentication support using a given AuthenticatorPF[T]

Provides support for extracting the so-called “Bearer Token” from the Authorization HTTP Header, which is used to initiate an OAuth2 authorization.

 Given a function returning Some[T] upon successful authentication and None otherwise, respectively applies the inner route or rejects the request with a AuthenticationFailedRejection rejection, which by default is mapped to an 401 Unauthorized response.

Signature

type Authenticator[T] = CredentialsOption[T]
def authenticateOAuth2[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T]

Note :- This directive does not implement the complete OAuth2 protocol, but instead enables implementing it, by extracting the needed token from the HTTP headers.

authorize

Applies the given authorization check to the request.

The user-defined authorization check can either be supplied as a => Boolean value which is calculated just from information out of the lexical scope, or as a function RequestContext => Boolean which can also take information from the request itself into account.

If the check returns true the request is passed on to the inner route unchanged, otherwise an AuthorizationFailedRejection is created, triggering a 403 Forbidden response by default (the same as in the case of an AuthenticationFailedRejection).

In a common use-case you would check if a user (e.g. supplied by any of the authenticate* family of directives, e.g. authenticateBasic) is allowed to access the inner routes, e.g. by checking if the user has the needed permissions.

Signature

def authorize(check:Boolean): Directive0
def authorize(check: RequestContextBoolean): Directive0
References:
Official  Documentation: here Thanks for reading, keep sharing.

knoldus-advt-sticker


Advertisements
This entry was posted in Scala. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s