Table of contents

Reading Time: 3 minutes

While building any application (small or big) Security is one of the most concerned issue, that should be handled properly by the developer. Moreover quality of any application is directly proportional to the level of security provided by the application to its users.

In information technology world term Security is made up of two terminologies called authentication and authorization where Authentication is the process of establishing a known identity for the user, whereby ‘identity’ is defined in the context of the application and Authorization is the process of determining, whether a given user is allowed access to a given resource or not.

Akka-Http provides effective ways to achieve both authentication and authorization while developing rest end points as akka-http implements the “‘Basic’ HTTP Authentication Scheme” that provides a general framework for access control and authentication, via an extensible set of challenge-response authentication schemes, which can be used by a server to challenge a client request and by a client to provide authentication information.

Security Directives

Akka-http provides various security directives to achieve authentication as well as authorization, some of them are :-

authenticateBasic

Wraps the inner route with Http Basic authentication support using a given Authenticator[T].Provides support for handling HTTP Basic Authentication.

Given a function returning Some[T] upon successful authentication and None otherwise, respectively applies the inner route or rejects the request with a AuthenticationFailedRejection rejection, which by default is mapped to an 401 Unauthorized response.

Standard HTTP-based authentication which uses the WWW-Authenticate header containing challenge data and Authorization header for receiving credentials is implemented in subclasses of HttpAuthenticator.

Signature

type Authenticator[T] = Credentials ⇒ Option[T]

def authenticateBasic[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T]

Note : Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

authenticateBasicAsync

Longer-running authentication tasks (like looking up credentials in a database) should use the authenticateBasicAsync variant of this directive which allows it to run without blocking routing layer of Akka HTTP, freeing it for other requests.

Wraps the inner route with Http Basic authentication support using a given AsyncAuthenticator[T].

This variant of the authenticateBasic directive returns a Future[Option[T]] which allows freeing up the routing layer of Akka HTTP, freeing it for other requests. It should be used whenever an authentication is expected to take a longer amount of time (e.g. looking up the user in a database).

In case the returned option is None the request is rejected with a AuthenticationFailedRejection, which by default is mapped to an 401 Unauthorizedresponse.

Signature

type AsyncAuthenticator[T] = Credentials ⇒ Future[Option[T]]

def authenticateBasicAsync[T](realm: String, authenticator: AsyncAuthenticator[T]): AuthenticationDirective[T]

Note : Make sure to use basic authentication only over SSL/TLS because credentials are transferred in plaintext.

authenticateOAuth2

Wraps the inner route with OAuth Bearer Token authentication support using a given AuthenticatorPF[T]

Provides support for extracting the so-called “Bearer Token” from the Authorization HTTP Header, which is used to initiate an OAuth2 authorization.

Signature

type Authenticator[T] = Credentials ⇒ Option[T]

def authenticateOAuth2[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T]

Note :- This directive does not implement the complete OAuth2 protocol, but instead enables implementing it, by extracting the needed token from the HTTP headers.

authorize

Applies the given authorization check to the request.

The user-defined authorization check can either be supplied as a => Boolean value which is calculated just from information out of the lexical scope, or as a function RequestContext => Boolean which can also take information from the request itself into account.

If the check returns true the request is passed on to the inner route unchanged, otherwise an AuthorizationFailedRejection is created, triggering a 403 Forbidden response by default (the same as in the case of an AuthenticationFailedRejection).

In a common use-case you would check if a user (e.g. supplied by any of the authenticate* family of directives, e.g. authenticateBasic) is allowed to access the inner routes, e.g. by checking if the user has the needed permissions.

Signature

def authorize(check: ⇒ Boolean): Directive0
def authorize(check: RequestContext ⇒ Boolean): Directive0

References:
Official Documentation: here Thanks for reading, keep sharing.

High performance systems

Data Engineering, Strategy and Analytics

Intelligence Driven Decisioning - AI/ML

Cloud Engineering

Architecture Strategy, Audit & Academy

Platforms

KDP

KDSP

Products

Premon

Studio9

Tech Hub

Akka

Scala

Rust

Spark

Functional Java

Kafka

Flink

ML/AI

DevOps

Data Warehouse

Travel

Retail

Finance

Healthcare

Media and Publishing

Consumer Internet

Hi-tech & IoT

Case Studies

Blogs

Books

Community

Resources

OS contributions

Webinars

Knolx

Check out our open positions

Services

Go to Overview

Accelerators

Go to Overview

Platforms

Products

TechHub

Industries

Go to Overview

Travel

Insights

Go to Overview

Providing Security Using “Akka-Http”

Security Directives

authenticateBasic

Signature

authenticateBasicAsync

Signature

authenticateOAuth2

Signature

authorize

Signature

Share the Knol:

Related

Written by Nitin Aggarwal

COMPANY

Sign up to our newsletter

Certificates

Partners

© 2023 Knoldus, Inc. All Rights Reserved.

Part of NashTech

Privacy Policy | Sitemap

Discover more from Knoldus Blogs

Check out our
open positions