<dependency>
<groupId>de.whitefrog</groupId>
<artifactId>frogr-auth</artifactId>
<version>0.2.2</version>
</dependency>
The User model has to extend BaseUser
and defines our user, which can be passed in Service <services>
methods using the @Auth
annotation.
../../../examples/oauth/src/main/java/de/whitefrog/frogr/example/oauth/model/User.kt
As you can see the annotation @JsonView(Views.Secure::class)
is used on the friends
field. These views can be used on Service
methods too, and describe what can be seen by the user. The default is Views.Public::class
, so any field annotated with that @JsonView
is visible to everyone. Fields without @JsonView
annotation are always visible.
BaseUser
provides some commonly used fields describing a user in an authentication environment:
../../../auth/src/main/java/de/whitefrog/frogr/auth/model/BaseUser.kt
You can write your own User class, but then you'll have to create your own oAuth implementation.
Warning: Be cautious with Views.Secure
on Service
methods, as it could reveal sensitive data. So it's best to have custom methods like findFriendsOfFriends
for example to get all friends of the users friends instead of the common search function.
Next, we'll have to define a repository for our users, extending BaseUserRepository
:
../../../examples/oauth/src/main/java/de/whitefrog/frogr/example/oauth/repository/UserRepository.java
The extended class BaseUserRepository
provides some basic functionality and security.
register(user)
Registration of a new user, passwords will be encrypted by default.
login(login, password)
Login method, encrypts the password automatically for you.
validateModel(context)
Overridden to ensure a password and a role is set on new users.
In our applications run
method, we need to set up some authentication configurations:
../../../examples/oauth/src/main/java/de/whitefrog/frogr/example/oauth/MyApplication.java
Inside the run
method, we set up RolesAllowedDynamicFeature
, which activates the previously used @RolesAllowed
annotation. We also set up AuthValueFactoryProvider.Binder
which activates the later described @Auth
injection annotation and AuthDynamicFeature
which activates the actual oAuth authentication.
Here's a simple service, that can only be called when the user is authenticated. The user will be passed as argument to the method:
../../../examples/oauth/src/main/java/de/whitefrog/frogr/example/oauth/rest/Persons.java
See how the @RolesAllowed(Role.User)
annotation is used, to only allow this method to registered users. You can always extend the Role class and use your own roles. Predefined roles are Admin
, User
and Public
.
The first (and only) parameter on findMorty
is annotated with @Auth
and has the type of our User
class created before. This will inject the currently authenticated user and also tells the application that this method is only allowed for authenticated users.
The extended class AuthCRUDService
provides some convenient methods for authentication and sets some default @RolesAllowed
annotations on the basic CRUD methods. All predefined methods are only allowed for registered and authenticated users.
authorize
Override to implement your access rules for specific models. Is used by default in create and update methods.
authorizeDelete
Override to implement your rules to who can delete specific models. Is used by default in delete method.