Security
Hot framework supports security out of the box. You can easily secure your entire app or just some of your REST endpoints.
Hot allows you to add authentication and authorisation based on multiple backend technologies:
- Database
- LDAP
- OAuth (Twitter)
- OAuth2 (Facebook, Google)
The nice thing is that you secure your app the same way regardless of the underlying login backend.
To secure your app, simply use the hot CLI.
The Database backend uses a set of tables previously created in one of the datasources defined in your project.
The following command adds the DB-based security layer to your app:

$> hot auth-db -n <datasource_name> [-u <username>] [-p <password>] [-roles <comma separated list of roles>]

 -n,--name <arg>        Name of the datasource
 -p,--password <arg>    Default password (associated to username) to insert in the DB (optional)
 -roles <arg>           List of roles associated to username (optional)
 -u,--username <arg>    Default username to insert in the DB (optional)
The datasource must be previously defined in your project. You can optionally create a default user via the username, password and roles parameters.
The users and authorities tables must be created before adding the authentication backend. They contain the user records and their associated roles. Note that the password column in the schemas below is 50 characters wide; a bcrypt hash is 60 characters, so widen the column if that is how you store passwords.
HSQLDB syntax:

CREATE TABLE users(
  username varchar_ignorecase(50) NOT NULL PRIMARY KEY,
  password varchar_ignorecase(50) NOT NULL,
  enabled boolean not null);
CREATE TABLE authorities (
  username varchar_ignorecase(50) NOT NULL,
  authority varchar_ignorecase(50) NOT NULL,
  CONSTRAINT fk_authorities_users foreign key(username) references users(username));
CREATE UNIQUE INDEX ix_auth_username on authorities (username,authority);

MySQL syntax:

CREATE TABLE IF NOT EXISTS users(
  username varchar(50) NOT NULL PRIMARY KEY,
  password varchar(50) NOT NULL,
  enabled boolean not null) engine = InnoDb;
CREATE TABLE IF NOT EXISTS authorities (
  username varchar(50) NOT NULL,
  authority varchar(50) NOT NULL,
  foreign key (username) references users(username)) engine = InnoDb;
CREATE UNIQUE INDEX ix_auth_username on authorities (username,authority);

Oracle syntax:

create table users(
  username varchar2(50) not null primary key,
  password varchar2(50) not null,
  enabled number(1) not null
);
create table authorities (
  username varchar2(50) not null,
  authority varchar2(50) not null,
  constraint fk_authorities_users foreign key(username) references users(username)
);

The LDAP backend uses an LDAP server to handle authentication and authorisation.
The following command adds the LDAP-based security layer to your app:

$> hot auth-ldap -url <ldap url> [ -udp <user-dn-patterns> | -usb <user-search-base> -usf <user-search-filter> ] [ -gsb <group-search-base> -gsf <group-search-filter> ]

 -gsb,--group-search-base <arg>     search base for group searches (optional)
 -gsf,--group-search-filter <arg>   the LDAP filter to search for groups (optional)
 -udp,--user-dn-patterns <arg>      the LDAP patterns for finding the usernames (optional)
 -url <arg>                         ldap url in the form of 'ldap://example.com:389/dc=example,dc=com'
 -usb,--user-search-base <arg>      search base for user searches (optional)
 -usf,--user-search-filter <arg>    the LDAP filter used to search for users (optional)

Either give a DN pattern (-udp) or a search base and filter (-usb/-usf) to locate the user entry; the group options are only needed if roles are read from LDAP groups. A simple bind over a plain ldap:// URL sends the user's password in clear text, so use an ldaps:// URL where your LDAP server and deployment support it.
You can add an OAuth2-based Facebook login backend. Your app must be registered on Facebook and you must have received an App ID/App Secret pair.
The following command adds the Facebook-login-based security layer to your app:

$> hot auth-facebook -id <App id> -sec <App secret>

 -id,--app-id <arg>        Facebook provided application id
 -sec,--app-secret <arg>   Facebook provided application secret

The secret is passed on the command line (this also applies to the Twitter and Google commands below), so it will end up in your shell history; treat that history as sensitive or clear it afterwards.
You can add an OAuth-based Twitter login backend. Your app must be registered on Twitter and you must have received a consumer key/password pair.
The following command adds the Twitter-login-based security layer to your app:

$> hot auth-twitter -ck <consumer key> -cp <consumer password>

 -ck,--consumer-key <arg>        Twitter provided OAuth consumer key
 -cp,--consumer-password <arg>   Twitter provided OAuth consumer password
You can add an OAuth2-based Google login backend. Your app must be registered on Google and you must have received a client ID/secret pair.
The following command adds the Google-login-based security layer to your app:

$> hot auth-google -id <client ID> -sec <client secret>

 -id,--client-id <arg>       The client ID you obtained from the Google Developers Console
 -sec,--client-secret <arg>  The client secret you obtained from the Google Developers Console
Each of the backend commands also accepts the -r flag:

$> hot auth-db -r
$> hot auth-ldap -r
$> hot auth-facebook -r
$> hot auth-twitter -r
$> hot auth-google -r
To secure access to static resources located in the www folder, simply put an empty .secure file in each directory you wish to secure.
Access to these resources through a web browser redirects the user either to a login.html page located in www, if it exists, or to a generated login form.
To secure your REST endpoints, chain the auth() method onto the get/post/put/delete methods. Without arguments, the endpoint requires the user to be authenticated (using Form, Basic or OAuth authentication).
You can optionally pass a list of roles a user needs to have in order to access an endpoint. Hot automatically retrieves roles from the database or from LDAP, depending on the configured backend. In the OAuth scenarios, no roles are associated with the user, so a role-restricted endpoint cannot be reached through a Facebook, Twitter or Google login.

rest.post("/rem/modifications").auth('EDITOR', 'PLANNER', 'SYSTEM').then { req -> ... }
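The following is an added example, not code from Hot itself, that models what the Database backend section and the auth() description above imply: the users/authorities schema from the page is loaded into an in-memory SQLite database (SQLite has no varchar_ignorecase, so COLLATE NOCASE stands in for it), a few constructed users are inserted, and an authorize() function applies the two checks an auth() call needs: the user must exist and be enabled, and, when roles are listed, hold at least one of them. Any-of semantics for the role list, the user names and the role names are assumptions; password verification is left out because the page does not say how Hot stores or compares passwords. The add_role() helper shows the schema itself rejecting a duplicate role (via ix_auth_username) and a role for an unknown user (via the foreign key).

```python
import sqlite3

# Constructed copy of the users/authorities schema from the page, in SQLite syntax.
# COLLATE NOCASE reproduces the case-insensitive matching of varchar_ignorecase.
SCHEMA = """
CREATE TABLE users (
    username VARCHAR(50) COLLATE NOCASE NOT NULL PRIMARY KEY,
    password VARCHAR(50) NOT NULL,
    enabled  BOOLEAN NOT NULL
);
CREATE TABLE authorities (
    username  VARCHAR(50) COLLATE NOCASE NOT NULL,
    authority VARCHAR(50) COLLATE NOCASE NOT NULL,
    CONSTRAINT fk_authorities_users FOREIGN KEY (username) REFERENCES users(username)
);
CREATE UNIQUE INDEX ix_auth_username ON authorities (username, authority);
"""

# Constructed sample users (hypothetical names; passwords are placeholders and
# are never checked in this example).
USERS = [
    ("alice",   "not-checked", True),   # enabled, holds EDITOR and PLANNER
    ("bob",     "not-checked", True),   # enabled, holds no role at all
    ("mallory", "not-checked", False),  # disabled account that still holds SYSTEM
]
AUTHORITIES = [("alice", "EDITOR"), ("alice", "PLANNER"), ("mallory", "SYSTEM")]


def open_db():
    """Create the in-memory database, enable FK checks and load the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked to
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO authorities VALUES (?, ?)", AUTHORITIES)
    conn.commit()
    return conn


def load_roles(conn, username):
    """The role lookup a DB backend performs when auth(...) lists roles."""
    rows = conn.execute(
        "SELECT authority FROM authorities WHERE username = ?", (username,))
    return {row[0].upper() for row in rows}


def authorize(conn, username, *required_roles):
    """Model of auth(): with no roles the user only has to exist and be enabled;
    with roles the user must be enabled and hold at least one of them
    (any-of semantics is an assumption, the page does not state it)."""
    row = conn.execute(
        "SELECT enabled FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or not row[0]:
        return False  # unknown or disabled account: denied even if roles exist
    if not required_roles:
        return True   # auth() without arguments: authenticated is enough
    wanted = {role.upper() for role in required_roles}
    return bool(load_roles(conn, username) & wanted)


def add_role(conn, username, role):
    """Return True if the authority row was inserted, False if the schema
    rejected it: a duplicate (username, authority) pair hits ix_auth_username,
    a username with no users row hits fk_authorities_users."""
    try:
        with conn:
            conn.execute("INSERT INTO authorities VALUES (?, ?)", (username, role))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_db()
    print(authorize(db, "alice"))                                # True
    print(authorize(db, "alice", "EDITOR", "PLANNER", "SYSTEM")) # True
    print(authorize(db, "bob", "EDITOR"))                        # False: no role
    print(authorize(db, "mallory", "SYSTEM"))                    # False: disabled
    print(add_role(db, "alice", "editor"))                       # False: duplicate (case-insensitive)
    print(add_role(db, "nobody", "EDITOR"))                      # False: no such user
```

The disabled-account case is the one worth keeping in mind: a user whose enabled flag is false is refused even though matching authorities rows still exist, which is why the role lookup alone is never sufficient and the enabled check comes first. The unique index also means that repeated -roles values for the same user are collapsed rather than duplicated.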