h1. Secure module
The simple **Secure** module helps you set up basic authentication and authorization management for your application. It provides a simple **controllers.Secure** controller that defines a set of interceptors which you can easily add to your own controllers using the **@With** annotation.
h2. Enable the Secure module for the application
In the **/conf/application.conf** file, enable the Secure module by adding this line:
bc. # The secure module
module.secure=${play.path}/modules/secure
h2. Import default Secure routes
In the **conf/routes** file, import the default module routes by adding this line:
bc. # Import Secure routes
* / module:secure
p(note). **Note** that it is not required to use the default routes file. You can also define your own routes, or mix the two.
h2. Protecting a controller
To protect a controller you just have to annotate it with **@With**. For example:
bc. @With(Secure.class)
public class Application extends Controller {

    public static void index() {
        render();
    }

}
This controller will automatically be protected by the default authentication page.
h2. Customize the authentication mechanism
By default, the login page accepts any login/password. To customize it, your application has to provide a **Security** provider. Just create a class in the **controllers** package that extends the **controllers.Secure.Security** class. Then you can override the **authenticate(String username, String password)** method.
bc. package controllers;

import models.User;

public class Security extends Secure.Security {

    // Called by the Secure module with the credentials submitted on the login form.
    // Return true only when the account exists and the submitted password matches the stored one.
    static boolean authenticate(String username, String password) {
        User user = User.find("byEmail", username).first();
        return user != null && user.password.equals(password);
    }

}
p(note). **Note** that you can override other methods as well to customize how the application should react to authentication events (onAuthenticated, onDisconnected).
h2. Retrieving the connected user
From your application code, you can reuse the Security helper that you have just created to retrieve the connected user.
bc. @With(Secure.class)
public class Application extends Controller {

    public static void index() {
        String user = Security.connected();
        render(user);
    }

}
h2. Adding an authorization check
You can use the **@Check** annotation either on controller classes or on action methods to tell the Secure module to verify that the connected user has the required authorization to call the action.

For example:
bc. @With(Secure.class)
public class Application extends Controller {

    ...

    @Check("isAdmin")
    public static void delete(Long id) {
        ...
    }

}
By default the Secure module authorizes every check. You have to customize it by overriding one more method, **check(String profile)**, in your **Security** class.
bc. package controllers;

import models.User;

public class Security extends Secure.Security {

    ...

    // Called for every @Check("profile") the connected user hits.
    // The profile string is the value given to the annotation, e.g. "isAdmin".
    static boolean check(String profile) {
        User user = User.find("byEmail", connected()).first();
        if (user == null) {
            return false; // the session names an account that no longer exists
        }
        if ("isAdmin".equals(profile)) {
            return user.admin;
        }
        return false; // unknown profile: deny rather than silently allow
    }

}
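As an added example (not the page's or Play's own code), here is a complete **Security** provider that ties the pieces above together: **authenticate** verifies a PBKDF2 password hash with a constant-time comparison, **check** handles a missing user and unknown profiles, and **onAuthenticated** records the login. It assumes a **models.User** with **salt**, **passwordHash** and **role** fields, which the page's examples do not define.

```java
package controllers;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import models.User;
import play.Logger;

// Assumed model (not on the page): models.User has String email, byte[] salt,
// byte[] passwordHash (PBKDF2-HMAC-SHA256, 256-bit output) and String role.
public class Security extends Secure.Security {

    private static final int ITERATIONS = 100_000; // tune to roughly 100 ms on the host
    private static final byte[] DUMMY_SALT = new byte[16];

    static boolean authenticate(String username, String password) {
        User user = User.find("byEmail", username).first();
        // Hash even for unknown accounts so response time does not reveal valid emails.
        byte[] salt = user != null ? user.salt : DUMMY_SALT;
        byte[] candidate = hash(password, salt);
        // MessageDigest.isEqual compares in constant time, unlike Arrays.equals.
        boolean ok = user != null && MessageDigest.isEqual(candidate, user.passwordHash);
        if (!ok) {
            Logger.warn("Failed login attempt for %s", username);
        }
        return ok;
    }

    static boolean check(String profile) {
        User user = User.find("byEmail", connected()).first();
        if (user == null) {
            return false;                         // session refers to a deleted account
        }
        if ("isAdmin".equals(profile)) {
            return "admin".equals(user.role);
        }
        if ("isUser".equals(profile)) {
            return true;                          // any authenticated account
        }
        return false;                             // unknown profile: deny by default
    }

    static void onAuthenticated() {
        Logger.info("User %s logged in", connected());
    }

    static byte[] hash(String password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}
```

The same **hash** routine must be used when the password is first stored, with a fresh random **salt** per account.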