public class AuthSessionCookie
extends java.lang.Object
It checks Play's session cookie and does authorization. It has several layers of security:
1) First, it checks if a username is in Play's session cookie and if this username belongs to a user in the database.
2) Check if the session timed out. The time span is defined in the application.conf.
3) Check if the session timed out due to inactivity of the user. With each request by the user, the time of last activity gets refreshed in the session.
4) Check if the signed-in user has the proper Role needed to access this page. This Role is an optional parameter in
the AuthAction.Auth
annotation.
5) It checks if the user was deactivated by an admin.
The AuthAction.Auth
annotation does not check the user's password. This is
done once during signing in (class Signin
).
The User
object is put in the RequestScope
for later use during request processing.
Modifier and Type | Class and Description |
---|---|
static class |
auth.gui.AuthAction.AuthMethod.AuthResult
Result of an authentication attempt.
|
Modifier and Type | Method and Description |
---|---|
auth.gui.AuthAction.AuthMethod.AuthResult |
authenticate(play.mvc.Http.Request request,
User.Role role) |
public auth.gui.AuthAction.AuthMethod.AuthResult authenticate(play.mvc.Http.Request request, User.Role role)
request
- This action's Http.Request
objectrole
- Role the user must have to access the resourceAuthAction.AuthMethod.AuthResult
.