Restful (and Stateless) Auth with Play Framework and Scala
I have recently been thinking about how to get my web framework/application stack right. I'm slowly moving over to Scala and functional programming (coming from Python with CherryPy). So it was natural to look into Play as it is the most widely supported framework (now that even Typesafe has adopted it). Feel free to correct me if I'm missing something here.

So Play is really embracing the idea of stateless web apps and I have a hard time wrapping my head around it in terms of authentication and authorization. Now after some online digging (The definitive guide to form-based website authentication) I came to the conclusion that authentication and authorization must be done on each and every call to my backend (JSON-RPC or whatever), getting away from the old session-cookie idea.

Now what's the best approach to achieve this with today's technology?

And what about:

I thought about "simple" DigestAuth as it is proven and widespread, but then it has this similar feel to the old and rusty Basic auth.

Thank you!

Conceptacle answered 30/4, 2013 at 16:29 Comment(0)

You can easily get a working solution. But not a good one. It seems that the advantage of stateless over stateful is no need for sharing sessions. Easy to scale up. But doing authentication for each call is costly. Sometimes it even adds some extra database read ops. This will slow down the response. If you want to cache the authentication result, then there will be no difference from a stateful session solution. In my opinion, you cannot implement Role Based Access Control in a stateless way!

Solve answered 12/6, 2013 at 13:41 Comment(2)
Means role-based login is a no-no in so-called modern "web-dev"? - Conceptacle
You can put the state in a fast replicable memory engine like REDIS. Then each single Play process is stateless, which eases horizontal scale. - Beatific
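Added example, not code from the question or any of the answers: one way to authenticate every call without a server-side session, as the question asks, written against Play's ActionBuilder API (assumed Play 2.3 to 2.5; the Token object, AuthRequest, AUTH_SECRET variable and route are hypothetical). The role claim travels inside the HMAC-signed token, so the per-request role check needs neither a session store nor a database read.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import java.util.Base64
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import play.api.mvc._
import scala.concurrent.Future
import scala.util.Try

// Stateless bearer token "base64url(user|role|expiry).base64url(hmac)": the server keeps
// no session; it only needs its secret to re-verify the token on every request.
object Token {
  case class Principal(userId: String, role: String)
  // AUTH_SECRET is a hypothetical environment variable; the fallback is for local runs only
  private val secret = sys.env.getOrElse("AUTH_SECRET", "dev-only-secret").getBytes(UTF_8)
  private val enc = Base64.getUrlEncoder.withoutPadding
  private val dec = Base64.getUrlDecoder
  private def hmac(data: Array[Byte]): Array[Byte] = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(new SecretKeySpec(secret, "HmacSHA256"))
    mac.doFinal(data)
  }
  def issue(userId: String, role: String, expiresAt: Long): String = {
    val payload = s"$userId|$role|$expiresAt".getBytes(UTF_8)
    enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload))
  }
  // None for a malformed, tampered or expired token; MessageDigest.isEqual is constant-time
  def verify(token: String, now: Long): Option[Principal] = Try {
    val Array(p, s) = token.split('.')
    val payload = dec.decode(p)
    if (!MessageDigest.isEqual(hmac(payload), dec.decode(s))) None
    else new String(payload, UTF_8).split('|') match {
      case Array(user, role, exp) if exp.toLong > now => Some(Principal(user, role))
      case _ => None
    }
  }.toOption.flatten
}

class AuthRequest[A](val principal: Token.Principal, request: Request[A]) extends WrappedRequest[A](request)

// ActionBuilder as in Play 2.3 to 2.5: the role check runs on every call from the token alone
case class Authenticated(requiredRole: String) extends ActionBuilder[AuthRequest] {
  def invokeBlock[A](request: Request[A], block: AuthRequest[A] => Future[Result]): Future[Result] = {
    val bearer = request.headers.get("Authorization").filter(_.startsWith("Bearer ")).map(_.drop(7))
    bearer.flatMap(Token.verify(_, System.currentTimeMillis / 1000)) match {
      case Some(p) if p.role == requiredRole => block(new AuthRequest(p, request))
      case Some(_) => Future.successful(Results.Forbidden)
      case None => Future.successful(Results.Unauthorized.withHeaders("WWW-Authenticate" -> "Bearer"))
    }
  }
}
```

In a controller this reads `def admin = Authenticated("admin") { req => Ok(req.principal.userId) }`; revoking a token before its expiry would again require shared state (the Redis approach mentioned above), which is the trade-off the answer describes.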

As for me, I use this in my current project: https://github.com/t2v/play20-auth. Works fine.

Mcalpine answered 30/4, 2013 at 18:59 Comment(3)
It doesn't really do RESTful, does it? It looks like it's merely a fix for Play's not-so-safe own authentication cookie. - Conceptacle
@AlessandroMeyer I can say that it's almost RESTful but not purely RESTful, as we know RESTful means stateless and we can't mix them at the same time because "authenticated" is a state, but on the other hand it can be realised in different layers. - Mcalpine
You're right, but having to authenticate each time (Digest or Basic auth) would be truly stateless and I was wondering if this is a reasonable approach. - Conceptacle
