
I have recently been thinking about how to get my web framework/application stack right. I'm slowly moving over to Scala and functional programming (coming from Python with CherryPy). So it was natural to look into Play as it is the most widely supported framework (now that even Typesafe adopted it). Feel free to correct me if I'm missing something here.

So Play is really embracing the idea of stateless web apps and I have a hard time wrapping my head around it in terms of authentication and authorization. Now after some online digging (The definitive guide to form-based website authentication) I came to the conclusion that authentication and authorization must be done on each and every call to my backend (JSON-RPC or whatever), getting away from the old session-cookie idea.

Now what's the best approach to achieve this with today's technology?

And what about:

I thought about "simple" DigestAuth as it is proven and widespread but then it has this similar feel to the old and rusty basic auth.

Thank you!

AlessandroEmm

2 Answers


You can easily get a working solution. But not a good one. It seems that the advantage of stateless over stateful is no need to share sessions. Easy to scale up. But doing authentication for each call is costly. Sometimes it even adds some extra database read ops. This will slow down the response. If you want to cache the authentication result, then there will be no difference from a stateful session solution. In my opinion, you cannot implement Role Based Access Control in a stateless way!

wpc

As for me, I use this in my current project: https://github.com/t2v/play20-auth. Works fine.

arussinov
  • It doesn't really do RESTful, does it? It looks like it's merely a fix for Play's not-so-safe own authentication cookie. – AlessandroEmm May 03 '13 at 12:24
  • @AlessandroMeyer I can say that it's almost RESTful but not purely RESTful, as we know RESTful means stateless and we can't mix it in at the same time because "authenticated" is a state, but on the other hand it can be realised in different layers. – arussinov May 03 '13 at 20:04
  • You're right, but having to authenticate each time (digest or basic auth) would be truly stateless and I was wondering if this is a reasonable approach. – AlessandroEmm May 04 '13 at 18:30
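As an added example (not code posted by anyone in this thread) of the per-call, no-server-session approach the question describes: a token signed with an HMAC that carries user, role and expiry, so every request can be authenticated and authorized without a database read or a shared session store. Python is used since the asker comes from it; the secret key, claim layout and 15-minute lifetime are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Server-side signing key. Constructed for this example; load it from
# configuration in a real deployment and rotate it like any other secret.
SECRET_KEY = b"example-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, role: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
    """Issue a signed token once, after login: the only step that touches the credential store."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": int(now) + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Check signature and expiry on every request; no database lookup. Returns claims or None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak how much of the MAC matched.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):  # malformed base64 or JSON, missing separator
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, required_role: str, now: Optional[float] = None) -> bool:
    """Per-call role check: the role claim travels inside the signed token."""
    claims = verify_token(token, now)
    return claims is not None and claims.get("role") == required_role
```

Because the role is inside the signed payload, a client cannot upgrade itself without the server key, and revocation before expiry is the one thing this design gives up in exchange for the stateless check.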