letting only admin user to enter playframework admin crud area

I am trying out authentication using playframework's secure module. I have two users, one an admin, the other with normal privileges. They are defined as

User(adminuser):
    email:   siteadmin@mysite.com
    password: secret
    isAdmin:  true
User(normaluser):
    email:   normaluser@gmail.com
    password: normalpass

I want only the admin user to be able to log in to the admin area and create entities using the crud interface. How should I go about this?

*       /admin          module:crud

brings up a login screen which, after login from the above two users, takes them to the admin area. How can I restrict entry to the admin area to only the admin user, and tell the normal user that he doesn't have enough rights to access the admin area?


Using CRUD, you can declare one controller per entity. Then you can add the annotations needed for security.

For example, for User entity you will have this controller:

@Check("admin")
@With(Security.class)
@For(models.User.class)
public class Users extends controllers.CRUD {
}

In @With you have to point to the class extending Secure.Security. For example:

package controllers;

import models.User;

public class Security extends Secure.Security {

    // Called by the Secure module on login. The first argument is whatever the
    // user typed into the username field, which in this app is the email address.
    static boolean authenticate(String email, String password) {
        return User.connect(email, password) != null;
    }

    // Called before every action of a controller annotated with @Check(profile).
    static boolean check(String profile) {
        if ("admin".equals(profile)) {
            // connected() returns the email stored in the session at login
            User user = User.all().filter("email", connected()).get();
            return user != null && user.isAdmin;
        }
        return false;
    }

    static void onDisconnected() {
        Application.index();
    }

    static void onAuthenticated() {
        Admin.index();
    }
}

I'm not yet familiar with the CRUD module, but in your controller you could use the annotation @Check("admin"). This will ensure that before every call on the annotated method the security module will call the static boolean check(String) method in your own Security implementation class. There you can simply check if the current user is admin and allow access or not. See example below.

public class MySecurity extends Secure.Security
{

    // .... other methods you should/could override ....

    static boolean check(String profile)
    {
        boolean result = false;
        if ("admin".equalsIgnoreCase(profile))
        {
            // connected() is inherited from Secure.Security and returns the
            // username that was stored in the session when the user logged in
            User currentUser = User.find("byUsername", connected()).first();
            result = currentUser != null && currentUser.isAdmin;
        }

        return result;
    }
}

Hope this helps. /Richard
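Both answers cover the first half of the question (only the admin gets in); the second half, telling the normal user he lacks rights, is handled by the Secure module's `onCheckFailed(String profile)` hook, which the module calls when `check()` returns false. The following is an added example, not code from either answer. It assumes a Play 1.x `models.User` entity with `email` and `isAdmin` fields and a `User.connect(email, password)` finder as in the first answer, plus existing `Admin` and `Application` controllers; it uses `@With(Secure.class)`, the form the module's documentation gives, so that the module's `checkAccess` interceptor runs before the CRUD actions.

```java
// File: app/controllers/Security.java
package controllers;

import models.User;

public class Security extends Secure.Security {

    // The Secure module passes the login form's username field here;
    // this app (assumption) uses the email address as the username.
    static boolean authenticate(String username, String password) {
        return User.connect(username, password) != null;
    }

    // Runs before every action of a controller annotated @Check("admin").
    static boolean check(String profile) {
        if (!"admin".equals(profile)) {
            return false; // unknown profile names never grant access
        }
        // connected() is the email stored in the session at login
        User user = User.find("byEmail", connected()).first();
        return user != null && user.isAdmin;
    }

    // Called by the Secure module when check() returns false: the user is
    // logged in but lacks the profile, so answer 403 with a message instead
    // of bouncing him back to the login page.
    static void onCheckFailed(String profile) {
        forbidden("You do not have enough rights to access the admin area "
                + "(profile '" + profile + "' required).");
    }

    static void onAuthenticated() {
        Admin.index();
    }

    static void onDisconnected() {
        Application.index();
    }
}

// File: app/controllers/Users.java
// Every CRUD action on User (list, show, create, save, delete) now goes
// through Secure.checkAccess and therefore through Security.check("admin").
package controllers;

import play.mvc.With;

@Check("admin")
@With(Secure.class)
@CRUD.For(models.User.class)
public class Users extends CRUD {
}
```

With the routes line from the question (`*  /admin  module:crud`), an unauthenticated visitor is still sent to the login page by the module, the admin passes `check("admin")` and reaches the CRUD screens, and the normal user, once logged in, gets the 403 message from `onCheckFailed` rather than the admin area. Keeping the `@Check` on the controller class rather than on individual actions means a newly added CRUD action cannot accidentally be left unprotected.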
