Slides for the SecureSocial presentation at the Scala BASE meetup in Palo Alto on Dec 12th 2012

1. SecureSocial
Authentication Module for Play!
Jorge Aliss
@jaliss
Sponsored by

2. Agenda
Overview
Main concepts: Identity Providers, Identity, UserService
Installation
Configuration
Protecting Actions
UsernamePassword provider
Password rules and hashing algorithms
Views customization
Internationalization
Extending SecureSocial

3. Overview
What does it do?
Why did I do it?
11/11/2011: First release (Play 1)
06/05/2012: Play 2 version

4. Demo

5. Identity Providers
A provider implements the logic required to support an
authentication scheme.
OAuth 1: Twitter, LinkedIn
OAuth 2: Facebook, Google, GitHub
OpenID (coming soon)
Username and Password
Your own provider

6. Identity
Represents a user in a Provider
Providers return an instance of this trait upon successful
authentication
Modeled with a trait in Scala and an interface on the Java API
tatIett {
ri dniy
dfi:UeI
e d srd
dffrtae Srn
e isNm: tig
dflsNm:Srn
e atae tig
dfflNm:Srn
e ulae tig
dfeal Oto[tig
e mi: pinSrn]
dfaaaUl Oto[tig
e vtrr: pinSrn]
dfatMto:AtetctoMto
e uhehd uhniainehd
dfouhIf:Oto[At1no
e At1no pinOuhIf]
dfouhIf:Oto[At2no
e At2no pinOuhIf]
dfpswrIf:Oto[asodno
e asodno pinPswrIf]
}

7. UserService
Provides a way to persist/find Identities from a backing store
No imposed persistence mechanism. Developer is free to
use anything
Any class implementing Identity can be returned: this allows
you to return your own model class
tatUeSrie{
ri srevc
dffn(d UeI)Oto[dniy
e idi: srd:pinIett]
dffnBEalnPoie(mi:Srn,poieI:Srn)Oto[dni
e idymiAdrvdreal tig rvdrd tig:pinIett
y]
dfsv(sr Iett)
e aeue: dniy
/ temtosta hnl tkn aeue
/ h ehd ht ade oes r sd
/ i sg u adrstpswr rqet
/ n in p n ee asod euss
dfsv(oe:Tkn
e aetkn oe)
dffnTkntkn Srn) Oto[oe]
e idoe(oe: tig: pinTkn
dfdltTknui:Srn)
e eeeoe(ud tig
dfdltEprdoes)
e eeexieTkn(
}

8. Installation
Available as a downloadable dependency
Stable versions and master snapshots
ojc Apiainul etnsBid{
bet plctoBid xed ul
vlapae
a pNm ="yp"
MAp
vlapeso
a pVrin ="."
10
vlapeednis=Sq
a pDpnece e(
"eueoil %"eueoil291 %".."
scrsca" scrsca_.." 207
)
vlmi =PaPoetapae apeso,apeednis miLn =S
a an lyrjc(pNm, pVrin pDpnece, anag C
AA.etns
L)stig(
rsles+ Rsle.r(ScrSca Rpstr" ul"tp/scrs
eovr = eovrul"eueoil eoioy, r(ht:/eue
oilw/eoioyrlae/)(eovriytlPten)
ca.srpstr/eess")Rsle.vSyeatrs
)
}

9. Configuration
Settings go in a securesocial section of your conf file
Global settings: onLoginGoto, onLogoutoTo, ssl
scrsca {
eueoil
oLgnoo/
noiGT=
oLguGT=lgn
nootoo/oi
slfle
s=as
}

10. Configuration
Username Password Provider
ueps {
sras
wtUeNmSpotfle
ihsraeupr=as
snWloemi=re
edecmEaltu
ealGaaaSpottu
nbervtrupr=re
tknuain6
oeDrto=0
tkneeenevl5
oeDltItra=
ealTkno=re
nbeoeJbtu
hse=cyt
ahrbrp
mnmmasodegh8
iiuPswrLnt=
}

11. Configuration
OAuth 1 and OAuth 2 based providers
titr{
wte
rqetoeUl"tp:/wte.o/at/eus_oe"
eusTknr=hts/titrcmouhrqettkn
acsTknr=hts/titrcmouhacs_oe"
cesoeUl"tp:/wte.o/at/cestkn
atoiainr=hts/titrcmouhatetct"
uhrztoUl"tp:/wte.o/at/uhniae
cnueKyyu_osmrky
osmre=orcnue_e
cnueSce=orcnue_ert
osmrertyu_osmrsce
}
fcbo {
aeok
atoiainr=hts/gahfcbo.o/at/uhrz"
uhrztoUl"tp:/rp.aeokcmouhatoie
acsTknr=hts/gahfcbo.o/at/cestkn
cesoeUl"tp:/rp.aeokcmouhacs_oe"
cinI=orcin_d
letdyu_leti
cinSce=orcin_ert
letertyu_letsce
soeeal
cp=mi
}

12. Protecting Actions
SecuredAction: intercepts requests and redirects them to a
login page if the user is not authenticated (returns
unauthorized error for ajax calls)
Authorization: SecuredActions can receive an Authorization
instance that checks if an authenticated user is authorized to
execute it. Renders an error page (returns forbidden for ajax
calls)

13. SecuredAction
Add the SecureSocial trait to your controllers
dfmAto =Scrdcin{ipii rqet=
e ycin eueAto mlct eus >
O(iw.tlidxrqetue)
kveshm.ne(eus.sr)
}
dfmAaCl =Scrdcintu){ipii rqet=
e yjxal eueAto(re mlct eus >
O(sntJo(a(msae - "el").sJO)
kJo.osnMp"esg" > hlo))a(SN
}

14. Authorization
To add authorization logic to an action you need to implement
the Authorization trait.
cs casWtRl(oe Rl)etnsAtoiain{
ae ls ihoerl: oe xed uhrzto
dfiAtoie(dniy Iett) Boen={
e suhrzdiett: dniy: ola
iett mth{
dniy ac
cs ue:Ue = ue.aRl(oe
ae sr sr > srhsoerl)
cs _=
ae >
Lge.ro(DdntgtaSsinsrojc"
ogrerr"i o e esoUe bet)
fle
as
}
}
}
dfmAto =Scrdcin WtRl(di)){ipii rqet=
e ycin eueAto( ihoeAmn mlct eus >
O(iw.tlidxrqetue)
kveshm.ne(eus.sr)
}

15. UsernamePassword
Provider
Enforces flows that prevent leaking information in the
Signup, Login and Password recovery flows
Password change functionality
Enforces password strength and hashing

16. Password Validator
Used to enforce password strength
DefaultPasswordValidator: checks length specified in settings
file
To customize, implement the PasswordValidator and register
it in the play.plugins file
tatPswrVldtretnsPui {
ri asodaiao xed lgn
dfiVldpswr:Srn) Boen
e sai(asod tig: ola
dferresg:Srn
e roMsae tig
}

17. Password Hasher
Built in (and recommended) is based on Bcrypt
Several can be configured, allowing easy migration to new
algorithms as needed
PasswordInfo: stores the hashed password, an optional salt
and the hasher id
Passwords are hashed with the 'default' hasher
tatPswrHse etnsPui wt Rgsrbe{
ri asodahr xed lgn ih eital
dfhs(liPswr:Srn) PswrIf
e ahpanasod tig: asodno
dfmthspswrIf:PswrIf,splePswr:Srn) Boen
e ace(asodno asodno upidasod tig: ola
}

18. Views Customization
Built in templates use Twitter Bootstrap
TemplatesPlugin: used to render views/emails
To customize: change css or implement and register it
instead of the default one
dfgtoiPg[]ipii rqet RqetA,
e eLgnaeA(mlct eus: eus[]
fr:Fr[Srn,Srn),
om om(tig tig]
mg Oto[tig =Nn) Hm
s: pinSrn] oe: tl
dfgtinpmi(oe:Srn)ipii rqet Rqetedr:Srn
e eSgUEaltkn tig(mlct eus: eusHae) tig
dfgtoiPg[]ipii rqet RqetA,
e eLgnaeA(mlct eus: eus[]
fr:Fr[Srn,Srn),
om om(tig tig]
mg Oto[tig =Nn) Hm =
s: pinSrn] oe: tl
{
scrsca.iw.tllgnfr,mg
eueoilveshm.oi(om s)
}
dfgtinpmi(oe:Srn)ipii rqet Rqetedr:Srn ={
e eSgUEaltkn tig(mlct eus: eusHae) tig
scrsca.iw.tlmissgUEaltkn.oy
eueoilveshm.al.inpmi(oe)bd
}

19. Internationalization
Built in messages are extracted
To customize: copy the messages from the sources into your
messages file and change as needed
scrsca.oi.il=oi
eueoillgntteLgn
scrsca.oi.eehr
eueoillgnhr=ee
scrsca.oi.naiCeetasIvldCeetas
eueoillgnivldrdnil=nai rdnil
scrsca.oi.ogtasodDdyufre yu pswr?
eueoillgnfroPswr=i o ogt or asod

20. Creating an Identity
Provider
asrc casIettPoie(plcto:Apiain
btat ls dniyrvdrapiain plcto)
etnsPui wt Rgsrbe
xed lgn ih eital
{
.
.
dfdAt[])ipii rqet RqetA)Ete[eut ScaUe]
e ouhA((mlct eus: eus[]:ihrRsl, oilsr
dfflPoieue:ScaUe)ScaUe
e ilrfl(sr oilsr:oilsr
.
.
}

21. What's next
OpenID support
More providers (eg:Foursquare, Wordpress, Yahoo).
Account linking support

22. Main Sponsor
Previous sponsor

23. Q&A

24. Links
Project site: http://www.securesocial.ws
GitHub: https://github.com/jaliss/securesocial

25. Thank you
Scala BASE