An Authorizer is responsible for determining if a given user is able to perform
the requested action (in this case process the requested URL).
The Authorizer is passed the current request. The Authorizer can inspect the Principal object
if an AuthenticationStrategy was invoked earlier in the pipeline. Alternatively, it may determine
authorization based on some request-level criterion, such as the client IP address.
If the request is authorized then the Authorizer should continue the request pipeline.
If the request is not authorized then the Authorizer would normally return an appropriate response,
although it can choose to do anything it wishes.
How the Authorizer determines access is dependent on the implementation.
For example, the AccessListAuthorizer authorizes requests based on a given list of Principals. If the principals
list does not contain the given Principal then a 403 is returned.
An AllAccessAuthorizer authorizes all requests. This is useful when you have site-wide authorization
but wish to enable public access to a certain endpoint.
Usually you will want to implement a custom Authorizer, which may check a user for a role, or some similar
mechanism. To implement a custom Authorizer, extend Authorizer and implement the authorization check.
case class Role(name: String) extends Product with Serializable
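A sketch of a role-checking Authorizer as described above. This is an added example, not the library's own code: the Request, Principal and Response types, the Authorizer trait signature, RoleAuthorizer and IpAuthorizer are simplified stand-ins assumed for illustration, and the sample requests are constructed.

```scala
// Added illustration: Request, Principal, Response and the Authorizer trait
// below are simplified stand-ins, NOT the library's real types or signatures.
final case class Role(name: String)
final case class Principal(name: String, roles: Set[Role])
final case class Request(path: String, remoteIp: String, principal: Option[Principal])
final case class Response(status: Int, body: String)

trait Authorizer {
  // `next` continues the request pipeline; call it only when access is granted.
  def authorize(req: Request)(next: Request => Response): Response
}

// Custom authorizer: the Principal must hold the required role.
final class RoleAuthorizer(required: Role) extends Authorizer {
  def authorize(req: Request)(next: Request => Response): Response =
    req.principal match {
      case Some(p) if p.roles.contains(required) => next(req)
      // Authenticated but lacking the role: forbidden.
      case Some(_) => Response(403, "Forbidden")
      // No Principal (no authentication ran, or it failed): fail closed.
      case None => Response(401, "Unauthorized")
    }
}

// Request-level criterion instead of a Principal: an IP allow-list.
final class IpAuthorizer(allowed: Set[String]) extends Authorizer {
  def authorize(req: Request)(next: Request => Response): Response =
    if (allowed.contains(req.remoteIp)) next(req) else Response(403, "Forbidden")
}

object AuthorizerDemo extends App {
  val handler: Request => Response = r => Response(200, s"ok ${r.path}")
  val adminOnly = new RoleAuthorizer(Role("admin"))

  // Constructed sample requests.
  val admin = Request("/admin", "10.0.0.5", Some(Principal("alice", Set(Role("admin")))))
  val user  = Request("/admin", "10.0.0.6", Some(Principal("bob", Set(Role("user")))))
  val anon  = Request("/admin", "10.0.0.7", None)

  assert(adminOnly.authorize(admin)(handler).status == 200)
  assert(adminOnly.authorize(user)(handler).status == 403)
  assert(adminOnly.authorize(anon)(handler).status == 401)
  assert(new IpAuthorizer(Set("10.0.0.5")).authorize(user)(handler).status == 403)
  println("all authorization checks behaved as expected")
}
```

The missing-Principal branch is the case to get right in a custom Authorizer: treating an absent Principal as anything other than a denial silently turns a misconfigured pipeline into public access.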