Akka HTTP

Version 10.0.7

authorize

Applies the given authorization check to the request.

Description

The user-defined authorization check can either be supplied as a -> Boolean value which is calculated just from information out of the lexical scope, or as a function RequestContext -> Boolean which can also take information from the request itself into account.

If the check returns true the request is passed on to the inner route unchanged, otherwise an AuthorizationFailedRejection is created, triggering a 403 Forbidden response by default (the same as in the case of an AuthenticationFailedRejection).

In a common use-case you would check if a user (e.g. supplied by any of the authenticate* family of directives, e.g. authenticateBasic) is allowed to access the inner routes, e.g. by checking if the user has the needed permissions.

See also authorize-java for the asynchronous version of this directive.

Note

See also Authentication vs. Authorization to understand the differences between those.

Example

class User {
  private final String name;
  public User(String name) {
    this.name = name;
  }
  public String getName() {
    return name;
  }
}

// authenticate the user:
final Function<Optional<ProvidedCredentials>, Optional<User>> myUserPassAuthenticator =
  opt -> {
    if (opt.isPresent()) {
      return Optional.of(new User(opt.get().identifier()));
    } else {
      return Optional.empty();
    }
  };

// check if user is authorized to perform admin actions:
final Set<String> admins = new HashSet<>();
admins.add("Peter");
final Function<User, Boolean> hasAdminPermissions = user -> admins.contains(user.getName());

final Route route = authenticateBasic("secure site", myUserPassAuthenticator, user ->
  path("peters-lair", () ->
    authorize(() -> hasAdminPermissions.apply(user), () ->
      complete("'" + user.getName() +"' visited Peter's lair")
    )
  )
).seal(system(), materializer());

// tests:
final HttpCredentials johnsCred =
  BasicHttpCredentials.createBasicHttpCredentials("John", "p4ssw0rd");
testRoute(route).run(HttpRequest.GET("/peters-lair").addCredentials(johnsCred))
  .assertStatusCode(StatusCodes.FORBIDDEN)
  .assertEntity("The supplied authentication is not authorized to access this resource");

final HttpCredentials petersCred =
  BasicHttpCredentials.createBasicHttpCredentials("Peter", "pan");
testRoute(route).run(HttpRequest.GET("/peters-lair").addCredentials(petersCred))
  .assertEntity("'Peter' visited Peter's lair");
authenticateOAuth2PFAsync
authorizeAsync
The source code for this page can be found here.