It seems it is impossible to nest authorized directives in spray due to this line: https://github.com/spray/spray/blob/76ab89c25ce6d4ff2c4b286efcc92ee02ced6eff/spray-routing/src/main/scala/spray/routing/directives/SecurityDirectives.scala#L55
I'm referring to doing things like this:
val route = {
  ...
  authorize(userIsAdmin) {
    path("generic" / "admin" / "stuff") { ... } ~
    path("users" / Segment) { u =>
      authorize(canModifyUser) {
        ...
      }
    } ~
    path("quotas") {
      authorize(canModifyQuotas) {
        ...
      }
    }
  }
}
One could of course refactor this to include userIsAdmin in the canModifyUser and canModifyQuotas checks, but with orthogonal access rights that could get out of hand fast.
What is the reason for that line? It doesn't seem logical to me that we are cancelling any further authorization failures.
Full disclosure: the route will actually get rejected if one of the nested checks fails, but it will give a 404 error (EmptyRejection) instead of the expected AuthorizationFailedRejection.
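The following is a small, self-contained model of the behaviour described in the post, added here as an illustration; it is not spray code and is not the poster's. It models only the pieces the post relies on: routes either complete or produce a list of rejections, `~` alternatives accumulate the rejections of every alternative that did not complete, a failed `authorize` contributes an AuthorizationFailedRejection, a passing `authorize` marks every AuthorizationFailedRejection in the final list as cancelled (the effect of the linked line), and an empty rejection list renders as 404 while a surviving AuthorizationFailedRejection renders as 403. The check functions, the `cancel` switch and the request dictionary standing in for spray's RequestContext are constructed for the example. With that model, the nested route from the post ends in 404 for an admin who lacks the inner right, the same route with the cancellation switched off ends in 403, and the refactoring the post mentions (folding userIsAdmin into the inner check) also ends in 403.

```python
"""Toy model of rejection collection in a spray-style router (constructed for
illustration; not spray's implementation). It reproduces why an authorize
nested inside a passing authorize ends in an empty rejection set (404)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Ctx = Dict[str, object]  # stands in for spray's RequestContext (constructed)


@dataclass(frozen=True)
class Rejection:
    kind: str  # e.g. "AuthorizationFailedRejection"


@dataclass
class Outcome:
    body: Optional[str] = None                   # set when the route completed
    rejections: Optional[List[Rejection]] = None  # set when the route rejected


Route = Callable[[Ctx], Outcome]

AUTH_FAILED = Rejection("AuthorizationFailedRejection")
# Marker standing in for the transformation that cancelAllRejections appends;
# it is honoured when the final rejection list is turned into a status code.
CANCEL_AUTH = Rejection("CancelAuthorizationFailedRejections")


def complete(body: str) -> Route:
    return lambda ctx: Outcome(body=body)


def path(segment: str, inner: Route) -> Route:
    # An unmatched path rejects with no rejection at all, so on its own it renders as 404.
    return lambda ctx: inner(ctx) if ctx["path"] == segment else Outcome(rejections=[])


def alternatives(*routes: Route) -> Route:
    # The ~ operator: the first route that completes wins; otherwise rejections accumulate.
    def route(ctx: Ctx) -> Outcome:
        collected: List[Rejection] = []
        for r in routes:
            out = r(ctx)
            if out.rejections is None:
                return out
            collected.extend(out.rejections)
        return Outcome(rejections=collected)
    return route


def authorize(check: Callable[[Ctx], bool], inner: Route, cancel: bool = True) -> Route:
    # cancel=True models the linked line: once the check passes, every
    # AuthorizationFailedRejection produced further in is cancelled.
    def route(ctx: Ctx) -> Outcome:
        if not check(ctx):
            return Outcome(rejections=[AUTH_FAILED])
        out = inner(ctx)
        if out.rejections is not None and cancel:
            out = Outcome(rejections=out.rejections + [CANCEL_AUTH])
        return out
    return route


def status_of(out: Outcome) -> int:
    """Render an outcome the way the post describes: empty list -> 404, auth failure -> 403."""
    if out.rejections is None:
        return 200
    rejs = out.rejections
    if CANCEL_AUTH in rejs:
        rejs = [r for r in rejs if r.kind not in (AUTH_FAILED.kind, CANCEL_AUTH.kind)]
    if not rejs:
        return 404  # EmptyRejection: "resource not found"
    if AUTH_FAILED in rejs:
        return 403
    return 400  # other rejection kinds; not exercised in this model


# Constructed access checks standing in for userIsAdmin / canModifyUser.
def user_is_admin(ctx: Ctx) -> bool:
    return bool(ctx.get("admin"))


def can_modify_user(ctx: Ctx) -> bool:
    return bool(ctx.get("user_rights"))


def nested_route(cancel: bool = True) -> Route:
    # The shape from the post: an inner authorize nested inside an outer one.
    return authorize(user_is_admin, alternatives(
        path("stuff", complete("admin stuff")),
        path("users", authorize(can_modify_user, complete("user modified"), cancel)),
    ), cancel)


def composed_route() -> Route:
    # The refactoring the post mentions: fold the outer check into each inner check.
    return alternatives(
        path("stuff", authorize(user_is_admin, complete("admin stuff"))),
        path("users", authorize(lambda c: user_is_admin(c) and can_modify_user(c),
                                complete("user modified"))),
    )


if __name__ == "__main__":
    admin_without_right: Ctx = {"path": "users", "admin": True, "user_rights": False}
    print("nested, cancelling:", status_of(nested_route()(admin_without_right)))
    print("nested, no cancel: ", status_of(nested_route(cancel=False)(admin_without_right)))
    print("composed checks:   ", status_of(composed_route()(admin_without_right)))
```

Running the module prints 404, 403 and 403 for the three variants, which is the difference the post reports between the nested form and the refactored form.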