
I have the following customized security controller using the Secure module for Play:

public class Security extends Secure.Security {

    static boolean authenticate(String username, String password) {

        validation.required(username);
        validation.required(password);

        if (!validation.hasErrors()) {
            BetaUser user = BetaUser.find("username", username).first();

            if (user != null && user.password.equals(password)) {
                Session.current().put("userid", user.id);
                return true;
            }

            return false;
        }
        else {
            return false;
        }
    }

    static void onAuthenticated() {
        Series.userSeries();
    }

    static void onDisconnected() {
        Application.index();
    }

    static boolean check(String profile) {
        if ("admin".equals(profile)) {
            return Security.connected().equals("admin");
        }
        return false;
    }
}

In this case the validation mechanism in the authenticate method works. When I use annotations, the password parameter doesn't get validated anymore:

static boolean authenticate(@Required String username, @Required String password) {

    if (!validation.hasErrors()) {
        BetaUser user = BetaUser.find("username", username).first();

        if (user != null && user.password.equals(password)) {
            Session.current().put("userid", user.id);
            return true;
        }

        return false;
    }
    else {
        return false;
    }
}

The strange thing is that the username validation actually does work (error when username is empty). When only the password is left empty, the validation has no errors...

I hope that you can help me.

Chris Ortiz

1 Answer


After digging around:

Validating HTTP data with play

Validations ensure that the data has certain values or meets specific requirements. You can use validation to verify that your models are correct before saving them to the database, or use them directly on HTTP parameters to validate a simple form.

Ref: http://www.playframework.org/documentation/1.2.4/validation

Before calling your implemented method, it calls the authenticate method in the Secure class first. So this is why the annotation does not work in your implemented method.

public static void authenticate(@Required String username, String password, boolean remember) throws Throwable {
    // Check tokens
    Boolean allowed = false;
    try {
        // This is the deprecated method name
        allowed = (Boolean)Security.invoke("authentify", username, password);
    } catch (UnsupportedOperationException e ) {
        // This is the official method name
        allowed = (Boolean)Security.invoke("authenticate", username, password);
    }
    if(validation.hasErrors() || !allowed) {
        flash.keep("url");
        flash.error("secure.error");
        params.flash();
        login();
    }
    // Mark user as connected
    session.put("username", username);
    // Remember if needed
    if(remember) {
        response.setCookie("rememberme", Crypto.sign(username) + "-" + username, "30d");
    }
    // Redirect to the original URL (or /)
    redirectToOriginalURL();
}

You can see this thread for the deeper reason why it does not work -> parameter validation with net.sf.oval (in play framework)

korrawit
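The behaviour discussed in this question and answer, reduced to plain Java as an added example (not code from the posts or from Play): parameter annotations are evaluated only on the method the dispatcher invokes, so a helper reached by a plain reflective call never has its `@Required` checked and has to validate its own arguments. `Demo`, `Required`, `dispatch`, `login`, `annotated`, `explicit` and the sample account are hypothetical stand-ins, and the assumption that Play evaluates validation annotations only on the dispatched action follows the answer above.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
public class Demo {
    // Hypothetical stand-in for Play's @Required (not the real annotation).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @interface Required {}
    static final List<String> errors = new ArrayList<>();
    static Method find(String name) {
        return Arrays.stream(Demo.class.getDeclaredMethods()).filter(m -> m.getName().equals(name)).findFirst().get();
    }

    // Stand-in for action dispatch: the only place parameter annotations are read.
    static Object dispatch(String action, String... args) throws Exception {
        errors.clear();
        Method m = find(action);
        Annotation[][] anns = m.getParameterAnnotations();
        for (int i = 0; i < anns.length; i++)
            for (Annotation a : anns[i])
                if (a instanceof Required && (args[i] == null || args[i].isEmpty()))
                    errors.add("arg " + i + " of " + action + " is required");
        return m.invoke(null, (Object[]) args);
    }

    // Shaped like Secure.authenticate: the dispatched action; only username is @Required.
    static boolean login(@Required String username, String password, String helper) throws Exception {
        // Like Security.invoke(...): plain reflection, so the helper's annotations are not read.
        return (Boolean) find(helper).invoke(null, username, password) && errors.isEmpty();
    }

    // The question's second version: relies on @Required, which is never evaluated here.
    static boolean annotated(@Required String username, @Required String password) {
        return errors.isEmpty() && "alice".equals(username) && "s3cret".equals(password);
    }

    // The question's first version: the helper validates its own arguments.
    static boolean explicit(String username, String password) {
        if (username == null || username.isEmpty()) errors.add("username is required");
        if (password == null || password.isEmpty()) errors.add("password is required");
        return errors.isEmpty() && "alice".equals(username) && "s3cret".equals(password);
    }

    public static void main(String[] argv) throws Exception {
        for (String helper : new String[] {"annotated", "explicit"})
            for (String[] in : new String[][] {{"alice", ""}, {"", "s3cret"}}) // constructed inputs
                System.out.println(helper + " " + Arrays.toString(in) + " -> "
                    + dispatch("login", in[0], in[1], helper) + " " + errors);
    }
}
```

With the empty password, the `annotated` helper leaves the error list empty while the `explicit` one reports the missing password; the empty username is reported in both cases by the annotation on `login` itself.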