Trying to to run deadbolt 2 with play 2.4 (using "be.objectify" %% "deadbolt-java" % "2.4.0")

application.conf:

play {
  modules {
    enabled += "be.objectify.deadbolt.java.DeadboltModule"
  }
}

deadbolt {
  java {
    handler= auth.MyAuthorizationHandler
    cache-user=true
  }
}

Any ideas?

Here: https://deadbolt-java.readme.io/docs/template-constraints
you have:

Scala
@subjectPresentOr {
  this is protected
} {
  this will be shown if the constraint blocks the other content
}

and should be:

Scala
@subjectPresentOr() {
  this is protected
} {
  this will be shown if the constraint blocks the other content
}

I'd also add example of MyDeadboltHandler which can extend AbstractDeadboltHandler for clarity (because I needed to look for example implementation in the source code)

First of all thanks for the awesome module and the examples.

In your Quickstart for Java you state that:

@import be.objectify.deadbolt.core.utils.TemplateUtils.{la, as}

is required but I found from your example that both lines below are required. Can you please update the Quickstart?

@import be.objectify.deadbolt.java.views.html.{restrict, restrictOr}
@import be.objectify.deadbolt.core.utils.TemplateUtils.{la, as}

In case it is an authorized action and

    configuration.forceBeforeAuthCheck()

is false, the variable result is null which results in a NullPointerException in line 56.

Following the 2.4.4 docs give me a compilation warning that TemplateUtils.la and TemplateUtils.as are deprecated

I have a Play Framework Java app that has been growing in users and now I am starting to see some errors that I am having trouble resolving. I am using SmartMeter.io (uses jMeter) to load test and what I find is that these errors occur when I increase my users (simulated users during load testing) from 10 to 50.

The errors all seem to point to where and when I use Deadbolt's template convenience functions, such as restrict, restrictOr, subjectPresentOr, pattern, among others. When I remove these view function helpers or when I only run with 1-10 users, I no longer see the issues, however, once I have 25+ simultaneous users, I start to get these Java errors reported below. The errors hang my app and I need to reboot, which is undesirable. What I am seeing seems to be an infinite loop that makes the server unresponsive.

My test scenario that reports these issues is simple: login, access my home page which makes MySQL calls to get data, then log out. If all I do is remove all these Deadlbolt functions from my view, I no longer get these issues. I have tried increasing my deadbolt.java settings, but nothing seems to help.

Can anyone offer any suggestions on how to troubleshoot this? What other information can I provide to help support my situation? Thank you for any help.

I am using:
Play Framework 2.5
Deadbolt Jave 2.5.0
Deadbolt Core 2.4.3
Play Authenticate 0.8.3
Jooq 3.7.3
MySQL 5.7.19

I have not upgraded to the latest Play 2.6 because I am waiting on Play Authenticate to update.

# ------- Deadbolt -------
deadbolt {
  java {
    handler=security.MyDeadboltHandler,
    cache-user=true,
    view-timeout=10000, # Default 1000
    blocking-timeout=10000 # Default 1000
  }
}

Below are some sample errors at different timeout settings (10s in this case).

[error] b.o.d.j.ViewSupport - Timeout when attempting to complete future within [10000]ms.  Denying access to resource.
java.util.concurrent.TimeoutException: null
    at java.util.concurrent.CompletableFuture.timedGet(CompletableFuture.java:1771)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1915)
    at be.objectify.deadbolt.java.ViewSupport.viewRestrict(ViewSupport.java:104)
    at be.objectify.deadbolt.java.views.html.restrict_Scope0$restrict_Scope1$restrict.apply(restrict.template.scala:41)
    at views.html.main_Scope0$main_Scope1$main.apply(main.template.scala:97)
    at views.html.player.list.players_Scope0$players_Scope1$players.apply(players.template.scala:43)
    at views.html.player.list.players_Scope0$players_Scope1$players.render(players.template.scala:60)
    at views.html.player.list.players.render(players.template.scala)
    at controllers.player.ListController.list(ListController.java:86)
    at router.Routes$$anonfun$routes$1$$anonfun$applyOrElse$29$$anonfun$apply$29.apply(Routes.scala:1800)

[error] b.o.d.j.ViewSupport - Timeout when attempting to complete future within [10000]ms.  Denying access to resource.
java.util.concurrent.TimeoutException: null
    at java.util.concurrent.CompletableFuture.timedGet(CompletableFuture.java:1771)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1915)
    at be.objectify.deadbolt.java.ViewSupport.viewRestrict(ViewSupport.java:104)
    at be.objectify.deadbolt.java.views.html.restrict_Scope0$restrict_Scope1$restrict.apply(restrict.template.scala:41)
    at views.html.main_Scope0$main_Scope1$main.apply(main.template.scala:97)
    at views.html.player.list.players_Scope0$players_Scope1$players.apply(players.template.scala:43)
    at views.html.player.list.players_Scope0$players_Scope1$players.render(players.template.scala:60)
    at views.html.player.list.players.render(players.template.scala)
    at controllers.player.ListController.list(ListController.java:86)
    at router.Routes$$anonfun$routes$1$$anonfun$applyOrElse$29$$anonfun$apply$29.apply(Routes.scala:1800)

[error] b.o.d.j.ViewSupport - Timeout when attempting to complete future within [10000]ms.  Denying access to resource.
java.util.concurrent.TimeoutException: null
    at java.util.concurrent.CompletableFuture.timedGet(CompletableFuture.java:1771)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1915)
    at be.objectify.deadbolt.java.ViewSupport.viewRestrict(ViewSupport.java:104)
    at be.objectify.deadbolt.java.views.html.restrict_Scope0$restrict_Scope1$restrict.apply(restrict.template.scala:41)
    at views.html.player.list.players_Scope0$players_Scope1$players$$anonfun$apply$2.apply(players.template.scala:548)
    at views.html.player.list.players_Scope0$players_Scope1$players$$anonfun$apply$2.apply(players.template.scala:542)
    at views.html.helper.form_Scope0$form.apply(form.template.scala:35)
    at views.html.player.list.players_Scope0$players_Scope1$players.apply(players.template.scala:542)
    at views.html.player.list.players_Scope0$players_Scope1$players.render(players.template.scala:616)
    at views.html.player.list.players.render(players.template.scala)

[error] b.o.d.j.ViewSupport - Timeout when attempting to complete future within [10000]ms.  Denying access to resource.
java.util.concurrent.TimeoutException: null
    at java.util.concurrent.CompletableFuture.timedGet(CompletableFuture.java:1771)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1915)
    at be.objectify.deadbolt.java.ViewSupport.viewPattern(ViewSupport.java:231)
    at be.objectify.deadbolt.java.views.html.pattern_Scope0$pattern_Scope1$pattern.apply(pattern.template.scala:40)
    at views.html.player.list._table_Scope0$_table_Scope1$_table$$anonfun$apply$9$$anonfun$apply$22$$anonfun$apply$23.apply(_table.template.scala:534)
    at views.html.player.list._table_Scope0$_table_Scope1$_table$$anonfun$apply$9$$anonfun$apply$22$$anonfun$apply$23.apply(_table.template.scala:530)
    at play.twirl.api.TemplateMagic$.defining(TemplateMagic.scala:13)
    at views.html.player.list._table_Scope0$_table_Scope1$_table$$anonfun$apply$9$$anonfun$apply$22.apply(_table.template.scala:530)
    at views.html.player.list._table_Scope0$_table_Scope1$_table$$anonfun$apply$9$$anonfun$apply$22.apply(_table.template.scala:529)
    at play.twirl.api.TemplateMagic$.defining(TemplateMagic.scala:13)

----- Update One Day Later -----
I took a different approach and tried to determine what information each Deadbolt convenience function was trying to access for restrict, subjectNotPresent, and pattern, as these were the three I was using liberally in my one view. This one view consisted of a main.scala.html, plus three more views. I may have had 20-30 usages of restrict, restricOr, pattern, and subject. I then created a view model object that I pass down into my view from my controller. I am able to run with 50 concurrent users without any timeout issues.

Perhaps this is better use of data retrieval in general and perhaps I was abusing Deadbolt by using it too much. I would think each time a restrict or pattern is executed, it takes some time to run, and each instance runs that same amount of time, and when you have more concurrent users, timeouts happen? With my view model approach, I access the information I need and each request to it gets the already calculated data.

@restrict(roles = anyOf(allOf("admin"))) { } now becomes @if(globalViewModel.isAdmin) { }.

Just because this is working for me, doesn't mean it is a better approach. Any suggestions are welcome. Thank you.

Typically in an RBAC system you can assign someone a role and that assigns some set of permissions to them. You shouldn't generally do checks that require a given role to take an action. E.g. if you want the application administrator to have the ability to create a new role and assign it some set of permissions you can't do that with Deadbolt

I'm testing template constraints as shown in the documentation, but when I try to compile, I get the error:

not found: value restrict
not found: value roles

I'm using:

playVersion = "2.6.23"
scalaVersion = "2.12"
be.objectify:deadbolt-java_2.12:2.6.2

template code:

@import be.objectify.deadbolt.java.views.html.di.{restrict, restrictOr}
@import be.objectify.deadbolt.java.utils.TemplateUtils.{allOf, anyOf}

@restrict(roles = anyOf(allOf("foo", "bar"))) {
    Subject requires the foo role for this to be visible
}

If I use annotations like @SubjectPresent on my controller method, then the getSubject() method of my DeadboltHandler implementation is invoked automatically. Dependning on whether a subject was returned or not, the controller method is either allowed to run or not. If the controller method is allowed to run: How to get the subject within the controller method?

public class MyController extends Controller
{
    @SubjectPresent
    public CompletionStage<Result> search()
    {
        final Subject subject = DeadboltUtils.getCurrentSubject(); /* <-- I need something like this !!! */
    }
}

I found the recommendation that the getSubject() method should store the Subject in HttpContext.args, but this is no longer possible in Play Framework 2.7 and newer, because HttpContext.args has been remvoed by now 😞

(Also HttpRequest.attrs is not an alternative, because it is immutable)

Best regards.

Normally I'm using @Restrict(@Group("MY_ROLE")) but when I replaced it to @RoleBasedPermissions("MY_ROLE") it always enters to onAuthFailure

Hi there,

We've recently switched our Playframework app Log level to INFO for development. In case we encounter serious bugs, we switch to DEBUG mode.

With the Log level at INFO, about 1/3 of our log is filled with Deadbolt messages like this one:

    [info] b.o.d.j.a.AbstractDeadboltAction - Getting Deadbolt handler with key [defaultHandler]

It's generated by the AbstractDeadBoltAction, line 77:

    LOGGER.info("Getting Deadbolt handler with key [{}]", handlerKey);

You're probably guessing where this is going... I'm wondering if we can either:

• expose a Deadbolt LOG LEVEL config variable
• move log statements like the one above to the DEBUG level

Hi Steve,

if you set play.allowGlobalApplication = false in your application.conf apps using deadbolt helpers will break.
You probably already know that.

That's because all your helpers import the current play application:
https://github.com/schaloner/deadbolt-2-java/blob/v2.5.5/code/app/be/objectify/deadbolt/java/views/restrict.scala.html#L5
which unfortunately is needed for the implicit import one line above - which then boils down to this here:
https://github.com/schaloner/deadbolt-2-java/blob/v2.5.5/code/app/be/objectify/deadbolt/java/ViewAccessPoint.scala#L31-L33

How can we get rid of the global app dependency in deadbolt?

Hi, can you help me with documentation for 2.8 version?

Hello,

Im using play 2.6.5 and deadbolt 2.6.1 java.

Im trying to add @subjectPresentOr() {}{} but dont work.

im add the import

@import be.objectify.deadbolt.java.views.html.di.{subjectPresent, subjectPresentOr}

but all time say me

Compilation error
not found: value subjectPresentOr

https://deadbolt-java.readme.io/docs/template-constraints

What are doing wrong?

Thanks.

Hello,

I've noticied that Deadbolt was throwing an error every time one tries to access a restricted action with @restrict. Our application is 50% full of Deadbolt log because of that, is that the wished behavior ? How can I remove those logs without editing source files ?

Here is a typical error :

at be.objectify.deadbolt.java.actions.RestrictAction.applyRestriction(RestrictAction.java:55) [be.objectify.deadbolt-java_2.10-2.2-RC1.jar:2.2-RC1]
2015-08-11T10:16:53.053+02:00at be.objectify.deadbolt.java.utils.RequestUtils.getSubject(RequestUtils.java:62) ~[be.objectify.deadbolt-java_2.10-2.2-RC1.jar:2.2-RC1]
2015-08-11T10:16:53.053+02:00at security.AdministratorDeadboltHandler.getSubject(AdministratorDeadboltHandler.java:26) ~[universail.universail-1.0-SNAPSHOT.jar:1.0-SNAPSHOT]
2015-08-11T10:16:53.053+02:00[warn] application - Deadbolt: Access failure on [/admin/newsletter/listings]
2015-08-11T10:16:53.053+02:00at be.objectify.deadbolt.java.actions.AbstractDeadboltAction.getSubject(AbstractDeadboltAction.java:180) [be.objectify.deadbolt-java_2.10-2.2-RC1.jar:2.2-RC1]
2015-08-11T10:16:53.053+02:00java.lang.NullPointerException: null
2015-08-11T10:16:53.053+02:00[error] application - Error getting subject: null
2015-08-11T10:16:53.053+02:00at java.util.UUID.fromString(UUID.java:192) ~[na:1.7.0_71]
2015-08-11T10:16:53.053+02:00at be.objectify.deadbolt.java.actions.RestrictAction.isAllowed(RestrictAction.java:76) [be.objectify.deadbolt-java_2.10-2.2-RC1.jar:2.2-RC1]

Thanks by advance for your help !

I am integrating Deadbolt2 with a Play 2.2 Java application, and am running into behavior that seems different from what's documented.

I have the @SubjectPresent annotation on several actions, and when not logged in the onAuthFailure() method of the handler is called as expected to redirect to login. However, my the beforeAuthCheck() call in my security handler is never called.

Hello,

Im getting an error when a user is not logged and go to protected route like subjectPresent or subjectNotPresent.

If i access to logging:

#deadbolt:subjectNotPresent
GET    /login                        controllers.UsersController.loginForm
#deadbolt:subjectNotPresent
POST   /login                        controllers.UsersController.login

And Im not logged, application say me:

[ERROR] [10/30/2017 08:20:00.116] [play-dev-mode-akka.actor.default-dispatcher-38] [akka.actor.ActorSystemImpl(play-dev-mode)] Internal server error, sending 500 response
java.util.NoSuchElementException: key not found: HandlerDef
	at scala.collection.immutable.Map$Map4.apply(Map.scala:187)
	at play.api.libs.typedmap.DefaultTypedMap.apply(TypedMap.scala:87)
	at play.libs.typedmap.TypedMap.get(TypedMap.java:48)
	at be.objectify.deadbolt.java.filters.DeadboltRouteCommentFilter.apply(DeadboltRouteCommentFilter.java:147)
	at play.mvc.Filter$1.apply(Filter.java:39)
	at play.api.mvc.Filter$$anon$1.apply(Filters.scala:61)
	at play.api.mvc.Filter$$anon$1.apply(Filters.scala:48)
	at play.api.mvc.EssentialAction$$anon$1.apply(Action.scala:37)
	at play.api.mvc.EssentialAction$$anon$1.apply(Action.scala:32)
	at play.core.server.AkkaHttpServer.$anonfun$executeHandler$1(AkkaHttpServer.scala:250)
	at play.api.mvc.EssentialAction$$anon$3.apply(Action.scala:48)
	at play.api.mvc.EssentialAction$$anon$3.apply(Action.scala:47)
	at play.core.server.AkkaHttpServer.executeAction(AkkaHttpServer.scala:284)
	at play.core.server.AkkaHttpServer.executeHandler(AkkaHttpServer.scala:254)
	at play.core.server.AkkaHttpServer.handleRequest(AkkaHttpServer.scala:200)
	at play.core.server.AkkaHttpServer.$anonfun$createServerBinding$3(AkkaHttpServer.scala:106)
	at akka.stream.impl.fusing.MapAsync$$anon$23.onPush(Ops.scala:1172)
	at akka.stream.impl.fusing.GraphInterpreter.processPush(GraphInterpreter.scala:499)
	at akka.stream.impl.fusing.GraphInterpreter.processEvent(GraphInterpreter.scala:462)
	at akka.stream.impl.fusing.GraphInterpreter.execute(GraphInterpreter.scala:368)
	at akka.stream.impl.fusing.GraphInterpreterShell.runBatch(ActorGraphInterpreter.scala:571)
	at akka.stream.impl.fusing.GraphInterpreterShell$AsyncInput.execute(ActorGraphInterpreter.scala:457)
	at akka.stream.impl.fusing.GraphInterpreterShell.processEvent(ActorGraphInterpreter.scala:546)
	at akka.stream.impl.fusing.ActorGraphInterpreter.akka$stream$impl$fusing$ActorGraphInterpreter$$processEvent(ActorGraphInterpreter.scala:725)
	at akka.stream.impl.fusing.ActorGraphInterpreter$$anonfun$receive$1.applyOrElse(ActorGraphInterpreter.scala:740)
	at akka.actor.Actor.aroundReceive(Actor.scala:514)
	at akka.actor.Actor.aroundReceive$(Actor.scala:512)
	at akka.stream.impl.fusing.ActorGraphInterpreter.aroundReceive(ActorGraphInterpreter.scala:650)
	at akka.actor.ActorCell.receiveMessage(ActorCell.scala:527)
	at akka.actor.ActorCell.invoke(ActorCell.scala:496)
	at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)
	at akka.dispatch.Mailbox.run(Mailbox.scala:224)
	at akka.dispatch.Mailbox.exec(Mailbox.scala:234)
	at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
	at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
	at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
	at akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)

but, I cant find the error in my class.... The filter are defined like your example:

/**
 * @author Steve Chaloner ([email protected])
 */
public class Filters implements HttpFilters {
    private final DeadboltRouteCommentFilter deadbolt;

    @Inject
    public Filters(final DeadboltRouteCommentFilter deadbolt) {
        this.deadbolt = deadbolt;
    }

    @Override
    public List<EssentialFilter> getFilters() {
        return Arrays.asList(deadbolt);
    }
}

What are doing wrong?

Thanks.

For commented routes use
https://www.playframework.com/documentation/2.6.x/Highlights26#Route-modifier-tags? So instead of the #deadbolt:... comment syntax we could use "play conform" tags like + deadbolt:... in the routes file now?
(I didn't look into the code to know if thats possible and how it works)

As @mkurz is about to release Play 2.9 with Scala 3 support and all, I am requesting @schaloner and @mkurz kindly consider this package upgradation.

Thanks.

The meta value specified at the controller on a Composite constraint

    @Composite(value = "isDevAndOwner", meta = "skip")
    public Result updateResource(String installationId) { /* ... */ }

is not available to the dynamic constraint (DynamicResourceHandler) which is sub constraint of the composite constraint:

// ...
    @Inject
    public CompositeConstraints(final CompositeCache compositeCache, final ConstraintBuilders builders) {
        final Constraint isDevAndOwner = new ConstraintTree(
                Operator.AND,
                builders.restrict(builders.anyOf(builders.allOf(ROLE_DEVELOPER))).build(),
                builders.dynamic("isResourceOwner").build()
        );
// ...

public class IsResourceOwner implements DynamicResourceHandler {

    @Override
    public CompletionStage<Boolean> isAllowed(String name, Optional<String> meta, DeadboltHandler deadboltHandler, Http.Context context) {
            return CompletableFuture.supplyAsync(() -> meta.isPresent()); // always false!
    }

// ...
}

Do let me know what other details you require or if I am doing something wrong.

One the lefthand sidebar "Integrating Deadbolt" it present twice:
https://deadbolt-java.readme.io/docs/integrating-deadbolt

Just a reminder to not forget that.
https://github.com/schaloner/deadbolt-2-java/blob/692a6ac2c6b17cf663ed8df4720078782446d916/code/build.sbt#L7-L8

Using Play 2.5.6, and updated to 2.5.9 to see if that would fix the problem. Deadbolt-2 2.5.2. Started with Auth0 integration example and updating for Play 2.5.

Authentication is working as is the callback. Redirecting to Application.index is causing a NullPointerException.

It appears in DefaultSubjectCache.apply() that deadboltHandler is null.

As part of the updating to Play 2.5, I've had to pass in an HttpExecutionContext into some of the CompletionStage method calls because of some cases where the HttpContext couldn't be found. I don't know why this was a problem in Play 2.5 and not 2.4. Maybe this is something similar.

Thanks

Play Framework 2.9.0 has been released - add support.

I'm not sure if this is a deadbolt-2 issue, but I have no idea why it's occurring. When I run my Play app (Play v2.4.3) on my laptop, everything is fine, but on a remote server, I get this cryptic message and the play-authenticate auth does not work. Is there a plausible reason why this error would occur on a cloud server and not on my laptop?

2015-09-15 15:18:59 +0000 [INFO] from play.api.Play in main - Application started (Prod)
2015-09-15 15:19:00 +0000 [INFO] from play.core.server.NettyServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2015-09-15 15:19:00 +0000 [INFO] from play.core.server.NettyServer in main - Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2015-09-15 15:19:09 +0000 [INFO] from be.objectify.deadbolt.java.TemplateFailureListenerProvider in application-akka.actor.default-dispatcher-2 - No custom TemplateFailureListener found, falling back to no-op implementation
2015-09-15 15:19:09 +0000 [INFO] from be.objectify.deadbolt.java.ViewSupport in application-akka.actor.default-dispatcher-2 - Default timeout period for blocking views is [130000]ms

I tried changing my deadbolt.conf file to this, but it didn't make any difference:

deadbolt {
  java {
    blocking = true # JPA doesn't support non-blocking
    cache-user = true # For the rest of the request
    handler = auth.MyDeadboltHandler
    view-timeout=130000 # Default 1000
    blocking-timeout=2000
  }
}

My build.sbt file has these two lines:

 "be.objectify"  %% "deadbolt-java"     % "2.4.2.1",
  "com.feth" %%  "play-authenticate" % "0.7.0-SNAPSHOT",

Hi, there

I met a problem where SubjectPresent.deferred=true does not take effect when running Deadbolt 2.5 with Play 2.5.x

Through debugging I found that the problem is probably caused by AbstractDeadboltAction.java line 112:

          if (isDeferred(ctx))
            {
                result = getDeferredAction(ctx).call(ctx);
            }
            else if (!ctx.args.containsKey(IGNORE_DEFERRED_FLAG)
                    && annClass.isAnnotationPresent(Deferrable.class) // <- THIS LINE
                    && (Boolean)annClass.getMethod("deferred").invoke(configuration))
            {
                defer(ctx,
                      this);
                result = delegate.call(ctx);
            }
            else
            {
                result = execute(ctx);
            }

In runtime I found the annClass is a Java Proxy and annClass.isAnnotationPresent(Deferrable.class) always returns false.

When I use ConfigFactory.load(); from controller not annotated with @Dynamic - I obtain fully loaded config with variables from application.conf
When I annotate method with @Dynamic only windows environmental variables are loaded.
@Restrict works fine. Deadbolt version: 2.6.4, Play version: 2.6.15

To reproduce just do:

@Dynamic(value = DynamicHandler.MY_HANDLER_KEY) // test with/without it
public CompletionStage<Result> test(final String something) {
    System.out.println(ConfigFactory.load());
    return CompletableFuture.completedFuture(ok());
}

I get this error all the time now.

I guess that it's caused by my getSubject method, but I have timed "Application.getLoggedOnUser()" and it takes 14-27ms so it couldn't be that I guess. So what could cause this?

2015-04-16 15:00:52,716 - [error] b.o.d.j.u.RequestUtils - Error getting subject: Futures timed out after [2000 milliseconds]
java.util.concurrent.TimeoutException: Futures timed out after [2000 milliseconds]
    at scala.concurrent.impl.Promise$DefaultPromise.ready(Promise.scala:219) ~[org.scala-lang.scala-library-2.11.6.jar:na]
    at scala.concurrent.impl.Promise$DefaultPromise.result(Promise.scala:223) ~[org.scala-lang.scala-library-2.11.6.jar:na]
    at scala.concurrent.Await$$anonfun$result$1.apply(package.scala:190) ~[org.scala-lang.scala-library-2.11.6.jar:na]
    at akka.dispatch.MonitorableThreadFactory$AkkaForkJoinWorkerThread$$anon$3.block(ThreadPoolBuilder.scala:169) ~[com.typesafe.akka.akka-actor_2.11-2.3.4.jar:na]
    at scala.concurrent.forkjoin.ForkJoinPool.managedBlock(ForkJoinPool.java:3640) [org.scala-lang.scala-library-2.11.6.jar:na]

My getSubject method looks like this.

public F.Promise<Subject> getSubject(Http.Context context) {
        return F.Promise.promise(new F.Function0<Subject>()
        {
            @Override
            public Subject apply() throws Throwable {
                return Application.getLoggedOnUser();
            }
        });
    }

I just upgraded to deadbolt-2-java v2.3.3 (from v2.3.2).
Also I am using JPA/Hibernate.

The Problem

I have a controller with a @Restrict(@Group("mygroup")) annotation. Inside this controller there is an action method which calls play.db.jpa.JPA.em() to retrieve the current hibernate entity manager. Starting with v2.3.3 I get following exception:

Execution exception[[RuntimeException: No EntityManager bound to this thread. Try to annotate your action method with @play.db.jpa.Transactional]]

The Cause

After some research I am pretty sure I know what's the problem:

First you should know that Play's JPA implemenation puts the entity manager into the current HTTP context args (if there is a HTTP context, which is true in our case), so we can retrieve it from there.
After an action method (and it's annotations) are finished, the entity manager gets removed from the HTTP context args.

The problem is now that you create and return a new Promise from your RestrictAction, so the action method inside the controller itself gets called at later point in time, which means the entity manager gets set to null before the action method's code runs.

I hope you understand my description, if you need more information let me know.

Http.Context.current() will be deprecated in future versions of Play: playframework/playframework#6168

Right now deadbolt uses that method inside ViewSupport.java. It should be easy to remove its occurrences and just have the user pass the context to the various twirl tags defined in code/app/be/objectify/deadbolt/java/views/di instead.

Migration would be easy: Instead of calling e.g. @subjectPresent(), @restrict(...) or @pattern(...) users have to call @subjectPresent(ctx()), @restrict(ctx(),...) or @pattern(ctx(),...) now.

In future version of Play when @ctx() will (maybe) be removed, users have to pass the context from the controllers to their templates, however that isn't deadbolts problem anymore 😉

are you changing something? Because suddenly SBT can not find dependency:

 ::::::::::::::::::::::::::::::::::::::::::::::
 ::          UNRESOLVED DEPENDENCIES         ::
 ::::::::::::::::::::::::::::::::::::::::::::::
 :: be.objectify#deadbolt-core_2.11;2.4.0-SNAPSHOT: not found
 ::::::::::::::::::::::::::::::::::::::::::::::

Play 2.4.0 was released this week. Will Deadbolt have a release to match?

General

• Replace occurences of F.Promise in the docs. See #27
• Mention possibility of setting play.http.actionComposition.controllerAnnotationsFirst = [true | false] to controll if controller annotations/constraints should run before or after the method ones.

Since version 2.6.3

• There is a DefaultSubject class that can be used. See pull request #44

Since version 2.6.4

• deadbolt.java.cache-before-auth-check=[true | false (default) ]
  Caches the result of deadboltHandler.beforeAuthCheck(...) for the current request (similar to deadbolt.java.cache-user). Also see #48 (comment)
• Constraint modes
  deadbolt.java.constraint-mode can be PROCESS_FIRST_CONSTRAINT_ONLY (the default, backward compatible), AND (all constraint annotations of the current action composition chain have to be successful) or OR (only one constraint annotation of the current action composition chain has to be successful) See tests added in #83 for examples
• @Pattern: added mode attribute (can be AND or OR) + value attribute takes an array now
  Exampe see #88
• Clarify how caching works, see mkurz/deadbolt-2#75 (comment)

Since version 2.7.0

• Moved away from Http.Context and ctx.args to Http.RequestHeader and it's request attributes (e.g. in the deadbolt handler methods): See Play migration guide and #95
• The "Commented routes" feature changed to use route modifier tags instead of comments. In short that means #deadbolt:... becomes + deadbolt:... and DeadboltRouteCommentFilter* classes were renamed to DeadboltRouteModifierTagsFilter*. For more details please see #96.
• Reflect in docs that DeadboltHandler.beforeAuthCheck(Http.RequestHeader context, Optional<String> content) also gets content passed now, see #77
• Constraint annotations are now @Repeatable (actually works with version 2.6.4 and Play 2.6.11 already, however we shouldn't mention it before deadbolt 2.7 comes out so people try to use it with lets say Play 2.6.8). Example see #70
• @Deferrable was removed - remove it from the docs, see #81
• alwaysExecute is now false by default (it should have been false always anyway like it says in the docs) see #76
• Remove the whole ExecutionContextProvider stuff and the deadbolt.java.custom-execution-context config, see #46
• The deadbolt twirl templates/tags expect an implicit requestheader to be present in the implicit scope now. That however is not a breaking change immediately, because Play's TemplateMagicForJava takes care of this by provding you that implicit requestheader by getting it from the context thread-local. More details see Play migration guide
• Finally moved the default configs to the reference.conf file (instead of having it in a ConfigKeys class)

For DeadboltRouteModifierTagsFilter

Deadbolt does support multiple deadbolt route modifier tags for one route, which all have to pass to process the route (meaning it's AND and ignores the deadbolt.java.constraint-mode config). See #96.

We might want to implement an OR mode as well.
However that should be a different config than deadbolt.java.constraint-mode because

1. before using route modifier tags we were using comments and back than only one comment was allowed (meaning there was no AND mode back then as well of course). Therefore we also don't need
   something like PROCESS_FIRST_CONSTRAINT_ONLY but only AND and OR.
2. to be able to control annotations and filter differently. Maybe someone want's to OR the filter constraints but AND the annotation constraints.

For DeadboltRoutePathFilter

Same here, we could add AND and OR mode. Right now you can not even add multiple constraints for one route...
What needs to be done is:
In AuthorizedRoute change the constraint field to be a List:

private final List<FilterFunction> constraints;

and maybe even add a mode field to be even able to set a different mode for each route:

private final Mode mode;

and of course add a mode config in reference.conf which defines the default for all routes. (Maybe share/use the same config like DeadboltRouteModifierTagsFilter above uses?)

Hi Steve,

According to the Guide https://deadbolt-java.readme.io/docs/template-constraints

We should include these lines in the view template:

@import be.objectify.deadbolt.java.views.html.di.{subjectPresent, subjectPresentOr}

@subjectPresent() {
    This content will be present if handler#getSubject results in a Some 
}

@subjectPresentOr() {
    This content will be present if handler#getSubject results in a Some 
} {
  fallback content
}

However this resulted in

play.sbt.PlayExceptions$CompilationException: Compilation error[not found: value subjectPresent]
        at play.sbt.PlayExceptions$CompilationException$.apply(PlayExceptions.scala:34)
        at play.sbt.PlayExceptions$CompilationException$.apply(PlayExceptions.scala:34)
        at scala.Option.map(Option.scala:230)
        at play.sbt.run.PlayReload$.$anonfun$taskFailureHandler$8(PlayReload.scala:131)
        at scala.Option.map(Option.scala:230)
        at play.sbt.run.PlayReload$.taskFailureHandler(PlayReload.scala:104)
        at play.sbt.run.PlayReload$.compileFailure(PlayReload.scala:38)
        at play.sbt.run.PlayReload$.$anonfun$compile$3(PlayReload.scala:156)
        at scala.util.Either$LeftProjection.map(Either.scala:573)
        at play.sbt.run.PlayReload$.compile(PlayReload.scala:156)

Am I missing some dependencies? I am able to set up the Controller constraints. Perhaps the issue is Dependency Injection related?

I am using
libraryDependencies += "be.objectify" %% "deadbolt-java" % "2.8.1"

on Play Framework 2.8.8

Thank you

Hello,

I am opting an error when clean dist, javadoc fail in deadbolt2 class.

[error]  app/security/HandlerQualifiers.java:17: inner classes cannot be classfile annotations
[error]     public @interface MainHandler{}
[error]                       ^

This error produce when generate javadoc, and don't generate zip with deploy contents.

[info] No documentation generated with unsuccessful compiler run
[error] one error found
[error] (compile:doc) Scaladoc generation failed
[error] Total time: 21 s, completed 30-oct-2017 11:44:17

Class contains

public class HandlerQualifiers {
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.PARAMETER})
    @BindingAnnotation
    public @interface MainHandler{}
}

What are doing wrong?

Thanks.

If I annotate my Controller as @Restrict(@Group("MY_ROLE")) - everything works, but if I annotate it as @MyRoleOnly where:

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@Documented
@Inherited
@Restrict(@Group("MY_ROLE"))
public @interface MyRoleOnly {
}

it is ignored, despite the fact @Restrict is annotated by @Inherited

Hi,

I have an interesting problem I am running play 2.3

SubjectPresent and SubjectNotPresent both work very well.
Although no matter how I mark my actions with Restrict and Pattern annotations they do not get triggered.

is there something in the docs I am missing ?
is there a way to debug this ? I enabled logging but as far as I can see there is no logging in the classes.

My deadbolt config is
deadbolt {
before-auth-check-timeout=4000,
java {
cache-user=true,
handler=security.HttpHeaderDeadboltHandler
handlers {
defaultHandler=security.HttpHeaderDeadboltHandler
}
}
}

10000:be.objectify.deadbolt.java.DeadboltPlugin

"be.objectify" %% "deadbolt-java" % "2.3.1",
and
addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.3.7")

Thanks in advance.

When a Pattern constraint is defined with invert = true and no subject is present, access to the resource is allowed. It should be denied.

Here: https://leanpub.com/deadbolt-2/read it would be good to replace F.Promise<Optional<Result>> with CompletionStage<Optional<Result>>

This is originaly from schaloner, he entered that as normal text in a GitHub project I just closed,

Hi, there

I need something like @restrict(@group("my_group") or @SubjectNotPresent)
Can I combine these two annotations?

I am not sure if this is a problem with Deadbolt. Probably it's something with my code. But I get the following errors when I annotate an action (let's say Application.about) with SubjectPresent but not if i remove that annotation. Every time I hit refresh it's a different error but always one of these three.

[IllegalStateException: EntityManager is closed]
[PersistenceException: org.hibernate.SessionException: Session is closed!]
[RuntimeException: No EntityManager found in the context. Try to annotate your action method with @play.db.jpa.Transactional]

I have added a comment in all my Deadbolt methods and the only method that is executed is "MyDeadboltHandler.getSubject". When I have the annotation this method is executed once but when i remove the annotation it is executed several times. So it feels like the getSubject method should be OK.

public F.Promise<Optional<Subject>> getSubject(Http.Context context) {
        Logger.error("MyDeadboltHandler.getSubject");
        return F.Promise.promise(() -> Optional.ofNullable(User.authenticate(Application.getCurrentSessionId().orElse(null)).get()));
}

I could replace the last line with

return F.Promise.promise(() -> JPA.withTransaction(() -> Optional.ofNullable(User.authenticate(Application.getCurrentSessionId().orElse(null)).get())));

But then the code in the about action wouldn't be able to access the EntityManager.