https://kotlinlang.org logo
#ktor
Title
# ktor
b

bitkid

04/06/2020, 11:21 AM
hey! i saw that ktor implements features for authentication. is there also a framework for authorization? i have a server in our organisation which basically can do RBAC and ABAC and handles access to resources. so in each call to my ktor app i have to make a http request to that server and check for authorization. how would i handle that? any suggestions? add an interceptor after the autentication pipeline? do it directly in my routes?
m

mp

04/06/2020, 2:42 PM
One way to do it would be to use a session cookie and store session data in Redis. When creating a session like when logging in, hit that RBAC server and load all applicable roles and keep them in your principal class. Then it's trivial to write a wrapper around your business logic that looks for the relevant role/capability/whatever.
Here's a wrapper I use in one of my ktor apps to give you the idea:
Copy code
internal suspend fun requireCapability(
    call: ApplicationCall,
    c: InternalCapability,
    block: suspend (InternalUserPrincipal) -> Unit
) {
    val principal = call.authentication.principal<InternalUserPrincipal>()!!
    if (!principal.capabilities.contains(c)) {
        logger.debug("Principal ${principal.internalUserId} did not have capability $c")
        call.respond(HttpStatusCode.Unauthorized)
        return
    }

    block(principal)
}
use:
requireCapability(foo) { your logic here }
15 Views