import ballerina/auth;
import ballerina/config;
import ballerina/http;
import ballerina/log;
auth:InboundBasicAuthProvider basicAuthProvider = new;
http:BasicAuthHandler basicAuthHandler = new (basicAuthProvider);
listener http:Listener ep = new (9090, config = {
auth: {
authHandlers: [basicAuthHandler]
},
secureSocket: {
keyStore: {
path: config:getAsString("b7a.home") +
"/bre/security/ballerinaKeystore.p12",
password: "ballerina"
}
}
});@http:ServiceConfig {
basePath: "/hello",
auth: {
scopes: ["scope1"]
}
}
service echo on ep { @http:ResourceConfig {
methods: ["GET"],
path: "/sayHello",
auth: {
scopes: ["scope2"]
}
}
resource function hello(http:Caller caller, http:Request req) {
error? result = caller->respond("Hello, World!!!");
if (result is error) {
log:printError("Error in responding to caller", result);
}
}
}# At the command line, navigate to the directory that contains the `.bal` file.
# Ensure that the `sample-users.toml` file is populated correctly with the user
# information. If required, user passwords can be encrypted using the
# `ballerina encrypt` configuration encryption command.
echo '["b7a.users"]
["b7a.users.alice"]
password="password1"
scopes="scope1"
["b7a.users.bob"]
password="password2"
scopes="scope2,scope3"' > sample-users.toml# To run the service, execute the below command by specifying the configuration
# file name and passing Ballerina home path as a system property.
ballerina run secured_service_with_basic_auth.bal --b7a.config.file=sample-users.toml --b7a.home=<ballerina_home_path>
[ballerina/http] started HTTPS/WSS listener 0.0.0.0:9090# Since the resource configuration has overridden the required scopes to denote
# that `scope2` is required to invoke `sayHello` resource, the invocation will
# fail during authorization.
curl -k -u alice:password1 https://localhost:9090/hello/sayHello
Authorization failure# Since `bob` has `scope2`, the invocation will succeed.
curl -k -u bob:password2 https://localhost:9090/hello/sayHello
Hello, World!!!
Secured Service with Basic AuthA service can be secured using basic authentication and optionally, by
enforcing authorization. The auth provider reads the username and password
from a file which has a toml format. This stores usernames, passwords for
authentication, and scopes for authorization.
Ballerina uses the concept of scopes for authorization. A resource
declared in a service can be bound to one/more scope(s). In the config
auth provider, scopes are mapped to users.
In the authorization phase, the scopes of the resource are compared against
the scopes mapped to the user for at least one match between the two sets.
The following code block shows the contents of the file
There are two users defined - Alice and Bob. Each user has a password and assigned scopes. |
|
|
|
Creates a Basic Auth header handler with the relevant configurations. |
|
The endpoint used here is the |
|
The secure hello world sample uses HTTPS. |
|
|
|
The Auth configuration comprises of two parts -
authentication & authorization.
Authentication can be disabled by setting the |
|
|
|
The authentication and authorization settings can be overridden at the
resource level.
The hello resource would inherit the |
|
|
|
|
|
|