Chapter 11. Authentication
This chapter covers
- Stateful vs. stateless authentication
- The Scentry authentication framework
- HTTP Basic authentication
- Session handling in Scalatra
- Form-based login with a username and password
- Remembering a user with a cookie
- Defining multiple authentication strategies for a single application
Authentication, the act of confirming that somebody is who you think they are, is something you’ll do over and over when constructing HTTP applications. To illustrate how authentication works in Scalatra, you’ll protect parts of the Hacker Tracker application from chapter 4. You’ll change it so that only logged-in users can add, remove, or edit hackers.
It’s worth understanding right at the start that web applications and HTTP APIs typically differ in how they handle authentication. Web applications usually require a user to log in once, and then they hold on to that authentication state across multiple requests: they are stateful. APIs usually require that each request is authenticated independently of all other requests: they are stateless.
We’ll take a look at web application security using stateful authentication in this chapter. If you’re interested in protecting your APIs, there are many ways to accomplish that—OAuth2 and HMACs are the most popular. OAuth2 is beyond the scope of this chapter. HMAC is shown in chapter 13.