Typesafe Access Control List (ACL) in Play framework for Scala

Ronald Marske Developed a typesafe Access Control List (ACL) in Play framework for Scala

A software project mostly doesn’t work without a good rights management. You need to manage all these roles and resources and restrict access to some resources. For this reason, I wrote an ACL-management component for Play Framework using resources and privileges.

What is an ACL?

At secu-ring, we’re developing software and internet platforms, which won’t work without a good right management. During all this time, we gathered a lot of information on how you should create and use an ACL-system. We also do a lot of PHP-Projects, which are developed in Zend Framework. The ACL-system in Zend Framework provides very good possibilities to combine roles and assertions for resources and privileges.

Maybe I should give you a short explanation, what this means: In software projects you usually have to manage logged in users. Those users can have different rights, which are collected in roles. A role is kind of a group, which the user is combined to. Resources are abstract descriptions of your models or modules in a project. Let’s say, you have a job offer platform and in this example, a job can and should be a resource. Privileges should be used as actions. When you want to read a job, the privilege should be “read”. If you want to modify the job, your privilege should be “edit” or “manage”. Assertions are kind of special rules on a resource. Let’s imagine that your software should use an icon to show, that this job is owned by the current logged in user. In this case you should write an assertion, which gets the current job and checks for the owner and compares this to the current logged in user.

Creating a stateless ACL-component in Scala

In Play Framework, there is also a component called Secure Social which is a very simple way, to protect actions against not logged in users. Considering the complexity of the example, I’ve describe before, this is not providing the needed level of security. Therefore I developed an ACL-component which is kind of similar to the one in Zend Framework. The most difficult part was to realize this component in a stateless way. A big advantage of the play framework is being stateless – which means, that the server doesn’t store any information or states of the user. My first implementation of the ACL-component was a stateful component and it didn’t worked well. But still, the basic implementation was done, so I refactored the component to be stateless. For the implementation I started to write some main classes for *Resources*, *Privileges*, *Roles* and *AclObject*.

Defining a resource or a privilege, is more like a configuration. The only thing you should do, is creating a Scala object which extends from privilege. For resources it’s exactly the same procedure. Roles are a little bit more complicated, because you have to define the rights they have. Also you need an identifier for this role and the inherited roles. The role “registered” should inherit from “guest”. For defining roles you need to implement the 4 methods of the role interface.

Then you need to implement the security trait, which is used to initialize the ACL-component and is implemented in the controller, as your starting point for every page. You have to implement 4 methods for the security trait. The first retrieves the user from your storage system. The next method is just a simple list, to define your available roles. To define the guest role and the guest user instance, you’ll need the last two methods. With this small configurations and implementations your software is ready for the ACL-system.

Now it’s easy for the controller to protect the action against users, which are not allowed to enter this page. You simply extend your action from the given method by the security trait. The method “withProtectedAcl” will protected your action and inject the ACL-component into the controller to reuse the component. This is an example of a implementation in a controller:

 /** Admin controller - we want to protected this */
 class Admin @Inject() extends Controller with Security {
>def dashboard = withProtectedAcl(AdminResource, ReadPrivilege) { implicit acl: Acl[UserEntity] => implicit request =>

To use this component you also need to implement the dependency to the ACL-component like this:

 libraryDependencies ++= Seq(
 // add your dependencies
 "com.github.scyks" %% "playacl" % "0.2.0"


In this article I’ve described a way, on how you can use an ACL-component in your play framework application in Scala. The component is deployed on GitHub and in apache maven repository. Hopefully this will help you, implementing an ACL-component in your application. A more advanced and detailed documentation for the component is available on GitHub.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.