Authentication and authorization
You are currently viewing the documentation for the unreleased version 5.0.0.CR2 of Vert.x. Visit the latest stable version of this page.

.htpasswd Auth Provider

We provide an implementation of AuthenticationProvider which uses the Apache htpasswd file format to perform authentication. The provider will not watch for updates to the file after loading. If you need dynamic user management it would be more convenient to use dynamic providers such as jdbc or mongo providers.

To use this project, add the following dependency to the dependencies section of your build descriptor:

  • Maven (in your pom.xml):

<dependency>
<groupId>io.vertx</groupId>
<artifactId>vertx-auth-htpasswd</artifactId>
<version>5.0.0.CR2</version>
</dependency>
  • Gradle (in your build.gradle file):

compile 'io.vertx:vertx-auth-htpasswd:5.0.0.CR2'

To create an instance you first need an htpasswd file. This file is created using the apache htpasswd tool.

Once you’ve got one of these you can create a HtpasswdAuth instance as follows:

HtpasswdAuth authProvider = HtpasswdAuth
  .create(vertx, new HtpasswdAuthOptions());

Once you’ve got your instance you can authenticate with it just like any AuthenticationProvider.

The out of the box config assumes the usage of the file htpasswd in the root of the project.

Provider internal behavior

The provider will load the specified htpasswd file at start time and will not watch for modifications. If you require dynamic reloads, you will need to restart the provider.

The implementation does not have any other state than the htpasswd file itself.

Authentication

When authenticating using this implementation, it assumes that the username and password are parsed as a JSON object which we refer from now on as authentication info:

Credentials authInfo = new UsernamePasswordCredentials(
  "someUser", "somePassword");

authProvider.authenticate(authInfo)
  .onSuccess(user -> {
    // OK
  })
  .onFailure(err -> {
    // Failed!
  });

Authorization

Apache htpasswd file is a pure authentication mechanism and not authorization. This means that permission checks will always be false.