§Actix Security
Spring Security-inspired authentication and authorization for Actix Web.
This crate provides a unified API combining:
- actix-security-core: Security middleware, authentication, and authorization
- actix-security-codegen: Procedural macros (#[secured], #[pre_authorize], etc.)
§Quick Start
Add to your Cargo.toml:
[dependencies]
actix-web = "4"
actix-security = { version = "0.2", features = ["argon2", "http-basic"] }
§Example
use actix_web::{get, post, App, HttpServer, HttpResponse, Responder};
use actix_security::{secured, pre_authorize};
use actix_security::http::security::{
AuthenticatedUser, AuthenticationManager, AuthorizationManager,
Argon2PasswordEncoder, PasswordEncoder, User,
};
use actix_security::http::security::middleware::SecurityTransform;
// Only callers holding the ADMIN role reach this handler.
#[secured("ADMIN")]
#[get("/admin")]
async fn admin(user: AuthenticatedUser) -> impl Responder {
HttpResponse::Ok().body(format!("Welcome, Admin {}!", user.get_username()))
}
// Both conditions of the expression must hold for the request to be authorized.
#[pre_authorize("hasRole('USER') AND hasAuthority('posts:write')")]
#[post("/posts")]
async fn create_post(user: AuthenticatedUser) -> impl Responder {
HttpResponse::Created().body("Post created")
}
§Features
| Feature | Default | Description |
|---|---|---|
| macros | Yes | Procedural macros (#[secured], #[pre_authorize], etc.) |
| argon2 | Yes | Argon2 password encoder |
| http-basic | Yes | HTTP Basic authentication |
| jwt | No | JWT authentication (with RSA support) |
| session | No | Session-based authentication with fixation protection |
| form-login | No | Form-based login with redirect support |
| remember-me | No | Remember-me persistent authentication |
| csrf | No | CSRF protection middleware |
| oauth2 | No | OAuth2/OIDC authentication |
| user-details | No | Async UserDetailsService trait |
| full | No | All features enabled |
§Modules
The main functionality is available through the http module:
- http::security - Authentication, authorization, and middleware
- http::error - Error types
§Attribute Macros
- authenticated - Deprecated: Use #[pre_authorize(authenticated)] instead.
- deny_all - Marks an endpoint as completely inaccessible (always returns 403 Forbidden).
- has_access - Deprecated: Use #[pre_authorize(authority = "...")] instead.
- has_role - Deprecated: Use #[secured("ROLE")] instead.
- permit_all - Marks an endpoint as publicly accessible (no authentication required).
- pre_authorize - Flexible method security annotation with SpEL-like expressions.
- roles_allowed - Role-based method security annotation (Java EE standard).
- secured - Role-based method security annotation.
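The `pre_authorize` macro listed above, and the `hasRole('USER') AND hasAuthority('posts:write')` expression in the example, combine role and authority checks in a SpEL-like expression. As an added illustration (not code from the actix-security crate, whose own evaluator is not shown on this page), this stand-alone model parses such an expression against a constructed principal, supports AND, OR and parentheses, and denies on any malformed input rather than guessing:

```rust
use std::collections::HashSet;

/// Constructed stand-in for the authenticated principal an expression is checked against.
#[derive(Default)]
pub struct Principal { pub roles: HashSet<String>, pub authorities: HashSet<String> }

/// Recursive-descent evaluator. Grammar (AND binds tighter than OR, parentheses group):
///   or := and (OR and)*    and := atom (AND atom)*
///   atom := '(' or ')' | authenticated | hasRole('X') | hasAuthority('X')
struct Parser<'a> { toks: Vec<String>, pos: usize, p: &'a Principal }

impl<'a> Parser<'a> {
    fn next(&mut self) -> Option<String> { self.pos += 1; self.toks.get(self.pos - 1).cloned() }
    /// Consumes the next token if it equals `kw` (operators are case-insensitive).
    fn accept(&mut self, kw: &str) -> bool {
        let hit = self.toks.get(self.pos).map_or(false, |t| t.eq_ignore_ascii_case(kw));
        if hit { self.pos += 1 }
        hit
    }
    fn or(&mut self) -> Option<bool> {
        let mut v = self.and()?;
        while self.accept("OR") { v |= self.and()? } // RHS is always parsed, so malformed input fails
        Some(v)
    }
    fn and(&mut self) -> Option<bool> {
        let mut v = self.atom()?;
        while self.accept("AND") { v &= self.atom()? }
        Some(v)
    }
    fn atom(&mut self) -> Option<bool> {
        let t = self.next()?;
        match t.as_str() {
            "(" => { let v = self.or()?; self.accept(")").then_some(v) }
            "authenticated" => Some(true), // a Principal only exists once authentication succeeded
            "hasRole" | "hasAuthority" => {
                if !self.accept("(") { return None }
                let arg = self.next()?;
                let name = arg.strip_prefix('\'')?.strip_suffix('\'')?; // quoted value, no spaces inside
                if !self.accept(")") { return None }
                let set = if t == "hasRole" { &self.p.roles } else { &self.p.authorities };
                Some(set.contains(name))
            }
            _ => None, // unknown function, bare word or stray character
        }
    }
}

/// Evaluates `expr` for `principal`. Malformed or only partially parsed input denies (fails closed).
pub fn evaluate(expr: &str, principal: &Principal) -> bool {
    let spaced = expr.replace('(', " ( ").replace(')', " ) ");
    let mut parser = Parser { toks: spaced.split_whitespace().map(String::from).collect(), pos: 0, p: principal };
    parser.or() == Some(true) && parser.pos == parser.toks.len()
}
```

The fail-closed rule matters in practice: an authorization expression that cannot be parsed should never be treated as "no restriction".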