Web Application Development with Clojure – Part 5

In this part of the Clojure Web application development blog post series, we’ll see how to create a simple secured administration area using ring session middleware. We’ll wrap up the blog engine by adding a simple form that will submit data to the server and add code to create a new blog post. This part completes all the necessary parts to create a simple blog engine. In the next and final paart of this series we’ll cover the deployment options available for deploying this application to production.

This post is part of the Web Application Development with Clojure tutorial. You might want to read the previous posts before this post for continuity’s sake.

Introduction

Over that past 4 parts you have seen how to start with creating a simple blog using Clojure, render the posts and finally how to add a simple login page that will check the username and password and redirect to “admin” page. In this part we’ll finish the administration area of the blog that will help us create new blog posts.

Source code on github

The code for this series is now available on github and the source code is tagged with part names. If you want to checkout the code for a specific part of this tutorial you can do so using the following command:

Sessions

You can read more about ring’s session and cookie store here and here

When a user logs into the “admin” area using our login form, we need to keep track of her session and allow them to perform administrative operations such as managing posts or setting their password etc. Ring library provides a simple session middleware that uses various session storage options – cookie, in-memory and database backed session stores. You can create your own session implementations by implementing the SessionStore protocol. For our application we’ll just use the cookie-store to store the session information.

First step in creating the session is using the wrap-session function. We’ll add this to our routes and make sure that the session is wrapped for all the starting with “/admin”. Update your routes definition in core.clj as follows:

Also make sure that you add the necessary namespaces to the core.clj namespace.

When a user logs in, we can use the session to store the username, and in subsequent requests to admin pages, we’ll verify if the session contains the username otherwise we send the user back to login page. First let us update the login method in the controller to make sure that we set the “username” on the session cookie.

When the username is valid according to our logic – we set the session map during redirect. This will set a cookie with the name “clog-session” when the user is logged in. You can check the cookie in your browser’s inspector.

Now we’ll tweak the admin handler to check whether the username is set on the session cookie, if not, we’ll redirect the user to the login page.

The next step is to add a logout function that will clear the session to make sure the username key is removed from the session.

We also need to update our routes to make sure that”/logout” works as expected. Just add the new logout handler to the routes in core.clj as follows:

After these changes, when you try to access “/admin” without logging in you’ll be redirected to the login page as expected. Browsing to “/logout” page will “clear” your session redirecting you back to the home page of the blog.

Since we are now having only one “secure” page, we just added the session check to the admin handler function itself. Clearly this isn’t a nice way, since in a production version of your blog, you might have many more admin pages such as user settings, post settings etc. This approach of verifying the session in every function look pretty stupid in that case.

You can move the session checking logic to a different security wrapper handler which will check the request before forwarding to the next handler. If this security wrapper handler sees that the url is one of the “secure” urls, it will verify the session. When the session doesn’t contain the username key, it can redirect to the login page.

Blog post admin page

Now we have our simple security in place, let us finish our blog posting function that will allow us to create a new post. First create the admin html page which contains the form for the blog post.

 

 

New Post

 

 

8 thoughts on “Web Application Development with Clojure – Part 5”

  1. Great series Vijay. Thanks for taking the time to prepare it.

    You’ve prompted me to look at Enlive, and while I’m interested in it, I’m enough of a Clojure newbie that I can’t get my mind around how you would use the same navigation, header, footer, etc around each of the different templates to avoid duplicating the markup in each html page. Is that something you could add to this installment?

    1. Hi, thanks for the comment. You can have “templates” composition with enlive. Unfortunately it will be too much for this series, since I wanted to keep the parts small and simple.

      But I’ll post more about my experiments with enlive soon – so keep an eye out :-)

  2. This is really awesome series of the tutorials for understanding the entire process with ease. Thanks a tonne man for the series. Nothing could help me push my self to go for it without such a insightful help for you brother. Thanks Again

Leave a Reply