Authentication in Play Framework using Java
Play Framework is a great web framework for Java or Scala developers. It has a lot of great freatues baked in to help create amazing web applications. One aspect that most web applications have is the need for authentication for specific requests. Not surprisingly, Play has some tools at your disposal to help.
I will show three three different ways to add authentication to Actions in Play using Java:
- @Security.Authenticated on each Action
- @With using a custom Action
- @With on a controller using a custom Action
I will use a basic token-based authentication for our application and a user model that looks like this:
The @Security.Authenticated annotation adds a check to any Action that has the annotation. By default, it will call a method
getUsername(Http.Context ctx) from the
Security.Authenticator class which will attempt to retrieve the username from the session cookie. If the username is present, the Action will continue on like it normally would. If the username isn't present, a response will be returned with a 401 error.
Luckily, we can implement our own Authenticator thats checks for an authentication token and pass it as a parameter with this annotation. Here is how you could do it:
And this is how it would look when used in a controller:
This way could be used to add other kinds of checks or to add a layer of authorization (different than authentication) to your request.
@With using a custom Action
The @With annotation runs an Action before the target Action is run. We can use this annotation to add our security checks in a similar way as we did with the ActionAuthentication class.
Now we just use this class with the @With annotation on our Actions:
@With on a controller using a custom Action
Sometimes we may have a controller where every single Action in that controller requires authentication. It would be a huge pain to add the @With annotation to every action. Luckily (because Play is awesome and makes our work much easier) we can just annotate a Controller and have each of its actions use our authentication.
But what if I'm lazy and don't want to add that annotation to my controllers??
Good question! You can create a custom controller with this annotation and have all controllers that have only authenticated Actions extend from that class.
And with our other controllers:
Play gives us the tools and options to add authentication to our applications quite easily. Other ways exist to add authentication but these methods are pretty simple to implement and expand on.
For more references, checkout the Play-REST Security by James Ward on Github. He explains how to implement security for a RESTful backend (this where I looked for ideas when I first needed to add authentication for my projects). Also, dive into Play's documentation. A lot of great information there.
Example code is available on Github which also includes an example of authentication in Scala.