Documentation

You are viewing the documentation for Play 1.

Secure module

The simple Secure module helps you set up basic authentication and authorization management for your application. It provides a simple controllers.Secure controller that defines a set of interceptors that you can easily add to your own controllers using the @With annotation.

Enable the Secure module for the application

In the /conf/application.conf file, enable the Secure module by adding this line:

# The secure module
module.secure=${play.path}/modules/secure

Import default Secure routes

In the conf/routes file, import the default module routes by adding this line:

# Import Secure routes
*      /                module:secure

Note that it’s not required to use the default routes file. You can also define your own routes, or mix the two.

Protecting a controller

To protect a controller you just have to annotate it using @With. For example:

@With(Secure.class)
public class Application extends Controller {
    
    public static void index() {
        render();
    }
    
}

This controller will be automatically protected with the default authentication page.

Customize the authentication mechanism

By default, the login page will accept any login/password. To customize it, your application has to provide a Security provider: create a class in the controllers package that extends the controllers.Secure.Security class, then override the authenticate(String username, String password) method.

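package controllers;

import models.User; // assumes the application's User model lives in the models package

public class Security extends Secure.Security {

    // Return true only when the submitted credentials are valid.
    static boolean authenticate(String username, String password) {
        User user = User.find("byEmail", username).first();
        // Unknown users and users without a stored password are rejected.
        return user != null && user.password != null && user.password.equals(password);
    }

}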

Note that you can override other methods as well to customize how the application should react to authentication events (onAuthenticated, onDisconnected).

Retrieving the connected user

From your application code, you can reuse the Security helper that you’ve just created to retrieve the connected user.

@With(Secure.class)
public class Application extends Controller {
    
    public static void index() {
        String user = Security.connected();
        render(user);
    }
    
}

Adding authorization check

You can use the @Check annotation either on controller classes or on action methods to tell the Secure module to check that the connected user has the required authorization to call this action.

For example:

@With(Secure.class)
public class Application extends Controller {
    
   ...
   
   @Check("isAdmin")
   public static void delete(Long id) {
       ...
   }
    
}

By default, the Secure module authorizes every check. To enforce your own rules, you have to override one more method, check(String profile), in your Security class.

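package controllers;

import models.User; // assumes the application's User model lives in the models package

public class Security extends Secure.Security {

    ...

    static boolean check(String profile) {
        User user = User.find("byEmail", connected()).first();
        if ("isAdmin".equals(profile)) {
            // Deny when the connected user can no longer be found.
            return user != null && user.admin;
        }
        // Unknown profiles are denied.
        return false;
    }

}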