Authentication / authorization support in Play

Hi,

Authentication/authorization are two crucial components of web apps. I find it very surprising that Play doesn’t have out-of-the-box support for handling them, i.e. ready to use components that you can plug into your app, depending on your requirements. If you look at vertx - https://vertx.io/docs/#authentication-and-authorization - they provide various components for different needs. Spring is the same.

Granted, there are libraries written by third-party developers that support Play (they can be found here: https://www.playframework.com/documentation/2.8.x/ModuleDirectory), but it’s hard to choose. In some cases you can hear the crickets - those components are not developed anymore, or the respective devs don’t have time/funding to continue and those components support older versions of Play.

Can someone from Lightbend please comment? Do you provide such components for subscribers only? Just curious. What do people use for authentication and authorization these days?

Thanks

3 Likes

In our case some routes (Actions) need to be secure and some not. For example, sign-up may not and some other actions may, so this gives us better control of the Actions. So we just replaced Action.async with authenticate.authAsync so this route authenticates the call.

We overwrote the default invoke block to authenticate the action or not. https://www.playframework.com/documentation/2.8.x/ScalaActionsComposition#Action-composition. So this gives a better way to handle the different actions we need to secure or not…

We are using JWT (the default in the session file, https://www.playframework.com/documentation/2.8.x/SettingsSession) and overwrote some of the settings for the JWT session. We are also adding other information in the session.

You can use different models for generating the session cookies.

1 Like
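
The action composition described in the post above, as an added example that is not the poster's or Play's own code. The names `Authenticate`, `UserRequest`, `AccountController` and the `userId` session key are assumptions; only `Action.async` and `authenticate.authAsync` appear in the post.

```scala
import javax.inject.Inject
import play.api.mvc._
import scala.concurrent.{ExecutionContext, Future}

// Hypothetical request wrapper that carries the authenticated user id
// so secured actions never have to re-read the session themselves.
class UserRequest[A](val userId: String, request: Request[A])
    extends WrappedRequest[A](request)

// Hypothetical action builder. Play's session cookie is a signed JWT
// (see the SettingsSession page linked in the post), so a value read
// from request.session has already passed signature verification.
class Authenticate @Inject() (val parser: BodyParsers.Default)(
    implicit val executionContext: ExecutionContext
) extends ActionBuilder[UserRequest, AnyContent] {

  // Every secured action funnels through here: no "userId" claim in the
  // session means the controller block is never invoked (fail closed).
  override def invokeBlock[A](
      request: Request[A],
      block: UserRequest[A] => Future[Result]
  ): Future[Result] =
    request.session.get("userId") match { // "userId" is an assumed key
      case Some(id) => block(new UserRequest(id, request))
      case None     => Future.successful(Results.Unauthorized("Authentication required"))
    }

  // Mirrors the authAsync name used in the post.
  def authAsync(block: UserRequest[AnyContent] => Future[Result]): Action[AnyContent] =
    async(block)
}

class AccountController @Inject() (cc: ControllerComponents, authenticate: Authenticate)
    extends AbstractController(cc) {

  // Public route: plain Action.async, no authentication applied.
  def signUp: Action[AnyContent] = Action.async {
    Future.successful(Ok("signed up"))
  }

  // Secured route: Action.async swapped for authenticate.authAsync.
  def profile: Action[AnyContent] = authenticate.authAsync { req =>
    Future.successful(Ok(s"profile of ${req.userId}"))
  }
}
```

Because routes are secured one by one, any new action written with plain `Action.async` is public by default, so the controller list is worth reviewing whenever routes are added.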

Hi there,

Sometimes I feel the same; in the Play open source ecosystem there are some “gaps in completeness”. Probably they have the philosophy “do it yourself, it is simple with Play”.

I use pac4j with deadbolt 2; both projects are third-party, community-driven, one-man-show libraries, and I hope the libs will still be alive in the coming years…

Cheers

@petahathub I took over the deadbolt 2 project from the original maintainer. I know the documentation isn’t up to date because of lack of time, however I definitely will release new versions in the future.

3 Likes

Thank you very much, Mr. Kurz.

1 Like

I’ve had success for many years with: GitHub - pac4j/play-pac4j: Security library for Play framework 2 in Java and Scala: OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...

There is an example project that shows you all the basics: GitHub - pac4j/play-pac4j-scala-demo: Play Scala demo to test the play-pac4j security library

The docs are here: pac4j: security for Java

It supports a wide variety of implementations, authentication, and authorization schemes.

There is a google group where you can ask questions: https://groups.google.com/g/pac4j-users

It has been in constant development/release for years and the lead developer is still delivering new features, bug fixes, and keeping all the pieces current.

Good luck!

1 Like

I also use Deadbolt2 in various projects. Works very well, thanks @mkurz for maintaining it!