The play-pac4j project is an easy and powerful security library for Play framework v2 web applications which supports authentication and authorization, but also application logout and advanced features like session fixation and CSRF protection. It's based on Play 2 and on the pac4j security engine. It's available under the Apache 2 license.

Several versions of the library are available for the different versions of the Play framework:

Main concepts and components:

1. A client represents an authentication mechanism (CAS, OAuth, SAML, OpenID Connect, LDAP, JWT...) It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication

2. An authorizer is meant to check authorizations on the authenticated user profile(s) (role / permission, ...) or on the current web context (IP check, CSRF...)

3. A config defines the security configuration via clients and authorizers

4. The Secure annotation / function or the SecurityFilter protects an url by checking that the user is authenticated and that the authorizations are valid, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients

5. The CallbackController finishes the login process for an indirect client

6. The ApplicationLogoutController logs out the user from the application.

Just follow these easy steps to secure your Play 2 web application:

You need to add a dependency on:

• the play-pac4j library (groupId: org.pac4j, version: 2.4.0-SNAPSHOT)
• the appropriate pac4j submodules (groupId: org.pac4j, version: 1.9.0): pac4j-oauth for OAuth support (Facebook, Twitter...), pac4j-cas for CAS support, pac4j-ldap for LDAP authentication, etc.

All released artifacts are available in the Maven central repository.

The configuration (org.pac4j.core.config.Config) contains all the clients and authorizers required by the application to handle security.

The Config is bound for injection in a SecurityModule (or whatever the name you call it):

In Java:

public class SecurityModule extends AbstractModule {

  @Override
  protected void configure() {
    FacebookClient facebookClient = new FacebookClient("fbId", "fbSecret");
    TwitterClient twitterClient = new TwitterClient("twId", "twSecret");

    FormClient formClient = new FormClient(baseUrl + "/loginForm", new SimpleTestUsernamePasswordAuthenticator());
    IndirectBasicAuthClient basicAuthClient = new IndirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());

    CasClient casClient = new CasClient("https://mycasserver/login");

    SAML2ClientConfiguration cfg = new SAML2ClientConfiguration("resource:samlKeystore.jks",
                    "pac4j-demo-passwd", "pac4j-demo-passwd", "resource:openidp-feide.xml");
    cfg.setMaximumAuthenticationLifetime(3600);
    cfg.setServiceProviderEntityId("urn:mace:saml:pac4j.org");
    cfg.setServiceProviderMetadataPath(new File("target", "sp-metadata.xml").getAbsolutePath());
    SAML2Client saml2Client = new SAML2Client(cfg);

    OidcClient oidcClient = new OidcClient();
    oidcClient.setClientID("id");
    oidcClient.setSecret("secret");
    oidcClient.setDiscoveryURI("https://accounts.google.com/.well-known/openid-configuration");
    oidcClient.addCustomParam("prompt", "consent");

    ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator("salt"));

    Clients clients = new Clients("https://localhost:9000/callback", facebookClient, twitterClient, formClient,
      basicAuthClient, casClient, saml2Client, oidcClient, parameterClient);

    Config config = new Config(clients);
    config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
    config.addAuthorizer("custom", new CustomAuthorizer());
    config.setHttpActionAdapter(new DemoHttpActionAdapter());
    bind(Config.class).toInstance(config);
  }
}

In Scala:

class SecurityModule(environment: Environment, configuration: Configuration) extends AbstractModule {

  override def configure(): Unit = {

    val facebookClient = new FacebookClient("fbId", "fbSecret")
    val twitterClient = new TwitterClient("twId", "twSecret")

    val formClient = new FormClient(baseUrl + "/loginForm", new SimpleTestUsernamePasswordAuthenticator())
    val basicAuthClient = new IndirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator())

    val casClient = new CasClient("https://mycasserver/login")

    val cfg = new SAML2ClientConfiguration("resource:samlKeystore.jks", "pac4j-demo-passwd", "pac4j-demo-passwd", "resource:openidp-feide.xml")
    cfg.setMaximumAuthenticationLifetime(3600)
    cfg.setServiceProviderEntityId("urn:mace:saml:pac4j.org")
    cfg.setServiceProviderMetadataPath(new File("target", "sp-metadata.xml").getAbsolutePath())
    val saml2Client = new SAML2Client(cfg)

    val oidcClient = new OidcClient()
    oidcClient.setClientID("id")
    oidcClient.setSecret("secret")
    oidcClient.setDiscoveryURI("https://accounts.google.com/.well-known/openid-configuration")
    oidcClient.addCustomParam("prompt", "consent")

    val parameterClient = new ParameterClient("token", new JwtAuthenticator("salt"))

    val clients = new Clients("https://localhost:9000/callback", facebookClient, twitterClient, formClient,
      basicAuthClient, casClient, saml2Client, oidcClient, parameterClient)

    val config = new Config(clients)
    config.addAuthorizer("admin", new RequireAnyRoleAuthorizer[Nothing]("ROLE_ADMIN"))
    config.addAuthorizer("custom", new CustomAuthorizer())
    config.setHttpActionAdapter(new DemoHttpActionAdapter())
    bind(classOf[Config]).toInstance(config)
  }
}

https://localhost:8080/callback is the url of the callback endpoint, which is only necessary for indirect clients.

Notice that you define:

1. an optional SessionStore using the setSessionStore(sessionStore) method (by default, the PlayCacheStore uses the Play cache to store pac4j data)

2. a specific HttpActionAdapter to handle specific HTTP actions (like redirections, forbidden / unauthorized pages) via the setHttpActionAdapter method. The available implementation is the DefaultHttpActionAdapter, but you can subclass it to define your own HTTP 401 / 403 error pages for example.

You can protect (authentication + authorizations) the urls of your Play application by using the Secure annotation / function. It has the following behaviour:

1. First, if the user is not authenticated (no profile) and if some clients have been defined in the clients parameter, a login is tried for the direct clients.

2. Then, if the user has a profile, authorizations are checked according to the authorizers configuration. If the authorizations are valid, the user is granted access. Otherwise, a 403 error page is displayed.

3. Finally, if the user is still not authenticated (no profile), he is redirected to the appropriate identity provider if the first defined client is an indirect one in the clients configuration. Otherwise, a 401 error page is displayed.

The following parameters are available:

1. clients (optional): the list of client names (separated by commas) used for authentication:

• in all cases, this filter requires the user to be authenticated. Thus, if the clients is blank or not defined, the user must have been previously authenticated
• if the client_name request parameter is provided, only this client (if it exists in the clients) is selected.

2. authorizers (optional): the list of authorizer names (separated by commas) used to check authorizations:

• if the authorizers is blank or not defined, no authorization is checked
• the following authorizers are available by default (without defining them in the configuration):
  • isFullyAuthenticated to check if the user is authenticated but not remembered, isRemembered for a remembered user, isAnonymous to ensure the user is not authenticated, isAuthenticated to ensure the user is authenticated (not necessary by default unless you use the AnonymousClient)
  • hsts to use the StrictTransportSecurityHeader authorizer, nosniff for XContentTypeOptionsHeader, noframe for XFrameOptionsHeader , xssprotection for XSSProtectionHeader , nocache for CacheControlHeader or securityHeaders for the five previous authorizers
  • csrfToken to use the CsrfTokenGeneratorAuthorizer with the DefaultCsrfTokenGenerator (it generates a CSRF token and saves it as the pac4jCsrfToken request attribute and in the pac4jCsrfToken cookie), csrfCheck to check that this previous token has been sent as the pac4jCsrfToken header or parameter in a POST request and csrf to use both previous authorizers.

3. multiProfile (optional): it indicates whether multiple authentications (and thus multiple profiles) must be kept at the same time (false by default).

For example in your controllers:

In Java:

@Secure(clients = "FacebookClient")
public Result facebookIndex() {
  return protectedIndexView();
}

In Scala:

def facebookIndex = Secure("FacebookClient") { profiles =>
 Action { request =>
   Ok(views.html.protectedIndex(profiles))
 }
}

In order to protect multiple urls at the same tine, you can configure the SecurityFilter. You need to configure your application to include the SecurityFilter as follows:

First define a Filters class in your application (if you have not yet done so).

In Java:

package filters;

import org.pac4j.play.filters.SecurityFilter;
import play.http.HttpFilters;
import play.api.mvc.EssentialFilter;

import javax.inject.Inject;

public class Filters implements HttpFilters {

  private final SecurityFilter securityFilter;

  @Inject
  public Filters(SecurityFilter securityFilter) {
    this.securityFilter = securityFilter;
  }

  @Override
  public EssentialFilter[] filters() {
    return new EssentialFilter[] {securityFilter};
  }
}

In Scala:

package filters

import javax.inject.Inject
import org.pac4j.play.filters.SecurityFilter
import play.api.http.HttpFilters

/**
  * Configuration of all the Play filters that are used in the application.
  */
class Filters @Inject()(securityFilter: SecurityFilter) extends HttpFilters {

  def filters = Seq(securityFilter)

}

Then tell your application to use the filters in application.conf:

play.http.filters = "filters.Filters"

See for more information on the use of filters in Play the Play documentation on Filters.

Rules for the security filter can be supplied in application.conf. An example is shown below. It consists of a list of filter rules, where the key is a regular expression that will be used to match the url. Make sure that the / is escaped by \ to make a valid regular expression.

For each regex key, there are two subkeys: authorizers and clients. Here you can define the correct values, like you would supply to the RequireAuthentication method in controllers. There two exceptions: authorizers can have two special values: _authenticated_ and _anonymous_.

_anonymous_ will disable authentication and authorization for urls matching the regex. _authenticated_ will require authentication, but will set clients and authorizers both to null.

Rules are applied top to bottom. The first matching rule will define which clients and authorizers are used. When not provided, the value will be null.

pac4j.security.rules = [
  # Admin pages need a special authorizer and do not support login via Twitter.
  {"/admin/.*" = {
    authorizers = "admin"
    clients = "FormClient"
  }}
  # Rules for the REST services. These don't specify a client and will return 401
  # when not authenticated.
  {"/restservices/.*" = {
    authorizers = "_authenticated_"
  }}
  # The login page needs to be publicly accessible.
  {"/login.html" = {
    authorizers = "_anonymous_"
  }}
  # 'Catch all' rule to make sure the whole application stays secure.
  {".*" = {
    authorizers = "_authenticated_"
    clients = "FormClient,TwitterClient"
  }}
]

For indirect clients (like Facebook), the user is redirected to an external identity provider for login and then back to the application. Thus, a callback endpoint is required in the application. It is managed by the CallbackController which has the following behaviour:

1. the credentials are extracted from the current request to fetch the user profile (from the identity provider) which is then saved in the web session

2. finally, the user is redirected back to the originally requested url (or to the defaultUrl).

The following parameters are available:

1. defaultUrl (optional): it's the default url after login if no url was originally requested (/ by default)

2. multiProfile (optional): it indicates whether multiple authentications (and thus multiple profiles) must be kept at the same time (false by default).

In the routes file:

GET    /callback    @org.pac4j.play.CallbackController.callback()

In the SecurityModule:

In Java:

CallbackController callbackController = new CallbackController();
callbackController.setDefaultUrl("/");
bind(CallbackController.class).toInstance(callbackController);

In Scala:

val callbackController = new CallbackController()
callbackController.setDefaultUrl("/")
bind(classOf[CallbackController]).toInstance(callbackController)

You can get the profile of the authenticated user using profileManager.get(true) (false not to use the session, but only the current HTTP request). You can test if the user is authenticated using profileManager.isAuthenticated(). You can get all the profiles of the authenticated user (if ever multiple ones are kept) using profileManager.getAll(true).

Examples:

In Java:

PlayWebContext context = new PlayWebContext(ctx());
ProfileManager<CommonProfile> profileManager = new ProfileManager(context);
Optional<CommonProfile> profile = manager.get(true);

In Scala:

val webContext = new PlayWebContext(request)
val profileManager = new ProfileManager[CommonProfile](webContext)
val profile = profileManager.get(true)

The retrieved profile is at least a CommonProfile, from which you can retrieve the most common attributes that all profiles share. But you can also cast the user profile to the appropriate profile according to the provider used for authentication. For example, after a Facebook authentication:

In Java:

FacebookProfile facebookProfile = (FacebookProfile) commonProfile;

In Scala:

val facebookProfile = commonProfile.asInstanceOf[FacebookProfile]

You can log out the current authenticated user using the ApplicationLogoutController. It has the following behaviour:

1. after logout, the user is redirected to the url defined by the url request parameter if it matches the logoutUrlPattern

2. or the user is redirected to the defaultUrl if it is defined

3. otherwise, a blank page is displayed.

The following parameters are available:

1. defaultUrl (optional): the default logout url if no url request parameter is provided or if the url does not match the logoutUrlPattern (not defined by default)

2. logoutUrlPattern (optional): the logout url pattern that the url parameter must match (only relative urls are allowed by default).

In the routes file:

GET     /logout     @org.pac4j.play.ApplicationLogoutController.logout()

In the SecurityModule:

In Java:

ApplicationLogoutController logoutController = new ApplicationLogoutController();
logoutController.setDefaultUrl("/");
bind(ApplicationLogoutController.class).toInstance(logoutController);

In Scala:

val logoutController = new ApplicationLogoutController()
logoutController.setDefaultUrl("/")
bind(classOf[ApplicationLogoutController]).toInstance(logoutController)

The RequiresAuthentication annotation and function have been renamed as Secure with the clients and authorizers parameters (instead of clientName and authorizerName).

The UserProfileController class and the getUserProfile method in the Security trait no longer exist and the ProfileManager must be used instead.

The ApplicationLogoutController behaviour has slightly changed: even without any url request parameter, the user will be redirected to the defaultUrl if it has been defined

The separate Scala and Java projects have been merged. You need to change the dependency play-pac4j-java or play-pac4j-scala to simply play-pac4j.

The getUserProfile method of the Security trait returns a Option[CommonProfile] instead of just a UserProfile.

The DataStore concept is replaced by the pac4j SessionStore concept. The PlayCacheStore does no longer need to be bound in the security module. A new session store could be defined using the config.setSessionStore method.

The DefaultHttpActionAdapter does not need to be bound in the security module, but must to be set using the config.setHttpActionAdapter method.

play-pac4j v2.0 is a huge refactoring of the previous version 1.5. It takes advantage of the new features of pac4j v1.8 (REST support, authorizations, configuration objects...) and is fully based on dependency injection -> see Play 2.4 migration guide.

In Java, the SecurityController and JavaController are deprecated and you need to use the UserProfileController to get the user profile (you can also use the ProfileManager object directly).

The "target url" concept has disappeared as it was too complicated, it could be simulated though.

The SecurityCallbackController is deprecated and you must use the CallbackController. The logout support has been moved to the ApplicationLogoutController.

The JavaWebContext and ScalaWebContext have been merged into a new PlayWebContext.

The StorageHelper has been removed, replaced by the PlayCacheStore implementation where you can set the timeouts. You can provide your own implementation of the CacheStore if necessary.

The PlayLogoutHandler has been moved to the org.pac4j.play.cas.logout package and renamed as PlayCacheLogoutHandler (it relies on the Play Cache).

The static specific Config has been replaced by the default org.pac4j.core.config.Config object to define the clients (authentication) and the authorizers (authorizations).

Custom 401 / 403 HTTP error pages must now be defined by overriding the DefaultHttpActionAdapter.

The isAjax parameter is no longer available as AJAX requests are now automatically detected. The stateless parameter is no longer available as the stateless nature is held by the client itself. The requireAnyRole and requieAllRoles parameters are no longer available and authorizers must be used instead (with the authorizerName parameter).

Two demo webapps: play-pac4j-java-demo & play-pac4j-scala-demo are available for tests and implement many authentication mechanisms: Facebook, Twitter, form, basic auth, CAS, SAML, OpenID Connect, JWT...

Test them online: https://play-pac4j-java-demo.herokuapp.com and https://play-pac4j-scala-demo.herokuapp.com.

See the release notes. Learn more by browsing the play-pac4j Javadoc and the pac4j Javadoc.

If you have any question, please use the following mailing lists:

• pac4j users
• pac4j developers

The version 2.4.0-SNAPSHOT is under development.

Maven artifacts are built via Travis: and available in the Sonatype snapshots repository. This repository must be added in the resolvers of your build.sbt file:

resolvers ++= Seq(Resolver.mavenLocal, "Sonatype snapshots repository" at "https://oss.sonatype.org/content/repositories/snapshots/")