Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Play2.0 Authentication and Authorization module
JavaScript Scala
Pull request Compare This branch is 18 commits ahead, 219 commits behind t2v:master.

Play2.0 module for stateless authentication

This module adds stateless authentication features to Play 2.0 applications.


This module targets the Scala version of Play 2.0.

This module has been tested on Play 2.0.1.


We wanted an authentication module that was:

Stateless (no server state)

Don't store any state on the server side. Store it on the client side and cryptographically sign it to prevent tampering.


Make it easy.


Allow multiple kinds of controller actions: login-required and login-optional.

Known Issues

  1. Auth cookies have no expiration.

  2. The contents of the auth cookie are visible to the client.

  3. Haven't copied the tests to this project yet.

  4. This code is definitely not ready for production use!! Use for development purposes only at your own risk.


  1. Add a dependency declaration into your Build.scala or build.sbt file.

    1. Snapshot

      "com.blendlabsinc" %% "play20-stateless-auth" % "0.2-SNAPSHOT"


The code below is taken from the sample application included in this git repository.

Configure your application

Define a trait that extends StatelessSecurityBase and specifies authentication handlers:

import com.blendlabsinc.play20.auth._

trait StatelessSecurity extends StatelessSecurityBase {
  type User = models.User

  def lookupUser(userId: String) = User.findByEmail(userId)
  def getUserId(user: User) =

  def onUnauthorized(request: RequestHeader) = Redirect(routes.Application.login)
  def onLoginSucceeded(request: RequestHeader) = Redirect(routes.Application.home)
  def onLogoutSucceeded(request: RequestHeader) = Redirect(routes.Application.login)

Define a User model

package models

case class User(email: String, password: String)

object User {
  def findByEmail(email: String): Option[User] = { /* user lookup code */ }

Add StatelessSecurity to your controllers and actions

import com.blendlabsinc.play20.auth._

object Application extends Controller with StatelessSecurity with LoginLogout {
  /* Login optional. currentUser is an Option[User]. */
  def home = withOptionalUser { implicit currentUser => implicit request =>

  /* Login required. currentUser is a User. */
  def clubhouse = withUser { implicit currentUser => implicit request =>

Use the currentUser val in your views


@()(implicit currentUser: Option[User], flash: Flash)

@template(currentUser)("Home") {

<h1>Home: { currentUser =>
  }.getOrElse("not logged in")

@flash.get("success").map { message =>
  <p class="success">@message</p>



@()(implicit currentUser: User, flash: Flash)

@template(Some(currentUser))("Clubhouse (login required)") {

<h1>Welcome to the clubhouse,

This page is only visible to logged-in users.



Play20-stateless-auth was developed by Blend Labs:

This module was originally based on play20-auth at


This library is released under the Apache Software License, version 2, which should be included with the source in a file named LICENSE.

Something went wrong with that request. Please try again.