An example of how to integrate Play 2.x with Shiro
Switch branches/tags
Nothing to show
Clone or download
Latest commit 0a62073 Dec 3, 2015
Failed to load latest commit information.
app Move to bcrypt Nov 30, 2015
conf Upgrade to Play 2.4 Nov 18, 2015
project Move to bcrypt Nov 30, 2015
public Initial checkin Jan 9, 2012
.gitignore Move to bcrypt Nov 30, 2015 Upgrade to Play 2.3 Aug 17, 2014
build.sbt Fix indentation Dec 1, 2015

Play Shiro Integration

This is a very simple integration between Apache Shiro, an authorization and authentication platform, and Play 2.3.


This is in no way production level code. It is an experimental proof of concept, uploaded only out of idle interest; it may give you a leg up if you're already tasked with integration, but it is not going to help you if you want a turnkey authentication system. If that's what you're looking for, I recommend you use SecureSocial or Play-Authenticate.

In particular, Shiro assumes a stateful session strategy, which goes against Play's stateless application. Internally, Shiro uses a ThreadLocal to reference the session; shiro-web has a way of disabling session creation, but since Play isn't built on the Servlet model, I've created analogues for Play that will never create a session. I tested it using Firefox, Safari and Chrome on my Macbook Pro, and was able to log in with different credentials on each browser, but this is not a guarantee of safety.


To start the application, check the project out from Github, make sure you have Typesafe activator installed, then type

activator run

And run through the DB evolutions needed. Then go to http://localhost:9000.

How it works

When the Global object is called, it configures Shiro's security manager with security.SampleRealm.

When you hit the page, Play will look for a token called "email" in request.session, and find the email address corresponding to that token. That token is only set if we have successfully logged in.

When you login, User.authenticate will use Shiro's SecurityUtils.currentUser, call login on that, and that will go back to the Realm for digest checking. (Note that we use Jasypt to deal with password complexity.)

When you logout, User.logout will call Shiro to invalidate the current session.