Apply security - pac4j/play-pac4j GitHub Wiki

1) Protect methods with the Secure annotation/function

You can protect (authentication + authorization) the URLs of web application/services by using the Secure annotation/function.

>> Read the documentation to understand its behavior and the available options.

For example in your controllers:

In Java:

@Secure(clients = "FacebookClient")
public Result facebookIndex() {
  return protectedIndexView();
}

In Scala:

import org.pac4j.play.scala.Security

class MyController @Inject()(val controllerComponents: SecurityComponents) extends MyBaseController with Security[CommonProfile] {
  def facebookIndex = Secure("FacebookClient") { implicit request =>
    Ok(views.html.protectedIndex(profiles))
  }
}

2) Protect URLs via the SecurityFilter

In order to protect multiple urls at the same time, you can use the SecurityFilter.

You need to configure your application to include the SecurityFilter as follows:

First define a Filters class in your application (if you have not yet done so).

In Java:

package filters;

import org.pac4j.play.filters.SecurityFilter;
import play.http.HttpFilters;
import play.mvc.EssentialFilter;

import javax.inject.Inject;

public class Filters implements HttpFilters {

    private final SecurityFilter securityFilter;

    @Inject
    public Filters(SecurityFilter securityFilter) {
        this.securityFilter = securityFilter;
    }

    @Override
    public EssentialFilter[] filters() {
        return new EssentialFilter[] { securityFilter.asJava() };
    }
}

In Scala:

package filters

import javax.inject.Inject
import org.pac4j.play.filters.SecurityFilter
import play.api.http.HttpFilters

class Filters @Inject()(securityFilter: SecurityFilter) extends HttpFilters {

  def filters = Seq(securityFilter)

}

Then tell your application to use the filters in application.conf:

play.http.filters = "filters.Filters"

Rules for the security filter can be supplied in application.conf. An example is shown below. It consists of a list of filter rules, where the key is a regular expression that will be used to match the url. Make sure that the / is escaped by \ to make a valid regular expression.

For each regex key, there are three subkeys: clients, authorizers and matchers. Here you can define the correct values, like you would supply to the SecureAction method in controllers.

Rules are applied top to bottom. The first matching rule will define which clients and authorizers are used. When not provided, the value will be null.

pac4j.security.rules = [
  # Admin pages need a special authorizer and login is done via a form page.
  {"/admin/.*" = {
    clients = "FormClient"
    authorizers = "admin"
  }}
  # Rules for the REST services. These don't specify a client and will return 401
  # when not authenticated.
  {"/restservices/.*" = {
  }}
  # The login page needs to be publicly accessible.
  {"/login.html" = {
    clients = "AnonymousClient"
  }}
  # 'Catch all' rule to make sure the whole application stays secure.
  {".*" = {
    clients = "FormClient,TwitterClient"
    matchers = "excludedPath"
  }}
]