A REST API built with the Play Framework featuring JWT authentication and Swagger documentation, including smart authentication bypass for Swagger UI requests.
- JWT Authentication: Secure API endpoints using token-based authentication
- Role-Based Access Control: Support for role-based authorization (e.g., ADMIN role)
- Swagger Integration: Interactive API documentation with Swagger UI
- Smart Authentication Bypass: Automatic authentication bypass for requests originating from Swagger UI
- Code Formatting: Integrated Scalafmt for consistent code formatting
- Comprehensive Testing: Unit tests for all major functionality
- Java: JDK 11, 17, or 21
Note: Java 23 is not officially supported by Play Framework
- SBT: Scala Build Tool (latest version)
- Scala: 2.13.18 (managed by SBT)
play-secure-rest-template/
├── app/
│ ├── auth/ # Authentication components
│ │ ├── JwtAuthAction.scala # JWT authentication action with Swagger bypass
│ │ ├── RoleAction.scala # Role-based authorization
│ │ └── AuthenticatedRequest.scala
│ ├── controllers/ # API controllers
│ │ ├── UserController.scala # User management endpoints
│ │ ├── HomeController.scala # Home page
│ │ └── ApiHelpController.scala
│ ├── models/ # Data models
│ ├── utils/ # Utility classes
│ └── views/ # HTML templates
├── conf/
│ ├── routes # URL routing configuration
│ ├── application.conf # Application configuration
│ └── openapi.yaml # OpenAPI specification
├── public/swagger-ui/ # Swagger UI static files
├── test/ # Test files
└── .scalafmt.conf # Code formatting configuration
sbt update
sbt compile
sbt test
sbt run
The application will start on http://localhost:9000
- GET / - Home page
- GET /openapi.yaml - OpenAPI specification
- GET /docs/* - Swagger UI documentation
- POST /users - Create a new user (requires JWT or Swagger bypass)
- GET /admin - Admin-only endpoint (requires ADMIN role or Swagger bypass)
{
  "userId": "user123",
  "roles": ["USER", "ADMIN"]
}
Include the JWT token in the Authorization header:
Authorization: Bearer <your-jwt-token>
The application automatically bypasses authentication for requests coming from Swagger UI through multiple detection methods:
- Query Parameter: ?from_swagger=true
- Referer Header: Contains /docs/ or swagger-ui
- User-Agent: Contains "swagger"
- Origin Header: Contains /docs
- Request Path: Starts with /docs/
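All five detection methods above read values that the client sets, so on their own they do not show that a request came from the bundled Swagger UI. The following added example (not the project's JwtAuthAction, and going beyond what the README describes) gates those signals on dev mode and a loopback peer. `Req`, `SwaggerBypassPolicy`, `bypassAllowed` and the `devMode` flag are hypothetical names, and `Req` stands in for Play's request header type so the file runs as plain Scala 2.13.

```scala
// Added example: plain Scala 2.13, no Play dependency. Req is a hypothetical
// stand-in for play.api.mvc.RequestHeader; this is not the project's JwtAuthAction.
final case class Req(
    path: String,
    query: Map[String, String] = Map.empty,
    headers: Map[String, String] = Map.empty,
    remoteAddress: String = "127.0.0.1"
)

object SwaggerBypassPolicy {
  // Case-insensitive header lookup, lower-cased for substring matching.
  private def header(r: Req, name: String): String =
    r.headers.collectFirst { case (k, v) if k.equalsIgnoreCase(name) => v.toLowerCase }
      .getOrElse("")

  // The five signals from the README. Every one is supplied by the client,
  // so a match identifies nothing about who is calling.
  def looksLikeSwagger(r: Req): Boolean = {
    val referer = header(r, "Referer")
    r.query.get("from_swagger").contains("true") ||
    referer.contains("/docs/") || referer.contains("swagger-ui") ||
    header(r, "User-Agent").contains("swagger") ||
    header(r, "Origin").contains("/docs") ||
    r.path.startsWith("/docs/")
  }

  private val loopback = Set("127.0.0.1", "::1", "0:0:0:0:0:0:0:1")

  // Gate (assumption of this example): the signals count only when the app
  // runs in dev mode AND the TCP peer is loopback. Behind a reverse proxy on
  // the same host every peer is loopback, so keep devMode false there.
  def bypassAllowed(r: Req, devMode: Boolean): Boolean =
    devMode && loopback.contains(r.remoteAddress) && looksLikeSwagger(r)
}

object Demo extends App {
  import SwaggerBypassPolicy._
  // Constructed sample requests.
  val fromDocs = Req("/admin", headers = Map("Referer" -> "http://localhost:9000/docs/index.html"))
  val remote   = fromDocs.copy(remoteAddress = "203.0.113.7") // TEST-NET-3 address
  val noSignal = Req("/admin")

  assert(bypassAllowed(fromDocs, devMode = true))   // local developer using Swagger UI
  assert(!bypassAllowed(fromDocs, devMode = false)) // production: JWT always required
  assert(!bypassAllowed(remote, devMode = true))    // non-loopback peer: JWT required
  assert(!bypassAllowed(noSignal, devMode = true))  // no Swagger signal: JWT required
  println("all bypass-gate checks passed")
}
```

In a Play action the `devMode` value would come from the injected environment's mode and the peer address from the request, with the JWT check running whenever `bypassAllowed` is false.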
sbt scalafmt
sbt scalafmtCheck
sbt run
sbt test
sbt clean compile
Edit conf/application.conf to modify:
- Database connections
- Security filters
- Logging levels
- Swagger API metadata
The following security filters are disabled for easier development:
- CSRF Filter
- Security Headers Filter
- Allowed Hosts Filter
Access the interactive API documentation at:
http://localhost:9000/docs/index.html
The Swagger UI automatically bypasses authentication, allowing you to test all endpoints without providing JWT tokens.
sbt test
The project includes comprehensive tests for:
- Authentication bypass functionality
- Swagger request detection
- Controller endpoints
- JWT token validation
- Java Version Warning: If you see warnings about Java 23, consider switching to Java 11, 17, or 21 for full compatibility.
- Port Already in Use: If port 9000 is busy, stop other Play applications or use a different port:
  sbt "run -Dhttp.port=9001"
- Authentication Issues: Ensure JWT tokens are properly formatted and include required fields (userId and roles).