Java Play! 2 - Authentication does not make sense

Posted 2019-06-14 12:49

Question:

This is a follow-up to Java Play! 2 - User management with cookies

From the zentask example:

    import play.mvc.Http.Context;
    import play.mvc.Result;
    import play.mvc.Security;
    // Project, Task and routes are the sample's own model and router classes

    public class Secured extends Security.Authenticator {

        // Returning null here makes Play call onUnauthorized()
        @Override
        public String getUsername(Context ctx) {
            return ctx.session().get("email");
        }

        @Override
        public Result onUnauthorized(Context ctx) {
            return redirect(routes.Application.login());
        }

        // Access rights: checked against the DB on every call

        public static boolean isMemberOf(Long project) {
            return Project.isMember(
                project,
                Context.current().request().username()
            );
        }

        public static boolean isOwnerOf(Long task) {
            return Task.isOwner(
                task,
                Context.current().request().username()
            );
        }

    }

For me this doesn't really make sense.

User gets the following cookie, for example "email=test@test.com"

If I go to a "secured" page, zentask only checks if email is not null. How can this be secure?

The reason for sessions is to get load off the db. But with this approach he has to constantly check if the user has the rights to be on a secured page.

For me it doesn't really make sense. Why is there a function getUsername? And why is the return type a string?

I want to do something like this:

  • User logs in and gets a cookie which looks something like this "value=randomString"

  • Save the user OBJECT in the cache, for example Cache.set(randomstring,userObject);

  • Now if the visitor comes back I check if his randomstring is in my cache, if yes check if the User object in the cache has the rights to be on the secured page.

I was able to achieve this, just without the @Security.Authenticated() annotation.

Is it possible to achieve this with this annotation?

Answer 1:

It is just a sample, nothing else. You don't need to store an email in the cookie. You can, for example, save some hash to identify the logged-in user, or do some other matching.

Samples are as simple as possible; changing them to more sophisticated scenarios lies on the developer's side.

BTW, of course all Play's cookies are signed and I really doubt you'll be able to manually change them.
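As an added example (not code from zentask or from the answer above), here is how the token-in-cache flow from the question can still sit behind @Security.Authenticated: the signed session cookie carries only a random token, the cache maps that token to the user object, and getUsername returns null (which Play treats as unauthorized) when the token is unknown or has expired. It assumes the Play 2.x Java API (play.cache.Cache, Http.Context.args) and a hypothetical User model with an email field.

```java
import play.cache.Cache;
import play.mvc.Http.Context;
import play.mvc.Result;
import play.mvc.Security;
import java.security.SecureRandom;
import java.util.Base64;

// Use as: @Security.Authenticated(TokenSecured.class) on a controller or action
public class TokenSecured extends Security.Authenticator {

    private static final String TOKEN_KEY = "token";      // name inside the signed session cookie
    private static final int TTL_SECONDS = 30 * 60;       // cache entry lifetime = session lifetime

    // Called by Play on every request to an annotated action.
    // Returning null makes Play call onUnauthorized(); otherwise
    // the returned value becomes request().username().
    @Override
    public String getUsername(Context ctx) {
        String token = ctx.session().get(TOKEN_KEY);
        if (token == null) return null;                    // no session cookie at all
        User user = (User) Cache.get("session:" + token);  // User is an assumed model class
        if (user == null) return null;                     // unknown, revoked or expired token
        ctx.args.put("user", user);                        // make the object available to the action
        return user.email;
    }

    @Override
    public Result onUnauthorized(Context ctx) {
        return redirect(routes.Application.login());       // same redirect as the zentask sample
    }

    // Called once after the login form has verified the credentials.
    public static void startSession(Context ctx, User user) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);                 // 256 bits of CSPRNG output, not a guessable id
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Cache.set("session:" + token, user, TTL_SECONDS);
        ctx.session().put(TOKEN_KEY, token);               // cookie holds the token only, never the email
    }

    // Revoking the cache entry is what ends the session; clearing the cookie alone is not enough.
    public static void endSession(Context ctx) {
        String token = ctx.session().get(TOKEN_KEY);
        if (token != null) Cache.remove("session:" + token);
        ctx.session().clear();
    }

    // Access rights are then decided on the cached object, without a DB round-trip.
    public static User currentUser() {
        return (User) Context.current().args.get("user");
    }
}
```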