You could implement authenticators to authenticate users. you could you write your authentication logic in your authenticator implementation.

Play already comes with a built in authenticator action, which we will extend to add our logic. We will call this authenticator Secured.

import play.*;
import play.mvc.*;
import play.mvc.Http.*;

import models.*;

public class Secured extends Security.Authenticator {

    @Override
    public String getUsername(Context ctx) {
        return ctx.session().get("email");
    }

    @Override
    public Result onUnauthorized(Context ctx) {
        return redirect(routes.Application.login());
    }
}

We have implemented two methods here. getUsername is used to get the username of the current logged in user. In our case this is the email address, that we set in the email attribute in the session when the user logged in. If this method returns a value, then the authenticator considers the user to be logged in, and lets the request proceed. If however the method returns null, then the authenticator will block the request, and instead invoke onUnathorized, which we have implemented to redirect to our login screen. You could implement your own business logic for user verify user.

Now let’s use this authenticator. In Application.java, add the @Security.Authenticated annotation with our authenticator to the index method:

import play.mvc.Controller;
import play.mvc.Result;

public class Application extends Controller {

     @Security.Authenticated(Secured.class)
      public static Result index() {
        return ok(index.render(
         Project.findInvolving(request().username()), 
           Task.findTodoInvolving(request().username()),
            User.find.byId(request().username())
         )); 
     }
}

Refs:Play Implementing Authenticator Example