In theory, this is possible. From memory, Spring security has a nice split between spring-security-core, which has no reliance on the servlet API, and spring-security-web, which is heavily based on the servlet API. Everything in spring-security-core would be able to be used in Play 2.0, this includes all the high level abstractions such as AuthenticationProvider, AuthenticationManager, authorization abstractions and so on. However, everything that actually interacts with the request, including the filter chain, storing the current user in the session, remember me etc, would need to be written specifically for Play 2.0.