pac4j is an easy and powerful Java security engine to authenticate users, get their profiles and manage authorizations in order to secure a Java web application. It provides a comprehensive set of concepts and components. It is based on Java 8 and available under the Apache 2 license.
It is currently available for most frameworks / tools and supports most authentication / authorization mechanisms.
You can implement pac4j for a new framework / tool by following these guidelines.
- A client represents an authentication mechanism. It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication.
- An authorizer is meant to check authorizations on the authenticated user profile(s) or on the current web context.
- A matcher defines whether the security must apply to a specific URL.
- A config defines the security configuration via clients, authorizers and matchers.
- The "security filter" (or whatever mechanism is used to intercept HTTP requests) protects a URL by checking that the user is authenticated and that the authorizations are valid, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients.
- The "callback controller" finishes the login process for an indirect client.
- The "application logout controller" logs out the user from the application.
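The request flow described in the list above, as an added sketch that is not pac4j's own code: every type and name here (`Client`, `Config`, `Outcome`, `filter`) is a hypothetical stand-in rather than the pac4j API, the token and profile values are constructed, and it assumes Java 16+ for records.

```java
import java.util.*;
import java.util.function.*;

// Hypothetical model of the flow above; none of these types are pac4j classes.
public class SecurityFilterSketch {
    enum Outcome { SKIPPED, GRANTED, FORBIDDEN, UNAUTHORIZED, REDIRECT_TO_LOGIN }

    // Constructed request: URL path, optional token, profile kept in the session (or null).
    record Request(String path, String token, Map<String, String> sessionProfile) {}

    // Direct clients build a profile from the request; indirect ones need a login redirect.
    record Client(String name, boolean indirect,
                  Function<Request, Optional<Map<String, String>>> authenticate) {}

    record Config(List<Client> clients, Predicate<Request> matcher,
                  Predicate<Map<String, String>> authorizer) {}

    static Outcome filter(Request req, Config cfg) {
        if (!cfg.matcher().test(req)) return Outcome.SKIPPED;   // security does not apply to this URL
        Optional<Map<String, String>> profile = Optional.ofNullable(req.sessionProfile());
        for (Client c : cfg.clients()) {                        // try direct clients on the request itself
            if (profile.isEmpty() && !c.indirect()) profile = c.authenticate().apply(req);
        }
        if (profile.isPresent()) {                              // authenticated: now check authorizations
            return cfg.authorizer().test(profile.get()) ? Outcome.GRANTED : Outcome.FORBIDDEN;
        }
        // Not authenticated: start the login process if an indirect client exists, else reject.
        return cfg.clients().stream().anyMatch(Client::indirect)
                ? Outcome.REDIRECT_TO_LOGIN : Outcome.UNAUTHORIZED;
    }

    public static void main(String[] args) {
        Client token = new Client("token", false, r -> "constructed-token".equals(r.token())
                ? Optional.of(Map.of("id", "alice", "role", "USER")) : Optional.empty());
        Client form = new Client("form", true, r -> Optional.empty());
        Predicate<Request> adminUrls = r -> r.path().startsWith("/admin");
        Predicate<Map<String, String>> isAdmin = p -> "ADMIN".equals(p.get("role"));
        Config web = new Config(List.of(token, form), adminUrls, isAdmin);
        Config api = new Config(List.of(token), adminUrls, isAdmin);

        System.out.println(filter(new Request("/public", null, null), web));
        System.out.println(filter(new Request("/admin", null, null), web));
        System.out.println(filter(new Request("/admin", null, null), api));
        System.out.println(filter(new Request("/admin", "constructed-token", null), api));
        System.out.println(filter(new Request("/admin", null, Map.of("role", "ADMIN")), web));
    }
}
```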
The version 1.9.1-SNAPSHOT is under development. Maven artifacts are built via Travis and available in the Sonatype snapshots repository.
The source code can be cloned and locally built via Maven:
```
git clone git@github.com:pac4j/pac4j.git
cd pac4j
mvn clean install
```
The latest released version is the , available in the Maven central repository. See the release notes.
Read the Javadoc and the technical components documentation for more information.
If you have any questions, please use the following mailing lists: