
Security configuration

LELEU Jérôme edited this page Oct 16, 2018 · 4 revisions

Define the authentication mechanisms (clients) and the authorization checks (authorizers) your application needs: a client establishes who the user is, an authorizer decides whether that authenticated user may proceed.

The configuration (org.pac4j.core.config.Config) contains all the clients and authorizers required by the application to handle security.

It can be built via a Spring context file or a Spring configuration class:

Spring context file:

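   <!-- SAML2 service-provider settings. The keystore password and the private-key password are
        secrets: inject them from externalized properties (this needs a property placeholder
        configurer in the context, e.g. <context:property-placeholder location="..."/>) instead
        of committing them in the bean definition. -->
   <bean id="samlConfig" class="org.pac4j.saml.client.SAML2ClientConfiguration">
        <property name="keystoreResourceClasspath" value="samlKeystore.jks" />
        <property name="keystorePassword" value="${saml.keystorePassword}" />
        <property name="privateKeyPassword" value="${saml.privateKeyPassword}" />
        <property name="identityProviderMetadataResourceClasspath" value="metadata-okta.xml" />
        <!-- presumably seconds: upper bound on the age of the IdP authentication accepted by this SP -->
        <property name="maximumAuthenticationLifetime" value="3600" />
        <!-- the entity id is the callback URL; use the public https URL outside local development -->
        <property name="serviceProviderEntityId" value="http://localhost:8080/callback?client_name=SAML2Client" />
        <!-- path of the SP metadata file, relative to the working directory -->
        <property name="serviceProviderMetadataResourceFilepath" value="sp-metadata.xml" />
    </bean>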

    <!-- SAML2 client built from the samlConfig configuration above. -->
    <bean id="saml2Client" class="org.pac4j.saml.client.SAML2Client">
        <constructor-arg name="configuration">
            <ref bean="samlConfig" />
        </constructor-arg>
    </bean>

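    <!-- Facebook OAuth client. The application key and secret are credentials: inject them from
         externalized properties (requires a property placeholder configurer in this context)
         rather than committing them with the application. -->
    <bean id="facebookClient" class="org.pac4j.oauth.client.FacebookClient">
        <constructor-arg name="key" value="${facebook.key}" />
        <constructor-arg name="secret" value="${facebook.secret}" />
    </bean>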

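    <!-- Twitter OAuth client. Same rule as for Facebook: the consumer key and secret come from
         externalized properties (property placeholder configurer required), never from source. -->
    <bean id="twitterClient" class="org.pac4j.oauth.client.TwitterClient">
        <constructor-arg name="key" value="${twitter.key}" />
        <constructor-arg name="secret" value="${twitter.secret}" />
    </bean>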

    <!-- Demo-only username/password validator (note the ".test" package). Replace it with a real
         Authenticator backed by your user store before deploying. -->
    <bean id="testAuthenticator"
          class="org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator" />

    <!-- Form-based login: loginUrl is the page holding the login form, and the submitted
         username/password pair is validated by testAuthenticator. Serve the form over https
         outside local development so that credentials are not sent in clear text. -->
    <bean id="formClient" class="org.pac4j.http.client.indirect.FormClient">
        <constructor-arg name="loginUrl">
            <value>http://localhost:8080/loginForm</value>
        </constructor-arg>
        <constructor-arg name="usernamePasswordAuthenticator">
            <ref bean="testAuthenticator" />
        </constructor-arg>
    </bean>

    ...

    <!-- Registry of every client, sharing one callback URL (only the indirect clients use it).
         Replace the localhost URL by the public https URL of the deployed application: it is
         the address the indirect clients are called back on. -->
    <bean id="clients" class="org.pac4j.core.client.Clients">
        <constructor-arg name="callbackUrl">
            <value>http://localhost:8080/callback</value>
        </constructor-arg>
        <constructor-arg name="clients">
            <list>
                <ref bean="oidClient" />
                <ref bean="saml2Client" />
                <ref bean="facebookClient" />
                <ref bean="twitterClient" />
                <ref bean="formClient" />
                <ref bean="indirectBasicAuthClient" />
                <ref bean="casClient" />
                <ref bean="parameterClient" />
                <ref bean="directBasicAuthClient" />
                <ref bean="casRestBasicAuthClient" />
            </list>
        </constructor-arg>
    </bean>

    <!-- Authorizer that passes only profiles carrying the ROLE_ADMIN role. -->
    <bean id="adminRoleAuthorizer" class="org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer">
        <constructor-arg name="roles">
            <value>ROLE_ADMIN</value>
        </constructor-arg>
    </bean>

    <!-- Application-specific authorizer (implemented in the demo project). -->
    <bean id="customAuthorizer" class="org.pac4j.demo.spring.CustomAuthorizer" />

    <!-- The pac4j Config: all clients plus the named authorizers ("admin" requires ROLE_ADMIN,
         "custom" is the application's own check). -->
    <bean id="config" class="org.pac4j.core.config.Config">
        <constructor-arg name="clients">
            <ref bean="clients" />
        </constructor-arg>
        <constructor-arg name="authorizers">
            <map>
                <entry key="admin">
                    <ref bean="adminRoleAuthorizer" />
                </entry>
                <entry key="custom">
                    <ref bean="customAuthorizer" />
                </entry>
            </map>
        </constructor-arg>
    </bean>

See a full example here.

Spring configuration class:

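@Configuration
public class Pac4jConfig {

    /**
     * Secret used both to sign and to encrypt the JWTs accepted by the {@code parameterClient}.
     * Injected from configuration, never hard-coded; ideally signing and encryption use two
     * distinct secrets rather than this single value.
     */
    @Value("${salt}")
    private String salt;

    // Provider credentials are injected from externalized configuration, like the salt above,
    // so that no secret is committed with the source.
    @Value("${oidc.clientId}")
    private String oidcClientId;

    @Value("${oidc.secret}")
    private String oidcSecret;

    @Value("${saml.keystorePassword}")
    private String samlKeystorePassword;

    @Value("${saml.privateKeyPassword}")
    private String samlPrivateKeyPassword;

    /**
     * Builds the pac4j {@link Config}: the clients (authentication mechanisms) and the named
     * authorizers (authorization checks) the application relies on.
     *
     * @return the pac4j configuration bean
     */
    @Bean
    public Config config() {
        // Shared by the indirect clients and reused as the SAML SP entity id; use the public
        // https URL of the deployed application, not the local development one.
        final String callbackUrl = "http://localhost:8080/callback";

        // Google OpenID Connect client.
        final OidcConfiguration oidcConfiguration = new OidcConfiguration();
        oidcConfiguration.setClientId(oidcClientId);
        oidcConfiguration.setSecret(oidcSecret);
        oidcConfiguration.setPreferredJwsAlgorithm(JWSAlgorithm.PS384);
        oidcConfiguration.addCustomParam("prompt", "consent");
        final GoogleOidcClient oidcClient = new GoogleOidcClient(oidcConfiguration);
        // DEMO ONLY: this grants ROLE_ADMIN to every Google account that logs in, which then
        // satisfies the "admin" authorizer below. Derive roles from a user store in real code.
        oidcClient.setAuthorizationGenerator((ctx, profile) -> { profile.addRole("ROLE_ADMIN"); return profile; });

        // SAML2 service provider: the SP keystore (with its password and the private-key
        // password), the IdP metadata, and the SP metadata file (relative to the working directory).
        final SAML2ClientConfiguration cfg = new SAML2ClientConfiguration(new ClassPathResource("samlKeystore.jks"),
                samlKeystorePassword, samlPrivateKeyPassword, new ClassPathResource("metadata-okta.xml"));
        // Presumably seconds: an upper bound on the age of the IdP authentication this SP accepts.
        cfg.setMaximumAuthenticationLifetime(3600);
        cfg.setServiceProviderEntityId(callbackUrl + "?client_name=SAML2Client");
        cfg.setServiceProviderMetadataResource(new FileSystemResource(new File("sp-metadata.xml").getAbsoluteFile()));
        final SAML2Client saml2Client = new SAML2Client(cfg);

        ...

        // CAS client pointed at the CAS server's login endpoint (https).
        final CasConfiguration configuration = new CasConfiguration("https://casserverpac4j.herokuapp.com/login");
        final CasClient casClient = new CasClient(configuration);

        // JWT authentication from a request parameter. The same salt verifies the signature and
        // decrypts the token; use two separate secrets in production.
        final SecretSignatureConfiguration secretSignatureConfiguration = new SecretSignatureConfiguration(salt);
        final SecretEncryptionConfiguration secretEncryptionConfiguration = new SecretEncryptionConfiguration(salt);
        final JwtAuthenticator authenticator = new JwtAuthenticator();
        authenticator.setSignatureConfiguration(secretSignatureConfiguration);
        authenticator.setEncryptionConfiguration(secretEncryptionConfiguration);
        // Accepting the token on GET puts it in the query string (server logs, browser history,
        // Referer headers); prefer POST or an Authorization header where callers allow it.
        final ParameterClient parameterClient = new ParameterClient("token", authenticator);
        parameterClient.setSupportGetRequest(true);
        parameterClient.setSupportPostRequest(false);

        // HTTP Basic with a demo-only validator (note the ".test" package): replace it with a
        // real Authenticator before deployment.
        final DirectBasicAuthClient directBasicAuthClient = new DirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());

        final Clients clients = new Clients(callbackUrl, oidcClient, saml2Client, facebookClient,
                twitterClient, formClient, indirectBasicAuthClient, casClient, parameterClient, directBasicAuthClient);

        // Named authorizers: "admin" requires the ROLE_ADMIN role, "custom" is the
        // application's own check.
        final Config config = new Config(clients);
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
        config.addAuthorizer("custom", new CustomAuthorizer());
        return config;
    }
}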

See a full example here.

`http://localhost:8080/callback` is the URL of the callback endpoint, which is only necessary for indirect clients (such as the OIDC, SAML, CAS, OAuth and form clients above, which send the user to a login page and back). In a deployed application use the public https URL: it is also the value used above as the SAML service-provider entity id.

Specific matchers can also be registered on the `Config`, in the same way as authorizers, via its `addMatcher(name, Matcher)` method.
