Authenticator interface has only one method:
void validate(C credentials, WebContext context) throws HttpAction;.
Credentials can be of two kinds:
HttpAction allows you to interrupt the credentials validation and trigger a specific HTTP action (like a temporary redirection).
You can use various
Authenticator for many identity systems:
1) Deal with performance issues
For direct HTTP clients, credentials are passed and validated for each request, which may lead to performance issues (too many calls to the underlying identity system). So the use of a cache is highly recommended.
This can be done using the
LocalCachingAuthenticator class (available in the
pac4j-core module) which caches the resulted user profile depending on the provided credentials and can thus spare credentials validation on the identity system.
LocalCachingAuthenticator authent = new LocalCachingAuthenticator(new JwtAuthenticator(secret), 10000, 15, TimeUnit.MINUTES);
LocalCachingAuthenticatorrequires the additionnal guava dependency.
Authenticator<UsernamePasswordCredentials> types of authenticators, the root implementation:
AbstractUsernamePasswordAuthenticator allows you to define a
PasswordEncoder with the
PasswordEncoder can encode plaintext passwords into crypted passwords as well as check if a plaintext password matches with an already encoded password.
The latter is especially used in database
Authenticators such as
By default, no encoding is performed (
NopPasswordEncoder), but you can use one of the default implementations:
JBCryptPasswordEncoder or create your own.
Wrappers for Spring Security Crypto
SpringSecurityPasswordEncoder) and Apache Shiro
ShiroPasswordEncoder) are also available.
SpringSecurityPasswordEncoderrequires the additionnal spring-security-crypto dependency, the
ShiroPasswordEncoderthe shiro-core dependency, the
JBCryptPasswordEncoderthe jBCrypt dependency and the
BasicSaltedSha512PasswordEncoderthe commons-codec dependency.
In fact, in the HTTP clients, you can also define the way the user profile is created via a
ProfileCreator in addition to the way of validating credentials (
- all the available
Authenticatorcreate a specific user profile when validating credentials and save it in the current
- all the clients are configured by default with the
AuthenticatorProfileCreatorwhich retrieves the user profile from the current
Credentialsand returns it.
So it works out of the box, even if providing a specific
ProfileCreator is perfectly feasible.
Notice that you can change the returned profile from the
AuthenticatorProfileCreator by using the
setProfileFactory method to build the appropriate profile.