
Authenticators: (v1.9)

HTTP clients require an Authenticator to validate the credentials.

The Authenticator interface has only one method: void validate(C credentials, WebContext context) throws HttpAction;

Credentials can be of two kinds:

The HttpAction allows you to interrupt the credentials validation and trigger a specific HTTP action (like a temporary redirection).

You can use various Authenticators for many identity systems:

1) Deal with performance issues

For direct HTTP clients, credentials are passed and validated for each request, which may lead to performance issues (too many calls to the underlying identity system). So the use of a cache is highly recommended.

This can be done using the LocalCachingAuthenticator class (available in the pac4j-core module), which caches the resulting user profile keyed on the provided credentials and can thus spare credentials validation on the identity system.


LocalCachingAuthenticator authent = new LocalCachingAuthenticator(new JwtAuthenticator(secret), 10000, 15, TimeUnit.MINUTES);
Notice that this LocalCachingAuthenticator requires the additional guava dependency.

2) PasswordEncoder

For the Authenticator<UsernamePasswordCredentials> types of authenticators, the root implementation, AbstractUsernamePasswordAuthenticator, allows you to define a PasswordEncoder with the setPasswordEncoder(passwordEncoder) method.

The PasswordEncoder can encode plaintext passwords into their encoded (hashed) form as well as check whether a plaintext password matches an already encoded password. The latter is especially used in database Authenticators such as MongoAuthenticator or DbAuthenticator.

By default, no encoding is performed (NopPasswordEncoder), but you can use one of the default implementations: BasicSaltedSha512PasswordEncoder, JBCryptPasswordEncoder or create your own. Wrappers for Spring Security Crypto PasswordEncoder (SpringSecurityPasswordEncoder) and Apache Shiro PasswordService (ShiroPasswordEncoder) are also available.

Notice that the SpringSecurityPasswordEncoder requires the additional spring-security-crypto dependency, the ShiroPasswordEncoder the shiro-core dependency, the JBCryptPasswordEncoder the jBCrypt dependency and the BasicSaltedSha512PasswordEncoder the commons-codec dependency.
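
As an added illustration of the "create your own" option (this is not pac4j code), the class below shows the two operations a password encoder has to provide, using only the JDK: PBKDF2 with a per-password random salt for encoding, and a constant-time comparison for matching. The class name, the encode/matches method names, the iteration count and the stored "iterations:salt:hash" layout are assumptions; to pass it to setPasswordEncoder it would have to implement pac4j's PasswordEncoder interface.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not pac4j code. Class and method names are assumptions that mirror
// the two operations described above: encode a password, match one against a stored value.
public class Pbkdf2PasswordEncoderExample {
    private static final int ITERATIONS = 600_000; // assumed work factor, tune per hardware
    private static final int SALT_BYTES = 16, KEY_BITS = 256;
    private final SecureRandom random = new SecureRandom();

    // Output "iterations:salt:hash" so each stored value carries its own parameters.
    public String encode(String password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt); // fresh random salt per password
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(derive(password, salt, ITERATIONS));
    }

    // Re-derive with the stored salt and iteration count, then compare in constant time.
    public boolean matches(String plainPassword, String encodedPassword) {
        if (plainPassword == null || encodedPassword == null) return false;
        String[] parts = encodedPassword.split(":");
        if (parts.length != 3) return false; // malformed value, e.g. a legacy plaintext entry
        try {
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            byte[] actual = derive(plainPassword, salt, Integer.parseInt(parts[0]));
            return MessageDigest.isEqual(expected, actual);
        } catch (IllegalArgumentException e) { // bad number, bad Base64 or invalid parameters
            return false;
        }
    }

    private static byte[] derive(String password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        Pbkdf2PasswordEncoderExample enc = new Pbkdf2PasswordEncoderExample();
        String stored = enc.encode("constructed-sample-password"); // constructed sample input
        System.out.println("correct password matches: " + enc.matches("constructed-sample-password", stored));
        System.out.println("wrong password matches:   " + enc.matches("wrong-guess", stored));
    }
}
```

Because the salt and iteration count are stored with each hash, the work factor can be raised later without invalidating existing entries.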

3) ProfileCreator

In fact, in the HTTP clients, you can also define the way the user profile is created via a ProfileCreator in addition to the way of validating credentials (Authenticator).

In practice:

So it works out of the box, even if providing a specific ProfileCreator is perfectly feasible.

Notice that you can change the returned profile from the AuthenticatorProfileCreator by using the setProfileFactory method to build the appropriate profile.