Authorizers: (v6.2)

Authorizers are meant to check authorizations to access an url (in the “security filter”):

• either on the authenticated user profile: has the user the appropriate role?
• or on the web context: can you call this resource in an iframe?

Generally, authorizers are defined in the security configuration of the application.

Various authorizers are available:

• Roles/permissions - Anonymous/remember-me/(fully) authenticated - Profile type, attribute
• CORS - CSRF - Security headers - IP address, HTTP method

▸ Default authorizer names

Most pac4j implementations use pac4j logics and authorizers and thus the DefaultAuthorizationChecker component. In that case, the following Authorizer are automatically available via the following short names:

• hsts for the StrictTransportSecurityHeader authorizer
• nosniff for the XContentTypeOptionsHeader authorizer
• noframe for the XFrameOptionsHeader authorizer
• xssprotection for the XSSProtectionHeader authorizer
• nocache for the CacheControlHeader authorizer
• securityheaders as a shortcut for hsts,nosniff,noframe,xssprotection,nocache
• csrfToken for the CsrfTokenGeneratorAuthorizer authorizer
• csrfCheck for the CsrfAuthorizer authorizer
• csrf as a shortcut for csrfToken,csrfCheck
• isAnonymous for the IsAnonymousAuthorizer authorizer
• isAuthenticated for the IsAuthenticatedAuthorizer authorizer
• isFullyAuthenticated for the IsFullyAuthenticatedAuthorizer authorizer
• isRemembered for the IsRememberedAuthorizer authorizer
• allowAjaxRequests for a default configuration of the CorsAuthorizer authorizer with the Access-Control-Allow-Origin header set to *.

These short names are defined as constants in DefaultAuthorizers.