Authenticator interface has only one method:
void validate(C credentials, WebContext context) throws HttpAction, CredentialsException.
Credentials can be of two kinds:
HttpAction allows you to interrupt the credentials validation and trigger a specific HTTP action (like a temporary redirection).
You can use various
Authenticator for many identity mechanisms:
1) Deal with performance issues
For direct HTTP clients, credentials are passed and validated for each request, which may lead to performance issues (too many calls to the underlying identity system). So the use of a cache is highly recommended.
This can be done using the
LocalCachingAuthenticator class (available in the
pac4j-core module) which caches the resulted user profile depending on the provided credentials and can thus spare credentials validation on the identity system.
LocalCachingAuthenticator authent = new LocalCachingAuthenticator(new JwtAuthenticator(secret), 10000, 15, TimeUnit.MINUTES);
By default, the
LocalCachingAuthenticator uses Guava as its internal
Store but you can provide your own store via the
LocalCachingAuthenticatorrequires the additionnal guava dependency.
Regarding the IP address authenticator, there is no need for password protection. Regarding the LDAP and Stormpath authenticators, the password protection is handled by the systems themselves.
But for the MongoDB and SQL authenticators, the password protection must be handled explicitly by the
which can encode plaintext passwords into crypted passwords as well as check if a plaintext password matches with an already encoded password.
The password encoder must be defined for these two authenticators via constructors or via the
PasswordEncoder implementations are available:
- a wrapper for the Spring Security Crypto
- a wrapper for the Apache Shiro
- one based on the jBCrypt library: the
SpringSecurityPasswordEncoderrequires the additionnal spring-security-crypto dependency, the
ShiroPasswordEncoderthe shiro-core dependency and the
JBCryptPasswordEncoderthe jBCrypt dependency.
In fact, in the HTTP clients, you can also define the way the user profile is created via a
ProfileCreator in addition to the way of validating credentials (
- all the available
Authenticatorcreate a specific user profile when validating credentials and save it in the current
- all the clients are configured by default with the
AuthenticatorProfileCreatorwhich retrieves the user profile from the current
Credentialsand returns it.
So it works out of the box, even if providing a specific
ProfileCreator is perfectly feasible.