Fork me on GitHub

Security configuration: (v6.0)

1) The Config component

In most pac4j implementations, the security configuration can be defined via a Config object.

It gathers the required:

Example:

FacebookClient facebookClient = new FacebookClient("145278422258960", "be21409ba8f39b5dae2a7de525484da8");
TwitterClient twitterClient = new TwitterClient("CoxUiYwQOSFDReZYdjigBA", "2kAzunH5Btc4gRSaMr7D7MkyoJ5u1VzbOOzE8rBofs");
ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(salt));

Config config = new Config("http://localhost:8080/callback", facebookClient, twitterClient, parameterClient);

config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
config.addAuthorizer("custom", new CustomAuthorizer());

config.addMatcher("excludedPath", new ExcludedPathMatcher("^/facebook/notprotected\\.jsp$"));

You can also use an intermediate Clients object to build the Config one.

Example:

Clients clients = new Clients("http://localhost:8080/callback", facebookClient, twitterClient, parameterClient);

Config config = new Config(clients);

In that case, you can define for all clients:

2) The pac4j-config module

The pac4j-config module gathers all the pac4j facilities to define this Config object. Currently, there is only one component which allows you to build the clients from a set of properties: the PropertiesConfigFactory. It is used by Dropwizard, CAS and Knox.

Notice that dependencies must be explicitly declared when necessary (the pac4j-saml module if you want to use SAML, the pac4j-oauth module if you want to use OAuth...)

Example (YAML dropwizard configuration file):

pac4j:
  callbackUrl: /callback
  clientsProperties:
    facebook.id: 145278422258960
    facebook.secret: be21409ba8f39b5dae2a7de525484da8
    saml.keystorePath: resource:samlKeystore.jks
    saml.keystorePassword: pac4j-demo-passwd
    saml.privateKeyPassword: pac4j-demo-passwd
    saml.identityProviderMetadataPath: resource:metadata-okta.xml
    saml.maximumAuthenticationLifetime: 3600
    saml.serviceProviderEntityId: http://localhost:8080/callback?client_name=SAML2Client
    saml.serviceProviderMetadataPath: sp-metadata.xml
    anonymous: fakevalue
    ldap.type: direct
    ldap.url: ldap://ldap.jumpcloud.com:389
    ldap.useStartTls: false
    ldap.useSsl: false
    ldap.dnFormat: uid=%s,ou=Users,o=58e69adc0914b437324e7632,dc=jumpcloud,dc=com
    ldap.usersDn: ou=Users,o=58e69adc0914b437324e7632,dc=jumpcloud,dc=com
    ldap.principalAttributeId: uid
    ldap.principalAttributes: firstName,lastName
    ldap.enhanceWithEntryResolver: false
    formClient.loginUrl: /login.html
    formClient.authenticator: ldap

Here are the properties you can use to define the clients (, password encoders and authenticators):

Available properties Usage
encoder.spring.type (bcrypt, noop, pbkdf2, scrypt or standard), encoder.spring.bcrypt.length, encoder.spring.pbkdf2.secret, encoder.spring.pbkdf2.iterations, encoder.spring.pbkdf2.hashWidth, encoder.spring.scrypt.cpuCost, encoder.spring.scrypt.memoryCost, encoder.spring.scrypt.parallelization, encoder.spring.scrypt.keyLength, encoder.spring.scrypt.saltLength and encoder.spring.standard.secret To define a SpringPasswordEncoder based on the provided properties and named encoder.spring or encoder.spring.N
encoder.shiro (if no specific properties are required), encoder.shiro.generatePublicSalt, encoder.shiro.hashAlgorithmName, encoder.shiro.hashIterations and encoder.shiro.privateSalt To define a ShiroPasswordEncoder based on the provided properties and named encoder.shiro or encoder.shiro.N
ldap.type, ldap.dnFormat, ldap.principalAttributes,ldap.principalAttributeId, ldap.principalAttributePassword, ldap.subtreeSearch, ldap.usersDn, ldap.userFilter, ldap.enhanceWithEntryResolver, ldap.trustCertificates, ldap.keystore, ldap.keystorePassword, ldap.keystoreType, ldap.minPoolSize, ldap.maxPoolSize, ldap.poolPassivator, ldap.validateOnCheckout, ldap.validatePeriodically, ldap.validatePeriod, ldap.failFast, ldap.idleTime, ldap.prunePeriod, ldap.blockWaitTime, ldap.url, ldap.useSsl, ldap.useStartTls, ldap.connectTimeout, ldap.providerClass, ldap.allowMultipleDns, ldap.bindDn, ldap.bindCredential, ldap.saslRealm, ldap.saslMechanism, ldap.saslAuthorizationId, ldap.saslSecurityStrength and ldap.saslQualityOfProtection To define a LdapAuthenticator based on the provided properties and named ldap or ldap.N
db.dataSourceClassName, db.jdbcUrl, db.userAttributes, db.userIdAttribute, db.usernameAttribute, db.userPasswordAttribute, db.usersTable, db.username, db.password, db.autoCommit, db.connectionTimeout, db.idleTimeout, db.maxLifetime, db.connectionTestQuery, db.minimumIdle, db.maximumPoolSize, db.poolName, db.initializationFailTimeout, db.isolateInternalQueries, db.allowPoolSuspension, db.readOnly, db.registerMbeans, db.catalog, db.connectionInitSql, db.driverClassName, db.transactionIsolation, db.validationTimeout, db.leakDetectionThreshold, db.customParamKey, db.customParamValue, db.loginTimeout, db.dataSourceJndi and db.passwordEncoder To define a DbAuthenticator based on the provided properties and named db or db.N
rest.url To define a RestAuthenticator based on the provided properties and named rest or rest.N
anonymous To define the AnonymousClient, the value is ignored
directBasicAuth.authenticator To define a DirectBasicAuthClient based on the provided properties
saml.keystorePassword, saml.privateKeyPassword, saml.keystorePath, saml.identityProviderMetadataPath, saml.maximumAuthenticationLifetime, saml.serviceProviderEntityId, saml.serviceProviderMetadataPath, saml.destinationBindingType, saml.keystoreAlias To define a SAML2Client based on the provided properties
cas.loginUrl, cas.protocol To define a CasClient based on the provided properties
oidc.type (google or azure), oidc.azure.tenant (for the AzureAD tenant), oidc.id, oidc.secret, oidc.scope, oidc.discoveryUri, oidc.useNonce, oidc.preferredJwsAlgorithm, oidc.maxClockSkew, oidc.clientAuthenticationMethod, oidc.customParamKey1, oidc.customParamValue1, oidc.customParamKey2,oidc.customParamValue2 To define an OpenID connect client based on the provided properties
formClient.authenticator, formClient.loginUrl, formClient.usernameParameter formClient.passwordParameter To define a FormClient based on the provided properties
indirectBasicAuth.authenticator, indirectBasicAuth.realName To define an IndirectBasicAuthClient based on the provided properties
facebook.id, facebook.secret, facebook.scope, facebook.fields To define a FacebookClient based on the provided properties
twitter.id, twitter.secret To define a TwitterClient based on the provided properties
github.id, github.secret To define a GitHubClient based on the provided properties
dropbox.id, dropbox.secret To define a DropBoxClient based on the provided properties
windowslive.id, windowslive.secret To define a WindowsLiveClient based on the provided properties
yahoo.id, yahoo.secret To define a YahooClient based on the provided properties
linkedin.id, linkedin.secret, linkedin.fields, linkedin.scope To define a LinkedIn2Client based on the provided properties
foursquare.id, foursquare.secret To define a FoursquareClient based on the provided properties
google.id, google.secret, google.scope To define a Google2Client based on the provided properties

Notice that: