Fork me on GitHub

Main concepts and components: (v4.4)

1) A client represents an authentication mechanism (flow). It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication

2) An authenticator is a subcomponent of clients to validate credentials. It is related to the ProfileService component which handles the creation, update, and removal of users

3) An authorizer is meant to check authorizations on the authenticated user profile(s) or on the current web context

4) A matcher defines whether the security must apply on the security filter or additional web processing (security headers for example)

5) A config defines the security configuration composed of clients, authorizers and matchers


6) A user profile is the profile of the authenticated user. It has an identifier, attributes, roles, permissions, a “remember-me” nature and a linked identifier (to another account)


7) The web context is an abstraction of the HTTP request and response specific to the pac4j implementation and the associated SessionStore represents an implementation of the session

8) The security filter (or whatever the mechanism used to intercept HTTP requests) protects an URL by checking that the user is authenticated and that the authorizations are valid, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients

9) The callback endpoint finishes the login process for an indirect client

10) The logout endpoint handles the application and/or the identity server logouts