
Authorizers: (v4.0)

Authorizers check whether the current user profile(s) are allowed to access a URL; they are evaluated by the "security filter" after the clients have authenticated the request.

Note that in pac4j the Authorizer concept is broader than authorization in the usual sense: besides role and permission checks, authorizers also cover per-request protections such as CSRF checking and security headers.

Generally, authorizers are defined in the security configuration of the application.

Various authorizers are available:

▸ Default authorizer names

Most pac4j implementations use the pac4j logics and authorizers, and therefore the DefaultAuthorizationChecker component. In that case, the built-in authorizers are automatically available under the following short names:

Since pac4j v4, if no authorizers are defined, the DefaultAuthorizationChecker applies the csrf,securityheaders authorizers by default. Any explicit authorizers value replaces that default, so once you name an authorizer yourself, list csrf and securityheaders as well if you still want them applied.

These short names are defined as constants in DefaultAuthorizers.

▸ The composition of authorizers

You can create a composition (conjunction or disjunction) of authorizers. For example:

// static factory methods from pac4j-core (package org.pac4j.core.authorization.authorizer)
import static org.pac4j.core.authorization.authorizer.AndAuthorizer.and;
import static org.pac4j.core.authorization.authorizer.OrAuthorizer.or;
import static org.pac4j.core.authorization.authorizer.RequireAnyPermissionAuthorizer.requireAnyPermission;
import static org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer.requireAnyRole;

// authorized when (role1 AND permission1) OR (role2 AND permission2)
final Authorizer<CommonProfile> authorizer = or(
    and(
        requireAnyRole("profile_role1"),
        requireAnyPermission("profile_permission1")
    ),
    and(
        requireAnyRole("profile_role2"),
        requireAnyPermission("profile_permission2")
    )
);
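The following is an added example, not code from the pac4j documentation or project. It builds the same composition, adds a hypothetical custom Authorizer (RequireMfaAuthorizer, which checks an assumed "mfa" profile attribute and fails closed when it is absent), and registers both under short names in the pac4j Config via Config#addAuthorizer, so a security filter can reference them next to the built-in names. The short names "role_or_partner" and "mfa" and the attribute name are assumptions of this example; it assumes pac4j-core 4.0 on the classpath.

```java
import java.util.List;

import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.CommonProfile;

import static org.pac4j.core.authorization.authorizer.AndAuthorizer.and;
import static org.pac4j.core.authorization.authorizer.OrAuthorizer.or;
import static org.pac4j.core.authorization.authorizer.RequireAnyPermissionAuthorizer.requireAnyPermission;
import static org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer.requireAnyRole;

/**
 * Added example (not pac4j's own code): a custom authorizer plus the page's
 * composition, registered under short names in the security configuration.
 */
public final class AuthorizerSetup {

    /**
     * Hypothetical custom authorizer: every authenticated profile must carry
     * the (assumed) attribute "mfa" with the value "true".
     * Fail closed: no profile, or a missing/other value, means not authorized.
     */
    static final class RequireMfaAuthorizer implements Authorizer<CommonProfile> {
        @Override
        public boolean isAuthorized(final WebContext context, final List<CommonProfile> profiles) {
            if (profiles == null || profiles.isEmpty()) {
                return false;
            }
            for (final CommonProfile profile : profiles) {
                final Object mfa = profile.getAttribute("mfa"); // assumed attribute name
                if (!"true".equals(mfa)) {
                    return false;
                }
            }
            return true;
        }
    }

    /** Registers the authorizers on the given Config and returns it. */
    public static Config configure(final Config config) {
        // Same composition as on the page:
        // (role1 AND permission1) OR (role2 AND permission2)
        final Authorizer<CommonProfile> roleOrPartner = or(
            and(requireAnyRole("profile_role1"), requireAnyPermission("profile_permission1")),
            and(requireAnyRole("profile_role2"), requireAnyPermission("profile_permission2"))
        );

        // Short names chosen for this example. A security filter can then use
        // authorizers="csrf,securityheaders,role_or_partner,mfa"; since naming
        // authorizers explicitly replaces the v4 default, csrf and
        // securityheaders are listed again on purpose.
        config.addAuthorizer("role_or_partner", roleOrPartner);
        config.addAuthorizer("mfa", new RequireMfaAuthorizer());
        return config;
    }

    private AuthorizerSetup() {
    }
}
```

The custom authorizer returns false for an empty profile list rather than true, so a route protected only by "mfa" is never opened to anonymous requests by accident; combine it with the built-in authenticated checks when you also need a specific authentication level.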