Authorizers: (v6.2)

Authorizers are meant to check authorizations to access an url (in the “security filter”):

either on the authenticated user profile: has the user the appropriate role?
or on the web context: can you call this resource in an iframe?

Notice that this concept of Authorizer has a broader meaning than generally in the security field.

Generally, authorizers are defined in the security configuration of the application.

Various authorizers are available:

▸ Default authorizer names

Most pac4j implementations use pac4j logics and authorizers and thus the DefaultAuthorizationChecker component. In that case, the following Authorizer are automatically available via the following short names:

hsts for the StrictTransportSecurityHeader authorizer
nosniff for the XContentTypeOptionsHeader authorizer
noframe for the XFrameOptionsHeader authorizer
xssprotection for the XSSProtectionHeader authorizer
nocache for the CacheControlHeader authorizer
securityheaders as a shortcut for hsts,nosniff,noframe,xssprotection,nocache
csrfToken for the CsrfTokenGeneratorAuthorizer authorizer
csrfCheck for the CsrfAuthorizer authorizer
csrf as a shortcut for csrfToken,csrfCheck
isAnonymous for the IsAnonymousAuthorizer authorizer
isAuthenticated for the IsAuthenticatedAuthorizer authorizer
isFullyAuthenticated for the IsFullyAuthenticatedAuthorizer authorizer
isRemembered for the IsRememberedAuthorizer authorizer
allowAjaxRequests for a default configuration of the CorsAuthorizer authorizer with the Access-Control-Allow-Origin header set to *.

These short names are defined as constants in DefaultAuthorizers.

▸ The composition of authorizers

You can create a composition (conjunction or disjunction) of authorizers. For example:

final Authorizer<CommonProfile> authorizer = or(
    and(
        requireAnyRole("profile_role1"),
        requireAnyPermission("profile_permission1")
    ),
    and(
        requireAnyRole("profile_role2"),
        requireAnyPermission("profile_permission2")
    )
);