Fork me on GitHub

Authorizers: (v4.3)

Authorizers are meant to check authorizations when accessing an URL (in the “security filter”):

Notice that this concept of Authorizer has a broader meaning than generally in the security field.

Generally, authorizers are defined in the security configuration of the application.

Various authorizers are available:

▸ Default authorizer names

Most pac4j implementations use the pac4j logics and authorizers and thus the DefaultAuthorizationChecker component. In that case, the following authorizers are automatically available via the following short keywords:

These short names are defined as constants in DefaultAuthorizers.

▸ The composition of authorizers

You can create a composition (conjunction or disjunction) of authorizers. For example:

final Authorizer<CommonProfile> authorizer = or(
    and(
        requireAnyRole("profile_role1"),
        requireAnyPermission("profile_permission1")
    ),
    and(
        requireAnyRole("profile_role2"),
        requireAnyPermission("profile_permission2")
    )
);