Release notes (older versions): (v5.2)
v2.3.1:
- Saving the profile in session can be disabled on the callback endpoint
v2.2.1:
- Improve SAML support: fix generated binding, handle AttributeConsumingServiceIndex in authentication request, add capability to add authentication-related attributes to the user profile with specific attributes added to the profile…
v2.1.0:
- Added Kerberos support
- Removed Stormpath support
- The password encoders and LDAP/SQL authenticators can be defined via properties through the
PropertiesConfigFactory
- Supports CouchDB for authentication and user management
- REST API
Authenticator
- In case of an unauthorized AJAX request, the redirection URL to the identity server is added as the
Location
header to the 401 error - Allow passive authentication for SAML
v2.0.0:
- All clients are built using sub-components (
RedirectActionBuilder
,CredentialsExtractor
,Authenticator
,ProfileCreator
andLogoutActionBuilder
): theIndirectClientV2
andDirectClientV2
are renamed asIndirectClient
andDirectClient
(and the existingIndirectClient
andDirectClient
components are removed) - The
LdapProfileService
,DbProfileService
andMongoProfileService
replace the deprecatedLDapAuthenticator
,DbAuthenticator
andMongoAuthenticator
to validate username/password and create, update or delete users in a LDAP, in a relational database and in a MongoDB database - A user profile can be linked to another user profile
- The
LogoutLogic
(formerlyApplicationLogoutLogic
) handles the application and identity provider logout - The
WebContext
directly relies on theSessionStore
whose capabilities are upgraded to handle back-channel logout - The
AuthorizationGenerator
takes theWebContext
as input and can return a new built profile - Using Spring framework
Resource
components for SAML files/URLs - The session renewal is properly handled by clients (and especially CAS)
- Caches are backed via a
Store
component - Upgrade the OAuth support with Scribe v3.3 and rebuild all clients on the generic
OAuth10Client
andOAuth20Client
- User profiles are simple POJOs, the
AttributesDefinition
is replaced by theProfileDefinition
- CAS specificities (Kryo serialization,
toString
service ticket validation) are handled via theInternalAttributeHandler
- Authenticators may throw the checked
CredentialsException
- Only two
PasswordEncoder
wrappers are available: one for Spring Security Crypto, the other one for Shiro - Added new matcher
PathMatcher
and deprecatedExcludedPathMatcher
v1.9.7:
- Security fix on
JwtAuthenticator
v1.9.6:
- Added LinkedIn support in
PropertiesConfigFactory
CallbackLogic
andApplicationLogoutLogic
can be set at theConfig
level
v1.9.5:
- Various bug fixes
v1.9.4:
- Critical security issue since the version 1.9.2 on the
NopPasswordEncoder
regarding theMongoAuthenticator
and theDbAuthenticator
: upgrading is mandatory
v1.9.3:
- Bug fixes (
Authenticator
initialization,resource:
/classpath:
prefixes in the SAML support…) - New
HeaderMatcher
andHttpMethodMatcher
- The
Config
holds aSecurityLogic
- The OpenID Connect configuration can be done without a discovery URL
- The Dropbox support uses the OAuth protocol v2.0
- The expiration time is checked on JWT, as well as the existence of the subject
- The
IpExtractor
can work on an alternative header name - A specific profile can be built by the
AuthenticatorProfileCreator
v1.9.2:
- the CAS support has been upgraded: the CAS configuration is defined via the
CasConfiguration
, the newDirectCasProxyClient
must be used to validate proxy tickets, the front channel logout is supported by theCasSingleSignOutHandler
, the OAuth support is compatible with CAS v5 - the JWT support has been upgraded:
SignatureConfiguration
classes allow to define HMac, RSA or Elliptic Curve signatures - the OpenID Connect support has been upgraded: the OIDC configuration is defined via the
OidcConfiguration
, all standard claims are supported in theOidcProfile
, most flows are supported - CORS (AJAX) requests can be controlled via the
CorsAuthorizer
and its default pre-definedallowAjaxRequests
name - Profile attribute can be checked via the
RequireAnyAttributeAuthorizer
- the
AjaxRequestResolver
,CallbackUrlResolver
andAuthorizationGenerator
can be defined at theClients
level for all defined clients - new implementations for the
PasswordEncoder
are available for Spring Security, Shiro or JBCrypt.
v1.9.1:
- the
Authenticator
andProfileCreator
have access to the web context - the signature of the SAML authentication requests can be disabled
v1.9.0:
- Upgraded to Java 8 as well as all most dependency versions
- Removed useless concepts: client type, client cloning capabilities, raw data, direct/indirect redirection, proxy configuration for OAuth clients (to be set at the JVM level or by overriding the
OAuthRequest
class) - All security logics are now available in the core via the
SecurityLogic
,CallbackLogic
andApplicationLogoutLogic
components - Any client can be built using the
RedirectActionBuilder
,CredentialsExtractor
,Authenticator
andProfileCreator
concepts (DirectClientV2
andIndirectClientV2
): to be re-used to build asynchronous clients CredentialsExtractor
,Authenticator
,ProfileCreator
andAuthorizer
can throwHttpAction
(previously namedRequiresHttpAction
) to break the flow and handle custom use cases- Typed id are now defined using the full class name (with package): “org.pac4j.oauth.profile.facebook.FacebookProfile#id” instead of “FacebookProfile#id” (use the
getOldTypedId()
method to get the old value) - Comparisons for clients/authorizers names are case insensitive and trimmed
- Most integration tests have been replaced by manual tests (RunXXX classes)
- Updated OpenID Connect support (
GoogleOidClient
andAzureAdClient
)
pac4j 1.8.8:
- Support default client in
Clients
- Properly handle Javascript calls on
FormClient
- Add
Resource
concept from Spring (in SAML support)
pac4j 1.8.7:
- Ability to define the ticket validator for the CAS REST authenticator
- Option to disable SAML requests signing
pac4j 1.8.6:
- New DirectFormClient
- Improved CAS support: callbackUrlResolver applies on CAS prefix url + the LocalCachingAuthenticator can be used with the CasRest*Client
- The
RelativeCallbackUrlResolver
properly handles HTTPS requests - Roles/permissions are kept through JWT
pac4j 1.8.5:
- Remove the
setResponseCharacterEncoding
from theWebContext
pac4j 1.8.4:
- Improved SAML support security configuration
pac4j 1.8.2 & 1.8.3:
- Improved JWT support
- Added Microsft Azure AD (OpenID Connect) support
pac4j 1.8.1:
- More authorizers: IP check, HTTP method check, profile type verification, Spring Security like security filters (cache control, Xframe…)
- Updated CSRF protection support
- Path exclusions support
- new AnonymousClient for advanced use cases
- Updated OAuth, CAS, SAML and OpenID Connect supports
- new session store mechanism
- new configuration module (build clients via properties only)
- Customizable callback urls
pac4j 1.8.0:
- Support REST authentication (basic auth, request parameter, request header, IP, cookie)
- New authentication mechanisms (JWT, LDAP, RDBMS, MongoDB, Stormpath)
- AJAX requests are automatically detected
- Arbitrary attributes are allowed on profiles (even with a definition)
- Upgrade SAML support
- Upgrade CAS support (protocol v3, REST API)
- Handle authorizations (on roles, permissions, CSRF protection…)
- Bring default guidelines (DefaultClientFinder, DefaulutAuthorizationChecker)
- Add ok.ru support
- Remove the LinkedIn OAuth v1 support (use the OAuth version 2 support)
pac4j 1.7.1:
- the SAML support is improved, but unfortunately, it only works in J2E environment (j2e-pac4j and spring-security-pac4j libraries)
pac4j 1.7.0:
- Improve roles management
- Remove Google OpenID support
- Add Strava (OAuth 2) support
- Add OpenID Connect support
pac4j 1.6.0:
- Update to scribe 1.3.6
- SAML improvments
- CAS client update (v3.3.3 for a security fix)
- New Google App Engine module
- Support for Yahoo with OpenID
- Upgrade to Java 6
- Support for ORCiD (OAuth)
pac4j 1.5.1:
- add Bitbucket support
pac4j 1.5.0:
- callback urls can be dynamically computed according to the current host and port
- added PayPal support (OAuth 2.0)
- AJAX requests can be handled properly instead of performing a redirection to the provider for authentication
- infinite loop when accessing a protected page and authentication fails are now automatically handled by returning a forbidden response (HTTP 403)
- remove myopenid.com support
- add Vk.com support
- add Foursquare support
- add SAML support
- authorizations support: roles, permissions and a “remembered” status are now available in all user profiles
pac4j 1.4.1:
- Add LinkedIn OAuth 2.0 protocol support
- Add Google OpenID support
pac4j 1.4.0:
- Rebuilding of the project to support also CAS, HTTP (form & basic auth), OpenID (myopenid.com)… protocols
- “Cancel” actions are/can be now properly handled (Facebook, Twitter)
- Indirect redirection urls (OAuth 1.0, myopenid.com) are integrated within the library
- handle Kryo serialization
- remove Google OAuth 1.0 support
scribe-up 1.3.1:
- Bug fix the CAS OAuth wrapping
scribe-up 1.3.0:
- Create common profile for all profiles
- Add providers definition with specific mechanism to handle redirection to and from OAuth provider when having multiples providers with only one callback url
- Add the ability to handle HTTP exceptions when requesting a user profile (use BaseOAuthProvider.retrieveUserProfile method instead of OAuthProvider.getUserProfile method)
- Add the ability to handle credential exceptions when retriving credentials (use BaseOAuthProvider.retrieveCredential method instead of OAuthProvider.getCredential method)
- Add support for CAS OAuth wrapper
scribe-up 1.2.0:
- Add 2 providers: DropBox and Google (OAuth 2.0)
- Make provider type settable
- Make providers cloneable
- Replace java.awt.Color by a specific Color object to be compatible with Google App Engine
- Optimize Facebook calls and add more data
- Hide completely the dependency on scribe
- Add proxy capabilities for OAuth requests
- Add state parameter (security) for Facebook
- Optimize profile creations for none CAS usage
- Upgrade to scribe 1.3.2, Jackson 2.0.6 and slf4j-api 1.7.0
- Add dependency on commons-lang3
scribe-up 1.1.0:
- Simplify OAuth provider interface : 4 methods instead of 6, remove explicit dependency on scribe
- Create specific and more complete profiles for all providers
- Add 2 more providers : Windows Live and WordPress
- Refactor profiles to be compatible with “CAS serialization” on client side
- Add typedId concept to differentiate profiles
- Make init() calls implicit
- Add access_token as default attribute of profile
- Add connect and read timeouts
- Switch GitHub provider from API v2 to API v3
- Make profiles serializable
- Upgrade to scribe 1.3.1 and Jackson 1.9.7
scribe-up 1.0.0:
- This is the first version of the project
- 6 OAuth providers are available : Google (OAuth 1.0), GitHub, LinkedIn, Twitter, Yahoo and Facebook
- Each provider returns a generic profile (UserProfile class), except the Facebook one which returns a minimal FacebookProfile
- Based on scribe 1.3.0, Jackson 1.9.4 and slf4j-api 1.6.4