HTTP (v5.3)

pac4j allows you to log in using HTTP mechanisms (like basic auth or form posting).

The HTTP clients require you to define an Authenticator to handle the credentials validation. The exception is the X509Client, whose default X509Authenticator extracts an identifier from the subjectDN of the X509 certificate.

1) Dependency

You need to use the following module: pac4j-http.

Example (Maven dependency):


2) Clients

You can use the following clients, depending on what the credentials are and how they are passed in the HTTP request:

| Credentials | Client |
|---|---|
| username/password sent via a form posting | FormClient (indirect client), DirectFormClient (direct client) |
| username/password sent via basic auth | IndirectBasicAuthClient (indirect client), DirectBasicAuthClient (direct client) |
| value sent as a cookie | CookieClient (direct client) |
| value sent as an HTTP header | HeaderClient (direct client) |
| value sent as an Authorization header starting with "Bearer " | DirectBearerAuthClient (direct client) |
| value sent as an HTTP parameter | ParameterClient (direct client) |
| IP address | IpClient (direct client) |
| X509 certificate | X509Client (direct client) |
| username/token sent via digest auth | DirectDigestAuthClient (direct client) |
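
An added example, not taken from the pac4j documentation: a standalone Authenticator for the HeaderClient row of the table that compares the presented value in constant time and rejects a mismatch with a CredentialsException. The class name, the X-API-Key header, the sample key and the profile id are assumptions; the validate signature is the pac4j 5.x one.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.http.client.direct.HeaderClient;

// Added example; class name, header name and profile id are assumptions.
public class ApiKeyAuthenticator implements Authenticator {
    private final byte[] expectedDigest; // SHA-256 of the key, so the raw key is not kept
    private final String profileId;

    public ApiKeyAuthenticator(byte[] expectedDigest, String profileId) {
        this.expectedDigest = expectedDigest.clone();
        this.profileId = profileId;
    }

    static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }

    @Override
    public void validate(Credentials credentials, WebContext context, SessionStore sessionStore) {
        String token = ((TokenCredentials) credentials).getToken();
        // MessageDigest.isEqual compares in constant time, unlike String.equals
        if (token == null || !MessageDigest.isEqual(expectedDigest, sha256(token))) {
            throw new CredentialsException("Invalid API key");
        }
        CommonProfile profile = new CommonProfile();
        profile.setId(profileId);
        credentials.setUserProfile(profile); // picked up by the default AuthenticatorProfileCreator
    }

    public static HeaderClient client() {
        // "constructed-sample-key" is a constructed value; load the digest from configuration in practice
        return new HeaderClient("X-API-Key",
                new ApiKeyAuthenticator(sha256("constructed-sample-key"), "svc-reporting"));
    }
}
```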


// REST authentication with JWT token passed in the url as the "token" parameter
ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(salt));

// if the 'Authorization' header is passed with the 'Basic token' value
// (in pac4j 5.x, Authenticator.validate takes the credentials, the web context and the session store)
HeaderClient client = new HeaderClient("Authorization", "Basic ", (credentials, ctx, store) -> {
    String token = ((TokenCredentials) credentials).getToken();
    // check the token and create a profile
    if ("goodToken".equals(token)) {
        CommonProfile profile = new CommonProfile();
        // save in the credentials to be passed to the default AuthenticatorProfileCreator
        credentials.setUserProfile(profile);
    }
});