Authorizers are meant to check authorizations when accessing a URL (in the "security filter"):
- either on the authenticated user profile: does the user have the appropriate role?
- or on the web context: can this resource be called with that HTTP method?
Notice that this concept of Authorizer has a broader meaning than it generally does in the security field.
Generally, authorizers are defined in the security configuration of the application.
Various authorizers are available:
- Roles
- Anonymous / remember-me / (fully) authenticated
- Profile type, attribute
- CSRF
- IP address, HTTP method
▸ Default authorizer names
Most pac4j implementations use the pac4j logics and authorizers and thus the DefaultAuthorizationChecker component. In that case, the following authorizers are automatically available via short keywords:
- the CsrfAuthorizer authorizer, to check that the CSRF token has been sent as the pac4jCsrfToken header or parameter in a POST request
- the IsAnonymousAuthorizer authorizer, to ensure the user is not authenticated
- the IsAuthenticatedAuthorizer authorizer, to ensure the user is authenticated (not necessary by default unless you use the
- the IsFullyAuthenticatedAuthorizer authorizer, to check that the user is authenticated but not remembered
- the IsRememberedAuthorizer authorizer, for a remembered user
- none, for no authorizers at all.
These short names are defined as constants in DefaultAuthorizers. You can override them with your own authorizers by registering them under the same names.
▸ The composition of authorizers
You can create a composition (conjunction or disjunction) of authorizers. For example:
```java
import static org.pac4j.core.authorization.authorizer.AndAuthorizer.and;
import static org.pac4j.core.authorization.authorizer.OrAuthorizer.or;
import static org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer.requireAnyRole;

import org.pac4j.core.authorization.authorizer.Authorizer;

// Access is granted if the profile holds (role1 AND role2) OR (role3 AND role4).
final Authorizer authorizer = or(
    and(
        requireAnyRole("profile_role1"),
        requireAnyRole("profile_role2")
    ),
    and(
        requireAnyRole("profile_role3"),
        requireAnyRole("profile_role4")
    )
);
```
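The following is an added example, not code from the pac4j documentation or project, showing how a composed authorizer like the one above is registered in the security configuration under a short name so the security filter can select it by that name alongside the default keywords. It assumes pac4j 4.x/5.x: the static factories `AndAuthorizer.and`, `OrAuthorizer.or` and `RequireAnyRoleAuthorizer.requireAnyRole`, the `Config(Clients)` constructor and `Config.addAuthorizer(String, Authorizer)`; the role names and the `billingAccess` name are constructed for illustration, and `clients` is assumed to be built elsewhere.

```java
// Added example (not pac4j's own code). Assumes pac4j 4.x/5.x APIs named in the lead-in.
import static org.pac4j.core.authorization.authorizer.AndAuthorizer.and;
import static org.pac4j.core.authorization.authorizer.OrAuthorizer.or;
import static org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer.requireAnyRole;

import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.authorization.authorizer.DefaultAuthorizers;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;

public final class AuthorizerConfig {

    // Short name under which the composed authorizer is registered (constructed for this example).
    public static final String BILLING_ACCESS = "billingAccess";

    // "clients" is assumed to be built elsewhere (e.g. an OIDC or form client).
    public static Config build(Clients clients) {
        Config config = new Config(clients);

        // Role names are constructed for illustration.
        // Grant access to billing managers (both roles) OR to read-only auditors (both roles);
        // a profile holding only ROLE_BILLING or only ROLE_AUDITOR is denied.
        Authorizer billingAccess = or(
            and(requireAnyRole("ROLE_BILLING"), requireAnyRole("ROLE_MANAGER")),
            and(requireAnyRole("ROLE_AUDITOR"), requireAnyRole("ROLE_READ_ONLY"))
        );

        // Register under the short name. A security filter protecting the billing URLs
        // then references it by name, typically together with a default keyword such as
        // DefaultAuthorizers.IS_AUTHENTICATED so that unauthenticated requests are
        // rejected before any role check runs.
        config.addAuthorizer(BILLING_ACCESS, billingAccess);

        return config;
    }

    // Builds the comma-separated authorizer list a security filter would be given,
    // keeping the default authentication keyword first and the custom name second.
    public static String billingFilterAuthorizers() {
        return DefaultAuthorizers.IS_AUTHENTICATED + "," + BILLING_ACCESS;
    }
}
```

Registering a custom authorizer under one of the names listed in DefaultAuthorizers replaces the built-in one, which is how the page's "override them with your own authorizers using the same names" works in practice; keep the default keyword for authentication and add the role composition as a second, separately named authorizer so the two checks stay independently auditable.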