Security configuration
lhoekenga edited this page Dec 5, 2019 · 14 revisions
You need to define the authentication mechanisms (`Client`) and authorization checks (`Authorizer`) you want.

The configuration (`org.pac4j.core.config.Config`) contains all the clients and authorizers required by the application to handle security.

It can be built via a configuration factory (`org.pac4j.core.config.ConfigFactory`) if the `configFactory` servlet parameter is used:
```java
// Imports assume the pac4j 3.x package layout used by this demo.
import java.io.File;

import org.pac4j.core.authorization.authorizer.IsAnonymousAuthorizer;
import org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.direct.AnonymousClient;
import org.pac4j.core.config.Config;
import org.pac4j.core.config.ConfigFactory;
import org.pac4j.core.matching.PathMatcher;
import org.pac4j.http.client.indirect.FormClient;
import org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator;
import org.pac4j.oauth.client.FacebookClient;
import org.pac4j.oauth.client.TwitterClient;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.client.SAML2ClientConfiguration;

public class DemoConfigFactory implements ConfigFactory {

    @Override
    public Config build(final Object... parameters) {
        // SAML2: keystore, keystore/key passwords and IdP metadata; the values below are the demo's test settings.
        final SAML2ClientConfiguration cfg = new SAML2ClientConfiguration("resource:samlKeystore.jks", "pac4j-demo-passwd", "pac4j-demo-passwd", "resource:testshib-providers.xml");
        cfg.setMaximumAuthenticationLifetime(3600);
        cfg.setServiceProviderEntityId("http://localhost:8080/callback?client_name=SAML2Client");
        cfg.setServiceProviderMetadataPath(new File("sp-metadata.xml").getAbsolutePath());
        final SAML2Client saml2Client = new SAML2Client(cfg);
        // OAuth clients (demo application keys/secrets)
        final FacebookClient facebookClient = new FacebookClient("145278422258960", "be21409ba8f39b5dae2a7de525484da8");
        final TwitterClient twitterClient = new TwitterClient("CoxUiYwQOSFDReZYdjigBA", "2kAzunH5Btc4gRSaMr7D7MkyoJ5u1VzbOOzE8rBofs");
        // Form login backed by the test authenticator (accepts username == password)
        final FormClient formClient = new FormClient("http://localhost:8080/loginForm.jsp", new SimpleTestUsernamePasswordAuthenticator());
        ...
        // All clients share one callback URL; indirect clients are redirected back to it after authentication.
        final Clients clients = new Clients("http://localhost:8080/callback", oidcClient, saml2Client, facebookClient,
                twitterClient, formClient, indirectBasicAuthClient, casClient, parameterClient,
                directBasicAuthClient, new AnonymousClient(), casProxy);
        final Config config = new Config(clients);
        // Named authorizers, referenced later by the security filter
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
        config.addAuthorizer("custom", new CustomAuthorizer());
        config.addAuthorizer("mustBeAnon", new IsAnonymousAuthorizer<>("/?mustBeAnon"));
        config.addAuthorizer("mustBeAuth", new IsAuthenticatedAuthorizer<>("/?mustBeAuth"));
        // Named matcher: paths matching the regex are excluded from the security check
        config.addMatcher("excludedPath", new PathMatcher().excludeRegex("^/facebook/notprotected\\.jsp$"));
        return config;
    }
}
```
See a full example here.
Or produced via CDI:
```java
// Imports assume the pac4j 3.x package layout and CDI 1.x/2.x (javax.enterprise).
import java.util.ArrayList;
import java.util.List;

import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.Dependent;
import javax.enterprise.inject.Produces;

import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.direct.AnonymousClient;
import org.pac4j.core.config.Config;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.direct.ParameterClient;
import org.pac4j.http.client.indirect.FormClient;
import org.pac4j.http.client.indirect.IndirectBasicAuthClient;
import org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.config.signature.SignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.pac4j.oidc.client.GoogleOidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Dependent
public class SecurityConfig {

    private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);

    @Produces @ApplicationScoped
    private Config buildConfiguration() {
        logger.debug("building Security configuration...");
        // Google OpenID Connect client (demo client id/secret); the nonce protects against replayed ID tokens
        final OidcConfiguration oidcConfiguration = new OidcConfiguration();
        oidcConfiguration.setClientId("167480702619-8e1lo80dnu8bpk3k0lvvj27noin97vu9.apps.googleusercontent.com");
        oidcConfiguration.setSecret("MhMme_Ik6IH2JMnAT6MFIfee");
        oidcConfiguration.setUseNonce(true);
        oidcConfiguration.addCustomParam("prompt", "consent");
        final GoogleOidcClient oidcClient = new GoogleOidcClient(oidcConfiguration);
        // Every Google-authenticated profile is granted ROLE_ADMIN (demo behaviour)
        oidcClient.setAuthorizationGenerator((ctx, profile) -> { profile.addRole("ROLE_ADMIN"); return profile; });
        final FormClient jsfFormClient = new FormClient(
            "http://localhost:8080/jsfLoginForm.action",
            new SimpleTestUsernamePasswordAuthenticator()
        );
        jsfFormClient.setName("jsfFormClient");
        final IndirectBasicAuthClient indirectBasicAuthClient = new IndirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
        final CasConfiguration configuration = new CasConfiguration("http://localhost:8888/cas/login");
        final CasClient casClient = new CasClient(configuration);
        // JWT passed as the "token" request parameter, verified with the demo's shared secret (Constants.JWT_SALT)
        final List<SignatureConfiguration> signatures = new ArrayList<>();
        signatures.add(new SecretSignatureConfiguration(Constants.JWT_SALT));
        final ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(signatures));
        parameterClient.setSupportGetRequest(true);
        parameterClient.setSupportPostRequest(false);
        final DirectBasicAuthClient directBasicAuthClient = new DirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
        ...
        final Clients clients = new Clients(
            "http://localhost:8080/callback",
            oidcClient,
            formClient,
            jsfFormClient,
            saml2Client, facebookClient, twitterClient, indirectBasicAuthClient, casClient,
            parameterClient, directBasicAuthClient, new AnonymousClient()
        );
        return new Config(clients);
    }
}
```
See a full example here.
`http://localhost:8080/callback` is the URL of the callback endpoint, which is only necessary for indirect clients.

Notice that you can define specific matchers via the `addMatcher(name, Matcher)` method.
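The `CustomAuthorizer` registered above is not shown on this page. As an added example (not the demo's class), here is one way to write an `Authorizer` that fails closed: every profile in the session must have been authenticated by a named client and carry a given role. It assumes the pac4j 3.x generic `Authorizer<U>` signature; the name `ClientAndRoleAuthorizer` and the `"samlAdmin"` key are hypothetical.

```java
import java.util.List;

import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.core.profile.CommonProfile;

/**
 * Added example, not the demo's CustomAuthorizer. Authorizes only when every
 * profile comes from the expected client AND holds the required role, so a
 * session authenticated by a weaker client (e.g. the test form login) cannot
 * reach a resource meant for SAML-authenticated admins.
 * Assumes the pac4j 3.x Authorizer<U> signature.
 */
public class ClientAndRoleAuthorizer implements Authorizer<CommonProfile> {

    private final String requiredClientName;
    private final String requiredRole;

    public ClientAndRoleAuthorizer(final String requiredClientName, final String requiredRole) {
        this.requiredClientName = requiredClientName;
        this.requiredRole = requiredRole;
    }

    @Override
    public boolean isAuthorized(final WebContext context, final List<CommonProfile> profiles) throws HttpAction {
        // Deny by default: no profile means the user is not authenticated at all.
        if (profiles == null || profiles.isEmpty()) {
            return false;
        }
        for (final CommonProfile profile : profiles) {
            // The client name is set by pac4j on the profile it creates; reject other clients.
            if (!requiredClientName.equals(profile.getClientName())) {
                return false;
            }
            if (!profile.getRoles().contains(requiredRole)) {
                return false;
            }
        }
        return true;
    }

    /** Registers the authorizer under a name the security filter can reference (hypothetical key). */
    public static Config register(final Config config) {
        config.addAuthorizer("samlAdmin", new ClientAndRoleAuthorizer("SAML2Client", "ROLE_ADMIN"));
        return config;
    }
}
```

Because the whole list of profiles is checked, the authorizer also denies when several clients have authenticated the user in one session and any of them is not the trusted one.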