Skip to content
forked from pac4j/pac4j

Security engine for Java (authentication, authorization, multi frameworks)

License

Notifications You must be signed in to change notification settings

samgurtman-zz/pac4j

 
 

Repository files navigation

pac4j is an easy and powerful Java security engine to authenticate users, get their profiles and manage authorizations in order to secure a Java web application. It provides a very comprehensive security model and implementation guidelines. It is based on Java 8 and available under the Apache 2 license.

It is currently available for most frameworks / tools and supports most authentication / authorization mechanisms.

pac4j big picture

Frameworks / tools implementing pac4j:

The framework / tool you develop with The *-pac4j library you must use The demo(s) for tests
J2E environment j2e-pac4j j2e-pac4j-demo
Spring Web MVC and Spring Boot spring-webmvc-pac4j spring-webmvc-pac4j-demo or spring-webmvc-pac4j-boot-demo
Play 2.x framework play-pac4j play-pac4j-java-demo or play-pac4j-scala-demo
Vertx vertx-pac4j vertx-pac4j-demo
Spark Java framework spark-pac4j spark-pac4j-demo
Ratpack ratpack-pac4j ratpack-pac4j-demo
Undertow undertow-pac4j undertow-pac4j-demo
Jooby framework jooby-pac4j jooby-pac4j-demo
Apache Shiro buji-pac4j buji-pac4j-demo
Spring Security spring-security-pac4j spring-security-pac4j-demo
SSO CAS server cas-server-support-pac4j cas-pac4j-oauth-demo
Knox gateway for Hadoop gateway-provider-security-pac4j knox-pac4j-demo

You can even implement pac4j for a new framework / tool by following these guidelines.

Main concepts:

In the pac4j project:

  1. A client represents an authentication mechanism. It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication

  2. An authorizer is meant to check authorizations on the authenticated user profile(s) or on the current web context

In a pac4j implementation:

  1. The "security filter" (or whatever the mechanism used to intercept HTTP requests) protects an url by checking that the user is authenticated and that the authorizations are checked, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients

  2. The "callback controller" finishes the login process for an indirect client

Versions

The next version 1.9.0-SNAPSHOT is under development. Maven artifacts are built via Travis: Build Status and available in the Sonatype snapshots repository.

The source code can be cloned and locally built via Maven:

git clone git@github.com:pac4j/pac4j.git
cd pac4j
mvn clean install

The latest released version is the Maven Central, available in the Maven central repository. See the release notes.

Read the Javadoc and the technical components documentation for more information.

Need help?

If you have any question, please use the following mailing lists:

About

Security engine for Java (authentication, authorization, multi frameworks)

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Java 100.0%