pac4j
is an easy and powerful Java security engine to authenticate users, get their profiles and manage authorizations in order to secure a Java web application. It provides a very comprehensive security model and implementation guidelines. It is based on Java 8 and available under the Apache 2 license.
It is currently available for most frameworks / tools and supports most authentication / authorization mechanisms.
You can even implement pac4j
for a new framework / tool by following these guidelines.
In the pac4j project:
-
A client represents an authentication mechanism. It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication
-
An authorizer is meant to check authorizations on the authenticated user profile(s) or on the current web context
In a pac4j implementation:
-
The "security filter" (or whatever the mechanism used to intercept HTTP requests) protects an url by checking that the user is authenticated and that the authorizations are checked, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients
-
The "callback controller" finishes the login process for an indirect client
The next version 1.9.0-SNAPSHOT is under development. Maven artifacts are built via Travis: and available in the Sonatype snapshots repository.
The source code can be cloned and locally built via Maven:
git clone [email protected]:pac4j/pac4j.git
cd pac4j
mvn clean install
The latest released version is the , available in the Maven central repository. See the release notes.
Read the Javadoc and the technical components documentation for more information.
If you have any question, please use the following mailing lists: