pac4j

Security engine for Java (authentication, authorization, multi frameworks)

Primary language: Java. License: Apache License 2.0 (Apache-2.0).

pac4j is a Java security engine to authenticate users, get their profiles and manage their authorizations in order to secure Java web applications. It's available under the Apache 2 license.

It is currently available for many frameworks / tools and supports most authentication mechanisms. Its core API is provided by the pac4j-core submodule (groupId: org.pac4j).

pac4j big picture

Frameworks / tools implementing pac4j:

| The framework / tool you develop with | The *-pac4j library you must use | The demo(s) for tests |
|---|---|---|
| J2E environment | j2e-pac4j | j2e-pac4j-demo |
| Spring Web MVC and Spring Boot | spring-webmvc-pac4j | spring-webmvc-pac4j-demo or spring-webmvc-pac4j-boot-demo |
| Play 2.x framework | play-pac4j | play-pac4j-java-demo or play-pac4j-scala-demo |
| Vertx | vertx-pac4j | vertx-pac4j-demo |
| Spark Java framework | spark-pac4j | spark-pac4j-demo |
| Ratpack | ratpack-pac4j | ratpack-pac4j-demo |
| Undertow | undertow-pac4j | undertow-pac4j-demo |
| Jooby framework | jooby-pac4j | jooby-pac4j-demo |
| Apache Shiro | buji-pac4j | buji-pac4j-demo |
| Spring Security | spring-security-pac4j | spring-security-pac4j-demo |
| SSO CAS server | cas-server-support-pac4j | cas-pac4j-oauth-demo |

You can even implement pac4j for a new framework / tool by following these guidelines.

Supported authentication / authorization mechanisms:

pac4j supports most authentication mechanisms, called clients:

  • indirect / stateful clients are for UI when the user authenticates once at an external provider (like Facebook, a CAS server...) or via a local form (or basic auth popup)
  • direct / stateless clients are for web services when credentials (like basic auth, tokens...) are passed for each HTTP request.

See the authentication flows.

| The authentication mechanism you want | The pac4j-* submodule(s) you must use |
|---|---|
| OAuth (1.0 & 2.0): Facebook, Twitter, Google, Yahoo, LinkedIn, Github... | pac4j-oauth |
| CAS (1.0, 2.0, 3.0, SAML, logout, proxy) | pac4j-cas |
| SAML (2.0) | pac4j-saml |
| OpenID Connect (1.0) | pac4j-oidc |
| HTTP (form, basic auth, IP, header, cookie, GET/POST parameter) + JWT or LDAP or Relational DB or MongoDB or Stormpath or CAS REST API | pac4j-http + pac4j-jwt or pac4j-ldap or pac4j-sql or pac4j-mongo or pac4j-stormpath or pac4j-cas |
| Google App Engine UserService | pac4j-gae |
| OpenID | pac4j-openid |

pac4j supports many authorization checks, called authorizers, available in the pac4j-core (and pac4j-http) submodules: role / permission checks, IP check, profile type verification, HTTP method verification... as well as regular security protections for CSRF, XSS, cache control, Xframe...

Versions

The next version 1.9.0-SNAPSHOT is under development. Maven artifacts are built via Travis and available in the Sonatype snapshots repository.

The source code can be cloned and locally built via Maven:

git clone git@github.com:pac4j/pac4j.git
cd pac4j
mvn clean install

The latest released version is available in the Maven Central repository. See the release notes.

Read the Javadoc and the technical components documentation for more information.

Need help?

If you have any questions, please use the following mailing lists: