pac4j
is a Java security engine to authenticate users, get their profiles and manage their authorizations in order to secure Java web applications. It's available under the Apache 2 license.
It is currently available for many frameworks / tools and supports most authentication mechanisms. Its core API is provided by the pac4j-core
submodule (groupId: org.pac4j
).
You can even implement pac4j
for a new framework / tool by following these guidelines.
pac4j
supports most authentication mechanisms, called clients:
- indirect / stateful clients are for UI when the user authenticates once at an external provider (like Facebook, a CAS server...) or via a local form (or basic auth popup)
- direct / stateless clients are for web services when credentials (like basic auth, tokens...) are passed for each HTTP request.
See the authentication flows.
The authentication mechanism you want | The pac4j-* submodule(s) you must use |
---|---|
OAuth (1.0 & 2.0): Facebook, Twitter, Google, Yahoo, LinkedIn, Github... | pac4j-oauth |
CAS (1.0, 2.0, 3.0, SAML, logout, proxy) | pac4j-cas |
SAML (2.0) | pac4j-saml |
OpenID Connect (1.0) | pac4j-oidc |
HTTP (form, basic auth, IP, header, cookie, GET/POST parameter) + JWT or LDAP or Relational DB or MongoDB or Stormpath or CAS REST API |
pac4j-http + pac4j-jwt or pac4j-ldap or pac4j-sql or pac4j-mongo or pac4j-stormpath or pac4j-cas |
Google App Engine UserService | pac4j-gae |
OpenID | pac4j-openid |
pac4j
supports many authorization checks, called authorizers available in the pac4j-core
(and pac4j-http
) submodules: role / permission checks, IP check, profile type verification, HTTP method verification... as well as regular security protections for CSRF, XSS, cache control, Xframe...
The next version 1.9.0-SNAPSHOT is under development. Maven artifacts are built via Travis: and available in the Sonatype snapshots repository.
The source code can be cloned and locally built via Maven:
git clone git@github.com:pac4j/pac4j.git
cd pac4j
mvn clean install
The latest released version is the , available in the Maven central repository. See the release notes.
Read the Javadoc and the technical components documentation for more information.
If you have any question, please use the following mailing lists: