The buji-pac4j library is a web multi-protocols client for Apache Shiro.
It supports these 5 protocols on client side:
- OAuth (1.0 & 2.0)
- CAS (1.0, 2.0, SAML, logout & proxy)
- HTTP (form & basic auth authentications)
- OpenID
- SAML (2.0) (still experimental).
It's available under the Apache 2 license and based on my pac4j library.
| Provider | Protocol | Maven dependency | Client class | Profile class |
|---|---|---|---|---|
| CAS server | CAS | pac4j-cas | CasClient & CasProxyReceptor | CasProfile |
| CAS server using OAuth Wrapper | OAuth 2.0 | pac4j-oauth | CasOAuthWrapperClient | CasOAuthWrapperProfile |
| DropBox | OAuth 1.0 | pac4j-oauth | DropBoxClient | DropBoxProfile |
| OAuth 2.0 | pac4j-oauth | FacebookClient | FacebookProfile | |
| GitHub | OAuth 2.0 | pac4j-oauth | GitHubClient | GitHubProfile |
| OAuth 2.0 | pac4j-oauth | Google2Client | Google2Profile | |
| OAuth 1.0 & 2.0 | pac4j-oauth | LinkedInClient & LinkedIn2Client | LinkedInProfile & LinkedIn2Profile | |
| OAuth 1.0 | pac4j-oauth | TwitterClient | TwitterProfile | |
| Windows Live | OAuth 2.0 | pac4j-oauth | WindowsLiveClient | WindowsLiveProfile |
| WordPress | OAuth 2.0 | pac4j-oauth | WordPressClient | WordPressProfile |
| Yahoo | OAuth 1.0 | pac4j-oauth | YahooClient | YahooProfile |
| PayPal | OAuth 2.0 | pac4j-oauth | PayPalClient | PayPalProfile |
| Vk | OAuth 2.0 | pac4j-oauth | VkClient | VkProfile |
| Foursquare | OAuth 2.0 | pac4j-oauth | FoursquareClient | FoursquareProfile |
| Web sites with basic auth authentication | HTTP | pac4j-http | BasicAuthClient | HttpProfile |
| Web sites with form authentication | HTTP | pac4j-http | FormClient | HttpProfile |
| OpenID | pac4j-openid | GoogleOpenIdClient | GoogleOpenIdProfile | |
| SAML Identity Provider | SAML 2.0 | pac4j-saml | Saml2Client | Saml2Profile |
This library has just 8 classes:
- the ClientFilter class is called after the authentication at the provider: it creates the ClientToken to be used by the ClientRealm
- the ClientToken class is the token representing the credentials and the profile of the user
- the ClientRealm class is the realm responsible for authenticating a ClientToken: it finishes the authentication process by retrieving the profile of the authenticated user and computing its default roles and permissions
- the ShiroWebContext class is a Shiro wrapper for the user request, response and session
- the ClientPermissionsAuthorizationFilter class is a filter to protect the application if the user has not the right permissions
- the ClientRolesAuthorizationFilter class is a filter to protect the application if the user has not the right roles
- the ClientUserFilter class is a filter to protect the application if the user is not authenticated
- the NoAuthenticationException class is an exception when no user profile is returned.
and is based on the pac4j-* libraries.
Learn more by browsing the buji-pac4j Javadoc and the pac4j Javadoc.
If you want to use a specific client support, you need to add the appropriate Maven dependency in the pom.xml file:
- for OAuth support, the pac4j-oauth dependency is required
- for CAS support, the pac4j-cas dependency is required
- for HTTP support, the pac4j-http dependency is required
- for OpenID support, the pac4j-openid dependency is required.
For example, to add OAuth support, add the following XML snippet:
<dependency>
<groupId>org.pac4</groupId>
<artifactId>pac4j-oauth</artifactId>
<version>1.5.0</version>
</dependency>
As these snapshot dependencies are only available in the Sonatype snapshots repository, the appropriate repository may need be added in the pom.xml file also:
<repositories>
<repository>
<id>sonatype-nexus-snapshots</id>
<name>Sonatype Nexus Snapshots</name>
<url>https://oss.sonatype.org/content/repositories/snapshots</url>
<releases>
<enabled>false</enabled>
</releases>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>
If you want to authenticate at an OAuth or OpenID provider, at a CAS server or through HTTP, you have to define all the clients in the shiro.ini file:
[main]
facebookClient = org.pac4j.oauth.client.FacebookClient
facebookClient.key = fbkey
facebookClient.secret = fbsecret
twitterClient = org.pac4j.oauth.client.TwitterClient
twitterClient.key = twkey
twitterClient.secret = twsecret
simpleAuthenticator = org.pac4j.http.credentials.SimpleTestUsernamePasswordAuthenticator
formClient = org.pac4j.http.client.FormClient
formClient.loginUrl = http://localhost:8080/theForm.jsp
formClient.usernamePasswordAuthenticator = $simpleAuthenticator
basicAuthClient = org.pac4j.http.client.BasicAuthClient
basicAuthClient.usernamePasswordAuthenticator = $simpleAuthenticator
# the CAS server is started on localhost:8888/cas
casClient = org.pac4j.cas.client.CasClient
casClient.casLoginUrl = http://localhost:8888/cas/login
# application is started on localhost:8080
clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://localhost:8080/callback
clients.clientsList = $facebookClient,$twitterClient,$formClient,$basicAuthClient,$casClient
To handle callback from providers, you need to define the appropriate filter:
[main]
clientsFilter = io.buji.pac4j.ClientFilter
clientsFilter.clients = $clients
clientsFilter.failureUrl = /error500.jsp
[url]
/callback = clientsFilter
To finish the authentication process after being callbacked by the provider, a specific realm must be declared:
[main]
clientsRealm = io.buji.pac4j.ClientRealm
clientsRealm.defaultRoles = ROLE_USER
clientsRealm.clients = $clients</code></pre>
You can protect your urls and force the user to be authenticated by a client by using one of the following filter: ClientPermissionsAuthorizationFilter, ClientRolesAuthorizationFilter or ClientUserFilter. For example:
[main]
facebookRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
facebookRoles.client = $facebookClient
formRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
formRoles.client = $formClient
casRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
casRoles.client = $casClient
[urls]
/facebook/** = facebookRoles[ROLE_USER]
/form/** = formRoles[ROLE_USER]
/cas/** = casRoles[ROLE_USER]
/callback = clientsFilter
/logout = logout
/** = anon
You can also explicitely compute a redirection url to a provider for authentication by using the getRedirectionUrl method. For example:
<%
ShiroWebContext context = new ShiroWebContext(request, response);
%>
<a href="<%=facebookClient.getRedirectionUrl(context,false,false)%>">Authenticate with Facebook</a>
After successfull authentication, the first principal is the typedId (a unique id accross providers and users) and the second principal is the user profile:
String typedId = (String) SecurityUtils.getSubject().getPrincipal();
// common profile to all providers
CommonProfile commonProfile = (CommonProfile) SecurityUtils.getSubject().getPrincipals().asList().get(1);
From the CommonProfile, you can retrieve the most common properties that all profiles share. But you can also cast the user profile to the appropriate profile according to the provider used for authentication. For example, after a Facebook authentication:
// facebook profile
FacebookProfile facebookProfile = (FacebookProfile) commonProfile;
Or for all the OAuth profiles, to get the access token:
OAuthProfile oauthProfile = (OAuthProfile) commonProfile
String accessToken = oauthProfile.getAccessToken();
// or
String accessToken = facebookProfile.getAccessToken();
A demo with Facebook, Twitter, CAS, form authentication and basic auth authentication providers is available with buji-pac4j-demo.
The current version 1.2.3-SNAPSHOT is under development. It's available on the Sonatype snapshots repository as a Maven dependency:
The last released version is the 1.2.2:
<dependency>
<groupId>io.buji</groupId>
<artifactId>buji-pac4j</artifactId>
<version>1.2.2</version>
</dependency>
See the release notes.
For any question or problem, don't hesitate to post it on the Shiro user mailing list or on the Shiro developer mailing list.
Or please use the dedicated mailing lists: