Authorizers (v6.1)

Authorizers are meant to check whether a request is authorized to access a URL (in the "security filter"), based on:
- either the authenticated user profile: does the user have the appropriate role?
- or the web context: can this resource be called in an iframe?
Notice that this concept of Authorizer has a broader meaning here than it generally does in the security field.

Generally, authorizers are defined in the security configuration of the application.
Various authorizers are available:
- Roles/permissions
- Anonymous/remember-me/(fully) authenticated
- Profile type, attribute
- CORS
- CSRF
- Security headers
- IP address, HTTP method
Default authorizer names

Most pac4j implementations use pac4j logics and authorizers and thus the DefaultAuthorizationChecker component. In that case, the following authorizers are automatically available via the following short names:

- `hsts` for the `StrictTransportSecurityHeader` authorizer
- `nosniff` for the `XContentTypeOptionsHeader` authorizer
- `noframe` for the `XFrameOptionsHeader` authorizer
- `xssprotection` for the `XSSProtectionHeader` authorizer
- `nocache` for the `CacheControlHeader` authorizer
- `securityheaders` as a shortcut for `hsts,nosniff,noframe,xssprotection,nocache`
- `csrfToken` for the `CsrfTokenGeneratorAuthorizer` authorizer
- `csrfCheck` for the `CsrfAuthorizer` authorizer
- `csrf` as a shortcut for `csrfToken,csrfCheck`
- `isAnonymous` for the `IsAnonymousAuthorizer` authorizer
- `isAuthenticated` for the `IsAuthenticatedAuthorizer` authorizer
- `isFullyAuthenticated` for the `IsFullyAuthenticatedAuthorizer` authorizer
- `isRemembered` for the `IsRememberedAuthorizer` authorizer
- `allowAjaxRequests` for a default configuration of the `CorsAuthorizer` authorizer with the `Access-Control-Allow-Origin` header set to `*`.

These short names are defined as constants in `DefaultAuthorizers`.
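The following is an added example, not code from the pac4j project or its documentation. It shows how the two kinds of check described above (a profile-based check and the context/header-based defaults) are combined in one configuration: a built-in role authorizer and a custom attribute authorizer are registered under short names with `Config.addAuthorizer`, and the `DefaultAuthorizers` constants are joined with them into the comma-separated `authorizers` string that the security filter consumes. It assumes the pac4j 6 `Authorizer.isAuthorized(WebContext, SessionStore, List<UserProfile>)` signature and the constant names `IS_AUTHENTICATED`, `CSRF` and `SECURITYHEADERS` in `DefaultAuthorizers`; the `department` attribute, the `finance` and `admin` names and the `ROLE_ADMIN` role are made-up values for the example.

```java
import java.util.List;

import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.authorization.authorizer.DefaultAuthorizers;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.profile.UserProfile;

public final class AuthorizerSetup {

    /**
     * Profile-based authorizer (hypothetical): the request is allowed only if at
     * least one authenticated profile carries the attribute department=finance.
     * Attribute name and value are constructed for this example.
     */
    static final class FinanceDepartmentAuthorizer implements Authorizer {
        @Override
        public boolean isAuthorized(WebContext context, SessionStore sessionStore,
                                    List<UserProfile> profiles) {
            // Deny by default: no profiles (anonymous request) means not authorized.
            if (profiles == null || profiles.isEmpty()) {
                return false;
            }
            return profiles.stream()
                    .anyMatch(p -> "finance".equals(p.getAttribute("department")));
        }
    }

    /** Registers the application-specific authorizers under their short names. */
    static Config buildConfig() {
        Config config = new Config(); // clients are omitted; only authorizers matter here
        // Built-in role check: any of the listed roles is enough.
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
        // Custom attribute check defined above.
        config.addAuthorizer("finance", new FinanceDepartmentAuthorizer());
        return config;
    }

    /**
     * Value for the security filter's "authorizers" parameter on a protected URL:
     * the user must be authenticated, the CSRF token is generated and checked,
     * the default security headers are set, and the custom "finance" check applies.
     * Default names come from the DefaultAuthorizers constants (assumed names).
     */
    static String financeUrlAuthorizers() {
        return String.join(",",
                DefaultAuthorizers.IS_AUTHENTICATED,
                DefaultAuthorizers.CSRF,
                DefaultAuthorizers.SECURITYHEADERS,
                "finance");
    }

    public static void main(String[] args) {
        Config config = buildConfig();
        // e.g. "isAuthenticated,csrf,securityheaders,finance"
        System.out.println(financeUrlAuthorizers());
        System.out.println("registered authorizers: " + config.getAuthorizers().keySet());
    }
}
```

Every authorizer named in the string must pass for the request to be allowed, so ordering the cheap context checks alongside the profile check costs nothing; what matters is that the custom authorizer returns `false` for an empty profile list rather than relying on `isAuthenticated` being listed first.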