Security configuration: (v6.1)
1) The Config component
In most pac4j implementations, the security configuration can be defined via a Config object.
It gathers the required:
Example:
FacebookClient facebookClient = new FacebookClient("145278422258960", "be21409ba8f39b5dae2a7de525484da8");
TwitterClient twitterClient = new TwitterClient("CoxUiYwQOSFDReZYdjigBA", "2kAzunH5Btc4gRSaMr7D7MkyoJ5u1VzbOOzE8rBofs");
ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(salt));
Config config = new Config("http://localhost:8080/callback", facebookClient, twitterClient, parameterClient);
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
config.addAuthorizer("custom", new CustomAuthorizer());
config.addMatcher("excludedPath", new ExcludedPathMatcher("^/facebook/notprotected\\.jsp$"));
You can also use an intermediate Clients object to build the Config one.
Example:
Clients clients = new Clients("http://localhost:8080/callback", facebookClient, twitterClient, parameterClient);
Config config = new Config(clients);
In that case, you can define for all clients:
- a callback URL and a
CallbackUrlResolver:clients.setCallbackUrl(callbackUrl);andclients.setCallbackUrlResolver(callbackUrlResolver); - an
AjaxRequestResolver:clients.setAjaxRequestResolver(ajaxRequestResolver); - an
AuthorizationGenerator:clients.addAuthorizationGenerator(authorizationGenerator);
2) The pac4j-config module
The pac4j-config module gathers all the pac4j facilities to define this Config object.
Currently, there is only one component which allows you to build the clients from a set of properties: the PropertiesConfigFactory.
It is used by Dropwizard, CAS and Knox.
Notice that dependencies must be explicitly declared when necessary (the
pac4j-saml module if you want to use SAML, the pac4j-oauth module if you want to use OAuth...)Example (YAML dropwizard configuration file):
pac4j:
callbackUrl: /callback
clientsProperties:
facebook.id: 145278422258960
facebook.secret: be21409ba8f39b5dae2a7de525484da8
saml.keystorePath: resource:samlKeystore.jks
saml.keystorePassword: pac4j-demo-passwd
saml.privateKeyPassword: pac4j-demo-passwd
saml.identityProviderMetadataPath: resource:metadata-okta.xml
saml.maximumAuthenticationLifetime: 3600
saml.serviceProviderEntityId: http://localhost:8080/callback?client_name=SAML2Client
saml.serviceProviderMetadataPath: sp-metadata.xml
anonymous: fakevalue
ldap.type: direct
ldap.url: ldap://ldap.jumpcloud.com:389
ldap.useStartTls: false
ldap.useSsl: false
ldap.dnFormat: uid=%s,ou=Users,o=58e69adc0914b437324e7632,dc=jumpcloud,dc=com
ldap.usersDn: ou=Users,o=58e69adc0914b437324e7632,dc=jumpcloud,dc=com
ldap.principalAttributeId: uid
ldap.principalAttributes: firstName,lastName
ldap.enhanceWithEntryResolver: false
formClient.loginUrl: /login.html
formClient.authenticator: ldap
Here are the properties you can use to define the clients (, password encoders and authenticators):
| Available properties | Usage |
|---|---|
encoder.spring.type (bcrypt, noop, pbkdf2, scrypt or standard), encoder.spring.bcrypt.length, encoder.spring.pbkdf2.secret, encoder.spring.pbkdf2.iterations, encoder.spring.pbkdf2.hashWidth, encoder.spring.scrypt.cpuCost, encoder.spring.scrypt.memoryCost, encoder.spring.scrypt.parallelization, encoder.spring.scrypt.keyLength, encoder.spring.scrypt.saltLength and encoder.spring.standard.secret |
To define a SpringPasswordEncoder based on the provided properties and named encoder.spring or encoder.spring.N |
encoder.shiro (if no specific properties are required), encoder.shiro.generatePublicSalt, encoder.shiro.hashAlgorithmName, encoder.shiro.hashIterations and encoder.shiro.privateSalt |
To define a ShiroPasswordEncoder based on the provided properties and named encoder.shiro or encoder.shiro.N |
ldap.type, ldap.dnFormat, ldap.principalAttributes,ldap.principalAttributeId, ldap.principalAttributePassword, ldap.subtreeSearch, ldap.usersDn, ldap.userFilter, ldap.enhanceWithEntryResolver, ldap.trustCertificates, ldap.keystore, ldap.keystorePassword, ldap.keystoreType, ldap.minPoolSize, ldap.maxPoolSize, ldap.poolPassivator, ldap.validateOnCheckout, ldap.validatePeriodically, ldap.validatePeriod, ldap.failFast, ldap.idleTime, ldap.prunePeriod, ldap.blockWaitTime, ldap.url, ldap.useSsl, ldap.useStartTls, ldap.connectTimeout, ldap.providerClass, ldap.allowMultipleDns, ldap.bindDn, ldap.bindCredential, ldap.saslRealm, ldap.saslMechanism, ldap.saslAuthorizationId, ldap.saslSecurityStrength and ldap.saslQualityOfProtection |
To define a LdapAuthenticator based on the provided properties and named ldap or ldap.N |
db.dataSourceClassName, db.jdbcUrl, db.userAttributes, db.userIdAttribute, db.usernameAttribute, db.userPasswordAttribute, db.usersTable, db.username, db.password, db.autoCommit, db.connectionTimeout, db.idleTimeout, db.maxLifetime, db.connectionTestQuery, db.minimumIdle, db.maximumPoolSize, db.poolName, db.initializationFailTimeout, db.isolateInternalQueries, db.allowPoolSuspension, db.readOnly, db.registerMbeans, db.catalog, db.connectionInitSql, db.driverClassName, db.transactionIsolation, db.validationTimeout, db.leakDetectionThreshold, db.customParamKey, db.customParamValue, db.loginTimeout, db.dataSourceJndi and db.passwordEncoder |
To define a DbAuthenticator based on the provided properties and named db or db.N |
rest.url |
To define a RestAuthenticator based on the provided properties and named rest or rest.N |
anonymous |
To define the AnonymousClient, the value is ignored |
directBasicAuth.authenticator |
To define a DirectBasicAuthClient based on the provided properties |
saml.keystorePassword, saml.privateKeyPassword, saml.keystorePath, saml.identityProviderMetadataPath, saml.maximumAuthenticationLifetime, saml.serviceProviderEntityId, saml.serviceProviderMetadataPath, saml.destinationBindingType, saml.keystoreAlias |
To define a SAML2Client based on the provided properties |
cas.loginUrl, cas.protocol |
To define a CasClient based on the provided properties |
oidc.type (google or azure), oidc.id, oidc.secret, oidc.scope, oidc.discoveryUri, oidc.useNonce, oidc.preferredJwsAlgorithm, oidc.maxClockSkew, oidc.clientAuthenticationMethod, oidc.customParamKey1, oidc.customParamValue1, oidc.customParamKey2,oidc.customParamValue2 |
To define an OpenID connect client based on the provided properties |
formClient.authenticator, formClient.loginUrl, formClient.usernameParameter formClient.passwordParameter |
To define a FormClient based on the provided properties |
indirectBasicAuth.authenticator, indirectBasicAuth.realName |
To define an IndirectBasicAuthClient based on the provided properties |
facebook.id, facebook.secret, facebook.scope, facebook.fields |
To define a FacebookClient based on the provided properties |
twitter.id, twitter.secret |
To define a TwitterClient based on the provided properties |
github.id, github.secret |
To define a GitHubClient based on the provided properties |
dropbox.id, dropbox.secret |
To define a DropBoxClient based on the provided properties |
windowslive.id, windowslive.secret |
To define a WindowsLiveClient based on the provided properties |
yahoo.id, yahoo.secret |
To define a YahooClient based on the provided properties |
linkedin.id, linkedin.secret, linkedin.fields, linkedin.scope |
To define a LinkedIn2Client based on the provided properties |
foursquare.id, foursquare.secret |
To define a FoursquareClient based on the provided properties |
google.id, google.secret, google.scope |
To define a Google2Client based on the provided properties |
Notice that:
-
you can define multiple clients of the same type by adding a number at the end of the properties:
cas.loginUrl.2,oidc.type.5… -
the
.passwordEncoderproperty must be set to the name of an already definedPasswordEncoderlikeencoder.springorencoder.shiro.3 -
the
.authenticatorproperty must be set to the name of an already definedAuthenticatorlikeldapordb.1or the implicit values:testUsernamePasswordortestToken.