Authorizers (v4.0)
Authorizers are meant to check authorizations to access a URL (in the "security filter"):
- either on the authenticated user profile: does the user have the appropriate role?
- or on the web context: can you call this resource with that HTTP method?
Notice that this concept of Authorizer has a broader meaning than it generally has in the security field.
Generally, authorizers are defined in the security configuration of the application.
Various authorizers are available:
- Roles/permissions
- Anonymous/remember-me/(fully) authenticated
- Profile type, attribute
- CSRF
- IP address, HTTP method
▸ Default authorizer names
Most pac4j implementations use pac4j logics and authorizers and thus the DefaultAuthorizationChecker component. In that case, the following authorizers are automatically available via the following short keywords:
- csrfCheck for the CsrfAuthorizer
- isAnonymous for the IsAnonymousAuthorizer
- isAuthenticated for the IsAuthenticatedAuthorizer
- isFullyAuthenticated for the IsFullyAuthenticatedAuthorizer
- isRemembered for the IsRememberedAuthorizer
- none for no authorizers at all.
Since pac4j v4, if no authorizers are defined, the DefaultAuthorizationChecker applies the csrfCheck configuration. These short names are defined as constants in DefaultAuthorizers.
▸ The composition of authorizers
You can create a composition (conjunction or disjunction) of authorizers. For example:

```java
// Static factory methods provided by the pac4j-core authorizer classes
import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.profile.CommonProfile;
import static org.pac4j.core.authorization.authorizer.AndAuthorizer.and;
import static org.pac4j.core.authorization.authorizer.OrAuthorizer.or;
import static org.pac4j.core.authorization.authorizer.RequireAnyPermissionAuthorizer.requireAnyPermission;
import static org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer.requireAnyRole;

// Authorized if the profile has (role1 AND permission1) OR (role2 AND permission2)
final Authorizer<CommonProfile> authorizer = or(
    and(
        requireAnyRole("profile_role1"),
        requireAnyPermission("profile_permission1")
    ),
    and(
        requireAnyRole("profile_role2"),
        requireAnyPermission("profile_permission2")
    )
);
```
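The following is an added example (not code from the pac4j documentation or project) showing how a composed authorizer is registered in the pac4j `Config` under a name of your own, so that a security filter can reference it in the same comma-separated `authorizers` string as the built-in short keywords, and how it can be evaluated against a profile. The class name `ReportAuthorizationExample`, the authorizer name `reportAccess`, and the role and permission strings are invented for the example; it assumes pac4j-core 4.x, and the `isAllowed` helper assumes `org.pac4j.core.context.MockWebContext` is available from pac4j-core (the role/permission authorizers do not read the web context, so the mock only satisfies the method signature).

```java
import java.util.Collections;

import org.pac4j.core.authorization.authorizer.Authorizer;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.MockWebContext;   // assumption: shipped with pac4j-core
import org.pac4j.core.profile.CommonProfile;

import static org.pac4j.core.authorization.authorizer.AndAuthorizer.and;
import static org.pac4j.core.authorization.authorizer.DefaultAuthorizers.IS_AUTHENTICATED;
import static org.pac4j.core.authorization.authorizer.OrAuthorizer.or;
import static org.pac4j.core.authorization.authorizer.RequireAnyPermissionAuthorizer.requireAnyPermission;
import static org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer.requireAnyRole;

public class ReportAuthorizationExample {

    // Name chosen for this example; any string that does not clash with the
    // DefaultAuthorizers keywords (csrfCheck, isAnonymous, ...) will do.
    public static final String REPORT_ACCESS = "reportAccess";

    // (analyst AND report:read) OR (admin AND report:admin); role and
    // permission strings are constructed for the example.
    public static Authorizer<CommonProfile> reportAccessAuthorizer() {
        return or(
            and(requireAnyRole("ROLE_ANALYST"), requireAnyPermission("report:read")),
            and(requireAnyRole("ROLE_ADMIN"), requireAnyPermission("report:admin"))
        );
    }

    // Register the composed authorizer so the security filter can refer to it by name.
    public static Config buildConfig() {
        final Config config = new Config();
        config.addAuthorizer(REPORT_ACCESS, reportAccessAuthorizer());
        return config;
    }

    // The value handed to a security filter's "authorizers" parameter.
    // "isAuthenticated" is listed first so anonymous requests are rejected
    // before any role/permission evaluation takes place.
    public static String authorizersForReports() {
        return IS_AUTHENTICATED + "," + REPORT_ACCESS;   // "isAuthenticated,reportAccess"
    }

    // Direct evaluation of the composed authorizer against a single profile.
    public static boolean isAllowed(final CommonProfile profile) {
        return reportAccessAuthorizer().isAuthorized(
            MockWebContext.create(), Collections.singletonList(profile));
    }

    public static void main(final String[] args) {
        // Constructed sample profiles
        final CommonProfile analyst = new CommonProfile();
        analyst.setId("alice");
        analyst.addRole("ROLE_ANALYST");
        analyst.addPermission("report:read");

        final CommonProfile roleOnly = new CommonProfile();
        roleOnly.setId("bob");
        roleOnly.addRole("ROLE_ADMIN");          // role without the matching permission

        System.out.println("filter value: " + authorizersForReports());
        System.out.println("alice allowed: " + isAllowed(analyst));   // true
        System.out.println("bob allowed:   " + isAllowed(roleOnly));  // false: AND branch incomplete
    }
}
```

The conjunction inside each `and(...)` is what makes the second profile fail: holding a role is not enough unless the paired permission is also present, so a misassigned role alone does not open the resource.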