Matchers: (v4.4)
1) Definition
The “security filter” is in charge of protecting URL, requesting authentication and optionally authorization.
In some cases, you may want to bypass this “security filter” and this can be done using the matchers parameter which is generally a list of matcher names. A matcher is generally defined in the security configuration.
The matchers can also be used to always apply some logic on the URLs, like adding some security headers.
2) Available matchers
A matcher can be defined by implementing the Matcher
interface. It has only one method: boolean matches(WebContext context)
to say if the “security filter” must be applied.
A few matchers are available (but you can of course develop your own matchers):
-
the
PathMatcher
allows you to exclude some paths from the security checks -
the
HeaderMatcher
allows you to check if a given header isnull
or matches a regular expression -
the
HttpMethodMatcher
allows you to check if the method of the HTTP request is one of the expected defined methods.
3) Default matchers
Most pac4j implementations use the pac4j logics and matchers and thus the DefaultMatchingChecker
component. In that case, the following matchers are automatically available via the following short keywords:
- the
get
,post
,put
anddelete
keywords for the related configurations of theHttpMethodMatcher
(if they do not already exist) - the
hsts
keyword for theStrictTransportSecurityMatcher
- the
nosniff
keyword for theXContentTypeOptionsMatcher
- the
noframe
keyword for theXFrameOptionsMatcher
- the
xssprotection
keyword for theXSSProtectionMatcher
- the
nocache
keyword for theCacheControlMatcher
- the
securityheaders
keyword as a shortcut forhsts,nosniff,noframe,xssprotection,nocache
- the
csrfToken
keyword for theCsrfTokenGeneratorMatcher
with theDefaultCsrfTokenGenerator
(it generates a CSRF token and saves it as thepac4jCsrfToken
request attribute and in thepac4jCsrfToken
cookie) - the
allowAjaxRequests
keyword for a default configuration of theCorsMatcher
with theAccess-Control-Allow-Origin
header set to*
. - the
none
keyword for no matchers at all.