Fork me on GitHub

Authorizers: (v5.1)

Authorizers are meant to check authorizations when accessing an URL (in the “security filter”):

Notice that this concept of Authorizer has a broader meaning than generally in the security field.

Generally, authorizers are defined in the security configuration of the application.

Various authorizers are available:

▸ Default authorizer names

Most pac4j implementations use the pac4j logics and authorizers and thus the DefaultAuthorizationChecker component. In that case, the following authorizers are automatically available via the following short keywords:

These short names are defined as constants in DefaultAuthorizers. You can override them with your own authorizers using the same names.

▸ The composition of authorizers

You can create a composition (conjunction or disjunction) of authorizers. For example:

final Authorizer authorizer = or(
    and(
        requireAnyRole("profile_role1"),
        requireAnyPermission("profile_permission1")
    ),
    and(
        requireAnyRole("profile_role2"),
        requireAnyPermission("profile_permission2")
    )
);