
What's new with Spring and pac4j?

pac4j is a security framework available for many frameworks in the Java ecosystem. Unlike other Java security libraries which are dedicated to one framework, pac4j is composed of a security engine (the “core” pac4j project) and many specific implementations.

Because pac4j is one security engine behind many implementations, developers only need to learn one security model for all the frameworks and can switch from one framework to another very easily. You can use it in a simple JEE web application, with Undertow, Spark Java, JAX-RS, Ratpack, etc., and of course with Spring. It can even be used only for authentication delegation, as in the CAS SSO server.

In the Java ecosystem, Spring is a very popular and important framework and pac4j is integrated with three Spring libraries:

Spring Webflux support

This is a new implementation for pac4j: spring-webflux-pac4j.

While pac4j is not a reactive engine, it has been smartly implemented for many asynchronous frameworks: Play 2, Vert.x, … and Spring Webflux.

In the Spring Webflux pac4j security library, you have:

Spring 6 support

As Spring fans know, a new major version 6 of the Spring framework will come soon. It is based on JDK 17 and JakartaEE 9.

All related pac4j security libraries have already been upgraded (using Spring 6 milestones) to anticipate this arrival:

Bridge from pac4j to Spring Security

Spring Security is a well-known security framework for Spring.

You can replace it with spring-webmvc-pac4j to use only the pac4j security framework or, if that is too much work, make it work with pac4j thanks to the spring-security-pac4j security library.

In the Spring security pac4j library, you have:

Since version 8, the SecurityFilter, CallbackFilter, and LogoutFilter have been removed. You must use another pac4j security library like the javaee-pac4j or jakartaee-pac4j security library which has similar filters (in different packages). See the migration guide.

Only the SpringSecurityProfileManager component remains, and spring-security-pac4j version >= 8 is now only a bridge from pac4j to Spring Security.

Smart “builders” for spring-webmvc-pac4j and spring-webflux-pac4j

All pac4j implementations share a similar way of configuring security: you need to create a Config and a “security filter”:

    // CAS login process
    var casClient = new CasClient(new CasConfiguration("https://casserverpac4j.herokuapp.com/login"));

    var clients = new Clients("http://localhost:8080/callback", casClient);

    var config = new Config(clients);
    // ROLE_ADMIN authorization check
    config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));

    ...

    // protect the /cas/ URL with a CAS login process and a ROLE_ADMIN check
    registry.addInterceptor(
            new SecurityInterceptor(config, "CasClient", "admin")
        ).addPathPatterns("/cas/*");

In the latest versions of spring-webmvc-pac4j (>= 6.1) and spring-webflux-pac4j (>= 1.1), you can directly create the Authorizer in the “security filter”:

    // CAS login process
    var casClient = new CasClient(new CasConfiguration("https://casserverpac4j.herokuapp.com/login"));

    var clients = new Clients("http://localhost:8080/callback", casClient);

    var config = new Config(clients);
    // no ROLE_ADMIN authorization check definition in the Config

    ...

    // protect the /cas/ URL with a CAS login process and a ROLE_ADMIN check
    registry.addInterceptor(
            new SecurityInterceptor(config, "CasClient", new RequireAnyRoleAuthorizer("ROLE_ADMIN"))
        ).addPathPatterns("/cas/*");
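As an added example (not code from the pac4j project), here is how the inline-authorizer style above fits into a complete Spring WebMVC configuration class, with the same CAS client and callback URL as the snippets, one path protected by a ROLE_ADMIN check and a second path that only requires a CAS login. The class and package names and the /user/* path are assumptions; the CallbackController and LogoutController are picked up by scanning the spring-webmvc-pac4j package.

```java
package example.security; // hypothetical package

import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
// registers the CallbackController (/callback) and LogoutController shipped with spring-webmvc-pac4j
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class Pac4jSecurityConfig implements WebMvcConfigurer { // hypothetical class name

    @Bean
    public Config config() {
        // CAS login process (same CAS server and callback URL as on this page)
        var casClient = new CasClient(new CasConfiguration("https://casserverpac4j.herokuapp.com/login"));
        var clients = new Clients("http://localhost:8080/callback", casClient);
        // no named authorizer in the Config: authorizers are attached per interceptor below
        return new Config(clients);
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // inside a @Configuration class this returns the singleton Config bean
        var config = config();

        // /cas/*: CAS login plus a ROLE_ADMIN check, declared inline (spring-webmvc-pac4j >= 6.1)
        registry.addInterceptor(
                new SecurityInterceptor(config, "CasClient", new RequireAnyRoleAuthorizer("ROLE_ADMIN"))
            ).addPathPatterns("/cas/*");

        // /user/* (assumed path): CAS login only, any authenticated user is allowed
        registry.addInterceptor(
                new SecurityInterceptor(config, "CasClient")
            ).addPathPatterns("/user/*");
    }
}
```

Declaring the authorizer as an object rather than a name means a misspelled authorizer name can no longer silently fail to match a Config entry; the check is resolved at compile time.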

What’s next?

Follow this blog or subscribe to the pac4j mailing lists to get updated news.

Jérôme LELEU - September 2022