Fork me on GitHub

Authenticators: (v6.1)

HTTP clients require an Authenticator to validate the credentials.

This Authenticator interface has only one method: Optional<Credentials> validate(CallContext ctx, Credentials credentials).

Credentials can be of two kinds:

The HttpAction allows you to interrupt the credentials validation and trigger a specific HTTP action (like a temporary redirection).

You can use various Authenticator for many identity mechanisms:

1) Dealing with performance issues

For direct HTTP clients, credentials are passed and validated for each request, which may lead to performance issues (too many calls to the underlying identity system). So the use of a cache is highly recommended.

This can be done using the LocalCachingAuthenticator class (available in the pac4j-core module) which caches the resulted user profile depending on the provided credentials and can thus spare credentials validation on the identity system.

Example:

LocalCachingAuthenticator authent = new LocalCachingAuthenticator(new JwtAuthenticator(secret), 10000, 15, TimeUnit.MINUTES);

By default, the LocalCachingAuthenticator uses Guava as its internal Store but you can provide your own store via the setStore method.

Notice that this LocalCachingAuthenticator requires the additionnal guava dependency.

In some cases, you may also rely on the session by using: client.setSaveProfileInSession(true);.

In case of a “noop” authenticator (Authenticator.ALWAYS_VALIDATE) where only the profile creation matters, you should use the LocalCachingProfileCreator instead.

2) PasswordEncoder

Regarding the IP address authenticator, there is no need for password protection. Regarding the LDAP authenticator, the password protection is handled by the system itself.

But for the MongoDB and SQL authenticators, the password protection must be handled explicitly by the PasswordEncoder which can encode plaintext passwords into encrypted passwords as well as check if a plaintext password matches with an already encoded password.

The password encoder must be defined for these two authenticators via constructors or via the setPasswordEncoder(passwordEncoder) method.

Three PasswordEncoder implementations are available:

Notice that the SpringSecurityPasswordEncoder requires the additionnal spring-security-crypto dependency, the ShiroPasswordEncoder the shiro-core dependency and the JBCryptPasswordEncoder the jBCrypt dependency.

3) ProfileCreator

In fact, in the HTTP clients, you can also define the way the user profile is created via a ProfileCreator in addition to the way of validating credentials (Authenticator).

In practice:

So it works out of the box, even if providing a specific ProfileCreator is possible.