Security engine for Java (authentication, authorization, multi frameworks): OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...

Overview

pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.

It provides a comprehensive set of concepts and components. It is based on Java 8 and available under the Apache 2 license. It is available for most frameworks/tools and supports most authentication/authorization mechanisms.

Available implementations (Get started by clicking on your framework):

Spring Web MVC (Spring Boot) - JEE - Apache Shiro - Spring Security (Spring Boot) - Play 2.x - Vertx

Spark Java - Javalin - Ratpack - Pippo - Undertow - Jooby

CAS server - JAX-RS - Dropwizard - Lagom - Akka HTTP - Apache Knox

Authentication mechanisms:

OAuth (Facebook, Twitter, Google...) - SAML - CAS - OpenID Connect - HTTP - Google App Engine - Kerberos (SPNEGO/Negotiate)

LDAP - SQL - JWT - MongoDB - CouchDB - IP address - REST API

Authorization mechanisms:

Roles/permissions - Anonymous/remember-me/(fully) authenticated - Profile type, attribute

CORS - CSRF - Security headers - IP address, HTTP method


Versions

The latest released version is available in the Maven Central repository. The next version is under development.

Read the documentation for more information.

Need help?

You can use the mailing lists or the commercial support.

Supported by

CAS in the cloud, the CAS and pac4j consulting company.

Comments
  • New feature: Database configuration of SAML clients

    Added a new Maven module with SAML clients able to be initialized from a relational database. There is quite a lot of duplicate code between PAC4J-SAML and PAC4J-SAML-DB, further changes are assumed that should remove most duplicates.

    opened by jkacer 31
  • Add CouchProfileService

    This adds and documents a CouchDB authenticator and fixes #902.

    The tests in the current state of the PR require a CouchDB server running on http://localhost:13598 so I think it still needs some more work to find a proper CouchDB mocking. But I'm opening the pull request to see if you have some comments other than this one...?

    opened by eroux 26
  • Extraction of attributevalues with complex types

    Hello everyone,

    while using Pac4j for SAML Delegate Authentication in CAS, I have encountered a problem when extracting complex type attributes from SAML2 assertions. After checking with the Pac4j codebase, I have noticed that there is no differentiation at all and the value is just being extracted by calling dom.getTextContent(), which stuffs all attribute values from complex types into one long string.

    Example:

        <saml:AttributeStatement>
          <saml:Attribute Name="Foo">
            <saml:AttributeValue xsi:type="xs:string">Bar</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="Organization"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue>
              <OrganizationType
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:q1="urn:osp:foo:schemas:identity"
                xsi:type="q1:OrganizationType"
                id="ab417e71-3fe8-4981-d629-08d90ef68525">
                <q1:OrganizationName q1:attributeId="urn:osp:foo:attribute:organizationName">Example Corp</q1:OrganizationName>
                <q1:EmailAddress q1:attributeId="urn:osp:foo:attribute:emailAddress">[email protected]</q1:EmailAddress>
                <q1:Address q1:attributeId="urn:osp:foo:attribute:address">
                  <q1:Street q1:attributeId="urn:osp:foo:attribute:street">Example St</q1:Street>
                  <q1:StreetNumber q1:attributeId="urn:osp:foo:attribute:streetNumber">123</q1:StreetNumber>
                  <q1:City q1:attributeId="urn:osp:foo:attribute:city">ExampleCity</q1:City>
                  <q1:ZipCode q1:attributeId="urn:osp:foo:attribute:zipCode">123456</q1:ZipCode>
                  <q1:Country q1:attributeId="urn:osp:foo:attribute:country">ExampleCountry</q1:Country>
                </q1:Address>
              </OrganizationType>
            </saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
    

    While the attribute Foo is extracted without a problem, the attribute Organization with its complex value type is extracted as one large text with line delimiters. After extraction with the current code base, printing the results looks like this:

    Foo=Bar
    Organization=
              
                Example Corp
                [email protected]
                
                  Example St
                  123
                  ExampleCity
                  123456
                  ExampleCountry
    

    I have implemented a more forgiving extractor. With it the output looks a little better:

    Foo=Bar
    OrganizationName=Example Corp
    [email protected]
    Street=Example St
    StreetNumber=123
    City=ExampleCity
    ZipCode=123456
    Country=ExampleCountry
    

    What do you think?

    Cheers

    opened by fbusselgln 21
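As an added illustration of the two extraction behaviours this issue contrasts (example code written here, not pac4j's own code or the issue author's), the following parses a constructed AttributeStatement with the JDK DOM API and compares collapsing each AttributeValue with getTextContent() against descending into complex values down to their leaf elements. The class and method names and the sample XML are assumptions.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SamlAttributeExtractor {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed sample (not a real IdP response): one xs:string attribute beside a complex-typed one.
    static final String STATEMENT = "<saml:AttributeStatement xmlns:saml=\"" + NS + "\" xmlns:q1=\"urn:osp:foo:schemas:identity\">"
        + "<saml:Attribute Name=\"Foo\"><saml:AttributeValue>Bar</saml:AttributeValue></saml:Attribute>"
        + "<saml:Attribute Name=\"Organization\"><saml:AttributeValue><OrganizationType>"
        + "<q1:OrganizationName>Example Corp</q1:OrganizationName><q1:Address><q1:City>ExampleCity</q1:City>"
        + "<q1:ZipCode>123456</q1:ZipCode></q1:Address></OrganizationType></saml:AttributeValue></saml:Attribute>"
        + "</saml:AttributeStatement>";

    // descendComplex=false reproduces the current behaviour: each AttributeValue is collapsed with
    // getTextContent(), so Organization becomes one run-together string. descendComplex=true walks complex
    // values down to leaf elements keyed by local name; all leaves share one map, so a repeated name overwrites.
    static Map<String, String> extract(Element statement, boolean descendComplex) {
        Map<String, String> out = new LinkedHashMap<>();
        NodeList attrs = statement.getElementsByTagNameNS(NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            NodeList values = attr.getElementsByTagNameNS(NS, "AttributeValue");
            for (int j = 0; j < values.getLength(); j++) {
                Element value = (Element) values.item(j);
                if (!descendComplex || !collectLeaves(value, out)) out.put(attr.getAttribute("Name"), value.getTextContent().trim());
            }
        }
        return out;
    }

    // Recurses into child elements; returns false when e has none, i.e. it is a leaf the caller must key.
    static boolean collectLeaves(Element e, Map<String, String> out) {
        boolean hasChildElements = false;
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            hasChildElements = true;
            if (!collectLeaves((Element) n, out)) out.put(n.getLocalName(), n.getTextContent().trim());
        }
        return hasChildElements;
    }
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs, so no XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }
}
```

Calling extract(parse(STATEMENT), false) yields Foo=Bar and Organization as the concatenated leaf texts, while extract(parse(STATEMENT), true) yields Foo, OrganizationName, City and ZipCode as separate entries, mirroring the two outputs shown in the issue.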
  • Logging improvements

    Here is a less complex fix for #695 than #696 :)

    I still made some changes on some of the other exceptions, but everything stayed runtime exceptions.

    Everything is explained in the commit messages, it is similar to #696 in terms of behaviour, I made some improvements here and there.

    opened by victornoel 21
  • Introduces matches() in PasswordEncoder

    Here is a PR for #617 :)

    I added the matches method to PasswordEncoder. I added three password encoders: one for Spring, one for Shiro and one for jBcrypt.

    I updated MongoAuthenticator and DbAuthenticator to take advantage of the matches method.

    At first I wanted to update also StormpathAuthenticator (which extends AbstractUsernamePasswordAuthenticator like the other two), but it seems to me that StormpathAuthenticator really only needs the Encoding part of the PasswordEncoder; the matching seems to be handled by the Stormpath library itself. Thus I really wonder if it makes sense to encode the password in the StormpathAuthenticator! But this is out of scope of the current PR, I can open an issue if you want.

    opened by victornoel 19
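As an added example (written here, not the PR's or pac4j's code) of why a matches() method is needed next to encode(): a salted encoder can never reproduce a stored hash by re-encoding the submitted password, so verification has to re-derive using the salt and parameters kept in the stored value. The interface shape, class names and stored-hash format are assumptions, and the JDK PBKDF2 implementation stands in for the Spring, Shiro and jBCrypt encoders the PR adds.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Assumed shape of the interface the PR describes: encode() when storing, matches() when checking.
interface PasswordEncoder {
    String encode(String plainPassword);
    boolean matches(String plainPassword, String encodedPassword);
}

// Salted PBKDF2 encoder built on the JDK only; it stands in for the Spring, Shiro and jBCrypt encoders
// the PR adds. Stored form (constructed here): "pbkdf2$<iterations>$<base64 salt>$<base64 hash>".
class Pbkdf2PasswordEncoder implements PasswordEncoder {
    private static final int ITERATIONS = 100_000, KEY_BITS = 256, SALT_BYTES = 16;
    private final SecureRandom random = new SecureRandom();
    public String encode(String plain) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$"
            + b64.encodeToString(derive(plain, salt, ITERATIONS));
    }

    // Re-derives with the salt and iteration count taken from the stored value. encode(plain).equals(stored)
    // can never work, because every encode() draws a fresh salt: that is the gap matches() closes, and it
    // lets an authenticator verify a password without knowing which scheme produced the stored hash.
    public boolean matches(String plain, String stored) {
        String[] parts = stored == null ? new String[0] : stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2".equals(parts[0])) return false;
        try {
            Base64.Decoder b64 = Base64.getDecoder();
            byte[] actual = derive(plain, b64.decode(parts[2]), Integer.parseInt(parts[1]));
            return MessageDigest.isEqual(b64.decode(parts[3]), actual); // constant-time comparison
        } catch (IllegalArgumentException malformed) { // bad base64 or iteration count in the stored value
            return false;
        }
    }

    private static byte[] derive(String plain, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(plain.toCharArray(), salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

An authenticator such as the PR's DbAuthenticator or MongoAuthenticator would load the stored string for the submitted username and call matches(submitted, stored) rather than comparing encode(submitted) with it.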
  • Allow PartialLogout to be a successful SAML2 logout response, if configured explicitly.

    When sending a SAML2 logout response to a service, the IdP can respond with urn:oasis:names:tc:SAML:2.0:status:PartialLogout because it was unable to contact all participating services (SLO). The session has been terminated on the IdP however and since the logout request was initiated by the service, it may be ok to continue the flow even when SLO is not configured properly somewhere else.

    This changeset introduces a new SAML2 client property, allowing to treat PartialLogout responses like a Success, if configured explicitly. The default behaviour is not changed for now, although it would probably make sense, because the logout process between Pac4j-Service and IdP is still successful in the described case.

    opened by fbusselgln 18
  • OIDC: extract claims from JWT access token

    When an OIDC OP produces an access token as a JWT, pac4j must be able to extract those claims as well, after verifying the AT. Currently, only ID token claims and profile claims are collected into the profile.

    opened by mmoayyed 17
  • Kerberos implementation

    I know you guys said you won't accept a kerberos implementation for whatever reasons.. But I wanted to make sure that the work I've done is somewhere. We are using a 1.8 pac4j version of this with our clients. The rationale in my mind for this is as follows. We create software that's distributed to multiple clients and each of them has their own security requirements. Our software allowed them to configure in the kind of security they want and we're using pac4j as that library. Even though kerberos may be supported via other mechanisms, using pac4j as the common integration layer provides value for us. I'm not sure how to implement unit tests yet and until I know you're going to include it there's no point making the effort.

    opened by garpinc 17
  • Allow security logic to forcefully execute clients

    • Adds an optional boolean flag to the default security logic to not load profiles from the session and instead loop through the existing clients to renew the user profile. The default behavior is as it was before, without change.
    • Add test cases to verify behavior.

    opened by mmoayyed 16
  • Compatibility with Microsoft ADFS 2.0

    Added a short Read Me text file with steps to follow in order to use PAC4J against ADFS. Modified SAML2 response validation. NameID is not needed if at least one Subject Confirmation is present (even without a NameID). BaseID is also accepted. If NameID is empty, a dummy NameID is used for SAML2 credentials.

    opened by jkacer 16
  • CredentialException handling improvements

    EDIT: see comments below, this has been rebased on top of #697

    A fix for #695

    It became MUCH bigger than what I expected at first.

    The thing is that I found myself needing to differentiate between expected exceptions (such as badly formatted client requests, invalid credentials, missing information, nonexistent accounts) and unexpected exceptions (such as multiple accounts in the db, problems connecting to the remote authenticator provider, etc.).

    So I made CredentialsException extend Exception instead of TechnicalException, I made MultipleAccountsFoundException extend TechnicalException, and then I had to make OAuthCredentialsException extend TechnicalException too because the OAuth client is not an IndirectClientV2 and does not use the Authenticator abstractions.

    Then because CredentialsException became a checked exception, I had to change a lot of things in many places, mostly tests.

    I took this opportunity to add a few improvements in the LocalCachingAuthenticator so that it rethrows the original exception and not the cache's ExecutionException. I also improved (but please check it is correct) the JwtAuthenticator to throw a CredentialsException instead of a TechnicalException when the JWT token can't be parsed, because it is expected that a client could send wrong data. The opposite happened with the StormpathAuthenticator that was throwing a BadCredentialsException when it had a problem connecting to Stormpath.

    This changes the API of Authenticator because now it can throw 2 checked exceptions in validate. The same for CredentialsExtractor (maybe in its case, an exception for bad format could be introduced instead of using the generic CredentialsException, by the way...).

    opened by victornoel 15
Owner
PAC4J
The security library for Java