Skip to content


Folders and files

Last commit message
Last commit date

Latest commit


Repository files navigation

The javalin-pac4j project is an easy and powerful security library for Javalin web applications which supports authentication and authorization, but also logout and advanced features like session fixation and CSRF protection.

It's based on Java 11 and the pac4j security engine v5. It's available under the Apache 2 license.

Main concepts and components:

  1. A client represents an authentication mechanism. It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication:

▸ OAuth - SAML - CAS - OpenID Connect - HTTP - Google App Engine - LDAP - SQL - JWT - MongoDB - Stormpath - IP address

  1. An authorizer is meant to check authorizations on the authenticated user profile(s) or on the current web context:

▸ Roles / permissions - Anonymous / remember-me / (fully) authenticated - Profile type, attribute - CORS - CSRF - Security headers - IP address, HTTP method

  1. A matcher defines whether the SecurityHandler must be applied and can be used for additional web processing

  2. The SecurityHandler protects an url by checking that the user is authenticated and that the authorizations are valid, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients

  3. The CallbackHandler finishes the login process for an indirect client

  4. The LogoutHandler handles the logout process.

Just follow these easy steps to secure your Javalin application:

1) Add the required dependencies (javalin-pac4j and pac4j-* libraries)

You need to add a dependency for:

  • the javalin-pac4j library (groupId: org.pac4j, version: 6.0.0)
  • the appropriate pac4j submodules (groupId: org.pac4j, version: 5.7.1): pac4j-oauth for OAuth support (Facebook, Twitter...), pac4j-cas for CAS support, pac4j-ldap for LDAP authentication, etc.

All released artifacts are available in the Maven central repository.

2) Define the configuration

The configuration (org.pac4j.core.config.Config) contains all the clients and authorizers required by the application to handle security.

3) Protect urls

Create an implementation of SecurityHandler and attach it to a before handler that covers the URLs you want to protect. The example app shows an implementation for every client.

4) Define the callback endpoint only for indirect clients (CallbackHandler)

For indirect clients (like Facebook), the user is redirected to an external identity provider for login and then back to the application. The example app shows an implementation.

5) Get the user profile (via HttpServletRequest or ProfileManager)

The example app shows an implementation.

6) Logout (LogoutHandler)

You can have a local logout or a global logout. The example app shows both implementations.

Need help?

You can use the mailing lists or the commercial support.


Maven artifacts are built via Travis: Build Status and available in the Sonatype snapshots repository. This repository must be added in the Maven pom.xml file for example:

    <name>Sonatype Nexus Snapshots</name>


Security library for Javalin: OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...






No packages published