Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.

The javalin-pac4j project is an easy and powerful security library for Javalin web applications which supports authentication and authorization, but also logout and advanced features like session fixation and CSRF protection.

It's based on Java 8 and the pac4j security engine v4. It's available under the Apache 2 license.

Main concepts and components:

  1. A client represents an authentication mechanism. It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication:

▸ OAuth - SAML - CAS - OpenID Connect - HTTP - OpenID - Google App Engine - LDAP - SQL - JWT - MongoDB - Stormpath - IP address

  1. An authorizer is meant to check authorizations on the authenticated user profile(s) or on the current web context:

▸ Roles / permissions - Anonymous / remember-me / (fully) authenticated - Profile type, attribute - CORS - CSRF - Security headers - IP address, HTTP method

  1. The SecurityHandler protects an url by checking that the user is authenticated and that the authorizations are valid, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients

  2. The CallbackHandler finishes the login process for an indirect client

  3. The LogoutHandler handles the logout process.

Just follow these easy steps to secure your Javalin application:

1) Add the required dependencies (javalin-pac4j and pac4j-* libraries)

You need to add a dependency for:

  • the javalin-pac4j library (groupId: org.pac4j, version: 3.0.0)
  • the appropriate pac4j submodules (groupId: org.pac4j, version: 4.0.0): pac4j-oauth for OAuth support (Facebook, Twitter...), pac4j-cas for CAS support, pac4j-ldap for LDAP authentication, etc.

All released artifacts are available in the Maven central repository.

2) Define the configuration

The configuration (org.pac4j.core.config.Config) contains all the clients and authorizers required by the application to handle security.

3) Protect urls

Create an implementation of SecurityHandler and attach it to a before handler that covers the URLs you want to protect. The example app shows an implementation for every client.

4) Define the callback endpoint only for indirect clients (CallbackHandler)

For indirect clients (like Facebook), the user is redirected to an external identity provider for login and then back to the application. The example app shows an implementation.

5) Get the user profile (via HttpServletRequest or ProfileManager)

The example app shows an implementation.

6) Logout (LogoutHandler)

You can have a local logout or a global logout. The example app shows both implementations.

Need help?

If you have any question, please use the following mailing lists:


Maven artifacts are built via Travis: Build Status and available in the Sonatype snapshots repository. This repository must be added in the Maven pom.xml file for example:

    <name>Sonatype Nexus Snapshots</name>


Security library for Javalin: OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...



No packages published