The javalin-pac4j project is an easy and powerful security library for Javalin web applications. It supports
authentication and authorization, as well as logout and advanced features such as session fixation and CSRF protection.
It is based on Java 8 and the pac4j security engine v4, and is available under the Apache 2 license.
- A client represents an authentication mechanism. It performs the login process and returns a user profile. An indirect client is for UI authentication while a direct client is for web services authentication:
▸ OAuth - SAML - CAS - OpenID Connect - HTTP - OpenID - Google App Engine - LDAP - SQL - JWT - MongoDB - Stormpath - IP address
- An authorizer is meant to check authorizations on the authenticated user profile(s) or on the current web context:
▸ Roles / permissions - Anonymous / remember-me / (fully) authenticated - Profile type, attribute - CORS - CSRF - Security headers - IP address, HTTP method
- SecurityHandler protects a URL by checking that the user is authenticated and that the authorizations are valid, according to the clients and authorizers configuration. If the user is not authenticated, it performs authentication for direct clients or starts the login process for indirect clients.
- CallbackHandler finishes the login process for an indirect client.
- LogoutHandler handles the logout process.
Just follow these easy steps to secure your Javalin application:
1) Add the required dependencies (
You need to add a dependency for:
- the javalin-pac4j library (groupId: org.pac4j, version: 3.0.0)
- the appropriate pac4j submodules (groupId: org.pac4j, version: 4.0.0):
  - pac4j-oauth for OAuth support (Facebook, Twitter...),
  - pac4j-cas for CAS support,
  - pac4j-ldap for LDAP authentication, etc.
All released artifacts are available in the Maven central repository.
2) Define the configuration
The configuration (org.pac4j.core.config.Config) contains all the clients and authorizers required by the application to handle security.
3) Protect URLs
Create an implementation of SecurityHandler and attach it to a before handler that covers the URLs you want to protect.
The example app shows an implementation for every client.
4) Define the callback endpoint only for indirect clients (
For indirect clients (like Facebook), the user is redirected to an external identity provider for login and then back to the application. The example app shows an implementation.
5) Get the user profile (via
The example app shows an implementation.
6) Logout (
You can have a local logout or a global logout. The example app shows both implementations.
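Steps 2 to 6 put together in one application, as an added example that is not the project's own demo code. It assumes the javalin-pac4j 3.0.0 / pac4j 4.0.0 APIs (SecurityHandler, CallbackHandler, LogoutHandler, JavalinWebContext, including the public destroySession and centralLogout fields of LogoutHandler), the pac4j-http FormClient with the test-only SimpleTestUsernamePasswordAuthenticator, and constructed paths and port.

```java
import io.javalin.Javalin;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.config.Config;
import org.pac4j.core.credentials.authenticator.SimpleTestUsernamePasswordAuthenticator;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.http.client.indirect.FormClient;
import org.pac4j.javalin.CallbackHandler;
import org.pac4j.javalin.JavalinWebContext;
import org.pac4j.javalin.LogoutHandler;
import org.pac4j.javalin.SecurityHandler;
import java.util.List;

public class SecuredApp {
    public static void main(String[] args) {
        // 2) Configuration: one indirect client (HTML login form) plus one role authorizer.
        //    SimpleTestUsernamePasswordAuthenticator accepts username == password: test use only.
        FormClient formClient = new FormClient("http://localhost:8080/loginForm",
                new SimpleTestUsernamePasswordAuthenticator());
        Config config = new Config("http://localhost:8080/callback", formClient);
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));

        Javalin app = Javalin.create().start(8080);
        app.get("/loginForm", ctx -> ctx.html("<form method='POST' action='" + formClient.getCallbackUrl()
                + "'><input name='username'><input name='password' type='password'><button>Login</button></form>"));

        // 3) Protect URLs: /protected/* needs an authenticated FormClient profile,
        //    /admin/* additionally needs the "admin" authorizer (ROLE_ADMIN) to pass.
        app.before("/protected/*", new SecurityHandler(config, "FormClient"));
        app.before("/admin/*", new SecurityHandler(config, "FormClient", "admin"));

        // 4) Callback for the indirect client. renewSession=true issues a fresh session id
        //    after a successful login, which is the session fixation protection.
        CallbackHandler callback = new CallbackHandler(config, "/", true);
        app.get("/callback", callback);
        app.post("/callback", callback);

        // 5) Read the profile(s) the handlers stored in the session (true = read from session).
        app.get("/protected/whoami", ctx -> {
            List<CommonProfile> profiles = new ProfileManager<CommonProfile>(new JavalinWebContext(ctx)).getAll(true);
            ctx.result(profiles.isEmpty() ? "anonymous" : profiles.get(0).getId());
        });

        // 6) Logout: local (drop pac4j profiles and destroy the session) vs. central
        //    (also redirect to the identity provider's own logout).
        LogoutHandler localLogout = new LogoutHandler(config, "/?defaulturlafterlogout");
        localLogout.destroySession = true;
        app.get("/logout", localLogout);
        LogoutHandler centralLogout = new LogoutHandler(config, "http://localhost:8080/?defaulturlafterlogout");
        centralLogout.destroySession = true;
        centralLogout.centralLogout = true;
        app.get("/centralLogout", centralLogout);
    }
}
```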
If you have any questions, please use the following mailing lists:
Maven artifacts are built via Travis and available in the Sonatype snapshots repository. This repository must be added to the Maven pom.xml file, for example:

    <repositories>
      <repository>
        <id>sonatype-nexus-snapshots</id>
        <name>Sonatype Nexus Snapshots</name>
        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
        <releases>
          <enabled>false</enabled>
        </releases>
        <snapshots>
          <enabled>true</enabled>
        </snapshots>
      </repository>
    </repositories>