Security configuration
You need to define the authentication mechanisms (Client) and authorization checks (Authorizer) you want.
The configuration (org.pac4j.core.config.Config) contains all the clients and authorizers required by the application to handle security.
It can be built via a Spring context file or a Spring configuration class:
<!-- SAML2 service-provider (SP) configuration.
     The keystore password and the private-key password are demo literals here;
     in a real deployment externalize them (property placeholder, vault) instead of
     committing them with the context file. -->
<bean id="samlConfig" class="org.pac4j.saml.config.SAML2Configuration">
    <property name="keystoreResourceClasspath" value="samlKeystore.jks" />
    <property name="keystorePassword" value="pac4j-demo-passwd" />
    <property name="privateKeyPassword" value="pac4j-demo-passwd" />
    <!-- IdP metadata (Okta in this demo) loaded from the classpath. -->
    <property name="identityProviderMetadataResourceClasspath" value="metadata-okta.xml" />
    <!-- Maximum accepted age of the IdP authentication, in seconds. -->
    <property name="maximumAuthenticationLifetime" value="3600" />
    <!-- The SP entity id is the callback URL qualified with the client name. -->
    <property name="serviceProviderEntityId" value="http://localhost:8080/callback?client_name=SAML2Client" />
    <!-- Location of the SP metadata file, relative to the JVM working directory. -->
    <property name="serviceProviderMetadataResourceFilepath" value="sp-metadata.xml" />
</bean>
<bean id="saml2Client" class="org.pac4j.saml.client.SAML2Client">
    <constructor-arg name="configuration" ref="samlConfig" />
</bean>
<!-- OAuth clients: the key/secret pairs below are demo values.
     A real application secret must be injected from configuration, never checked in. -->
<bean id="facebookClient" class="org.pac4j.oauth.client.FacebookClient">
    <constructor-arg name="key" value="145278422258960" />
    <constructor-arg name="secret" value="be21409ba8f39b5dae2a7de525484da8" />
</bean>
<bean id="twitterClient" class="org.pac4j.oauth.client.TwitterClient">
    <constructor-arg name="key" value="CoxUiYwQOSFDReZYdjigBA" />
    <constructor-arg name="secret" value="2kAzunH5Btc4gRSaMr7D7MkyoJ5u1VzbOOzE8rBofs" />
</bean>
<!-- Test-only username/password check (package ...authenticator.test);
     replace it with a real Authenticator before any non-demo use. -->
<bean id="testAuthenticator" class="org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator">
</bean>
<!-- Form login: the login page URL and the authenticator that validates the submitted credentials. -->
<bean id="formClient" class="org.pac4j.http.client.indirect.FormClient">
    <constructor-arg name="loginUrl" value="http://localhost:8080/loginForm" />
    <constructor-arg name="usernamePasswordAuthenticator" ref="testAuthenticator" />
</bean>
...
<!-- All clients, sharing one callback URL (used by the indirect clients only).
     oidClient, indirectBasicAuthClient, casClient, parameterClient, directBasicAuthClient
     and casRestBasicAuthClient are defined in the part elided ("...") above. -->
<bean id="clients" class="org.pac4j.core.client.Clients">
    <constructor-arg name="callbackUrl" value="http://localhost:8080/callback" />
    <constructor-arg name="clients">
        <list>
            <ref bean="oidClient" />
            <ref bean="saml2Client" />
            <ref bean="facebookClient" />
            <ref bean="twitterClient" />
            <ref bean="formClient" />
            <ref bean="indirectBasicAuthClient" />
            <ref bean="casClient" />
            <ref bean="parameterClient" />
            <ref bean="directBasicAuthClient" />
            <ref bean="casRestBasicAuthClient" />
        </list>
    </constructor-arg>
</bean>
<!-- Authorizers. "admin" passes only profiles that carry ROLE_ADMIN;
     "custom" delegates to the application's own Authorizer implementation. -->
<bean id="adminRoleAuthorizer" class="org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer">
    <constructor-arg name="roles" value="ROLE_ADMIN" />
</bean>
<bean id="customAuthorizer" class="org.pac4j.demo.spring.CustomAuthorizer">
</bean>
<!-- The Config bean ties the clients and the named authorizers together. -->
<bean id="config" class="org.pac4j.core.config.Config">
    <constructor-arg name="clients" ref="clients" />
    <constructor-arg name="authorizers">
        <map>
            <entry key="admin" value-ref="adminRoleAuthorizer" />
            <entry key="custom" value-ref="customAuthorizer" />
        </map>
    </constructor-arg>
</bean>
See a full example here.
/**
 * Spring configuration class that builds the pac4j {@code Config}
 * (clients + named authorizers) used by the application.
 *
 * <p>This is demo configuration: the OIDC client secret and the SAML keystore
 * passwords below are literal values. The {@code salt} field shows the pattern
 * to use instead (inject secrets from configuration via {@code @Value}).
 */
@Configuration
public class Pac4jConfig {
    // Injected secret; used below as both the JWT signature and the JWT encryption secret.
    @Value("${salt}")
    private String salt;

    /**
     * Assembles every client and authorizer into a single {@code Config}.
     *
     * @return the security configuration (clients and authorizers) for the application
     */
    @Bean
    public Config config() {
        final OidcConfiguration oidcConfiguration = new OidcConfiguration();
        // Demo client id / secret. A real secret should be injected like `salt` above, not hard-coded.
        oidcConfiguration.setClientId("167480702619-8e1lo80dnu8bpk3k0lvvj27noin97vu9.apps.googleusercontent.com");
        oidcConfiguration.setSecret("MhMme_Ik6IH2JMnAT6MFIfee");
        // Preferred JWS algorithm for this client.
        oidcConfiguration.setPreferredJwsAlgorithm(JWSAlgorithm.PS384);
        // Extra request parameter: always prompt the user for consent.
        oidcConfiguration.addCustomParam("prompt", "consent");
        final GoogleOidcClient oidcClient = new GoogleOidcClient(oidcConfiguration);
        // Demo only: every profile authenticated by this client is granted ROLE_ADMIN
        // unconditionally, so the "admin" authorizer registered below passes for any such login.
        oidcClient.setAuthorizationGenerator((ctx, profile) -> { profile.addRole("ROLE_ADMIN"); return profile; });
        // SAML SP configuration: keystore, keystore password, private-key password (same demo literal), IdP metadata.
        final SAML2Configuration cfg = new SAML2Configuration(new ClassPathResource("samlKeystore.jks"), "pac4j-demo-passwd", "pac4j-demo-passwd", new ClassPathResource("metadata-okta.xml"));
        // Maximum accepted age of the IdP authentication, in seconds.
        cfg.setMaximumAuthenticationLifetime(3600);
        // The SP entity id is the callback URL qualified with the client name.
        cfg.setServiceProviderEntityId("http://localhost:8080/callback?client_name=SAML2Client");
        // SP metadata file, resolved against the JVM working directory.
        cfg.setServiceProviderMetadataResource(new FileSystemResource(new File("sp-metadata.xml").getAbsoluteFile()));
        final SAML2Client saml2Client = new SAML2Client(cfg);
        ...
        // CAS client pointing at the demo CAS server's login URL.
        final CasConfiguration configuration = new CasConfiguration("https://casserverpac4j.herokuapp.com/login");
        final CasClient casClient = new CasClient(configuration);
        // JWT validation: `salt` is reused as both the signing and the encryption secret.
        // NOTE(review): distinct secrets for the two purposes would limit the impact of one being exposed.
        final SecretSignatureConfiguration secretSignatureConfiguration = new SecretSignatureConfiguration(salt);
        final SecretEncryptionConfiguration secretEncryptionConfiguration = new SecretEncryptionConfiguration(salt);
        final JwtAuthenticator authenticator = new JwtAuthenticator();
        authenticator.setSignatureConfiguration(secretSignatureConfiguration);
        authenticator.setEncryptionConfiguration(secretEncryptionConfiguration);
        // Reads the JWT from the "token" request parameter; GET requests only, POST disabled.
        // NOTE(review): a token carried in a GET query string can end up in access logs and browser history.
        ParameterClient parameterClient = new ParameterClient("token", authenticator);
        parameterClient.setSupportGetRequest(true);
        parameterClient.setSupportPostRequest(false);
        // Test-only authenticator for the demo; replace with a real credential check before non-demo use.
        final DirectBasicAuthClient directBasicAuthClient = new DirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
        // facebookClient, twitterClient, formClient and indirectBasicAuthClient are created in the part elided ("...") above.
        // The callback URL is shared by all indirect clients.
        final Clients clients = new Clients("http://localhost:8080/callback", oidcClient, saml2Client, facebookClient,
                twitterClient, formClient, indirectBasicAuthClient, casClient, parameterClient, directBasicAuthClient);
        final Config config = new Config(clients);
        // Authorizers are registered by name: "admin" requires ROLE_ADMIN, "custom" is the application's own check.
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
        config.addAuthorizer("custom", new CustomAuthorizer());
        return config;
    }
}
See a full example here.
http://localhost:8080/callback is the URL of the callback endpoint; it is only needed for indirect clients.
Notice that you can define specific matchers via the addMatcher(name, Matcher) method.