Secure your Spring Boot Web App in 5 Minutes with pac4j

pac4j is a full security library, easy and powerful, which supports authentication and authorization, but also application logout and advanced features like CSRF protection.

I'm proud to announce the release of spring-webmvc-pac4j v1.0 (https://github.com/pac4j/spring-webmvc-pac4j) based on pac4j v1.8 (https://github.com/pac4j/pac4j) for any Spring MVC / Boot web application. It's a full security library, easy and powerful, which supports authentication and authorization, but also application logout and advanced features like CSRF protection.

It supports most authentication mechanisms: OAuth (Facebook, Twitter, Google, Yahoo...), CAS, HTTP (form, basic auth...), OpenID, SAML, Google App Engine, OpenID Connect, JWT, LDAP, RDBMS, MongoDB and Stormpath, as well as authorization checks (role / permission, CSRF token...).

In four easy steps, secure your webapp:

1) Add the dependency on the library (spring-webmvc-pac4j) and on the required authentication mechanisms (for example, the pac4j-oauth library for Facebook).

2) Define the authentication mechanisms (clients) and the authorizers (which check authorizations). For example, Facebook authentication as the client and a ROLE_ADMIN check as the authorizer:

import org.pac4j.core.authorization.RequireAnyRoleAuthorizer;
import org.pac4j.core.config.Config;
import org.pac4j.oauth.client.FacebookClient;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class Pac4jConfig {

    @Bean
    public Config config() {
        // "fbId" / "fbSecret" are placeholders: use your own Facebook application id and secret
        FacebookClient facebookClient = new FacebookClient("fbId", "fbSecret");
        // every client shares this callback URL, where the callback controller completes the login
        Config config = new Config("http://localhost:8080/callback", facebookClient);
        // named authorizer, referenced later from the interceptor: the profile must carry ROLE_ADMIN
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
        return config;
    }
}

3) Define the callback controller on the /callback URL by scanning the package that contains it (the annotation goes on one of your @Configuration classes):

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;

// scanning this pac4j package registers the controller that handles /callback
// (CallbackConfig is just an example class name)
@Configuration
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class CallbackConfig {
}

4) Secure the /facebook/* URL so that it requires an authenticated user, starting a Facebook authentication if there is none:

import org.pac4j.core.config.Config;
import org.pac4j.springframework.web.RequiresAuthenticationInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebMvcConfigurerAdapter {

    @Autowired
    private Config config;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // "FacebookClient" names the client used to start the login when no user is authenticated
        registry
          .addInterceptor(new RequiresAuthenticationInterceptor(config, "FacebookClient"))
          .addPathPatterns("/facebook/*");
    }
}

or, in addition, require the user to have ROLE_ADMIN by naming the "admin" authorizer defined in step 2:

import org.pac4j.core.config.Config;
import org.pac4j.springframework.web.RequiresAuthenticationInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebMvcConfigurerAdapter {

    @Autowired
    private Config config;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // the third argument is the name of the authorizer registered in the Config ("admin"),
        // so an authenticated user without ROLE_ADMIN is rejected
        registry
          .addInterceptor(new RequiresAuthenticationInterceptor(config, "FacebookClient", "admin"))
          .addPathPatterns("/facebook/*");
    }
}
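The four steps assembled into one Spring Boot application, as an added example (it is not code from the spring-webmvc-pac4j project or its demo). It assumes the pac4j 1.8 API for ProfileManager and AuthorizationGenerator, a hypothetical application package com.example.demo, and placeholder Facebook credentials and ids. Beyond the steps above, it shows two things the post leaves implicit: Facebook never hands out ROLE_ADMIN, so the role has to be generated locally after login or the "admin" authorizer rejects everyone, and an admin sub-area can be layered on top of the authenticated area with a second interceptor.

```java
package com.example.demo;  // hypothetical application package

import org.pac4j.core.authorization.RequireAnyRoleAuthorizer;  // later pac4j versions: org.pac4j.core.authorization.authorizer
import org.pac4j.core.config.Config;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.oauth.client.FacebookClient;
import org.pac4j.springframework.web.RequiresAuthenticationInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Arrays;
import java.util.List;

@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    // Step 3: scanning this pac4j package registers the controller that serves /callback.
    @Configuration
    @ComponentScan(basePackages = "org.pac4j.springframework.web")
    static class CallbackConfig {
    }

    // Step 2: one client (Facebook) and one named authorizer ("admin").
    @Configuration
    static class Pac4jConfig {
        // constructed placeholder: the Facebook ids that should receive the admin role
        private static final List<String> ADMIN_FACEBOOK_IDS = Arrays.asList("1000000000000001");

        @Bean
        public Config config() {
            // "fbId" / "fbSecret" are placeholders for the real Facebook application credentials
            FacebookClient facebookClient = new FacebookClient("fbId", "fbSecret");
            // Facebook does not assign application roles, so derive ROLE_ADMIN locally after login
            // (assumption: pac4j 1.8 AuthorizationGenerator API)
            facebookClient.addAuthorizationGenerator(profile -> {
                if (ADMIN_FACEBOOK_IDS.contains(profile.getId())) {
                    profile.addRole("ROLE_ADMIN");
                }
            });
            Config config = new Config("http://localhost:8080/callback", facebookClient);
            config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
            return config;
        }
    }

    // Step 4: authentication for the whole /facebook area, authentication plus ROLE_ADMIN for its admin part.
    @Configuration
    static class SecurityConfig extends WebMvcConfigurerAdapter {
        @Autowired
        private Config config;

        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            // "/facebook/**" also covers nested paths; "/facebook/*" matches a single path segment only
            registry
              .addInterceptor(new RequiresAuthenticationInterceptor(config, "FacebookClient"))
              .addPathPatterns("/facebook/**");
            registry
              .addInterceptor(new RequiresAuthenticationInterceptor(config, "FacebookClient", "admin"))
              .addPathPatterns("/facebook/admin/**");
        }
    }

    // Endpoints behind the interceptors; the first reads the profile stored by the login.
    @Controller
    static class FacebookController {
        @RequestMapping("/facebook/index")
        @ResponseBody
        public String index(HttpServletRequest request, HttpServletResponse response) {
            // assumption: pac4j 1.8 ProfileManager.get(true) returns the profile saved in the session
            UserProfile profile = new ProfileManager(new J2EContext(request, response)).get(true);
            return "Authenticated as " + profile.getId();
        }

        @RequestMapping("/facebook/admin/index")
        @ResponseBody
        public String admin() {
            return "Admin area: authenticated and ROLE_ADMIN";
        }
    }
}
```

For step 1, both artifacts named in the post (spring-webmvc-pac4j and pac4j-oauth) are published under the Maven groupId org.pac4j. Note the path pattern: the interceptors use Spring's Ant-style matching, so "/facebook/*" from the post protects /facebook/index but not /facebook/admin/index; "/facebook/**" is the pattern to use when the secured area has sub-paths, otherwise a deeper URL silently falls outside the protection.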

Read the documentation: https://github.com/pac4j/spring-webmvc-pac4j and the demo: https://github.com/pac4j/spring-webmvc-pac4j-boot-demo
