Skip to content
CAS in the cloud LELEU Jérôme edited this page Dec 12, 2022 · 11 revisions

You can protect (authentication + authorization) the URLs of web application/services by using the SecurityFilter.

>> Read the documentation to understand its behavior and the available options.

The available options can be set via setters and servlet parameters.

1) web.xml

Yet, there is no config servlet parameter, the configFactory servlet parameter may be used instead to define a configuration.
The configFactory servlet parameter must be defined at least for one filter: it will be shared with other filters.

The SecurityFilter can be defined in the web.xml file:

<filter>
  <filter-name>FacebookAdminFilter</filter-name>
  <filter-class>org.pac4j.jee.filter.SecurityFilter</filter-class>
  <init-param>
    <param-name>configFactory</param-name>
    <param-value>org.pac4j.demo.j2e.DemoConfigFactory</param-value>
  </init-param>
  <init-param>
    <param-name>clients</param-name>
    <param-value>FacebookClient</param-value>
  </init-param>
  <init-param>
    <param-name>authorizers</param-name>
    <param-value>isAuthenticated</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>FacebookAdminFilter</filter-name>
  <url-pattern>/facebook/*</url-pattern>
</filter-mapping>

2) CDI (JEE)

or using CDI and the org.pac4j.jee.util.FilterHelper:

@Named
@ApplicationScoped
public class WebConfig {

    @Inject
    private Config config;

    public void build(@Observes @Initialized(ApplicationScoped.class) ServletContext servletContext) {

        final FilterHelper filterHelper = new FilterHelper(servletContext);

        ...

        final SecurityFilter facebookAdminFilter = new SecurityFilter(config, "FacebookClient", "admin,securityHeaders");
        filterHelper.addFilterMapping("facebookAdminFilter", facebookAdminFilter, "/facebookadmin/*");

        ...
    }
}

3) Spring

It can be defined as a simple JEE filter via Spring:

    @Bean
    public FilterRegistrationBean twitterFilter() {
        final SecurityFilter filter = new SecurityFilter(config(), "TwitterClient");
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean();
        registrationBean.setFilter(filter);
        registrationBean.addUrlPatterns("/twitter/index.html");
        return registrationBean;
    }

4) Spring Security

It can be defined in a Java configuration like any Spring Security filter:

   @Configuration
    @Order(2)
    public static class CasWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private Config config;

        protected void configure(final HttpSecurity http) throws Exception {

            final SecurityFilter filter = new SecurityFilter(config, "CasClient");

            http
                    .antMatcher("/cas/**")
                    .addFilterBefore(filter, BasicAuthenticationFilter.class)
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
        }
    }

5) Shiro

Or it can be defined in a shiro.ini file:

[main]
saml2SecurityFilter = org.pac4j.jee.filter.SecurityFilter
saml2SecurityFilter.config = $config
saml2SecurityFilter.clients = SAML2Client

[urls]
/saml2/** = saml2SecurityFilter
Clone this wiki locally