pac4j / javalin-pac4j Goto Github PK

Security library for Javalin: OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...

Java 100.00%

javalin-pac4j's Introduction

`pac4j` is an easy and powerful security framework for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.

It provides a comprehensive set of concepts and components. It is available for most frameworks/tools and supports most authentication/authorization mechanisms. It is licensed under the Apache 2 license.

JDK	pac4j	Usage of Lombok
17	v6.x	Yes
11	v5.x	No
8	v4.x	No

Available implementations (Get started by clicking on your framework):

JEE • Spring Web MVC (Spring Boot) • Spring Webflux (Spring Boot) • Apache Shiro • Spring Security (Spring Boot)

CAS server • Syncope • Apache Knox

Play 2.x • Vertx • Spark Java • Ratpack • JAX-RS • Dropwizard

Javalin • Pippo • Undertow • Lagom • Akka HTTP • Jooby

Authentication mechanisms:

OAuth (Facebook, Twitter, Google...) - SAML - CAS - OpenID Connect - HTTP - Google App Engine - Kerberos (SPNEGO/Negotiate)

LDAP - SQL - JWT - MongoDB - CouchDB - IP address - REST API

Authorization mechanisms:

Roles - Anonymous/remember-me/(fully) authenticated - Profile type, attribute

CORS - CSRF - Security headers - IP address, HTTP method

Versions

The latest released version is the , available in the Maven central repository. The next version is under development.

Read the documentation for more information.

Need help?

You can use the mailing lists or the commercial support.

Supported by

The CAS and pac4j consulting company

javalin-pac4j's People

Contributors

Stargazers

Watchers

Forkers

vcka schmas vkolomeyko jmshih spinscale pauliesnug trensetim hlkn edelagnier

javalin-pac4j's Issues

How to use CSRF?

Was wondering if you could clarify how to use the CSRF protection in PAC4J with Javalin? I've fiddled around with it and, although I'm not getting any errors, it doesn't seem to be adding the protection either. From my understanding we'd first need to register an authorizer here

val config = Config(clients)
config.addAuthorizer("csrf", CsrfAuthorizer("X-CSRF-TOKEN","X-CSRF-TOKEN"))
return config

I then assumed we would need to set up a security handler which used the relevant client and authorizer i.e.

val handler = SecurityHandler(config,"FacebookClient","csrf")

Then use that in a before handler.

Problem is, I am getting a pac4j CSRF token cookie back so it is definitely doing something but equally it is not stopping me sending a form with no csrf token via post so I obviously don't understand how to integrate this.

Might be really useful for other people to add an example of this to the JavalinPac4jExample

Csrf Don't work when use NullSessionCache

NullSessionCacheとCSRFを同時に使うことができません。
これは、beforeハンドラでCSRFトークンをセッションから取得するときに、まだDataSourceが使えないからだと予測しています。
このため、POST/PUTリクエストがすべて403になってしまいます。

対処方法を教えて頂けませんでしょうか？
よろしくお願い致します。

NullSessionCache and CSRF cannot be used at the same time.
I predict this is because the DataSource is still not available when getting the CSRF token from the session in the before handler.
All POST/PUT requests will be 403.

Could you tell me how to deal with it?
Thank you.

When will the next version released?

Hi, I was wondering when the new version with Pac4J 5 will be available?

Update README to suggest correct javalin-pac4j version

The README.md indicates 4.0.0-SNAPSHOT for the javalin-pac4j dependency. It looks like 5.0.0 is the latest and greatest. Does this need updated?

Provide Module Name

I would really like to use your library in my modularized application.
Sadly you do not provide a module-info.java nor a Automatic-Module-Name in the manifest of your jar.

I suggest to make this ideally a real java module like

module javalin-pac4j {
  exports org.pac4j.javalin;
  requires transitive pac4j.core;
  requires pac4j.oidc;  // maybe?
}

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Update javalin.version to v6 (major) (io.javalin:javalin-rendering, io.javalin:javalin)

Detected dependencies

github-actions

.github/workflows/ci.yml

actions/checkout v4

actions/setup-java v4

actions/cache v4

actions/checkout v4

actions/setup-java v4

maven

pom.xml

org.sonatype.oss:oss-parent 9

io.javalin:javalin 5.6.3

org.pac4j:pac4j-jakartaee 6.0.1

io.javalin:javalin-rendering 5.6.3

org.apache.velocity:velocity-engine-core 2.3

org.pac4j:pac4j-oauth 6.0.1

org.pac4j:pac4j-saml 6.0.1

org.pac4j:pac4j-cas 6.0.1

org.pac4j:pac4j-http 6.0.1

org.pac4j:pac4j-oidc 6.0.1

org.pac4j:pac4j-jwt 6.0.1

org.pac4j:pac4j-sql 6.0.1

org.pac4j:pac4j-ldap 6.0.1

org.pac4j:pac4j-mongo 6.0.1

org.pac4j:pac4j-kerberos 6.0.1

org.pac4j:pac4j-couch 6.0.1

ch.qos.logback:logback-classic 1.5.0

org.junit.jupiter:junit-jupiter 5.10.2

org.assertj:assertj-core 3.25.3

org.mockito:mockito-core 5.10.0

org.apache.maven.plugins:maven-compiler-plugin 3.12.1

org.apache.maven.plugins:maven-source-plugin 3.3.0

org.apache.maven.plugins:maven-javadoc-plugin 3.6.3

com.github.spotbugs:spotbugs-maven-plugin 4.8.3.1

org.apache.maven.plugins:maven-pmd-plugin 3.21.2

org.apache.maven.plugins:maven-surefire-plugin 3.2.5

org.apache.maven.plugins:maven-jar-plugin 3.3.0

org.apache.maven.plugins:maven-gpg-plugin 3.1.0

Check this box to trigger a request for Renovate to run again on this repository

Using CSRF consumes POST body returning null for ctx.formParam()

Unfortunately I don't have a full blown example (it's a bit convoluted in the existing code), but I'll try to explain my problem. When using the CsrfAuthorizer this is called in the code

    public boolean isAuthorized(final WebContext context, final List<UserProfile> profiles) {
        final boolean checkRequest = checkAllRequests || isPost(context) || isPut(context) || isPatch(context) || isDelete(context);
        if (checkRequest) {
            final String parameterToken = context.getRequestParameter(parameterName).orElse(null);
            final String headerToken = context.getRequestHeader(headerName).orElse(null);
            final Optional<String> sessionToken = (Optional<String>) context.getSessionStore().get(context, Pac4jConstants.CSRF_TOKEN);
            return sessionToken.isPresent() && (sessionToken.get().equals(parameterToken) || sessionToken.get().equals(headerToken));
        } else {
            return true;
        }
    }

It seems to me as if the context.getRequestParameter() consumes the whole body inputstream, so that a call to

ctx.formParam("status")

returns null, because the body has already been consumed, when issuing a POST request. Could this be possible?

Using Javalin 3.12.0 and javalin-pac4j 3.0.0 and pac4j-oauth 4.2.0 if that helps anything.

FindBest runtime error

This is code from ExampleConfigFactory.java.
I have integrated this in my project.

import org.pac4j.core.credentials.TokenCredentials;
//..
HeaderClient headerClient = new HeaderClient("Authorization", (Authenticator) (ctx, credentials) -> {
String token = ((TokenCredentials) credentials).getToken();
if (CommonHelper.isNotBlank(token)) {
CommonProfile profile = new CommonProfile();
profile.setId(token);
credentials.setUserProfile(profile); <----- cannot find symbol error locally
return Optional.of(credentials);
}
return Optional.empty();
});

I get above build time error,
with these dependencies:

     <dependency>
        <groupId>io.javalin</groupId>
        <artifactId>javalin</artifactId>
        <version>5.6.3</version>
     </dependency>
    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>javalin-pac4j</artifactId>
        <version>6.0.0</version>
    </dependency>
    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-http</artifactId>
        <version>5.7.0</version>
    </dependency>
    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-jwt</artifactId>
        <version>5.7.0</version>
    </dependency>
    <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-core</artifactId>
        <version>5.7.0</version>
    </dependency>

Same with replacing 5.7.0 with 5.7.1 (in above 3 places), as proposed in README
https://github.com/pac4j/javalin-pac4j

Tried replacing 5.7.0 with 6.0.0-RC1 until 6.0.0-RC4 (in above 3 places) -> Same error

Now trying same with 6.0.0-RC5 up to 6.0.0-RC9. Builds and starts up. But when I call an endpoint, I get the FindBest error:

java.lang.NoClassDefFoundError: org/pac4j/core/util/FindBest
at org.pac4j.javalin.SecurityHandler.handle(SecurityHandler.java:43)
at io.javalin.routing.HandlerEntry.handle(HandlerEntry.kt:19)
at io.javalin.http.servlet.DefaultTasks.BEFORE$lambda$2$lambda$1$lambda$0(DefaultTasks.kt:19)
at io.javalin.http.servlet.JavalinServlet.handleTask(JavalinServlet.kt:88)
at io.javalin.http.servlet.JavalinServlet.handleSync(JavalinServlet.kt:53)
at io.javalin.http.servlet.JavalinServlet.service(JavalinServlet.kt:41)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
at io.javalin.jetty.JavalinJettyServlet.service(JavalinJettyServlet.kt:58)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1381)
at io.javalin.jetty.JettyServer$start$wsAndHttpHandler$1.doHandle(JettyServer.kt:61)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1303)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.Server.handle(Server.java:563)
at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
at java.base/java.lang.Thread.run(Thread.java:1623)
Caused by: java.lang.ClassNotFoundException: org.pac4j.core.util.FindBest
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
... 36 more

All above happen also with Javalin 5.6.2

[Help] Validating different roles / security requirements per endpoint

Hi,

I can't seem to find the best way to do this in the documentation and I would appreciate any/all pointers if I've missed it!

My problem is the following:

I want to secure separate REST endpoints in the same javalin-pac4j application with different requirements.
I need to check for certain UserProfile claims in some cases (e.g. 'editor') but only check isAuthenticated for other endpoints.
Do I need to create separate SecurityConfig with separate handlers and add these to the Javalin Route configuration or is there way to use the same SecurityConfig and access several separate handlers at method/API route level?

A lot of the configuration is else reusable, the user will be submitting the same tokens, so it would be nice to avoid re-duplicating the security configs.

Best regards

Is library available in maven central?

UncaughtException with Javalin PAC4J version 6

Actual behavior (the bug)
SseClient keeps adding "clients" - not sure of the cause but it results in a leak as the clients use keepalive

The java logs show

JettyServerThreadPool-124] WARN io.javalin.Javalin - Uncaught exception
java.util.concurrent.CancellationException
at java. Base/java.util.concurrent.CompletableFuture.cancel(CompletableFuture.java:2478)
at io.javalin.http.servlet.JavalinServlet$handleUserFuture$1.invoke(JavalinServlet.kt:65)
at io.javalin.http.servlet.JavalinServlet$handleUserFuture$1.invoke(JavalinServlet.kt:65)
at io.javalin.http.util.AsyncUtil$addListener$5$1.onTimeout(AsyncUtil.kt:46)
at org.eclipse.jetty.server.HttpChannelState$2.run(HttpChannelState.java:660)
at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1465)
at org.eclipse.jetty.server.HttpChannelState.runInContext(HttpChannelState.java:1208)
at org.eclipse.jetty.server.HttpChannelState.onTimeout(HttpChannelState.java:679)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:518)
at org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:457)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:934)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1078)
at java. Base/java.lang.Thread.run(Thread.java:833)

Additionally the SecurityHandler appears to be built against an incorrect dependency as it uses FindBest which was removed ( noted in Release notes )

I suspect these are all linked

i am using the following versions
<io.javalin.version>5.3.2</io.javalin.version>
<io.javalin.openapi.version>4.6.7</io.javalin.openapi.version>
<io.javalin.community.ssl.version>5.3.2</io.javalin.community.ssl.version>
<javalin-pac4j.version>6.0.0</javalin-pac4j.version>
<pac4j.version>6.0.0-RC5</pac4j.version>

This issue affects the SSE side on the browser which now fails to receive some events

Error for FindBest

[JettyServerThreadPool-57] ERROR io.javalin.Javalin - Exception occurred while servicing http-request
java.lang.NoClassDefFoundError: org/pac4j/core/util/FindBest
at org.pac4j.javalin.SecurityHandler.handle(SecurityHandler.java:43)
at io.javalin.routing.HandlerEntry.handle(HandlerEntry.kt:19)
at io.javalin.http.servlet.DefaultTasks.BEFORE$lambda-2$lambda-1$lambda-0(DefaultTasks.kt:19)
at io.javalin.http.servlet.JavalinServlet.handleTask(JavalinServlet.kt:86)
at io.javalin.http.servlet.JavalinServlet.handleSync(JavalinServlet.kt:53)
at io.javalin.http.servlet.JavalinServlet.service(JavalinServlet.kt:41)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
at io.javalin.jetty.JavalinJettyServlet.service(JavalinJettyServlet.kt:58)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at io.javalin.jetty.JettyServer$start$wsAndHttpHandler$1.doHandle(JettyServer.kt:57)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1302)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.Server.handle(Server.java:563)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:416)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:385)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:272)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:140)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:934)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1078)
at java.base/java.lang.Thread.run(Thread.java:833)

Throwing UnauthorizedResponse when redirecting to login page

In SecurityHandler, there is the following code:

if (result != "AUTH_GRANTED") {
    throw new UnauthorizedResponse();
}

When navigating to a page in the browser, you typically want to be redirected to the login page via 302. When hitting an API end-point, you typically want to receive a 401. There's code built into PAC4J that detects whether it is an AJAX call or not and takes the appropriate action. This check prevents this out-of-the-box behavior provided by PAC4J.

I basically stole the code from inside SecurityHandler and made something as simple as this:

        SessionStore sessionStore = FindBest.sessionStore(null, this.config, JEESessionStore.INSTANCE);
        HttpActionAdapter adapter = FindBest.httpActionAdapter(null, this.config, JavalinHttpActionAdapter.INSTANCE);
        SecurityLogic bestLogic = FindBest.securityLogic(null, this.config, DefaultSecurityLogic.INSTANCE);

        JavalinWebContext context = new JavalinWebContext((Context) httpContext.getHandle());
        Object result = bestLogic.perform(
            context,
            sessionStore,
            this.config,
            (ctx, store, profiles, parameters) -> new Object(),
            adapter,
            "FormClient",
            null,
            null);
        return result != null;

I am just hard-coding the last three arguments in my example. I am okay using my code for now, but thought I should report this since it seems like it might impact other people.

Javalin 5.0.0 context.req is now private. NoSuchFieldError

Hi,

I'm new to (javalin-)pac4j and I can't see to get authentication to work. Every time I make a request and call...
before(new SecurityHandler(config, "DirectBasicAuthClient,ParameterClient"));

I get the following stack trace

java.lang.NoSuchFieldError: req
	at org.pac4j.javalin.JavalinWebContext.<init>(JavalinWebContext.java:14)
	at org.pac4j.javalin.SecurityHandler.handle(SecurityHandler.java:47)
	at io.javalin.routing.HandlerEntry.handle(HandlerEntry.kt:19)
	at io.javalin.http.servlet.DefaultTasks.BEFORE$lambda-2$lambda-1$lambda-0(DefaultTasks.kt:17)
	at io.javalin.http.servlet.JavalinServlet.handleTask(JavalinServlet.kt:79)
	at io.javalin.http.servlet.JavalinServlet.handleSync(JavalinServlet.kt:46)
	at io.javalin.http.servlet.JavalinServlet.service(JavalinServlet.kt:34)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
	at io.javalin.jetty.JavalinJettyServlet.service(JavalinJettyServlet.kt:58)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at io.javalin.jetty.JettyServer$start$wsAndHttpHandler$1.doHandle(JettyServer.kt:56)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1297)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.eclipse.jetty.server.Server.handle(Server.java:562)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)

Weird thing is if I debug the handler I can see javalinctx.req is present but the class can't get it.
I'm using a Config based of the example from this repo. Here is a pastebin link for my build method https://pastebin.com/88ULjH4v

Is there something im missing?

NoClassDefFoundError: org/pac4j/core/util/FindBest

I've seen in previous issue that it's suggested to use Javalin 5.6.2 with javalin-pac4j 6.0.0 (which uses pac4j 5.7.0)

I added above, but I have runtime issue:

[JettyServerThreadPool-61] ERROR io.javalin.Javalin - Fatal error occurred while servicing http-request
java.lang.NoClassDefFoundError: org/pac4j/core/util/FindBest
at org.pac4j.javalin.SecurityHandler.handle(SecurityHandler.java:43)
at io.javalin.routing.HandlerEntry.handle(HandlerEntry.kt:19)
at io.javalin.http.servlet.DefaultTasks.BEFORE$lambda$2$lambda$1$lambda$0(DefaultTasks.kt:19)
at io.javalin.http.servlet.JavalinServlet.handleTask(JavalinServlet.kt:88)
at io.javalin.http.servlet.JavalinServlet.handleSync(JavalinServlet.kt:53)
at io.javalin.http.servlet.JavalinServlet.service(JavalinServlet.kt:41)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
at io.javalin.jetty.JavalinJettyServlet.service(JavalinJettyServlet.kt:58)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:587)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:529)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at io.javalin.jetty.JettyServer$start$wsAndHttpHandler$1.doHandle(JettyServer.kt:61)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1303)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:173)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.Server.handle(Server.java:563)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
at java.base/java.lang.Thread.run(Thread.java:1623)
Caused by: java.lang.ClassNotFoundException: org.pac4j.core.util.FindBest
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
... 35 more

My full dependencies are:
javalin: 5.6.2
javalin-pac4j: 6.0.0
pac4j-http 6.0.0-RC6
pac4j-jwt 5.7.0

I added code from https://github.com/pac4j/javalin-pac4j/blob/master/pom.xml, in my project

I have tried some combinations with no effect.

Which version should I use ?

Hello,
I was wondering if you could help me figure out which version I should use.
I'm using javalin 5.6.2

I first tried to pair javalin-pac4j 6.0.0 with pac4j-oidc 6.0.0-RC8 but I got an error because it couldn't find the FindBest class that disappeared in pac4j-core 6.0.0-RC3

I tried pac4j-oidc 6.0.0-RC7 having seen the "Make compatible with pac4j 6.0.0-RC7" merge but still get the same error

with javalin-pac4j 6.0.0 and pac4j-oidc 6.0.0-RC2, I get java.lang.NoSuchMethodError: org.pac4j.core.context.session.SessionStore org.pac4j.core.util.FindBest.sessionStore

I also tried to use javalin-pac4j 5.0.1 and pac4j-oidc 5.5.0 as stated by the README but I get an error "java.lang.NoSuchFieldError: req at org.pac4j.javalin.JavalinWebContext"

Thanks for your help and have a nice day !