pac4j / spark-pac4j
Security library for Sparkjava: OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...
Home Page: http://www.pac4j.org
I noticed that the security filter uses SecurityGrantedAccessException to decide whether authorization is granted. Is there any reason why such a "good" result is indicated by an exception?
And maybe remove the getStatus (and getBody) method by the way.
Whenever a SecurityFilter is established (with an indirect client configured) before a URL which is used, for example, to upload/put/post data, it wipes the request body after the redirection loop is done (with FormClient).
Hello, I'm actually using Spark-Java with pac4j as a module on a module-based application. Because the module does not have its own ClassLoader, the class org.pac4j.core.profile.CommonProfile will not be found. Why? The class is actually shaded into the module.
In the spark-pac4j README, it is stated that you can leave out the clientName parameter on the RequiresAuthenticationFilter:
clientName (optional): the list of client names (separated by commas) used for authentication. If the user is not authenticated, direct clients are tried successively then if the user is still not authenticated and if the first client is an indirect one, this client is used to start the authentication. Otherwise, a 401 HTTP error is returned. If the client_name request parameter is provided, only the matching client is selected
This is not how it is implemented: if you leave the clientName empty, all requests are prevented. This is due to the condition in DefaultClientFinder.find, which is called from RequiresAuthenticationFilter and which returns an empty client list if no client name is specified.
Could someone clarify if this is
a) a documentation bug
b) an implementation bug
I'm currently searching for the feature to require an authentication without explicitly specifying a client and haven't found it.
The Spark-Pac4J library regarding SAML doesn't seem to register the callback URL correctly when receiving the SAML Response.
The error I get is:
ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder - SAML message intended destination endpoint 'https://localhost/callback?client_name=Saml2Client' did not match the recipient endpoint 'https://localhost/callback'
As described here: Pac4J-GoogleGroups.
Whenever I add a SecurityFilter to a path, the Request#body becomes blank. In fact, the entire Request object becomes uninitialized, and you have to use Request#raw to get the underlying HttpServletRequest.
Code:
// Imports are assumed from the pac4j / spark-pac4j packages of that era; jwtAuthenticator and log are declared elsewhere in the application
import static spark.Spark.before;
import static spark.Spark.post;
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.sparkjava.DefaultHttpActionAdapter;
import org.pac4j.sparkjava.SecurityFilter;
// A direct client: the JWT is read from the Authorization header on every request, no redirect involved
HeaderClient headerClient = new HeaderClient("Authorization", jwtAuthenticator);
Clients clients = new Clients(headerClient);
Config config = new Config(clients);
config.setHttpActionAdapter(new DefaultHttpActionAdapter());
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN")); // closing parenthesis was missing
before((request, response) -> log.trace("Received API Call: {} {}", request.requestMethod(), request.contextPath()));
// Authentication via "HeaderClient" plus the "admin" authorizer for everything under /api/users/
before("/api/users/*", new SecurityFilter(config, "HeaderClient", "admin"));
post("/api/users", (request, response) -> {
    log.debug("Request body: {}", request.body()); // will show up as blank
    // ... do something
    return ""; // a Spark route must return a value
});
Do we already have a DIGEST authentication mechanism for SparkJava?
If so, can you share some samples with us?
I had a question on handling authn failures with the LoginForm.
For anyone else: I was using request.params() rather than the correct request.queryParams("error") method to retrieve the authn failure (which you can then use in the template rendering).
SAML protocol not redirecting to the idp.
As described here: https://groups.google.com/forum/?fromgroups=#!topic/pac4j-users/iaOL56dDfN0
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
.github/workflows/ci.yml
actions/checkout v4
actions/setup-java v4
actions/cache v4
actions/checkout v4
actions/setup-java v4
pom.xml
org.sonatype.oss:oss-parent 9
com.sparkjava:spark-core 2.9.4
org.pac4j:pac4j-javaee 5.7.6
org.apache.maven.plugins:maven-compiler-plugin 3.13.0
org.apache.maven.plugins:maven-source-plugin 3.3.1
org.apache.maven.plugins:maven-javadoc-plugin 3.8.0
com.github.spotbugs:spotbugs-maven-plugin 4.2.3
org.apache.maven.plugins:maven-pmd-plugin 3.24.0
org.apache.maven.plugins:maven-gpg-plugin 3.2.4
and all dependencies, Java 8...
Rename RequiresAuthenticationFilter as SecurityFilter