pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.

It provides a comprehensive set of concepts and components. It is based on Java 8 and available under the Apache 2 license. It is available for most frameworks/tools and supports most authentication/authorization mechanisms.

Available implementations (Get started by clicking on your framework):

Spring Web MVC (Spring Boot) • JEE • Apache Shiro • Spring Security (Spring Boot) • Play 2.x • Vertx

Spark Java • Javalin • Ratpack • Pippo • Undertow • Jooby

CAS server • JAX-RS • Dropwizard • Lagom • Akka HTTP • Apache Knox

Authentication mechanisms:

OAuth (Facebook, Twitter, Google...) - SAML - CAS - OpenID Connect - HTTP - OpenID - Google App Engine - Kerberos (SPNEGO/Negotiate)

LDAP - SQL - JWT - MongoDB - CouchDB - IP address - REST API

Authorization mechanisms:

Roles/permissions - Anonymous/remember-me/(fully) authenticated - Profile type, attribute

CORS - CSRF - Security headers - IP address, HTTP method

---

Versions

The latest released version is the , available in the Maven central repository. The next version is under development.

Read the documentation for more information.

Need help?

If you need commercial support (premium support or new/specific features), contact us at info@pac4j.org.

If you have any questions, want to contribute or be notified about the new releases and security fixes, please subscribe to the following mailing lists:

• pac4j-users
• pac4j-developers
• pac4j-announce
• pac4j-security

Supported by

The CAS and pac4j consulting company

Third-party extensions

There exist extensions to pac4j developed by third parties. The extensions provide features not available in the core pac4j distribution. At the moment, the following extension are known:

• IDC Extensions to PAC4J, developed internally by IDC and published as open source.