  • New CAS/OAuth/OpenID/HTTP client library for Spring Security


    Some time ago, I proposed a library for Spring Security to support OAuth protocol on client side : spring-security-oauth-client.

    It was built on my own scribe-up library. I have completely rebuilt this library into a new pac4j component : Profile and Authentication Client for Java. Please see : and

    So I have also completely rebuilt a new library : spring-security-pac4j to support CAS/OAuth/OpenID/HTTP protocols from client side in Spring Security :

    1) For OAuth support, you also need the pac4j-oauth dependency : DropBox, Facebook, Github, Google, LinkedIn, Twitter, Windows Live, WordPress, Yahoo and CAS server with OAuth wrapper are supported providers
    2) For CAS support, you also need the pac4j-cas dependency : the CAS protocol is fully supported with :
    - CAS 1.0, CAS 2.0, SAML ticket validation, proxy ticket validation
    - CAS proxification
    - logout request
    3) For OpenID, you also need the pac4j-openid dependency : is the only provider supported.
    4) For HTTP, you also need the pac4j-http dependency : (local) form and basic authentications are supported.

    To get started, a demo is available :

    Any feedback will be appreciated.

    Best regards,

  • #2
    Thanks for this hard work Jérôme! I'm eager to see the results.


    • #3

      I haven't had time to dig into all the details, but offhand this library looks pretty slick.

      One small improvement you might consider. I first deployed this application within Eclipse and it was deployed with the default context root of /spring-security-pac4j-demo. When trying to authenticate (at least with Twitter) it failed. I updated the context root to be / and everything worked. It might be nice if the configuration did not depend on the selected context root.

      I will have to spend some more time looking into the integration within the coming weeks (things have been rather busy as of late).


      • #4

        Excellent demo! Great work! I had it up & running in 15 minutes or so!

        I mostly understand the demo, but I have a few questions (3 to be precise) re the demo & am wondering what's the appropriate forum etc?

        For example, in security.xml
        <security:http pattern="/cas/**" entry-point-ref="casEntryPoint">
            <security:custom-filter after="CAS_FILTER" ref="clientFilter" />
            <security:intercept-url pattern="/cas/**" access="IS_AUTHENTICATED_FULLY" />
        What does
        do? Is this a CAS specific question?

        Also I don't quite understand the callback config. Callback is referenced in two places in security.xml. Is this the CAS callback or a PAC4J callback (if it exists!)?

        If you could point me to the right place that would be excellent,
        thanks in advance,


        • #5

          I don't remember exactly why I chose after="CAS_FILTER" : there is nothing related to CAS here. Just a good place for the clientFilter to work...
          I just have one filter so it doesn't matter. pac4j is generally meant to be used as the only filter as it handles CAS, basic auth, form...

          There is the general concept of callback in pac4j : after being authenticated at a provider, the user is always redirected to the application on the callback url (here : /callback). So after a CAS authentication, the pac4j callback is a CAS callback; after a Facebook authentication, the pac4j callback is a Facebook callback...

          I created a user mailing-list for pac4j users :
          It's the best place for questions / suggestions.
          Best regards,
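
The following is an added example, not part of the original posts and not pac4j or demo code: one way to keep the /callback URL described in #5 independent of the context root raised in #3. The class name, method names and sample origins are hypothetical; the origin is assumed to come from deployment configuration, and the context path from `HttpServletRequest.getContextPath()`.

```java
import java.net.URI;

// Added example; CallbackUrls and its methods are hypothetical names, not pac4j API.
public class CallbackUrls {

    // Normalise a path segment: "" for the root context, "/name" otherwise (no trailing slash).
    static String normalize(String path) {
        if (path == null || path.isEmpty() || path.equals("/")) return "";
        String p = path.startsWith("/") ? path : "/" + path;
        return p.endsWith("/") ? p.substring(0, p.length() - 1) : p;
    }

    // Build the absolute callback URL registered with the provider.
    // The origin is taken from configuration rather than the request's Host header,
    // so a forged Host header cannot change where the provider redirects the user.
    static String callbackUrl(String configuredOrigin, String contextPath, String callbackPath) {
        URI origin = URI.create(configuredOrigin);
        boolean hasPath = origin.getRawPath() != null && !normalize(origin.getRawPath()).isEmpty();
        if (origin.getScheme() == null || origin.getHost() == null || hasPath
                || origin.getRawQuery() != null || origin.getRawFragment() != null) {
            throw new IllegalArgumentException("origin must be scheme://host[:port]");
        }
        return origin.getScheme() + "://" + origin.getRawAuthority()
                + normalize(contextPath) + normalize(callbackPath);
    }

    // True when requestUri (as returned by HttpServletRequest.getRequestURI(), which
    // includes the context path) targets the callback endpoint under this context root.
    static boolean isCallback(String requestUri, String contextPath, String callbackPath) {
        int semi = requestUri.indexOf(';');            // drop ";jsessionid=..." path parameters
        String path = semi >= 0 ? requestUri.substring(0, semi) : requestUri;
        return path.equals(normalize(contextPath) + normalize(callbackPath));
    }

    public static void main(String[] args) {
        // Constructed deployments: root context, and the context root mentioned in #3.
        String[] contexts = { "", "/spring-security-pac4j-demo" };
        for (String ctx : contexts) {
            String url = callbackUrl("http://localhost:8080", ctx, "/callback");
            String uri = URI.create(url).getRawPath();
            System.out.println(url + " matches=" + isCallback(uri, ctx, "/callback"));
        }
        // A request under a different context root must not be treated as the callback.
        System.out.println(isCallback("/other/callback", "/spring-security-pac4j-demo", "/callback"));
    }
}
```

The URL registered at each provider has to match the one built here for the deployed context root.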


          • #6
            Thanks Jérôme ... I'll continue thread on google pac4j-user forum.