Security engine for Java (authentication, authorization, multi frameworks): OAuth, CAS, SAML, OpenID Connect, LDAP, JWT...
pac4j is an easy and powerful security framework for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
It provides a comprehensive set of concepts and components.
It is available for most frameworks/tools and supports most authentication/authorization mechanisms.
It is licensed under the Apache 2 license.
| JDK | pac4j | Usage of Lombok |
|---|---|---|
| 17 | v6.x | Yes |
| 11 | v5.x | No |
| 8 | v4.x | No |
Available implementations (Get started by clicking on your framework):
JEE
• Spring Web MVC (Spring Boot)
• Spring Webflux (Spring Boot)
• Apache Shiro
• Spring Security (Spring Boot)
CAS server
• Syncope
• Apache Knox
Play 2.x
• Vertx
• Spark Java
• Ratpack
• JAX-RS
• Dropwizard
Javalin
• Pippo
• Undertow
• Lagom
• Akka HTTP
• Jooby
Authentication mechanisms:
OAuth (Facebook, Twitter, Google…) - SAML - CAS - OpenID Connect - HTTP - Google App Engine - Kerberos (SPNEGO/Negotiate)
LDAP - SQL - JWT - MongoDB - CouchDB - IP address - REST API
Authorization mechanisms:
Roles - Anonymous/remember-me/(fully) authenticated - Profile type, attribute
CORS - CSRF - Security headers - IP address, HTTP method
Versions
The latest released version is the 
, available in the Maven central repository.
The next version is under development.
Read the documentation for more information.
Need help?
You can use the mailing lists or the commercial support.
Supported by
The CAS and pac4j consulting company