Apply security

You can protect (authentication + authorization) the URLs of web application/services by using the SecurityFilter.

>> Read the documentation to understand its behavior and the available options.

The available options can be set via setters and servlet parameters. Yet, there is no config servlet parameter, the configFactory servlet parameter may be used instead to define a configuration.

1) web.xml

The SecurityFilter can be defined in the web.xml file:

<filter>
  <filter-name>FacebookAdminFilter</filter-name>
  <filter-class>org.pac4j.jee.filter.SecurityFilter</filter-class>
  <init-param>
    <param-name>configFactory</param-name>
    <param-value>org.pac4j.demo.j2e.DemoConfigFactory</param-value>
  </init-param>
  <init-param>
    <param-name>clients</param-name>
    <param-value>FacebookClient</param-value>
  </init-param>
  <init-param>
    <param-name>authorizers</param-name>
    <param-value>isAuthenticated</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>FacebookAdminFilter</filter-name>
  <url-pattern>/facebook/*</url-pattern>
</filter-mapping>

2) CDI

or using CDI and the org.pac4j.jee.util.FilterHelper:

@Named
@ApplicationScoped
public class WebConfig {

    @Inject
    private Config config;

    public void build(@Observes @Initialized(ApplicationScoped.class) ServletContext servletContext) {

        final FilterHelper filterHelper = new FilterHelper(servletContext);

        ...

        final SecurityFilter facebookAdminFilter = new SecurityFilter(config, "FacebookClient", "admin,securityHeaders");
        filterHelper.addFilterMapping("facebookAdminFilter", facebookAdminFilter, "/facebookadmin/*");

        ...
    }
}

3) Shiro

Or it can be defined in a shiro.ini file:

[main]
saml2SecurityFilter = org.pac4j.jee.filter.SecurityFilter
saml2SecurityFilter.config = $config
saml2SecurityFilter.clients = SAML2Client

[urls]
/saml2/** = saml2SecurityFilter

The default internal components of the SecurityFilter are: JEESessionStore.INSTANCE, JEEHttpActionAdapter.INSTANCE, DefaultSecurityLogic.INSTANCE and JEEContextFactory.INSTANCE.