# PAC4J for JaxRs Whiteboards

This bundle enables PAC4J security for JaxRs Whiteboards. See [https://www.pac4j.org/](https://www.pac4j.org/).

PAC4J provides many different authentication methods. Right now this bundle only makes OpenID Connect configurable, in two flavors: bearer ID token and the usual login and callback process.

## General

The feature is always configured with a `client.id` property. In order to secure a Jax-Rs resource, the resource or its methods MUST be annotated with `@Pac4JSecurity(clients = "my.client.id")`; `clients` must name at least one of the configured `client.id`s.

## Login

The following configuration configures a security client that uses OpenID Connect. The Pac4J feature needs to know about the client. If no `clients.target` is given, the feature knows about all security clients and supports all of them. In our case we specifically inject only the one client that is configured here as well. The `Pac4JFeature` is a JaxRs feature and can have whiteboard target and/or application select filter properties.

```
{
  ":configurator:resource-version": 1,
  "Pac4JFeature~login": {
    "clients.target" : "(client.id=login)"
  },
  "KeycloackOidcClient": {
    "oid.baseUri" : "http://localhost:8080/auth",
    "oid.realm" : "test",
    "oid.clientId" : "keycloak_login",
    "oid.secret" : "d75fd8f0-193d-47ab-825b-96458f5fc74f",
    "client.id" : "login",
    "client.callbackUrl" : "http://localhost:8185/login/callback"
  }
}
```

Example for a Login Resource:

```java
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsResource;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.jax.rs.annotations.Pac4JCallback;
import org.pac4j.jax.rs.annotations.Pac4JProfile;
import org.pac4j.jax.rs.annotations.Pac4JSecurity;

@Component(service = LoginResource.class, scope = ServiceScope.PROTOTYPE)
@JaxrsResource
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.WILDCARD)
@Path("/")
public class LoginResource {

    /*
     * The method is secured by a Pac4J client with the client.id "login". If an unauthenticated user
     * comes by, they are redirected to the configured OIDC server, where they need to log in. They are
     * then redirected to the callback endpoint.
     */
    @GET
    @Path("login")
    @Pac4JSecurity(clients = "login")
    public Response login(@Pac4JProfile CommonProfile profile) {
        return Response.ok("Welcome " + profile.getFirstName() + " " + profile.getFamilyName()).build();
    }

    /*
     * The annotation marks this as the callback endpoint. It is just a marker, because the method body
     * is actually never called. The user is forwarded to the originally requested resource when they
     * return from the login page.
     */
    @GET
    @Pac4JCallback()
    @Path("callback")
    public Response callback() {
        return Response.ok("Thx").build();
    }
}
```

## Bearer Token Login

This example configures a client that expects an `Authorization` HTTP header carrying a bearer token. At the moment this token needs to be the JWT ID token, so a backend can impersonate the caller. In order to use the ID token that will be passed, the client must use the same OpenID Connect client ID the user logged in to.

Configuration:

```
{
  ":configurator:resource-version": 1,
  "Pac4JFeature~bearer": {
    "clients.target" : "(client.id=bearer)"
  },
  "BearerTokenClient": {
    "oid.baseUri" : "http://localhost:8080/auth",
    "oid.realm" : "test",
    "oid.clientId" : "keycloak_login",
    "oid.secret" : "8c38714d-4879-4013-b464-cc50a4002e5c",
    "client.id" : "bearer"
  }
}
```

The secured resource:

```java
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsResource;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.jax.rs.annotations.Pac4JProfile;
import org.pac4j.jax.rs.annotations.Pac4JSecurity;

@Component(service = BarerTestResource.class, scope = ServiceScope.PROTOTYPE)
@JaxrsResource
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.WILDCARD)
@Path("/")
public class BarerTestResource {

    // Only requests carrying a bearer ID token accepted by the "bearer" client reach this method.
    @GET
    @Path("backend")
    @Pac4JSecurity(clients = "bearer")
    public Response doSomething(@Pac4JProfile CommonProfile profile) {
        return Response.ok("Returend " + profile.getFirstName() + " " + profile.getFamilyName()).build();
    }
}
```

For details look into the `org.gecko.util.rest.pac4j.feature.test` bundle. It configures a full test case covering both scenarios.

## How to use different methods of authentication?

Pac4J has all of its logic in the security clients. If another implementation like LDAP, Facebook or whatever is needed, register a fully configured `org.pac4j.core.client.Client` under this interface and modify your `clients.target` for the feature if needed.
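As an added illustration of registering your own client (not part of this bundle), the following DS component publishes a pac4j `HeaderClient` as a `Client` service with `client.id=apikey`, so a `Pac4JFeature` configured with `"clients.target" : "(client.id=apikey)"` picks it up and resources can use `@Pac4JSecurity(clients = "apikey")`. It assumes the pac4j 4.x `Authenticator` signature and a hypothetical configuration PID `ApiKeyClient` with a `.api.key` property.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.pac4j.core.client.Client;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.http.client.direct.HeaderClient;

/*
 * Example client (not from this bundle): authenticates requests by an X-Api-Key header.
 * Registered as org.pac4j.core.client.Client with client.id=apikey so the feature can select it.
 */
@Component(service = Client.class, property = "client.id=apikey", configurationPid = "ApiKeyClient")
public class ApiKeyClient extends HeaderClient {

    @Activate
    void activate(Map<String, Object> props) {
        // Assumed config key. The leading dot keeps DS from exposing the secret as a service property.
        String expected = (String) props.get(".api.key");
        if (expected == null || expected.isEmpty()) {
            throw new IllegalStateException("ApiKeyClient: .api.key must be configured");
        }
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);

        setName("apikey");
        setHeaderName("X-Api-Key");
        // pac4j 4.x Authenticator<TokenCredentials>: throw to reject, set a profile to accept.
        setAuthenticator((TokenCredentials credentials, org.pac4j.core.context.WebContext ctx) -> {
            String presented = credentials.getToken();
            // Constant-time comparison so timing does not reveal how much of the key matched.
            if (presented == null
                    || !MessageDigest.isEqual(expectedBytes, presented.getBytes(StandardCharsets.UTF_8))) {
                throw new CredentialsException("invalid API key");
            }
            CommonProfile profile = new CommonProfile();
            profile.setId("api-client");
            profile.addAttribute("auth_method", "api-key");
            credentials.setUserProfile(profile);
        });
    }
}
```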