Reputation: 927
I have an application using pac4j and use multiple authentication clients to secure my routes (both direct and indirect) like this: Secure("AnonymousClient", "FacebookClient", "JWTClient").
I don't really understand in which order the clients are used though. It seems to be from right to left and 401 is returned if none of the clients could build a profile. Am I right?
Is it the same order for the authorizers?
Upvotes: 0
Views: 320
Reputation: 927
Seems to be much more complicated than that. From the comments in DefaultSecurityLogic.java:
First, if the user is not authenticated (no profile) and if some clients have been defined in the clients parameter, a login is tried for the direct clients.
Then, if the user has a profile, authorizations are checked according to the authorizers configuration. If the authorizations are valid, the user is granted access. Otherwise, a 403 error page is displayed.
Finally, if the user is still not authenticated (no profile), he is redirected to the appropriate identity provider if the first defined client is an indirect one in the clients configuration. Otherwise, a 401 error page is displayed.
Upvotes: 1
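The three steps quoted from DefaultSecurityLogic.java, as an added illustrative model that is not pac4j code and not part of the original answer. The Client and Result classes, the constructed JWT/Anonymous/Facebook stand-ins, the `idp.example` redirect URL and the sample token are all assumptions made for this page; the model additionally assumes that direct clients are tried in list order and the first one that yields a profile wins, which the quoted comments do not spell out. It shows why the order matters: a direct client first gives 401 without credentials, an indirect client first gives a redirect, a failing authorizer gives 403, and an anonymous client listed first can shadow the JWT client.

```python
"""Simplified model of the pac4j security flow quoted in the answer above.

Illustrative model written for this page, not pac4j code. Clients and
authorizers are constructed stand-ins; the statuses (200, 302, 401, 403)
and the three steps follow the quoted DefaultSecurityLogic comments.
Assumption not stated on the page: direct clients are tried in the order
they are listed and the first one that yields a profile wins.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Profile = Dict[str, str]
Request = Dict[str, str]


@dataclass
class Client:
    name: str
    direct: bool                                          # True: authenticates from the request itself
    authenticate: Callable[[Request], Optional[Profile]]  # returns a profile or None


@dataclass
class Result:
    status: int                          # 200 granted, 302 redirect, 401 / 403 error
    profile: Optional[Profile] = None
    client_used: Optional[str] = None
    redirect_to: Optional[str] = None


def secure(request: Request, clients: List[Client],
           authorizers: List[Callable[[Profile], bool]],
           session_profile: Optional[Profile] = None) -> Result:
    """Apply the three steps from the quoted DefaultSecurityLogic comments."""
    profile, used = session_profile, None

    # Step 1: no profile yet -> try a login with each *direct* client, in list order.
    if profile is None:
        for client in (c for c in clients if c.direct):
            candidate = client.authenticate(request)
            if candidate is not None:
                profile, used = candidate, client.name
                break

    # Step 2: a profile exists -> every authorizer must accept it, else 403.
    if profile is not None:
        if all(check(profile) for check in authorizers):
            return Result(200, profile, used)
        return Result(403, profile, used)

    # Step 3: still no profile -> redirect only if the *first* listed client is
    # indirect; otherwise 401.
    first = clients[0]
    if not first.direct:
        return Result(302, redirect_to=f"https://idp.example/{first.name}/login")
    return Result(401)


# --- constructed clients and authorizers (placeholders, not real pac4j objects) ---
VALID_TOKEN = "Bearer constructed-valid-jwt"   # constructed sample value


def jwt_auth(req: Request) -> Optional[Profile]:
    return {"id": "alice", "role": "admin"} if req.get("Authorization") == VALID_TOKEN else None


def anonymous_auth(req: Request) -> Optional[Profile]:
    return {"id": "anonymous", "role": "anon"}  # always succeeds, like an anonymous client


def facebook_auth(req: Request) -> Optional[Profile]:
    return None  # indirect client: never authenticates without a redirect round-trip


JWT = Client("JWTClient", True, jwt_auth)
ANON = Client("AnonymousClient", True, anonymous_auth)
FACEBOOK = Client("FacebookClient", False, facebook_auth)


def is_admin(p: Profile) -> bool:
    return p.get("role") == "admin"


def scenarios() -> Dict[str, Result]:
    """One Result per client ordering so the effect of the order is visible."""
    with_token = {"Authorization": VALID_TOKEN}
    no_token: Request = {}
    return {
        # direct client first, valid token: granted via JWTClient
        "jwt_ok": secure(with_token, [JWT, FACEBOOK], [is_admin]),
        # direct client first, no credentials: 401, not a redirect
        "jwt_missing": secure(no_token, [JWT, FACEBOOK], [is_admin]),
        # indirect client first, no credentials: redirect to the identity provider
        "facebook_first": secure(no_token, [FACEBOOK, JWT], [is_admin]),
        # authenticated but not authorized: 403
        "jwt_not_admin": secure(with_token, [JWT, FACEBOOK], [lambda p: p["id"] == "bob"]),
        # the question's order: in this model AnonymousClient wins before JWTClient is asked
        "anon_first": secure(with_token, [ANON, FACEBOOK, JWT], [is_admin]),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:15} -> {r.status} via {r.client_used} {r.redirect_to or ''}")
```

Running the block prints one line per scenario; the last one is the practical caveat of the question's ordering: under this model's assumption, a profile-producing client such as AnonymousClient listed before JWTClient means the JWT is never examined, so the authorizers then see an anonymous profile.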