Migration guide
Version 6 of pac4j is now required.
Permissions are now handled via pac4j user attributes. profile.addPermission("PERM1"); is replaced by profile.addAttribute(Pac4jRealm.SHIRO_PERMISSIONS, Arrays.asList("PERM1"));.
The JEE filters (io.buji.pac4j.filter.*Filter) have been removed and the security components of the pac4j security library (for example: javaee-pac4j and its org.pac4j.jee.filter.*Filter) must be used instead.
The callback endpoint must be explicitly defined in your shiro.ini configuration.
The pac4j-javaee artifact is pulled instead of the pac4j-jee artifact: JEE components are now in the org.pac4j.jee package.
The pac4j-jee artifact is pulled instead of the pac4j-core artifact.
Version 5.x of pac4j is now required. JDK 11 is required too.
The multiProfile and saveInSession options are now removed from the filters and handled at the Client level.
Version 4.x of pac4j is now required.
Version 3.x of pac4j is now required.
Version 2.x of pac4j is now required.
Instead of using the shiro-cas module, you need to use the buji-pac4j library and the pac4j-cas module. The two implementations work in a similar way, though.
The CasFilter is replaced by the CallbackFilter, which has the same role (receiving callbacks from identity providers), but not only for CAS.
The CasRealm is replaced by the Pac4jRealm and the CasSubjectFactory by the Pac4jSubjectFactory.
Finally, you must use the SecurityFilter to secure a URL, in addition to the default Shiro filters (like roles).
The config, clients, pac4jRealm, pac4jSubjectFactory and callbackFilter components are available by default (they are automatically loaded thanks to the Pac4jIniEnvironment component).
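
A shiro.ini for the shiro-cas migration described above, for versions in which the io.buji.pac4j.filter filters still exist. This is an added example, not taken from the project's own documentation; the host names, URL patterns, the casSecurityFilter name and the ROLE_ADMIN role are assumptions.

```ini
[main]
# Assumed placeholders: cas.example.org is the CAS server,
# app.example.org is this application.
casConfig = org.pac4j.cas.config.CasConfiguration
casConfig.loginUrl = https://cas.example.org/login
casClient = org.pac4j.cas.client.CasClient
casClient.configuration = $casConfig

# "clients" and "config" are default components loaded by Pac4jIniEnvironment,
# so they are configured here without being declared.
clients.callbackUrl = https://app.example.org/callback
clients.clients = $casClient

# SecurityFilter takes over URL protection and is limited to the CAS client,
# so no other configured client can be used to authenticate on these URLs.
casSecurityFilter = io.buji.pac4j.filter.SecurityFilter
casSecurityFilter.config = $config
casSecurityFilter.clients = CasClient

[urls]
# callbackFilter (formerly CasFilter) receives the identity provider callback.
/callback = callbackFilter
# SecurityFilter authenticates first, then the default Shiro roles filter
# checks the roles exposed through Pac4jRealm.
/admin/** = casSecurityFilter, roles[ROLE_ADMIN]
/protected/** = casSecurityFilter
/** = anon
```

Shiro applies the first matching pattern in [urls], so the catch-all anon entry must stay last or it will expose the protected paths.
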
The buji-pac4j library changes significantly in version 2:
- the core and servlet modules are merged back into one main module
- the ClientRealm is replaced by the Pac4jRealm and the ClientToken by the Pac4jToken
- the ClientUserFilter, ClientPermissionsAuthorizationFilter and ClientRolesAuthorizationFilter.java are removed, more generally replaced by the SecurityFilter, which ensures the URL security (as usual in the pac4j world)
- the CallbackFilter replaces the ClientFilter to finish the login process for indirect clients (as usual in the pac4j world).