Migration guide - pac4j/spring-security-pac4j GitHub Wiki

-> 10.x

Version 6 of pac4j is now required.

-> 9.x

Spring framework 6 and JDK 17 are now required.

-> 8.x

The JEE filters (org.pac4j.springframework.security.web.*Filter) have been removed. Use the security components of the pac4j security library instead (for example: javaee-pac4j and its org.pac4j.jee.filter.*Filter).

The callback and logout endpoints must be explicitly defined on specific paths.

-> 7.x

The pac4j-javaee artifact is pulled instead of the pac4j-jee artifact: JEE components are now in the org.pac4j.jee package.

-> 6.1+

The pac4j-jee artifact is pulled instead of the pac4j-core artifact.

5.x -> 6.x

Version 5.x of pac4j is now required. JDK 11 is required too.

The multiProfile and saveInSession options are now removed from the filters and handled at the Client level.

4.x -> 5.x

Version 4.x of pac4j is now required.

3.x -> 4.x

Version 3.x of pac4j is now required.

2.1 -> 3.0

Version 2.x of pac4j is now required.

You can use the pac4j LogoutFilter to handle both local (application) and remote (identity server) logout processes.

2.0 -> 2.1

The CallbackFilter only applies to /callback by default, so if you need a different callback endpoint (another value) or need to apply it globally (empty value), change this with the setSuffix method.

The Pac4jEntryPoint can be defined with the config and clientName parameters to redirect to an identity provider for login.

1.4 -> 2.0

The spring-security-pac4j library has changed substantially in version 2:

  • the ClientAuthenticationProvider has been removed as the authentication happens in the SecurityFilter (for direct clients) or in the CallbackFilter (for indirect clients)
  • the ClientAuthenticationEntryPoint is replaced by the Pac4jEntryPoint which should never be called
  • the ClientAuthenticationToken is replaced by the Pac4jAuthenticationToken and Pac4jRememberMeAuthenticationToken (depending on the use case)
  • the security is ensured by the SecurityFilter (as usual in the pac4j world)
  • the CallbackFilter finishes the login process for indirect clients (as usual in the pac4j world) and replaces the ClientAuthenticationFilter.