
I have an app using pac4j with a JWT client (i.e. a direct client) and I would like to use AnonymousClient as fallback. How can I make sure AnonymousClient will be called AFTER JwtClient? Is DefaultSecurityLogic respecting the order the clients are provided?

I also had a look at setProfileFactoryWhenNotAuthenticated, but in the doc they only mention its use with indirect clients (and I tried with my JwtClient and it didn't work).

To make it even more spicy I actually use an indirect client and I would like AnonymousClient to be used as a fallback for the whole chain of clients. Using setProfileFactoryWhenNotAuthenticated on my indirect client would not work as I want AnonymousClient to be used even when the direct client is discarded because the request is AJAX.

To sum up, what I am trying to do is:

  • If AJAX: direct clients > Anonymous
  • If not AJAX: direct clients > indirect client > Anonymous

Any idea?

stackoverflowed

1 Answer


The question is not recent but I was trying to do something similar and found how to do it.

The Anonymous part here is described as Silent Login in: https://www.pac4j.org/docs/clients.html#8-silent-login

Example:

myClient.setProfileFactoryWhenNotAuthenticated(p -> AnonymousProfile.INSTANCE);

  1. direct clients > Anonymous

I suppose you need to list all your direct clients and call the above method on the last client on the list.

  2. direct clients > indirect client > Anonymous

This one is counter-intuitive because you need to put the indirect client first in your client list and then the direct clients. But I guess it's the same as above, you need to call the setProfileFactoryWhenNotAuthenticated method on the last direct client.

From the DefaultSecurityLogic documentation (emphasis is mine):

  • First, if the user is not authenticated (no profile) and if some clients have been defined in the clients parameter, a login is tried for the direct clients.

  • Then, if the user has a profile, authorizations are checked according to the authorizers configuration. If the authorizations are valid, the user is granted access. Otherwise, a 403 error page is displayed.

  • Finally, if the user is not authenticated (no profile), he is redirected to the appropriate identity provider if the first defined client is an indirect one in the clients configuration. Otherwise, a 401 error page is displayed.

scharette