On Wed, Dec 24, 2025 at 07:57:42AM +0100, Jean-Baptiste Onofré wrote:
> Hi Chaz,
> 
> As far as I know, no one has tried using pac4j in Karaf yet.
> 
> I can take a look at this after Christmas, as it likely requires some
> wrapping and integration logic. Perhaps we could work on this together?
> 
> Regards,
> JB
> 
> On Tue, Dec 23, 2025 at 4:11 PM Chaz Kettleson via dev <[email protected]>
> wrote:
> 
> > Hello,
> >
> > Has anyone used pac4j successfully in karaf? Currently I use JAX-RS
> > Whiteboard through the Apache Aries implementation. I also use the
> > integration with Apache Shiro. I was looking to either replace Shiro
> > with pac4j (I need to do a lot of OIDC related things) or potentially
> > integrate them. After spending a few days with this it appears
> > non-trivial (or at least for me).
> >
> > --
> > Chaz
> >

Hi JB,

Yes, I'd love to help. Here is a list of some of the goals:

1. Add pac4j integration with Aries
  - Bundle feature aries-jax-rs-whiteboard-pac4j
  - Look at pac4j current integration with JAX-RS
  - Make Authenticators / Authorizers components that are discovered.
    Similar to how Realm in Shiro is discovered.
2. Implement a JAAS Authenticator/Authorizer
  - Map UserProfile->JAAS Subject
  - Allow re-using local karaf accounts
3. Karaf service guard integration
  - Bundle feature
  - CXF interceptor to invoke via Subject.do/callAs
  - Allows centralization of permissions via ACL
4. OIDC flows for webconsole, hawtio
  - Augment existing username/password-based login with OIDC
  - Make it easy for default features to make use of this integration

I've done 2/3 equivalent with the Shiro integration. For example
I have a JAASRealm that allows selecting a jaas realm via ConfigAdmin to 
perform a login. Similarly I have created interceptors and helper
methods to convert Shiro Subjects to JAAS Subjects so REST interfaces
use the same authorization layer as logged in users via service guard. 

Let me know where best to collaborate.

-- 
Chaz
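
The mapping described in goals 2 and 3 above, as an added example that is not code from this thread or from pac4j, Shiro or Karaf: a profile's id and roles become JAAS principals on a read-only Subject, and the call runs under Subject.callAs so a role check further down sees them. Profile, UserPrincipal, RolePrincipal and listBundles are hypothetical stand-ins; Java 18+ is assumed for Subject.callAs and Subject.current().

```java
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;

public class ProfileToSubjectExample {
    // Hypothetical stand-in for an authenticated profile (id + roles); not pac4j's own type.
    record Profile(String id, Set<String> roles) {}

    // Hypothetical principal types standing in for the ones the container's ACLs match on.
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Map the profile to a JAAS Subject; refuse anonymous or empty profiles.
    static Subject toSubject(Profile profile) {
        if (profile == null || profile.id() == null || profile.id().isBlank()) {
            throw new SecurityException("no authenticated profile");
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(profile.id()));
        for (String role : profile.roles()) {
            subject.getPrincipals().add(new RolePrincipal(role));
        }
        subject.setReadOnly(); // code running as this Subject cannot add roles to it
        return subject;
    }

    // Stand-in for a guarded service method: it trusts only the current Subject's roles.
    static String listBundles() {
        Subject current = Subject.current();
        if (current == null
                || !current.getPrincipals(RolePrincipal.class).contains(new RolePrincipal("admin"))) {
            throw new SecurityException("role admin required");
        }
        return "bundle list";
    }

    public static void main(String[] args) {
        Profile alice = new Profile("alice", Set.of("admin")); // constructed sample data
        Profile bob = new Profile("bob", Set.of("viewer"));    // constructed sample data
        System.out.println(Subject.callAs(toSubject(alice), ProfileToSubjectExample::listBundles));
        try {
            Subject.callAs(toSubject(bob), ProfileToSubjectExample::listBundles);
        } catch (CompletionException e) { // callAs wraps whatever the action throws
            System.out.println("denied: " + e.getCause().getMessage());
        }
    }
}
```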
