Hi,

Given the latest security vulnerabilities (https://www.pac4j.org/blog/security-advisory-pac4j-jwt-jwtauthenticator.html + https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html), I am increasingly inclined to minimize the attack surface and ultimately remove the pac4j-config module in version 6.5.0...

Thanks.
Best regards,
Jérôme

On Mon, 23 Mar 2026 at 08:52, Jérôme LELEU <[email protected]> wrote:

> Hi,
>
> I'm Jérôme LELEU, the creator of pac4j, the framework you use for security.
>
> At the beginning of April, I will release the new version 6.4.0 which
> supports the OpenID Federation protocol. It brings many more configuration
> options which won't be available via properties. In addition, the
> `pac4j-config` module is deprecated as pac4j configurations should be
> defined programmatically (more comprehensive and easier configuration).
>
> In your case, it means that the existing properties should be replaced by
> a new one to define the configuration factory class whose role is to build
> the pac4j configuration:
> https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/config/ConfigFactory.java
>
> What do you think?
>
> Thanks.
> Best regards,
> Jérôme
