I've used to securing rest api with spring security + spring session. This way allows me to auth client and generate his own session token which includes in every further request in header or cookie instead of login and password. I want to use this approach for ratpack + pac4j but I can't find any examples or documentation. Can anyone help me?
See official docs on pac4j integration (unfortunately, it's scanty). Also you can use official example project on Github.
More precisely, use CookieClient for cookie-based auth and HeaderClient for header-based auth from pac4j-http module. Example project doesn't show usage of this clients, but their use is similar to other client from http module, like FormClient.