2 Replies Latest reply on Nov 24, 2015 12:55 PM by arthurgregorio

    Authorization for URLs with Login Form

    kmranganathan

      Hi,

      I am developing a regular JSF application. The authentication is working fine with a login form.

      At the same time, I also want to secure the URLs with authorization. For example, a user may bookmark an admin URL and hit it directly, in which case I want to show the login form.

      I configure the PicketLink security as follows:

              import javax.enterprise.event.Observes;

              import org.picketlink.config.SecurityConfigurationBuilder;
              import org.picketlink.event.SecurityConfigurationEvent;

              // Class and observer method added so the snippet is complete; the class name is arbitrary
              public class HttpSecurityConfig {

                  public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
                      SecurityConfigurationBuilder builder = event.getBuilder();

                      builder.http()
                              .allPaths()
                                  .authenticateWith()   // every path: form login
                                      .form()
                                          .loginPage("/faces/login.xhtml")
                                          .errorPage("/faces/error.xhtml")
                              .forPath("/logout")
                                  .logout()
                              .forPath("/faces/admin/*")
                                  .authorizeWith().role("ADMIN");   // admin pages also need the ADMIN role
                  }
              }

       

      When I try to load the index page, it shows the login page correctly. However, when I hit the 'admin' URL directly, it doesn't show the login page.

      Instead I get a simple message:

      "The given path [/faces/admin/*] requires authentication."

      I am using 2.7.0.FINAL and JEE 7 (WildFly 8.1).

      I don't understand why it doesn't show me the login form when I hit the URL directly (and the message indicates the need for authentication, in which case it should have shown the login page).

      Is my configuration not good enough?

      Thanks,

      Ranga.

        • 1. Re: Authorization for URLs with Login Form
          arthurgregorio

          Same problem here.

          It seems PicketLink is not working for URL-based security.

          My configuration:

          import javax.enterprise.event.Observes;
          import javax.inject.Inject;

          import org.picketlink.config.SecurityConfigurationBuilder;
          import org.picketlink.event.SecurityConfigurationEvent;

          // Class wrapper, imports and the injected field added so the snippet compiles;
          // the post showed only the observer method. AuthorizationBean is assumed to
          // hold the role-name constants referenced below.
          public class PortalSecurityConfig {

              @Inject
              private AuthorizationBean authorization;

              public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
                  final SecurityConfigurationBuilder builder = event.getBuilder();

                  builder.http()
                          .allPaths()
                              .authenticateWith()   // every path: form login
                              .form()
                                  .loginPage("/home.xhtml")
                                  .errorPage("/home.xhtml?login-failed=true")
                          .forPath("/logout")
                              .logout()
                              .redirectTo("/home.xhtml?faces-redirect=true")
                          .forPath("/javax.faces.resource/*")
                              .unprotected()   // JSF resources (css, js, images) need no login
                          .forPath("/portal/bookings/consulting/*")
                              .authorizeWith()
                                  .role(this.authorization.BOOKING_CONSULT)
                          .forPath("/portal/bookings/inclusion/*")
                              .authorizeWith()
                                  .authorizer(CustomPathAuthorizer.class)   // custom check, see below
                                  .role(this.authorization.BOOKING_ACCESS)
                          .forPath("/portal/bookings/myBookings/*")
                              .authorizeWith()
                                  .role(this.authorization.BOOKING_MY_BOOKINGS)
                          .forPath("/portal/controls/arrivalControl/*")
                              .authorizeWith()
                                  .role(this.authorization.ARRIVAL_CONTROL_ACCESS)
                          .forPath("/portal/accreditedAgent/agency/*")
                              .authorizeWith()
                                  .role(this.authorization.AGENCY_ACCESS)
                          .forPath("/portal/accreditedAgent/seller/*")
                              .authorizeWith()
                                  .role(this.authorization.SELLER_ACCESS)
                          .forPath("/portal/tools/group/*")
                              .authorizeWith()
                                  .role(this.authorization.GROUP_ACCESS)
                          .forPath("/portal/tools/user/*")
                              .authorizeWith()
                                  .role(this.authorization.USER_ACCESS);
              }
          }

           

          But when I try to access the "secure" URL directly, PL doesn't validate the roles.

          I tried to write a custom PathAuthorizer, but even when it always returns true, I get HTTP 403 on the client:

          11:04:36,077 ERROR [org.picketlink.http] (default task-54) Exception thrown during processing for path [/portal/bookings/inclusion/stepProducts.xhtml]. Sending error with status code [403].: org.picketlink.http.AccessDeniedException: The request for the given path [/portal/bookings/inclusion/*] was forbidden.
            at org.picketlink.http.internal.SecurityFilter.doFilter(SecurityFilter.java:189)

          My custom PathAuthorizer for testing purposes:

          // Imports added (PicketLink 2.7 package names); the post showed only the class body
          import javax.inject.Inject;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;

          import org.picketlink.config.http.PathConfiguration;
          import org.picketlink.http.authorization.PathAuthorizer;

          public class CustomPathAuthorizer implements PathAuthorizer {

              @Inject
              private AuthorizationBean authorizationBean;

              /**
               * Test authorizer: grants every request, so any 403 seen by the
               * client must come from the filter itself, not from this check.
               */
              @Override
              public boolean authorize(PathConfiguration pathConfiguration,
                      HttpServletRequest request, HttpServletResponse response) {
                  return true;
              }
          }
          • 2. Re: Authorization for URLs with Login Form
            arthurgregorio

            I made this PR [1] on the PL repo.

            With this you can write your own method to check whether the defined URL is accessible or not by the authenticated user.

            [1] Custom authorizers and roles by arthurgregorio · Pull Request #499 · picketlink/picketlink · GitHub
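A fuller version of the custom PathAuthorizer idea discussed in this thread, added here as an example and not code from the thread or from the PicketLink project: it denies by default and grants only when the logged-in account holds the role mapped to the path pattern that matched, logging every refusal so a 403 can be traced to its cause. It assumes the PicketLink 2.7 package names in the imports, that PathConfiguration exposes the configured pattern through getUri(), and the constructed path-to-role mapping.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.picketlink.Identity;
import org.picketlink.config.http.PathConfiguration;
import org.picketlink.http.authorization.PathAuthorizer;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;

// Deny-by-default: the request passes only if the caller is logged in and
// holds the role mapped to the path pattern that matched.
public class RoleByPathAuthorizer implements PathAuthorizer {

    private static final Logger LOG = Logger.getLogger(RoleByPathAuthorizer.class.getName());
    // Constructed sample mapping: configured path pattern -> required role name
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("/faces/admin/*", "ADMIN");
        REQUIRED_ROLE.put("/portal/tools/user/*", "USER_ACCESS");
    }

    @Inject private Identity identity;                       // current caller
    @Inject private IdentityManager identityManager;         // role lookup
    @Inject private RelationshipManager relationshipManager; // role membership

    @Override
    public boolean authorize(PathConfiguration pathConfiguration,
                             HttpServletRequest request, HttpServletResponse response) {
        String pattern = pathConfiguration.getUri(); // assumed accessor for the configured pattern
        String roleName = REQUIRED_ROLE.get(pattern);
        // unknown pattern or anonymous caller: refuse rather than fall open
        if (roleName == null || !identity.isLoggedIn()) {
            LOG.warning("denied " + request.getRequestURI() + " (pattern " + pattern + ")");
            return false;
        }
        Role role = BasicModel.getRole(identityManager, roleName);
        boolean granted = role != null
                && BasicModel.hasRole(relationshipManager, identity.getAccount(), role);
        if (!granted) LOG.warning("denied " + request.getRequestURI() + ": needs role " + roleName);
        return granted;
    }
}
```

Register it on a path with `.authorizeWith().authorizer(RoleByPathAuthorizer.class)` as in the configuration above; with the filter behaviour reported in this thread, a false result still surfaces as the 403 shown in the log.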