I'm developing a Java web application with PicketLink and I have managed all the page access with the class HttpSecurityConfiguration.java. So when I log in with the administrator login I can access the "protected" pages, which are located in the admin folder, while navigating the website. If I do not log in with the administrator login I cannot access the pages which are in the admin folder. But as a user I can directly access the admin pages by entering the direct URL into the browser's address bar. How can I avoid this?
This is my HttpSecurityConfiguration.java
package fr.esisar.frigolo.portail;

import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

public class HttpSecurityConfiguration {

    // PicketLink fires this event at startup; the builder configures the HTTP security filter.
    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // Every .xhtml page requires form authentication.
                .forPath("/*.xhtml")
                    .authenticateWith()
                        .form()
                            .authenticationUri("/loginTonic.xhtml")
                            .loginPage("/loginTonic.xhtml")
                            .errorPage("/error.xhtml")
                            .restoreOriginalRequest()
                    .logout()
                        .redirectTo("/portail.xhtml")
                // Role check applies only to this single page, not to the whole admin folder.
                .forPath("/admin/adminPage.xhtml")
                    .authorizeWith()
                        .role("administrateur");
    }
}
I think I faced the same problem and remember finding a solution.
Can you try
.forPath("/admin/*").authorizeWith()...
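For readers who want the complete configuration rather than the fragment: this is an added example, not the asker's code or PicketLink's own sample, rewritten so that the role requirement covers the whole /admin/ folder with the wildcard pattern from the answer. The package, the role name "administrateur" and the page names are taken from the question; the separate "/logout" path and the "/*" pattern are assumptions that follow the structure of the PicketLink fluent API (forPath, authenticateWith, form, logout, authorizeWith, role). The original rule only named /admin/adminPage.xhtml, so any other page under /admin/ was merely subject to the authentication rule and any logged-in user could open it by URL; with "/admin/*" the PicketLink filter evaluates the role on every request matching that pattern, whether the link was rendered in the UI or typed by hand.

```java
package fr.esisar.frigolo.portail;

import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example (not the asker's code): same application, but the authorization
// rule is bound to the folder pattern "/admin/*" instead of one page.
public class HttpSecurityConfiguration {

    public void onInit(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // Authentication: every path goes through the login form.
                // ("/*" is an assumption; the question used "/*.xhtml".)
                .forPath("/*")
                    .authenticateWith()
                        .form()
                            .authenticationUri("/loginTonic.xhtml")
                            .loginPage("/loginTonic.xhtml")
                            .errorPage("/error.xhtml")
                            .restoreOriginalRequest()
                // Logout on its own URL (assumed "/logout") rather than chained
                // under the form configuration of the catch-all path.
                .forPath("/logout")
                    .logout()
                        .redirectTo("/portail.xhtml")
                // Authorization: enforced server-side by the PicketLink filter on
                // every request under /admin/, so a direct URL is rejected for a
                // user who lacks the role, regardless of what the UI shows.
                .forPath("/admin/*")
                    .authorizeWith()
                        .role("administrateur");
    }
}
```

Two things worth checking after the change. First, the role must actually be granted to the administrator account in the identity store; the path rule only tests membership, it does not create it. Second, verify the rule the way the attacker would: log in as a non-administrator, then request /admin/adminPage.xhtml and another page under /admin/ directly from the address bar (or with curl, reusing the session cookie) and confirm that both are refused rather than served. Hiding the menu link in the page is cosmetic; only the path rule is an access control.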