0 Replies Latest reply on Nov 14, 2014 5:12 AM by Stefan Biermann

    Picketlink 2.7.0.CR2: Bug in RolePathAuthorizer when using multiple roles for a path

    Stefan Biermann Newbie


      I have a problem when I try to add multiple roles for access to a URL of my application.


      I have defined the path and both roles that should have access to the path.


          public void onInit(@Observes SecurityConfigurationEvent event) {
              SecurityConfigurationBuilder builder = event.getBuilder();
              // The post only shows the .role(...) call; the surrounding builder chain is
              // reconstructed here and PROTECTED_PATH stands in for the path the post omits.
              builder
                  .http()
                      .forPath(PROTECTED_PATH)
                      .authorizeWith()
                          .role(ADMIN_ROLE_NAME, USER_ROLE_NAME);
          }


      If only one role is added in .role(...) it works perfectly, but if I add two or more roles it doesn't work. After debugging I found the problem in the RolePathAuthorizer file. The following shows the method in that file.


          protected boolean doAuthorize(PathConfiguration pathConfiguration, HttpServletRequest request, HttpServletResponse response) {
              AuthorizationConfiguration authorizationConfiguration = pathConfiguration.getAuthorizationConfiguration();
              String[] allowedRoles = authorizationConfiguration.getAllowedRoles();
              if (allowedRoles != null) {
                  Identity identity = getIdentity();
                  for (String roleName : allowedRoles) {
                      // returns on the first role the user lacks; later roles are never checked
                      if (!hasRole(identity, this.partitionManager, roleName)) {
                          return false;
                      }
                  }
              }
              return true;
          }



      Line 12 is IMHO wrong, because if you have two roles and the user matches only the second role, the check returns false for the first role, and the second role, which matches for the user, is never checked.


      I think inverting the if clause and returning false at the end of the method would solve the problem.


      Is this a bug or have I missed something in the configuration?
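To make the behaviour described in the post concrete, here is an added stand-alone example (not PicketLink's own code and not part of the original post) that re-creates the role loop from doAuthorize() next to the inverted version the post proposes. PicketLink's Identity, PartitionManager and PathConfiguration types are replaced by a plain Set of role names per user, which is an assumption for illustration only; the sample role names and users are constructed for the demo. One caveat worth keeping in mind when applying the proposed inversion: the original method returns true when getAllowedRoles() is null, i.e. a path with no role constraint is open, so the "return false at the end" must sit inside the null guard, otherwise every unconstrained path would start failing closed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class RolePathCheckDemo {

    // Mirrors the loop in the posted doAuthorize(): the method returns false on
    // the first listed role the user does NOT hold, so only a user holding
    // every listed role is authorized. A user with just the second role is
    // rejected before that role is ever looked at.
    static boolean allRolesRequired(String[] allowedRoles, Set<String> userRoles) {
        if (allowedRoles != null) {
            for (String roleName : allowedRoles) {
                if (!userRoles.contains(roleName)) {
                    return false;
                }
            }
        }
        return true;
    }

    // The inversion proposed in the post: return true on the first listed role
    // the user holds and false only after every listed role has been checked.
    // The null guard from the original is kept so that a path with no role
    // constraint stays open; a bare "return false at the end" without it
    // would deny every unconstrained path.
    static boolean anyRoleSufficient(String[] allowedRoles, Set<String> userRoles) {
        if (allowedRoles == null) {
            return true;
        }
        for (String roleName : allowedRoles) {
            if (userRoles.contains(roleName)) {
                return true;
            }
        }
        return false;
    }

    // Stand-in for hasRole(identity, partitionManager, roleName): the user's
    // roles are just a set of names here (assumption for the demo).
    private static Set<String> roles(String... names) {
        return new HashSet<>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        // Constructed sample data: two allowed roles, as in the post's
        // .role(ADMIN_ROLE_NAME, USER_ROLE_NAME) call, and four users.
        String[] allowed = {"Administrator", "User"};
        Set<String> adminOnly = roles("Administrator");
        Set<String> userOnly = roles("User");
        Set<String> both = roles("Administrator", "User");
        Set<String> guest = roles("Guest");

        System.out.println("posted loop (every listed role required):");
        System.out.println("  Administrator only : " + allRolesRequired(allowed, adminOnly));
        System.out.println("  User only          : " + allRolesRequired(allowed, userOnly));
        System.out.println("  both roles         : " + allRolesRequired(allowed, both));
        System.out.println("  Guest              : " + allRolesRequired(allowed, guest));

        System.out.println("inverted loop (any listed role sufficient):");
        System.out.println("  Administrator only : " + anyRoleSufficient(allowed, adminOnly));
        System.out.println("  User only          : " + anyRoleSufficient(allowed, userOnly));
        System.out.println("  both roles         : " + anyRoleSufficient(allowed, both));
        System.out.println("  Guest              : " + anyRoleSufficient(allowed, guest));

        System.out.println("no role constraint configured (allowedRoles == null):");
        System.out.println("  posted loop   : " + allRolesRequired(null, guest));
        System.out.println("  inverted loop : " + anyRoleSufficient(null, guest));
    }
}
```

Compile and run with `javac RolePathCheckDemo.java && java RolePathCheckDemo`. With the posted loop only the user holding both roles is authorized; with the inverted loop the Administrator-only and User-only users are authorized as well and only Guest is denied. Both versions leave a path with no configured roles open, which is the fail-open edge to test for whenever this check is changed.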