2 Replies Latest reply on Nov 24, 2015 12:55 PM by Arthur Gregório

    Authorization for URLs with Login Form

    Ranganathan Kaliyur Mannar Newbie

      Hi,

      I am developing a regular JSF application. The authentication is working fine with a login form.

      At the same time, I also want to secure the URLs with authorization. For example, an user may bookmark an admin URL and hit it directly in which case I want to show the login form.

       

      I configure the PicketLink security as follows:

              builder.http()
                      .allPaths()
                          .authenticateWith()
                              .form()
                                  .loginPage("/faces/login.xhtml")
                                  .errorPage("/faces/error.xhtml")
                      .forPath("/logout")
                          .logout()
                      .forPath("/faces/admin/*")
                          .authorizeWith().role("ADMIN")
      
      

       

      When I try to load the index page, it shows the login page correctly. However, when I hit the 'admin' URL directly, it doesn't show the login page.

      Instead I get a simple message:

      "The given path [/faces/admin/*] requires authentication."

       

      I am using 2.7.0.FINAL and JEE 7 (WildFly 8.1)

       

      I don't understand why it doesn't show me the login form when I hit the URL directly (and the msg indicates the need for authentication in which case it should have shown the login page).

      Is my configuration not good enough?

       

      Thanks,

      Ranga.

        • 1. Re: Authorization for URLs with Login Form
          Arthur Gregório Newbie

          Same problem here.

           

          Seems to picketlink not working for URL based security.

           

          My configuration:

           

          public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
          
          
              final SecurityConfigurationBuilder builder = event.getBuilder();
          
          
              builder.http()
                      .allPaths()
                          .authenticateWith()
                          .form()
                              .loginPage("/home.xhtml")
                              .errorPage("/home.xhtml?login-failed=true")
                      .forPath("/logout")
                          .logout()
                          .redirectTo("/home.xhtml?faces-redirect=true")
                      .forPath("/javax.faces.resource/*")
                          .unprotected()
                      .forPath("/portal/bookings/consulting/*")
                          .authorizeWith()
                              .role(this.authorization.BOOKING_CONSULT)
                      .forPath("/portal/bookings/inclusion/*")
                          .authorizeWith()
                              .authorizer(CustomPathAuthorizer.class)
                              .role(this.authorization.BOOKING_ACCESS)
                      .forPath("/portal/bookings/myBookings/*")
                          .authorizeWith()
                              .role(this.authorization.BOOKING_MY_BOOKINGS)
                      .forPath("/portal/controls/arrivalControl/*")
                          .authorizeWith()
                              .role(this.authorization.ARRIVAL_CONTROL_ACCESS)
                      .forPath("/portal/accreditedAgent/agency/*")
                          .authorizeWith()
                              .role(this.authorization.AGENCY_ACCESS)
                      .forPath("/portal/accreditedAgent/seller/*")
                          .authorizeWith()
                              .role(this.authorization.SELLER_ACCESS)
                      .forPath("/portal/tools/group/*")
                          .authorizeWith()
                              .role(this.authorization.GROUP_ACCESS)
                      .forPath("/portal/tools/user/*")
                          .authorizeWith()
                              .role(this.authorization.USER_ACCESS);
          }}
          

           

          But when try to access directly to the "secure" URL, PL don't validate de roles.

           

          I try to write a custom PathAuthorizer but even always returning true, i get http 403 on the client:

           

          11:04:36,077 ERROR [org.picketlink.http] (default task-54) Exception thrown during processing for path [/portal/bookings/inclusion/stepProducts.xhtml]. Sending error with status code [403].: org.picketlink.http.AccessDeniedException: The request for the given path [/portal/bookings/inclusion/*] was forbidden.
            at org.picketlink.http.internal.SecurityFilter.doFilter(SecurityFilter.java:189)
          

           

          My custom pathAuthorizer for testing purposes

           

          public class CustomPathAuthorizer implements PathAuthorizer {
          
          
              @Inject
              private AuthorizationBean authorizationBean;
          
          
              /**
              *
              * @param pathConfiguration
              * @param request
              * @param response
              * @return
              */
              @Override
              public boolean authorize(PathConfiguration pathConfiguration,
                      HttpServletRequest request, HttpServletResponse response) {
          
          
                  return true;
              }
          }
          
          • 2. Re: Authorization for URLs with Login Form
            Arthur Gregório Newbie

            I made this PR [1] on PL repo.

             

            With this you can write your own method to check if the defined URL is accessible or not by the authenticated user

             

            [1] Custom authorizers and roles by arthurgregorio · Pull Request #499 · picketlink/picketlink · GitHub