2 Replies Latest reply on Nov 24, 2015 12:55 PM by Arthur Gregório

    Authorization for URLs with Login Form

    Ranganathan Kaliyur Mannar Newbie


      I am developing a regular JSF application. The authentication is working fine with a login form.

      At the same time, I also want to secure the URLs with authorization. For example, a user may bookmark an admin URL and hit it directly, in which case I want to show the login form.


      I configure the PicketLink security as follows:



      When I try to load the index page, it shows the login page correctly. However, when I hit the 'admin' URL directly, it doesn't show the login page.

      Instead I get a simple message:

      "The given path [/faces/admin/*] requires authentication."


      I am using 2.7.0.FINAL and JEE 7 (WildFly 8.1)


      I don't understand why it doesn't show me the login form when I hit the URL directly (and the msg indicates the need for authentication in which case it should have shown the login page).

      Is my configuration not good enough?




        • 1. Re: Authorization for URLs with Login Form
          Arthur Gregório Newbie

          Same problem here.


          It seems PicketLink is not working for URL-based security.


          My configuration:


          public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
              final SecurityConfigurationBuilder builder = event.getBuilder();
              // (the rest of the configuration is missing from the post)
          }


          But when I try to access the "secure" URL directly, PL doesn't validate the roles.


          I tried to write a custom PathAuthorizer, but even when it always returns true, I get HTTP 403 on the client:


          11:04:36,077 ERROR [org.picketlink.http] (default task-54) Exception thrown during processing for path [/portal/bookings/inclusion/stepProducts.xhtml]. Sending error with status code [403].: org.picketlink.http.AccessDeniedException: The request for the given path [/portal/bookings/inclusion/*] was forbidden.
            at org.picketlink.http.internal.SecurityFilter.doFilter(SecurityFilter.java:189)


          My custom PathAuthorizer, for testing purposes:


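          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          import org.picketlink.config.http.PathConfiguration;
          import org.picketlink.http.authorization.PathAuthorizer;

          public class CustomPathAuthorizer implements PathAuthorizer {
              private AuthorizationBean authorizationBean;
              /**
               * @param pathConfiguration
               * @param request
               * @param response
               * @return
               */
              public boolean authorize(PathConfiguration pathConfiguration,
                      HttpServletRequest request, HttpServletResponse response) {
                  return true; // always grants access (testing only)
              }
          }
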
          • 2. Re: Authorization for URLs with Login Form
            Arthur Gregório Newbie

            I made this PR [1] on the PL repo.


            With this you can write your own method to check if the defined URL is accessible or not by the authenticated user.


            [1] Custom authorizers and roles by arthurgregorio · Pull Request #499 · picketlink/picketlink · GitHub