1 Reply Latest reply on Dec 26, 2016 9:50 AM by Ranganathan Kaliyur Mannar

    Custom Authorizer does not work

    Ranganathan Kaliyur Mannar Newbie

      Hi,

      I use one of the PL quickstarts - picketlink-authentication-jsf - and then add a custom authorizer. As the authentication in this example does not use any IDM, I want to do the same for authorization.

       

      My config is like this:

      SecurityConfigurationBuilder builder = event.getBuilder();
      builder.http()
        .forPath("/admin/*")
        .authorizeWith().role("ADMIN").authorizer(CustomPathAuthorizer.class)
        ;
      

       

      And then, my custom path authorize method is a trivial one:

      if(((User)(identity.getAccount())).getLoginName().contains("admin")) {
        return true;
      }
      return false;
      

       

      No matter which user I logon to (jsmith or another user named admin1), I get a forbidden to the admin page. I have added a sysout and can see that, the authorize method returns true (and my admin.xhtml is placed inside the admin folder).

       

      Please do provide me with some pointers, thanks.

       

      (note: there is a similar thread done last year, but doesn't answer my question: Authorization for URLs with Login Form )