I have PicketLink installed and running on my web application, but it seems like I cannot protect resources like folders by group or role. The PicketLink AuthenticationFilter (org.picketlink.authentication.web.AuthenticationFilter) does not provide any way to say which url-pattern belongs to which group or role. How would I protect the admin directory so that only users in the admin group can access it? Right now, if you are logged in you can access everything.
web.xml file:
<filter>
    <filter-name>PicketLinkAuthenticationFilter</filter-name>
    <filter-class>org.picketlink.authentication.web.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>authType</param-name>
        <param-value>FORM</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>PicketLinkAuthenticationFilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/standarduser/*</url-pattern>
</filter-mapping>
I tried to create my own custom AuthenticationFilter but I couldn't. I really wish I could do something like in Spring. Something like this, or using the IDM functions like hasRole or isMember:
<intercept-url pattern="/admin/*" access="ADMIN" />
<intercept-url pattern="/member/*" access="ADMIN,STANDARDUSER" />
Unless I completely misunderstand what you're trying to do, I think you can do what you want via the programmatic configuration interface. See the docs, section 12.2.
import javax.enterprise.event.Observes;
import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// CDI observer: PicketLink fires SecurityConfigurationEvent at startup and
// hands you the builder used to define HTTP security rules per path.
public class HttpSecurityConfiguration {

    public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // Anyone hitting a JSF page must authenticate via form login.
                .forPath("/*.jsf")
                    .authenticateWith()
                        .form()
                            .loginPage("/login.jsf")
                            .errorPage("/loginFailed.jsf")
                // Only users holding the Administrator role may reach /admin/*.
                .forPath("/admin/*")
                    .authorizeWith()
                        .role("Administrator");
    }
}
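To tie the answer back to the two Spring-style intercept-url rules in the question, here is an added example (not from the original answer and not code from the PicketLink project) that extends the same observer to cover both paths plus a group-based rule. It assumes PicketLink's HTTP security builder as used in the answer: forPath(), authorizeWith() and role(String) appear on the page; the varargs form role("A", "B"), the group(String...) method and the logout() path handler are assumptions to check against the javadoc of the version you run. The role and group names are constructed values, not anything defined by the question's application.

```java
import javax.enterprise.event.Observes;
import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example, not from the original answer: maps the question's
// Spring <intercept-url> rules onto PicketLink's programmatic HTTP security.
public class HttpSecurityConfiguration {

    public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // Every JSF page requires a logged-in user; form login as in the answer.
                .forPath("/*.jsf")
                    .authenticateWith()
                        .form()
                            .loginPage("/login.jsf")
                            .errorPage("/loginFailed.jsf")
                // Equivalent of <intercept-url pattern="/admin/*" access="ADMIN" />.
                // "ADMIN" is a constructed role name; use the one your IDM store defines.
                .forPath("/admin/*")
                    .authorizeWith()
                        .role("ADMIN")
                // Equivalent of <intercept-url pattern="/member/*" access="ADMIN,STANDARDUSER" />.
                // Assumption: role() takes several names and grants access if the
                // user holds any one of them.
                .forPath("/member/*")
                    .authorizeWith()
                        .role("ADMIN", "STANDARDUSER")
                // Group-based restriction, as the question asked for ("admin group").
                // Assumption: group(String...) exists on the authorization builder;
                // "Standard Users" is a constructed group name.
                .forPath("/standarduser/*")
                    .authorizeWith()
                        .group("Standard Users")
                // Assumption: a logout handler can be attached to a path this way.
                .forPath("/logout")
                    .logout();
    }
}
```

The role and group checks are evaluated against the same IDM relationships that hasRole and isMember query, so the authorization decision lives in one place rather than being re-implemented in a custom filter. When testing, exercise both the anonymous case (should be sent to the login page) and the logged-in-but-unauthorized case (should be refused, not silently let through), since the question's symptom was exactly the second one.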