Why does the PicketLink IDP ignore role based authorization?
Issue
Why does the PicketLink IDP ignore role based authorization?
For example, configure the PicketLink IDP to require a role ("manager") for all resources ("/*").
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager command</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
    <role-name>Sales</role-name>
    <role-name>Employee</role-name>
  </auth-constraint>
</security-constraint>
Then access the IDP directly (http://localhost:8080/idp/) and log in as a user who is not a member of the manager, Sales, or Employee roles. The server still returns the contents of an index.html.
An authenticated user who is not a member of any of those roles is able to view the file located in /hosted/index.jsp, or the file specified by the HostedURI attribute in the IDP configuration:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
      HostedURI="/test.jsp"
      AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">
  ...
  ...
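To make the expected behaviour concrete, the following is an added example (not code from the article or from the PicketLink project) that models how a servlet container is supposed to evaluate the <security-constraint> above: it parses the constraint from a constructed web.xml that wraps the page's snippet in a <web-app> root, matches the request path against the url-pattern, and checks the caller's roles against the auth-constraint. Run against the paths the article mentions (/hosted/index.jsp and the HostedURI /test.jsp), it shows that a caller without manager, Sales, or Employee should be denied, which is the decision the IDP is observed not to enforce for its hosted page. The matching is a simplified version of the Servlet specification rules (no HTTP-method or constraint-precedence handling); role names and paths other than those on the page are constructed.

```python
"""Model of servlet-container evaluation of <security-constraint> elements.

Constructed example: simplified from the Servlet specification (no
http-method or precedence handling). WEB_XML wraps the article's
security-constraint in a <web-app> root so it parses stand-alone.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager command</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>Sales</role-name>
      <role-name>Employee</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


@dataclass
class Constraint:
    patterns: List[str]
    # None: no <auth-constraint> (unrestricted); []: empty element, deny everyone
    roles: Optional[List[str]]


def parse_constraints(xml_text: str) -> List[Constraint]:
    """Extract url-patterns and required roles from each security-constraint."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip()
                    for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        constraints.append(Constraint(patterns, roles))
    return constraints


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: exact, path prefix (/x/*), extension (*.jsp), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"  # default pattern matches every path


def is_authorized(constraints: List[Constraint], path: str,
                  user_roles: List[str], authenticated: bool = True) -> bool:
    """Decide whether a caller holding user_roles may access path."""
    required = set()
    restricted = False
    for c in constraints:
        if not any(pattern_matches(p, path) for p in c.patterns):
            continue
        if c.roles is None:
            continue            # constraint carries no auth-constraint: no role requirement
        if not c.roles:
            return False        # empty <auth-constraint/> denies all callers
        restricted = True
        required.update(c.roles)
    if not restricted:
        return True             # no matching constraint restricts this path
    if "*" in required:
        return authenticated    # any authenticated user
    return authenticated and bool(required & set(user_roles))


if __name__ == "__main__":
    rules = parse_constraints(WEB_XML)
    # Constructed callers: one holding a listed role, one holding only an unrelated role
    for path in ("/hosted/index.jsp", "/test.jsp"):
        for roles in (["manager"], ["guest"]):
            print(path, roles, "->", "allow" if is_authorized(rules, path, roles) else "deny")
```

The container decision for both paths is "deny" for the guest caller, so any page the IDP serves to that caller is being served outside the web.xml authorization check. A practitioner can reuse `is_authorized` to check an application's own constraints against the roles actually assigned to test users before assuming that a hosted page is protected.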
Environment
- Red Hat Enterprise Application Platform (EAP)
- 6.x
