Why does the PicketLink IDP ignore role based authorization?

Solution In Progress

Issue

Why does the PicketLink IDP ignore role based authorization?

For example, configure the PicketLink IDP's web.xml so that every resource ("/*") requires the caller to hold at least one of the roles manager, Sales, or Employee:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Manager command</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
        <role-name>Sales</role-name>
        <role-name>Employee</role-name>
    </auth-constraint>
</security-constraint>

Then access the IDP directly (http://localhost:8080/idp/) and log in as a user who is not a member of the manager, Sales, or Employee roles. Instead of a 403, the server returns the contents of index.html.

An authenticated user who is not a member of any of those roles is able to view /hosted/index.jsp, or whatever file the HostedURI attribute in the IDP configuration points to:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                   HostedURI="/test.jsp"
                   AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">
    ...
    ...
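To judge the behaviour above it helps to know exactly what the container is supposed to decide for that request. The following script, added here as an illustration and not part of the original article or of PicketLink itself, parses the security-constraint shown above (wrapped in a minimal web-app root so it is valid XML) and applies the Servlet-specification authorization rules: url-pattern matching, the union of role names across matching constraints, an empty auth-constraint meaning deny-all, and a missing auth-constraint meaning unrestricted. The test user, who holds only a constructed "guest" role, is an assumption used to model "a user that is not a member of manager, Sales, or Employee".

```python
"""Model the Servlet-spec security-constraint decision for the page's web.xml.

Added example; the constraint text is copied from the article, the "guest"
user and the web-app wrapper are constructed for the illustration.
"""
import xml.etree.ElementTree as ET

# Constructed: the article's security-constraint inside a minimal web-app root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager command</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>Sales</role-name>
      <role-name>Employee</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: path-prefix ('/foo/*'), extension ('*.jsp'),
    otherwise exact. Default-servlet semantics for '/' are not modelled."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def parse_constraints(web_xml):
    """Return [(url_patterns, roles)] where roles is None when the constraint
    has no auth-constraint, [] for an empty auth-constraint, else the names."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        constraints.append((patterns, roles))
    return constraints


def authorize(constraints, path, user_roles, authenticated=True):
    """Status the container should produce for path: 200, 401 or 403."""
    matching = [roles for patterns, roles in constraints
                if any(pattern_matches(p, path) for p in patterns)]
    # No matching constraint, or one without auth-constraint: unrestricted.
    if not matching or any(roles is None for roles in matching):
        return 200
    if not authenticated:
        return 401          # an auth-constraint applies: challenge first
    if any(roles == [] for roles in matching):
        return 403          # empty auth-constraint denies every role
    allowed = set().union(*matching)
    return 200 if "*" in allowed or allowed & set(user_roles) else 403


def expected_for_page_example():
    """What the article's constraint should yield for the constructed guest user
    requesting the HostedURI page."""
    constraints = parse_constraints(WEB_XML)
    return authorize(constraints, "/test.jsp", {"guest"})


if __name__ == "__main__":
    c = parse_constraints(WEB_XML)
    for path, roles in (("/test.jsp", {"guest"}), ("/hosted/index.jsp", {"Sales"})):
        print(path, sorted(roles), "->", authorize(c, path, roles))
```

The model returns 403 for the guest user on every path under "/*", so a live IDP that answers the same user with 200 and the contents of the HostedURI page is not applying this constraint to that response. The same comparison can be made against the running server by authenticating the test user through the IDP's form login and requesting the HostedURI with curl, then checking the status code and body against the model's verdict.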

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
