Why does the PicketLink IDP ignore role based authorization?

Solution In Progress - Updated -

Issue

Why does the PicketLink IDP ignore role based authorization?

For example, configure the IDP web application's web.xml to require one of the roles manager, Sales, or Employee for all resources ("/*"):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager command</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
    <role-name>Sales</role-name>
    <role-name>Employee</role-name>
  </auth-constraint>
</security-constraint>

Then access the IDP directly (http://localhost:8080/idp/) and log in as a user who is not a member of the manager, Sales, or Employee roles. Instead of denying the request, the server returns the contents of index.html.

An authenticated user who is not a member of any of those roles is able to view the file at /hosted/index.jsp, or the file named by the HostedURI attribute in the IDP configuration:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
                 HostedURI="/test.jsp"
                 AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">
    ...
    ...
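To make the expected behaviour concrete, the following script is an added example (not PicketLink or EAP code) that parses the security-constraint shown above, applies Servlet-specification URL-pattern matching, and reports whether a user holding a given set of roles should be allowed to reach a path. The web.xml fragment embedded in it is constructed from the constraint in this article; the paths "/", "/hosted/index.jsp" and "/test.jsp" are the ones named above. It models only what the container should enforce for the declarative constraint, so a practitioner can compare the result with the index.html response actually observed from the IDP; the handling of the "*" role name is a simplification and is marked as such in the code.

```python
"""Offline check of what a servlet container should enforce for a web.xml
security-constraint.  Added example, not PicketLink/EAP code."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the constraint in the article.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager command</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>Sales</role-name>
      <role-name>Employee</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the parser works with and without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml):
    """Return a list of (url_patterns, roles).  roles is None when the
    constraint has no auth-constraint (unrestricted) and [] when the
    auth-constraint is empty (nobody is allowed)."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        roles = None
        for child in sc:
            if _local(child.tag) == "auth-constraint":
                roles = [e.text.strip() for e in child if _local(e.tag) == "role-name"]
        out.append((patterns, roles))
    return out


def pattern_matches(pattern, path):
    """Servlet-spec URL pattern matching: exact, path prefix ('/x/*'),
    extension ('*.jsp'), or the default pattern '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def _specificity(pattern, path):
    """Ordering used to pick the best match: exact > longest prefix > extension > default."""
    if pattern == path:
        return (4, 0)
    if pattern.endswith("/*"):
        return (3, len(pattern))
    if pattern.startswith("*."):
        return (2, 0)
    return (1, 0)


def is_authorized(constraints, path, user_roles):
    """Decide whether a user holding user_roles may reach path.  Only the
    constraints whose pattern is the best match for the path are applied."""
    matched = [(p, roles) for patterns, roles in constraints
               for p in patterns if pattern_matches(p, path)]
    if not matched:
        return True  # no constraint covers this path
    best = max(_specificity(p, path) for p, _ in matched)
    allowed = set()
    for p, roles in matched:
        if _specificity(p, path) != best:
            continue
        if roles is None:
            return True  # an unconstrained collection on the same pattern opens it
        allowed.update(roles)
    if "*" in allowed:
        # Simplification: the spec means "every role declared in web.xml";
        # here it is treated as "the user holds at least one role".
        return bool(user_roles)
    return bool(allowed & set(user_roles))


if __name__ == "__main__":
    constraints = parse_constraints(WEB_XML)
    # Constructed users: one with no qualifying role, one Sales member.
    for path, roles in [("/", []), ("/hosted/index.jsp", ["guest"]), ("/test.jsp", ["Sales"])]:
        verdict = "allowed" if is_authorized(constraints, path, roles) else "should be denied (403)"
        print(f"{path} with roles {roles}: {verdict}")
```

Every path under the IDP context, including /hosted/index.jsp and the HostedURI target, falls under "/*", so a user without one of the three roles should be denied each of them; if the live server returns index.html for that user, the container-level constraint is not being applied to that request.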

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
