How to customize PicketLink AuthenticationFilter?

Submitted by 谁都会走 on 2019-12-08 04:55:38

Question


I have PicketLink installed and running on my web application, but it seems like I cannot protect resources like folders by group or role. The PicketLink AuthenticationFilter (org.picketlink.authentication.web.AuthenticationFilter) does not provide any way to say which url-pattern belongs to which group or role. How would I protect the admin directory so that only users in the admin group can access it? Right now, if you are logged in you can access everything.

web.xml file:

        <filter>
            <filter-name>PicketLinkAuthenticationFilter</filter-name>
            <filter-class>org.picketlink.authentication.web.AuthenticationFilter</filter-class>

            <init-param>
                <param-name>authType</param-name>
                <param-value>FORM</param-value>
            </init-param>
        </filter>

        <filter-mapping>
            <filter-name>PicketLinkAuthenticationFilter</filter-name>
            <url-pattern>/admin/*</url-pattern>
            <url-pattern>/standarduser/*</url-pattern>
        </filter-mapping>

I tried to create my own custom AuthenticationFilter, but I couldn't. I really wish I could do something like in Spring, something like this, or use the IDM functions like hasRole or isMember:

    <intercept-url pattern="/admin/*" access="ADMIN" />
    <intercept-url pattern="/member/*" access="ADMIN,STANDARDUSER" />

Answer 1:


Unless I completely misunderstand what you're trying to do, I think you can do what you want via the programmatic configuration interface. See the docs, section 12.2:

    // Imports assumed for PicketLink 2.6.x (the answer omitted them)
    import javax.enterprise.event.Observes;
    import org.picketlink.config.SecurityConfigurationBuilder;
    import org.picketlink.event.SecurityConfigurationEvent;

    public class HttpSecurityConfiguration {

        // CDI observer: PicketLink fires this event at startup so the
        // application can build its HTTP security configuration.
        public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
            SecurityConfigurationBuilder builder = event.getBuilder();

            builder
                .http()
                    // every JSF page requires FORM authentication
                    .forPath("/*.jsf")
                        .authenticateWith()
                            .form()
                                .loginPage("/login.jsf")
                                .errorPage("/loginFailed.jsf")
                    // /admin/* additionally requires the "Administrator" role
                    .forPath("/admin/*")
                        .authorizeWith()
                            .role("Administrator");
        }
    }



Answer 2:


Like previously said, the AuthenticationFilter is only about authentication.

The PicketLink team is working on full Servlet Security support, which will provide, among other things, role- and group-based authorization for the URIs of your application.

For now, I would suggest that you create your own filter.
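
A filter along the lines answer 2 suggests, added here as an example (not code from the question, the answers or the PicketLink project): mapped in web.xml after the PicketLink AuthenticationFilter, it checks the logged-in account's roles through the IDM BasicModel helpers and answers 401 when nobody is logged in and 403 when the role is missing. The path prefixes, role names and the PicketLink 2.6-style Identity/BasicModel API are assumptions.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.inject.Inject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.picketlink.Identity;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.model.Account;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Role;

// Hypothetical authorization filter; map it in web.xml AFTER the PicketLink
// AuthenticationFilter so the Identity bean is already populated.
public class RoleAuthorizationFilter implements Filter {

    // Path prefix -> role names allowed there (assumed names; adapt to your IDM data).
    private static final Map<String, String[]> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/admin/", new String[] {"Administrator"});
        RULES.put("/standarduser/", new String[] {"Administrator", "StandardUser"});
    }

    @Inject private Identity identity;
    @Inject private IdentityManager identityManager;
    @Inject private RelationshipManager relationshipManager;

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // Path relative to the context root, e.g. "/admin/users.jsf"
        String path = request.getRequestURI().substring(request.getContextPath().length());

        String[] allowedRoles = null;
        for (Map.Entry<String, String[]> rule : RULES.entrySet()) {
            if (path.startsWith(rule.getKey())) { allowedRoles = rule.getValue(); break; }
        }
        if (allowedRoles == null) { chain.doFilter(req, resp); return; } // no rule for this path

        if (!identity.isLoggedIn()) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        Account account = identity.getAccount();
        for (String roleName : allowedRoles) {
            Role role = BasicModel.getRole(identityManager, roleName);
            if (role != null && BasicModel.hasRole(relationshipManager, account, role)) {
                chain.doFilter(req, resp); // account holds an allowed role
                return;
            }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN); // logged in, but lacks the role
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

Group checks work the same way with BasicModel.getGroup and BasicModel.isMember in place of getRole and hasRole.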



Source: https://stackoverflow.com/questions/24657169/how-to-customize-picketlink-authenticationfilter
