Product SiteDocumentation Site

12.2.5. Permissive vs Restrictive

By default PicketLink will not enforce security for paths not explicity defined in the configuration. This is what we call the permissive behavior. It helps to get a more simple configuration and avoids you to specify every single path you want to protect or not.
But PicketLink also allows you to change this behavior and enforce that all your paths, regardless if they were defined in the configuration or not, should be protected. In this case, you should specify all paths you want to protect and specially those you don't want to enforce security such as CSS, JS and images files. We call this behavior as restrictive.
To enable the restrictive behavior you just need to provide the following configuration:
httpBuilder
    .restrictive()