Product SiteDocumentation Site

12.4.4. Expression-Based Authorization

This method allows you to perform authorization based on an expression using Java EL .
To configure this method of authorization for a specific path just do:
httpBuilder
    .forPath("/acme/*")
        .authorizeWith()
            .expression("#{identity.account.partition.name == 'Acme'}");
Here, the expression method expects one or more expressions. In this case, we're using the Identity Bean to retrieve the authenticated account and check if it belongs to the Acme partition. Pretty much the same rule we provided when using the Realm-Based Authorization method.
When writing expressions, you are allowed to use any of the available function provided by PicketLink. For a complete list, take a look at Section 11.9, “Using EL-Based Expresions”.
PicketLink provides some basic support for URL rewriting based on EL expressions. You can configure a specific path with a dynamic authorization check using EL expressions. Let's suppose you have the following configuration for a given path:
httpBuilder
    .forPath("/company/{identity.account.partition.name}/{identity.account.id}/*")
        .authorizeWith()
            .expression("#{identity.account.partition.name}", "#{identity.account.id}");
When you send a request to your application using /company/{identity.account.partition.name}/{identity.account.id}/*, PicketLink will automatically evaluate each expression to build the real path.
/company/default_partition/1/*
Once the path is rewritten, PicketLink will check if the authorization expressions matches the path. In this case, if the user tries to access a path using the identifier from another user, PicketLink will block and deny the request.