
Chapter 12. Http Security

12.1. Overview

PicketLink provides a simple API to protect your web application resources (e.g. pages and RESTful endpoints) based on the HTTP protocol and fully integrated with the Java Servlet API.
With PicketLink you add a security layer that filters every request and applies security policies to specific resources or paths in your application. These policies are built on the two major areas of application security: authentication (who the caller is) and authorization (what the caller is allowed to do).
PicketLink also provides support for the most common HTTP protection mechanisms, covering vulnerabilities such as:
  • CORS, Cross Origin Resource Sharing (In Development)
  • CSRF, Cross-Site Request Forgery (In Development)
The configuration is simple and only requires a few lines of code. The next sections cover the configuration in more detail, but a minimal setup looks like this:
import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

public class HttpSecurityConfiguration {

    // PicketLink fires SecurityConfigurationEvent once at startup; observing it
    // is how an application contributes its configuration to the builder.
    public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                .allPaths()
                    .authenticateWith()
                        .form()
                            .loginPage("/login.html")
                            .errorPage("/loginFailed.html");
    }
}
The example above is enough to enforce authentication for all your application resources and pages, using a FORM to ask users for their credentials.
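A single FORM rule over all paths is rarely the final shape of a real configuration: browser pages and REST clients need different authentication schemes, some paths need authorization on top of authentication, and the login pages themselves must stay reachable without a session. The configuration below is an added example written for this page; it is not code from the PicketLink project or documentation. The path patterns, the realm name and the "Administrator" role are constructed for illustration. It uses the builder methods from the example above plus forPath(), unprotected(), authorizeWith().role(), basic().realmName(), restoreOriginalRequest(), logout() and redirectTo(), which are assumed here to be available in the PicketLink HTTP DSL of the version this chapter documents; check them against the javadoc of the version you deploy.

```java
import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

/**
 * Added example (not PicketLink's own code): one HTTP security configuration
 * combining public paths, FORM login for pages, role-based authorization for an
 * admin area, HTTP Basic for REST clients and a logout path.
 * Path patterns, realm name and role name are assumptions made for this example.
 */
public class HttpSecurityConfiguration {

    public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        builder
            .http()
                // Pages the login flow itself depends on must not require a session,
                // otherwise an unauthenticated user is bounced to a page that also
                // demands authentication. Static assets are treated the same way.
                .forPath("/login.html").unprotected()
                .forPath("/loginFailed.html").unprotected()
                .forPath("/css/*").unprotected()

                // Browser-facing pages: FORM login. restoreOriginalRequest() sends
                // the user back to the page originally requested after a successful login.
                .forPath("/app/*")
                    .authenticateWith()
                        .form()
                            .loginPage("/login.html")
                            .errorPage("/loginFailed.html")
                            .restoreOriginalRequest()

                // Admin area: being authenticated is not enough, the caller must
                // also hold the (assumed) "Administrator" role.
                .forPath("/app/admin/*")
                    .authorizeWith()
                        .role("Administrator")

                // REST endpoints: API clients cannot follow a FORM redirect, so use
                // HTTP Basic. The realm name is an assumption for this example.
                .forPath("/rest/*")
                    .authenticateWith()
                        .basic()
                            .realmName("PicketLink REST")

                // Logout: ends the PicketLink session and redirects to the login page.
                .forPath("/logout")
                    .logout()
                        .redirectTo("/login.html");
    }
}
```

Two practical checks after wiring this up: request a protected page without a session and confirm you land on /login.html rather than in a redirect loop, and request a /rest/ resource without credentials and confirm you get a 401 with a WWW-Authenticate header rather than an HTML login page. Basic authentication sends the password on every request, so only expose it over TLS.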