12.3. Authentication
PicketLink supports the following authentication schemes:
- HTTP BASIC
- HTTP DIGEST
- HTTP X.509 or CLIENT-CERT
- FORM
- Token-Based
- Write Your Own Method
When you configure an authentication policy for a specific path, you only need to select one of the schemes available from the authenticateWith() method of the HttpSecurityBuilder:

    httpBuilder
        .forPath("/rest/*")
            .authenticateWith()
                .basic();
Some authentication schemes accept additional configuration for scheme-specific behavior. The following sections cover each of them in more detail.
12.3.1. Form Authentication
This authentication scheme authenticates your users through an HTML form that captures their credentials. If you are already familiar with the Java EE FORM authentication method, you will find this very similar.
To configure this authentication scheme for a specific path just do:
    httpBuilder
        .forPath("/faces/*.xhtml")
            .authenticateWith()
                .form()
                    .loginPage("/faces/login.xhtml")
                    .errorPage("/faces/loginFailed.xhtml");
You also need a login page containing an HTML form like this one:

    <form method="POST" action="j_security_check">
        <input type="text" name="j_username"/>
        <input type="password" name="j_password"/>
        <input type="submit" name="login" value="Login"/>
    </form>

Because the form posts the password in the request body, the login page and the authentication URI it posts to should only be served over HTTPS.
By default, once the user is authenticated, PicketLink redirects the user to your application's context path. Sometimes, though, you want to restore the original request, the one that started the authentication process. When this option is enabled, PicketLink redirects the user to that original request once authentication finishes. To enable this behavior:
    httpBuilder
        .forPath("/faces/*.xhtml")
            .authenticateWith()
                .form()
                    .loginPage("/faces/login.xhtml")
                    .errorPage("/faces/loginFailed.xhtml")
                    .restoreOriginalRequest();

Here, restoreOriginalRequest() enables this behavior.
Sometimes you may also want to change the default authentication URI, which defaults to /j_security_check. This is especially useful if you are using a JSF-based form such as the following:
    <h:form method="POST" prependId="false">
        <h:inputText id="j_username" />
        <h:inputSecret id="j_password"/>
        <h:commandButton id="login" value="Login" action="#{identity.login()}"/>
    </h:form>
Note
You still need to send j_username and j_password as request parameters. To do so, set the id attribute of both input fields to those names and make sure the form is declared with prependId="false", so that JSF does not prefix the field names with the form id.
In this case, the credentials are still posted as request parameters, but instead of posting them to j_security_check you trigger authentication directly through the Identity bean's login() method:

    <h:commandButton id="login" value="Login" action="#{identity.login()}"/>
When you submit the form above, JSF posts the form data back to the page itself, so you need to tell PicketLink that this page is the authentication URI:

    httpBuilder
        .forPath("/faces/*.xhtml")
            .authenticateWith()
                .form()
                    .authenticationUri("/faces/login.xhtml")
                    .loginPage("/faces/login.xhtml")
                    .errorPage("/faces/loginFailed.xhtml")
                    .restoreOriginalRequest();
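The snippets in this section use an httpBuilder without showing where it comes from. The following added example (not code from the PicketLink documentation or project) puts the BASIC configuration from the introduction and the JSF form configuration above together in one CDI bean that observes PicketLink's SecurityConfigurationEvent. The event type, the SecurityConfigurationBuilder and HttpSecurityBuilder types, and the realmName() and logout() calls are PicketLink 2.6 API; the class name, the observer method name, the realm name and the /logout path are this example's own choices.

```java
import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.config.http.HttpSecurityBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

// Added example: a CDI bean that receives PicketLink's configuration event at
// startup. Class and method names are this example's own; the builder calls are
// the PicketLink 2.6 HTTP security API used throughout this chapter.
public class HttpSecurityConfiguration {

    public void configureHttpSecurity(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();
        HttpSecurityBuilder httpBuilder = builder.http();

        httpBuilder
            // Stateless API clients: HTTP BASIC. The credentials travel
            // base64-encoded (not encrypted) on every request, so this path
            // must only be reachable over TLS.
            .forPath("/rest/*")
                .authenticateWith()
                    .basic()
                        .realmName("Example Realm")
            // Browser UI: FORM authentication with a JSF login page. The JSF
            // form posts back to itself, so the login page is also declared
            // as the authentication URI. j_username and j_password still
            // arrive as request parameters (prependId="false" on the form).
            .forPath("/faces/*.xhtml")
                .authenticateWith()
                    .form()
                        .authenticationUri("/faces/login.xhtml")
                        .loginPage("/faces/login.xhtml")
                        .errorPage("/faces/loginFailed.xhtml")
                        .restoreOriginalRequest()
            // A logout path so the authenticated session can be ended
            // explicitly rather than only expiring.
            .forPath("/logout")
                .logout();
    }
}
```

Because the bean observes the configuration event, it needs no other wiring beyond being a CDI bean in the deployment; PicketLink fires the event once when the application starts. Keep the BASIC path and the FORM path distinct: a request to /rest/* that fails authentication should get a 401 with the realm challenge, not a redirect to the HTML login page.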