Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

In addition to what Josef said, check your web.xml security-constraints. User must be granted with the roles defined there. ----- Original Message ----- From: "Josef Cacek" <jcacek(a)redhat.com&gt; To: "Adam Dong" <adamdong(a)vidder.com&gt; Cc: security-dev(a)lists.jboss.org Sent: Thursday, October 9, 2014 5:32:44 AM Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ? Hi Adam, the 403 means you are already authenticated but you don't have required roles. The solution for the bypass condition could look like: String username = "bypassed"; List<String> roles = new ArrayList<String>(); roles.add("AdminOrWhateverIsNeeded"); Principal principal = new GenericPrincipal(request.getContext().getRealm(), username, null, roles); request.setUserPrincipal(principal); Session session = request.getSessionInternal(true); session.setNote(Constants.SESS_USERNAME_NOTE, username); <disclaimer>Not tested. :)</disclaimer> -- josef ----- Original Message ----- > From: "Adam Dong" <adamdong(a)vidder.com&gt; > To: security-dev(a)lists.jboss.org > Cc: "Kevin Dana" <kdana(a)vidder.com&gt;, "Gabor Lengyel" > <glengyel(a)vidder.com&gt; > Sent: Thursday, October 9, 2014 2:42:32 AM > Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ? > > Hi, guys, > > Thanks to some of your help. I have successfully configured > ServiceProviderAuthenticator as an Value (in context.xml) in Tomcat > to protect my web app whose web.xml needs to have > <security-constraint>, <login-config> (with FORM being auth method) > etc, and the whole thing worked as expected against my IDP. > > Now I have a special need to either let the SAML auth happen or > bypass it (not just bypass SAML auth, but bypass the FORM-based auth > altogether). Here is what I tried but it didn't work: > > public class MyServiceProviderAuthenticator extends > ServiceProviderAuthenticator { > @Override > public boolean authenticate(Request req, Response res, LoginConfig > loginconfig) > throws IOException > { > if ("true".equals(req.getParamter("bypass"))) { // bypass SAML > authentication > return true; > } > return super.authenticate(req, res, loginconfig); > } > } > > When that flag was not set, SAML interaction happened, everything worked. > > When the flag was set, this method simply returned true, then I > simply got "HTTP Status 403 - Access to the requested resource has > been denied." on the browser. > > Why the failure ? Is it because I didn't set the principal or didn't > satisfy something that FORM-based auth needed. > > Thanks a lot in advance for any clue. > > Adam > > _______________________________________________ > security-dev mailing list > security-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/security-dev > _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev