Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

From: "Adam Dong" <adamdong(a)vidder.com&gt; To: security-dev(a)lists.jboss.org Cc: "Kevin Dana" <kdana(a)vidder.com&gt;, "Gabor Lengyel" <glengyel(a)vidder.com&gt; Sent: Thursday, October 9, 2014 2:42:32 AM Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ? Hi, guys, Thanks to some of your help. I have successfully configured ServiceProviderAuthenticator as an Value (in context.xml) in Tomcat to protect my web app whose web.xml needs to have <security-constraint>, <login-config> (with FORM being auth method) etc, and the whole thing worked as expected against my IDP. Now I have a special need to either let the SAML auth happen or bypass it (not just bypass SAML auth, but bypass the FORM-based auth altogether). Here is what I tried but it didn't work: public class MyServiceProviderAuthenticator extends ServiceProviderAuthenticator { @Override public boolean authenticate(Request req, Response res, LoginConfig loginconfig) throws IOException { if ("true".equals(req.getParamter("bypass"))) { // bypass SAML authentication return true; } return super.authenticate(req, res, loginconfig); } } When that flag was not set, SAML interaction happened, everything worked. When the flag was set, this method simply returned true, then I simply got "HTTP Status 403 - Access to the requested resource has been denied." on the browser. Why the failure ? Is it because I didn't set the principal or didn't satisfy something that FORM-based auth needed. Thanks a lot in advance for any clue. Adam _______________________________________________ security-dev mailing list security-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/security-dev