[security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Adam Dong adamdong at vidder.com
Wed Oct 8 21:21:47 EDT 2014


Mike,

Thanks for the quick reply.  I tried to make it simple in my previous email, in my real code, I have logging line right before "return true", so I was sure that it followed that branch.

Adam

-----Original Message-----
From: Michael Cirioli [mailto:mcirioli at redhat.com] 
Sent: Wednesday, October 08, 2014 6:16 PM
To: Adam Dong
Cc: Kevin Dana; Gabor Lengyel; security-dev at lists.jboss.org
Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Adam
My guess is that the flag is not really being set (even though you may be passing it in the URL) - have you verified this is happening in your authenticate method either using a debugger or logging? 

If the flag value is not what you expect let me know, I have implemented something similar to what you are attempting and may be able to help you work around it.

-mike

On Oct 8, 2014 8:43 PM, Adam Dong <adamdong at vidder.com> wrote:
Hi, guys,

Thanks to some of your help, I have successfully configured ServiceProviderAuthenticator as a Valve (in context.xml) in Tomcat to protect my web app, whose web.xml needs to have <security-constraint>, <login-config> (with FORM being the auth method), etc., and the whole thing worked as expected against my IDP.

Now I have a special need to either let the SAML auth happen or bypass it (not just bypass SAML auth, but bypass the FORM-based auth altogether). Here is what I tried, but it didn't work:

public class MyServiceProviderAuthenticator extends ServiceProviderAuthenticator {
    @Override
    public boolean authenticate(Request req, Response res, LoginConfig loginconfig)
        throws IOException
    {
        // bypass SAML authentication when the request carries bypass=true
        // (note: this returns true without registering any principal on the request)
        if ("true".equals(req.getParameter("bypass"))) {
            return true;
        }
        // otherwise fall through to the normal SAML flow
        return super.authenticate(req, res, loginconfig);
    }
}

When that flag was not set, SAML interaction happened, everything worked.

When the flag was set, this method simply returned true, and then I simply got "HTTP Status 403 - Access to the requested resource has been denied." in the browser.

Why the failure? Is it because I didn't set the principal, or didn't satisfy something that FORM-based auth needed?

Thanks a lot in advance for any clue.

Adam

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
