[security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Josef Cacek jcacek at redhat.com
Thu Oct 9 04:32:44 EDT 2014 

Hi Adam,

the 403 means you are already authenticated but you don't have required roles.

The solution for the bypass condition could look like:

String username = "bypassed";
List<String> roles = new ArrayList<String>();
roles.add("AdminOrWhateverIsNeeded");
Principal principal = new GenericPrincipal(request.getContext().getRealm(), username, null, roles);
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(true);
session.setNote(Constants.SESS_USERNAME_NOTE, username);

<disclaimer>Not tested. :)</disclaimer>

-- josef


----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: security-dev at lists.jboss.org
> Cc: "Kevin Dana" <kdana at vidder.com>, "Gabor Lengyel" <glengyel at vidder.com>
> Sent: Thursday, October 9, 2014 2:42:32 AM
> Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
> 
> Hi, guys,
> 
> Thanks to some of your help. I have successfully configured
> ServiceProviderAuthenticator as an Value (in context.xml) in Tomcat to
> protect my web app whose web.xml needs to have  <security-constraint>,
> <login-config> (with FORM being auth method) etc, and the whole thing worked
> as expected against my IDP.
> 
> Now I have a special need to either let the SAML  auth happen or bypass it
> (not just bypass SAML auth, but bypass the FORM-based auth altogether). Here
> is what I tried but it didn't work:
> 
> public class MyServiceProviderAuthenticator extends
> ServiceProviderAuthenticator
> {
>     @Override
>     public boolean authenticate(Request req, Response res, LoginConfig
>     loginconfig)
>         throws IOException
>     {
>            if ("true".equals(req.getParamter("bypass")))  {  // bypass SAML
>            authentication
>                return true;
>            }
>            return super.authenticate(req, res, loginconfig);
>     }
> }
> 
> When that flag was not set, SAML interaction happened, everything worked.
> 
> When the flag was set, this method simply returned true, then I simply got
> "HTTP Status 403 - Access to the requested resource has been denied." on the
> browser.
> 
> Why the failure ? Is it because I didn't set the principal or didn't satisfy
> something that FORM-based auth needed.
> 
> Thanks a lot in advance for any clue.
> 
> Adam
> 
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

More information about the security-dev mailing list