[security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Pedro Igor Silva psilva at redhat.com
Thu Oct 9 07:04:36 EDT 2014


In addition to what Josef said, check your web.xml security-constraints. The user must be granted the roles defined there.

----- Original Message -----
From: "Josef Cacek" <jcacek at redhat.com>
To: "Adam Dong" <adamdong at vidder.com>
Cc: security-dev at lists.jboss.org
Sent: Thursday, October 9, 2014 5:32:44 AM
Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Hi Adam,

the 403 means you are already authenticated but you don't have the required roles.

The solution for the bypass condition could look like:

// in the bypass branch of authenticate(), before returning true:
String username = "bypassed";
List<String> roles = new ArrayList<String>();
roles.add("AdminOrWhateverIsNeeded"); // must match a <role-name> in web.xml's <auth-constraint>
Principal principal = new GenericPrincipal(request.getContext().getRealm(), username, null, roles);
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(true);
session.setNote(Constants.SESS_USERNAME_NOTE, username);

<disclaimer>Not tested. :)</disclaimer>

-- josef
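As an added illustration of what the two replies describe (example code, not from the thread, PicketLink or Tomcat): a subclass of ServiceProviderAuthenticator whose bypass branch establishes a GenericPrincipal carrying roles that match the web.xml <auth-constraint>, so AuthenticatorBase's role check no longer answers 403. It assumes the Tomcat 6-era API that Adam's method signature matches (Request/Response/LoginConfig, the Realm-taking GenericPrincipal constructor and the protected register() helper of AuthenticatorBase), and the PicketLink class name org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator. The bypass condition itself is an assumption: instead of a query parameter, the example keys on request attributes (hypothetical names PREAUTH_USER_ATTR and PREAUTH_ROLES_ATTR) that only code already running inside the container can set.

```java
package com.example.sso; // hypothetical package

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.List;

import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator;

/**
 * SAML authenticator that skips the IdP exchange when an upstream valve or
 * filter has already vetted the caller and left a marker on the request.
 * Request attributes are set server-side only; a client cannot supply one
 * the way it can supply a query parameter.
 */
public class ConditionalSpAuthenticator extends ServiceProviderAuthenticator {

    /** Hypothetical attribute holding the pre-authenticated user name. */
    static final String PREAUTH_USER_ATTR = "com.example.sso.PREAUTH_USER";
    /** Hypothetical attribute holding the List<String> of roles decided upstream. */
    static final String PREAUTH_ROLES_ATTR = "com.example.sso.PREAUTH_ROLES";

    @Override
    public boolean authenticate(Request request, Response response, LoginConfig config)
            throws IOException {
        Object user = request.getAttribute(PREAUTH_USER_ATTR);
        if (user == null) {
            // Normal path: run the SAML exchange with the IdP.
            return super.authenticate(request, response, config);
        }

        // Returning true on its own is not enough: the request would carry no
        // Principal, so the <auth-constraint> role check afterwards fails with 403.
        String username = user.toString();
        List<String> roles = rolesFor(request);
        Principal principal = new GenericPrincipal(
                request.getContext().getRealm(), username, null, roles);

        // register() sets the principal, the auth type and the session username
        // note in one call (Tomcat 6 AuthenticatorBase API, assumed here).
        register(request, response, principal, Constants.FORM_METHOD, username, null);
        return true;
    }

    @SuppressWarnings("unchecked")
    private static List<String> rolesFor(Request request) {
        Object roles = request.getAttribute(PREAUTH_ROLES_ATTR);
        if (roles instanceof List) {
            return (List<String>) roles;
        }
        // No roles: any <auth-constraint> that names a role will still deny the
        // principal, which is the safe default when upstream code supplied none.
        return Collections.emptyList();
    }
}
```

The strings placed in the roles list must be exactly the <role-name> values listed under <auth-constraint> in web.xml (Pedro's point); a principal whose roles do not cover the constraint still receives 403 even though authenticate() returned true.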


----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: security-dev at lists.jboss.org
> Cc: "Kevin Dana" <kdana at vidder.com>, "Gabor Lengyel" <glengyel at vidder.com>
> Sent: Thursday, October 9, 2014 2:42:32 AM
> Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
> 
> Hi, guys,
> 
> Thanks to some of your help. I have successfully configured
> ServiceProviderAuthenticator as a Valve (in context.xml) in Tomcat to
> protect my web app whose web.xml needs to have <security-constraint>,
> <login-config> (with FORM being auth method) etc., and the whole thing worked
> as expected against my IDP.
> 
> Now I have a special need to either let the SAML auth happen or bypass it
> (not just bypass SAML auth, but bypass the FORM-based auth altogether). Here
> is what I tried but it didn't work:
> 
> import java.io.IOException;
> import org.apache.catalina.connector.Request;
> import org.apache.catalina.connector.Response;
> import org.apache.catalina.deploy.LoginConfig;
> import org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator;
> 
> public class MyServiceProviderAuthenticator extends ServiceProviderAuthenticator
> {
>     @Override
>     public boolean authenticate(Request req, Response res, LoginConfig loginconfig)
>         throws IOException
>     {
>         if ("true".equals(req.getParameter("bypass"))) {  // bypass SAML authentication
>             return true;  // returns without establishing a user principal
>         }
>         return super.authenticate(req, res, loginconfig);
>     }
> }
> 
> When that flag was not set, SAML interaction happened, everything worked.
> 
> When the flag was set, this method simply returned true, then I simply got
> "HTTP Status 403 - Access to the requested resource has been denied." on the
> browser.
> 
> Why the failure? Is it because I didn't set the principal or didn't satisfy
> something that FORM-based auth needed?
> 
> Thanks a lot in advance for any clue.
> 
> Adam
> 
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> 