[security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
Pedro Igor Silva
psilva at redhat.com
Thu Oct 9 07:04:36 EDT 2014
In addition to what Josef said, check your web.xml security-constraints. User must be granted with the roles defined there.
----- Original Message -----
From: "Josef Cacek" <jcacek at redhat.com>
To: "Adam Dong" <adamdong at vidder.com>
Cc: security-dev at lists.jboss.org
Sent: Thursday, October 9, 2014 5:32:44 AM
Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
Hi Adam,
the 403 means you are already authenticated but you don't have required roles.
The solution for the bypass condition could look like:
String username = "bypassed";
List<String> roles = new ArrayList<String>();
roles.add("AdminOrWhateverIsNeeded");
Principal principal = new GenericPrincipal(request.getContext().getRealm(), username, null, roles);
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(true);
session.setNote(Constants.SESS_USERNAME_NOTE, username);
<disclaimer>Not tested. :)</disclaimer>
-- josef
----- Original Message -----
> From: "Adam Dong" <adamdong at vidder.com>
> To: security-dev at lists.jboss.org
> Cc: "Kevin Dana" <kdana at vidder.com>, "Gabor Lengyel" <glengyel at vidder.com>
> Sent: Thursday, October 9, 2014 2:42:32 AM
> Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
>
> Hi, guys,
>
> Thanks to some of your help. I have successfully configured
> ServiceProviderAuthenticator as an Value (in context.xml) in Tomcat to
> protect my web app whose web.xml needs to have <security-constraint>,
> <login-config> (with FORM being auth method) etc, and the whole thing worked
> as expected against my IDP.
>
> Now I have a special need to either let the SAML auth happen or bypass it
> (not just bypass SAML auth, but bypass the FORM-based auth altogether). Here
> is what I tried but it didn't work:
>
> public class MyServiceProviderAuthenticator extends
> ServiceProviderAuthenticator
> {
> @Override
> public boolean authenticate(Request req, Response res, LoginConfig
> loginconfig)
> throws IOException
> {
> if ("true".equals(req.getParamter("bypass"))) { // bypass SAML
> authentication
> return true;
> }
> return super.authenticate(req, res, loginconfig);
> }
> }
>
> When that flag was not set, SAML interaction happened, everything worked.
>
> When the flag was set, this method simply returned true, then I simply got
> "HTTP Status 403 - Access to the requested resource has been denied." on the
> browser.
>
> Why the failure ? Is it because I didn't set the principal or didn't satisfy
> something that FORM-based auth needed.
>
> Thanks a lot in advance for any clue.
>
> Adam
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
More information about the security-dev
mailing list