[security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Mike Cirioli mcirioli at redhat.com
Thu Oct 9 13:28:01 EDT 2014 

Adam -
I agree with Josef and Pedro, it sounds like it might be a security 
constrain/role issue.  I'm online (#iam, #jbossidentity) if you want to 
ping me this afternoon.

-mike

On 10/09/2014 07:04 AM, Pedro Igor Silva wrote:
> In addition to what Josef said, check your web.xml security-constraints. User must be granted with the roles defined there.
>
> ----- Original Message -----
> From: "Josef Cacek" <jcacek at redhat.com>
> To: "Adam Dong" <adamdong at vidder.com>
> Cc: security-dev at lists.jboss.org
> Sent: Thursday, October 9, 2014 5:32:44 AM
> Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
>
> Hi Adam,
>
> the 403 means you are already authenticated but you don't have required roles.
>
> The solution for the bypass condition could look like:
>
> String username = "bypassed";
> List<String> roles = new ArrayList<String>();
> roles.add("AdminOrWhateverIsNeeded");
> Principal principal = new GenericPrincipal(request.getContext().getRealm(), username, null, roles);
> request.setUserPrincipal(principal);
> Session session = request.getSessionInternal(true);
> session.setNote(Constants.SESS_USERNAME_NOTE, username);
>
> <disclaimer>Not tested. :)</disclaimer>
>
> -- josef
>
>
> ----- Original Message -----
>> From: "Adam Dong" <adamdong at vidder.com>
>> To: security-dev at lists.jboss.org
>> Cc: "Kevin Dana" <kdana at vidder.com>, "Gabor Lengyel" <glengyel at vidder.com>
>> Sent: Thursday, October 9, 2014 2:42:32 AM
>> Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
>>
>> Hi, guys,
>>
>> Thanks to some of your help. I have successfully configured
>> ServiceProviderAuthenticator as an Value (in context.xml) in Tomcat to
>> protect my web app whose web.xml needs to have  <security-constraint>,
>> <login-config> (with FORM being auth method) etc, and the whole thing worked
>> as expected against my IDP.
>>
>> Now I have a special need to either let the SAML  auth happen or bypass it
>> (not just bypass SAML auth, but bypass the FORM-based auth altogether). Here
>> is what I tried but it didn't work:
>>
>> public class MyServiceProviderAuthenticator extends
>> ServiceProviderAuthenticator
>> {
>>      @Override
>>      public boolean authenticate(Request req, Response res, LoginConfig
>>      loginconfig)
>>          throws IOException
>>      {
>>             if ("true".equals(req.getParamter("bypass")))  {  // bypass SAML
>>             authentication
>>                 return true;
>>             }
>>             return super.authenticate(req, res, loginconfig);
>>      }
>> }
>>
>> When that flag was not set, SAML interaction happened, everything worked.
>>
>> When the flag was set, this method simply returned true, then I simply got
>> "HTTP Status 403 - Access to the requested resource has been denied." on the
>> browser.
>>
>> Why the failure ? Is it because I didn't set the principal or didn't satisfy
>> something that FORM-based auth needed.
>>
>> Thanks a lot in advance for any clue.
>>
>> Adam
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list