[security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Adam Dong adamdong at vidder.com
Thu Oct 9 13:30:28 EDT 2014


I'm trying out what you guys suggested (meetings get in the way). Will report back. 

Many thanks, really appreciate all the help.

Adam

-----Original Message-----
From: Mike Cirioli [mailto:mcirioli at redhat.com] 
Sent: Thursday, October 09, 2014 10:28 AM
To: Pedro Igor Silva; Josef Cacek
Cc: security-dev at lists.jboss.org; Adam Dong
Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?

Adam -
I agree with Josef and Pedro, it sounds like it might be a security constraint/role issue.  I'm online (#iam, #jbossidentity) if you want to ping me this afternoon.

-mike

On 10/09/2014 07:04 AM, Pedro Igor Silva wrote:
> In addition to what Josef said, check your web.xml security-constraints. The user must be granted the roles defined there.
>
> ----- Original Message -----
> From: "Josef Cacek" <jcacek at redhat.com>
> To: "Adam Dong" <adamdong at vidder.com>
> Cc: security-dev at lists.jboss.org
> Sent: Thursday, October 9, 2014 5:32:44 AM
> Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
>
> Hi Adam,
>
> the 403 means you are already authenticated but you don't have required roles.
>
> The solution for the bypass condition could look like:
>
> import java.security.Principal;
> import java.util.ArrayList;
> import java.util.List;
> import org.apache.catalina.Session;
> import org.apache.catalina.authenticator.Constants;
> import org.apache.catalina.realm.GenericPrincipal;
>
> String username = "bypassed";
> List<String> roles = new ArrayList<String>();
> roles.add("AdminOrWhateverIsNeeded"); // must match a role-name in the web.xml security-constraint
> // Tomcat 6 style constructor: (realm, name, password, roles)
> Principal principal = new GenericPrincipal(request.getContext().getRealm(), username, null, roles);
> request.setUserPrincipal(principal);
> // Store the username in the session, as the FORM authenticator would
> Session session = request.getSessionInternal(true);
> session.setNote(Constants.SESS_USERNAME_NOTE, username);
>
> <disclaimer>Not tested. :)</disclaimer>
>
> -- josef
>
>
> ----- Original Message -----
>> From: "Adam Dong" <adamdong at vidder.com>
>> To: security-dev at lists.jboss.org
>> Cc: "Kevin Dana" <kdana at vidder.com>, "Gabor Lengyel" 
>> <glengyel at vidder.com>
>> Sent: Thursday, October 9, 2014 2:42:32 AM
>> Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
>>
>> Hi, guys,
>>
>> Thanks to some of your help. I have successfully configured 
>> ServiceProviderAuthenticator as a Valve (in context.xml) in Tomcat 
>> to protect my web app whose web.xml needs to have 
>> <security-constraint>, <login-config> (with FORM being auth method) 
>> etc, and the whole thing worked as expected against my IDP.
>>
>> Now I have a special need to either let the SAML auth happen or 
>> bypass it (not just bypass SAML auth, but bypass the FORM-based auth 
>> altogether). Here is what I tried but it didn't work:
>>
>> import java.io.IOException;
>> import org.apache.catalina.connector.Request;
>> import org.apache.catalina.connector.Response;
>> import org.apache.catalina.deploy.LoginConfig;
>> import org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator;
>>
>> public class MyServiceProviderAuthenticator extends ServiceProviderAuthenticator {
>>     @Override
>>     public boolean authenticate(Request req, Response res, LoginConfig loginconfig)
>>             throws IOException {
>>         if ("true".equals(req.getParameter("bypass"))) { // bypass SAML authentication
>>             // returns true without setting any principal or roles on the request
>>             return true;
>>         }
>>         return super.authenticate(req, res, loginconfig);
>>     }
>> }
>>
>> When that flag was not set, SAML interaction happened, everything worked.
>>
>> When the flag was set, this method simply returned true, then I 
>> simply got "HTTP Status 403 - Access to the requested resource has 
>> been denied." on the browser.
>>
>> Why the failure? Is it because I didn't set the principal or didn't 
>> satisfy something that FORM-based auth needed?
>>
>> Thanks a lot in advance for any clue.
>>
>> Adam
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
