[security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
Adam Dong
adamdong at vidder.com
Thu Oct 9 13:30:28 EDT 2014
I'm trying out what you guys suggested (meetings get in the way). Will report back.
Many thanks, really appreciate all the help.
Adam
-----Original Message-----
From: Mike Cirioli [mailto:mcirioli at redhat.com]
Sent: Thursday, October 09, 2014 10:28 AM
To: Pedro Igor Silva; Josef Cacek
Cc: security-dev at lists.jboss.org; Adam Dong
Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
Adam -
I agree with Josef and Pedro, it sounds like it might be a security constrain/role issue. I'm online (#iam, #jbossidentity) if you want to ping me this afternoon.
-mike
On 10/09/2014 07:04 AM, Pedro Igor Silva wrote:
> In addition to what Josef said, check your web.xml security-constraints. User must be granted with the roles defined there.
>
> ----- Original Message -----
> From: "Josef Cacek" <jcacek at redhat.com>
> To: "Adam Dong" <adamdong at vidder.com>
> Cc: security-dev at lists.jboss.org
> Sent: Thursday, October 9, 2014 5:32:44 AM
> Subject: Re: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
>
> Hi Adam,
>
> the 403 means you are already authenticated but you don't have required roles.
>
> The solution for the bypass condition could look like:
>
> String username = "bypassed";
> List<String> roles = new ArrayList<String>();
> roles.add("AdminOrWhateverIsNeeded");
> Principal principal = new
> GenericPrincipal(request.getContext().getRealm(), username, null,
> roles); request.setUserPrincipal(principal);
> Session session = request.getSessionInternal(true);
> session.setNote(Constants.SESS_USERNAME_NOTE, username);
>
> <disclaimer>Not tested. :)</disclaimer>
>
> -- josef
>
>
> ----- Original Message -----
>> From: "Adam Dong" <adamdong at vidder.com>
>> To: security-dev at lists.jboss.org
>> Cc: "Kevin Dana" <kdana at vidder.com>, "Gabor Lengyel"
>> <glengyel at vidder.com>
>> Sent: Thursday, October 9, 2014 2:42:32 AM
>> Subject: [security-dev] How to let the valve ServiceProviderAuthenticator be conditionally bypassed ?
>>
>> Hi, guys,
>>
>> Thanks to some of your help. I have successfully configured
>> ServiceProviderAuthenticator as an Value (in context.xml) in Tomcat
>> to protect my web app whose web.xml needs to have
>> <security-constraint>, <login-config> (with FORM being auth method)
>> etc, and the whole thing worked as expected against my IDP.
>>
>> Now I have a special need to either let the SAML auth happen or
>> bypass it (not just bypass SAML auth, but bypass the FORM-based auth
>> altogether). Here is what I tried but it didn't work:
>>
>> public class MyServiceProviderAuthenticator extends
>> ServiceProviderAuthenticator {
>> @Override
>> public boolean authenticate(Request req, Response res, LoginConfig
>> loginconfig)
>> throws IOException
>> {
>> if ("true".equals(req.getParamter("bypass"))) { // bypass SAML
>> authentication
>> return true;
>> }
>> return super.authenticate(req, res, loginconfig);
>> }
>> }
>>
>> When that flag was not set, SAML interaction happened, everything worked.
>>
>> When the flag was set, this method simply returned true, then I
>> simply got "HTTP Status 403 - Access to the requested resource has
>> been denied." on the browser.
>>
>> Why the failure ? Is it because I didn't set the principal or didn't
>> satisfy something that FORM-based auth needed.
>>
>> Thanks a lot in advance for any clue.
>>
>> Adam
>>
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
>>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
More information about the security-dev
mailing list