0 Replies Latest reply on Nov 16, 2012 5:49 PM by ndrw_cheung

    JBoss EAP only : IDP does not post to SP after authentication

    ndrw_cheung

      Hi. My IDP works fine in Tomcat 6 (using JNDIRealm), but when I modified it to use JBoss EAP 5.2, the IDP doesn't post to the SP application after authentication. Instead, it loads the index.jsp page on the IDP side. Any help is appreciated.

       

        -Andrew

       

      ------------------------------

      My setup and configuration are as follows:

       

      IDP and SP both on JBoss EAP 5.2.

      Picketlink 2.1.4.

      JBossWebRealm auditing turned on.

      Users are in eDirectory.

       

      Sample users:

      dn=cn=johndoe,ou=myLocation,ou=Canada,o=com
      objectClass: inetOrgPerson
      objectClass: person
      objectClass: top
      employeetype: sales
      cn: johndoe

      dn=cn=ssmith,ou=myLocation,ou=Canada,o=com
      objectClass: inetOrgPerson
      objectClass: person
      objectClass: top
      employeetype: manager
      cn: ssmith

       

      ------------

       

      IDP : context.xml :

      <Context>
        <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve" />
        <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve" ignoreAttributesGeneration="false"/>
      </Context>

       

      -------------

       

      IDP : picketlink.xml :

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true" AttributeManager="org.jboss.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">
              <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
              <Trust>
                  <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
              </Trust>
          </PicketLinkIDP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
                  <!-- <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.tomcat.TomcatAttributeManager"/> -->
                  <Option Key="ATTRIBUTE_MANAGER" Value="org.jboss.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
                  <Option Key="ATTRIBUTE_KEYS" Value="cn,mail,title"/>
              </Handler>
          </Handlers>
          <!--
              The configuration below defines a token timeout and a clock skew. Both configurations will be used during the SAML Assertion creation.
              This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.
          -->
          <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="5000" ClockSkew="0">
              <TokenProviders>
                  <TokenProvider
                      ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
                      TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
                  <TokenProvider
                      ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                      TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
              </TokenProviders>
          </PicketLinkSTS>
      </PicketLink>

       

      ----------------------

       

      IDP : web.xml :

      <?xml version="1.0"?>
      <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
        <description>IDP Web Application for the PicketLink project</description>
        <display-name>IDP</display-name>
        <listener>
          <listener-class>org.picketlink.identity.federation.web.listeners.IDPHttpSessionListener</listener-class>
        </listener>
        <!-- Define a security constraint that gives unlimited access to images -->
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Images</web-resource-name>
            <url-pattern>/images/*</url-pattern>
          </web-resource-collection>
          <web-resource-collection>
            <web-resource-name>CSS</web-resource-name>
            <url-pattern>/css/*</url-pattern>
          </web-resource-collection>
        </security-constraint>
        <!-- Define a Security Constraint on this Application -->
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Manager command</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>sales</role-name>
            <role-name>manager</role-name>
          </auth-constraint>
        </security-constraint>
        <!-- Define the Login Configuration for this Application -->
        <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>PicketLink IDP Application</realm-name>
          <form-login-config>
            <form-login-page>/jsp/login.jsp</form-login-page>
            <form-error-page>/jsp/login-error.jsp</form-error-page>
          </form-login-config>
        </login-config>
        <!-- Security roles referenced by this web application in the security constraints above -->
        <security-role>
          <role-name>sales</role-name>
        </security-role>
        <security-role>
          <role-name>manager</role-name>
        </security-role>
      </web-app>

       

      -----------------

       

      IDP : jboss-web.xml :

      <jboss-web>
         <security-domain>idp</security-domain>
      </jboss-web>

       

       

       

      --------------

       

      SP : context.xml :

      <Context>
        <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />
      </Context>

       

      -------------

       

      SP : picketlink.xml :

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" BindingType="POST">
              <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
              <!-- note : If IDP runs on tomcat, the ServiceURL must have a trailing "/" -->
              <ServiceURL>http://localhost:8080/TestSP/sales-post/</ServiceURL>
          </PicketLinkSP>
          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
                  <Option Key="DISABLE_ROLE_PICKING" Value="false"/>
                  <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
              </Handler>
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
                  <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="true"/>
              </Handler>
          </Handlers>
      </PicketLink>

       

       

      ---------------------

       

      SP : web.xml :

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
        <description>Just a Test SP for Fedbridge Project</description>
        <display-name>Fedbridge Test SALES Application</display-name>
        <!-- Define a Security Constraint on this Application -->
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>SALES Application</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>sales</role-name>
          </auth-constraint>
        </security-constraint>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>SALES Application</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>manager</role-name>
          </auth-constraint>
        </security-constraint>
        <!-- Define a security constraint that gives unlimited access to freezone -->
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>freezone</web-resource-name>
            <url-pattern>/freezone/*</url-pattern>
          </web-resource-collection>
          <web-resource-collection>
            <web-resource-name>images</web-resource-name>
            <url-pattern>/images/*</url-pattern>
          </web-resource-collection>
          <web-resource-collection>
            <web-resource-name>css</web-resource-name>
            <url-pattern>/css/*</url-pattern>
          </web-resource-collection>
        </security-constraint>
        <!-- Define the Login Configuration for this Application -->
        <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>Tomcat SALES Application</realm-name>
          <form-login-config>
            <form-login-page>/jsp/login.jsp</form-login-page>
            <form-error-page>/jsp/loginerror.jsp</form-error-page>
          </form-login-config>
        </login-config>
        <!-- Security roles referenced by this web application -->
        <security-role>
          <description>The role that is required to log in to this Application</description>
          <role-name>sales</role-name>
        </security-role>
        <security-role>
          <description>The role that is required to log in to this Application</description>
          <role-name>manager</role-name>
        </security-role>
      </web-app>

       

       

      ------------------

       

      SP : jboss-web.xml :

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
         <security-domain>sp</security-domain>
         <context-root>TestSP/sales-post</context-root>
      </jboss-web>

       

       

      ---------------------

      conf/login-config.xml :

      <application-policy name="sp">
        <authentication>
          <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" />
        </authentication>
      </application-policy>

      <application-policy name="idp">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="debug">true</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
            <module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>
            <module-option name="bindCredential">hello123</module-option>
            <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
            <module-option name="baseFilter">(cn={0})</module-option>
            <module-option name="rolesCtxDN">ou=Canada,o=com</module-option>
            <module-option name="roleFilter">(cn={0})</module-option>
            <module-option name="roleAttributeID">employeetype</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleRecursion">-1</module-option>
            <module-option name="searchTimeLimit">10000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">false</module-option>
          </login-module>
        </authentication>
        <mapping>
          <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
            <module-option name="bindDN">cn=jbossuser,ou=Canada,o=com</module-option>
            <module-option name="bindCredential">hello123</module-option>
            <module-option name="baseFilter">(cn={0})</module-option>
            <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
            <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
            <module-option name="attributeList">cn,mail,title</module-option>
          </mapping-module>
        </mapping>
      </application-policy>

       

      --------------------------
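A cross-check of the IDP and SP settings posted above, added here as an example and not PicketLink's own code: it parses abridged copies of the two picketlink.xml files and the SP jboss-web.xml and reports the mismatches that would break the SAML exchange between them (IdentityURL agreement, the SP host against the IDP Trust domains, ServiceURL path against context-root, StrictPostBinding against BindingType, and SAML2AttributeHandler on both sides). The host/subdomain rule used for the Trust check is an assumption that approximates how the issuer trust handler matches hosts, and an absent BindingType is treated as "not declared as POST", also an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed, abridged copies of the posted IDP picketlink.xml, SP picketlink.xml and
# SP jboss-web.xml; namespaces (2.1 on the IDP, 1.0 on the SP element) and values are the
# posted ones, only elements irrelevant to the checks are left out.
IDP_PICKETLINK = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true">
    <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
    <Trust><Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains></Trust>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler"/>
  </Handlers>
</PicketLink>"""

SP_PICKETLINK = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" BindingType="POST">
    <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
    <ServiceURL>http://localhost:8080/TestSP/sales-post/</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler"/>
  </Handlers>
</PicketLink>"""

SP_JBOSS_WEB = """<jboss-web>
  <security-domain>sp</security-domain>
  <context-root>TestSP/sales-post</context-root>
</jboss-web>"""

ATTRIBUTE_HANDLER = "org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler"


def local(tag):
    """Strip the namespace from an ElementTree tag: '{urn:...}Trust' -> 'Trust'."""
    return tag.rsplit("}", 1)[-1]


def find_local(root, name):
    """First element (root included) whose local name is `name`, whatever its namespace."""
    return next((el for el in root.iter() if local(el.tag) == name), None)


def text_of(root, name):
    el = find_local(root, name)
    return el.text.strip() if el is not None and el.text else ""


def handler_classes(root):
    return {el.get("class") for el in root.iter() if local(el.tag) == "Handler"}


def host_is_trusted(host, domains):
    # Assumption: a host is trusted when it equals a listed domain or is a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in domains)


def check_federation(idp_xml, sp_xml, sp_jboss_web_xml):
    """Return human-readable mismatches; an empty list means the three files agree."""
    idp_root, sp_root = ET.fromstring(idp_xml), ET.fromstring(sp_xml)
    idp_cfg, sp_cfg = find_local(idp_root, "PicketLinkIDP"), find_local(sp_root, "PicketLinkSP")
    jboss_web = ET.fromstring(sp_jboss_web_xml)
    problems = []

    # 1. Both sides must name the same IDP endpoint: the SP sends its AuthnRequest there.
    idp_url, sp_idp_url = text_of(idp_cfg, "IdentityURL"), text_of(sp_cfg, "IdentityURL")
    if idp_url != sp_idp_url:
        problems.append(f"IdentityURL differs: IDP has {idp_url}, SP has {sp_idp_url}")

    # 2. The SP host must be covered by <Trust><Domains>, or the IDP's
    #    SAML2IssuerTrustHandler rejects the request as coming from an untrusted issuer.
    service_url = text_of(sp_cfg, "ServiceURL")
    sp_host = urlparse(service_url).hostname or ""
    domains = [d.strip() for d in text_of(idp_cfg, "Domains").split(",") if d.strip()]
    if not host_is_trusted(sp_host, domains):
        problems.append(f"SP host {sp_host!r} is not in IDP trusted domains {domains}")

    # 3. The SAMLResponse is posted back to ServiceURL, so its path must be the SP context root.
    context_root = text_of(jboss_web, "context-root").strip("/")
    service_path = urlparse(service_url).path.strip("/")
    if service_path != context_root:
        problems.append(f"ServiceURL path '{service_path}' != context-root '{context_root}'")

    # 4. StrictPostBinding="true" on the IDP needs an SP that declares the POST binding.
    strict = idp_cfg.get("StrictPostBinding", "false").lower() == "true"
    binding = (sp_cfg.get("BindingType") or "").upper()   # assumption: absent != POST
    if strict and binding != "POST":
        problems.append(f"IDP StrictPostBinding=true but SP BindingType={binding or 'unset'}")

    # 5. Pushed attributes only arrive if SAML2AttributeHandler is configured on both ends.
    if (ATTRIBUTE_HANDLER in handler_classes(idp_root)) != (ATTRIBUTE_HANDLER in handler_classes(sp_root)):
        problems.append("SAML2AttributeHandler is configured on only one side")
    return problems


def check_posted_config():
    return check_federation(IDP_PICKETLINK, SP_PICKETLINK, SP_JBOSS_WEB)


if __name__ == "__main__":
    print(check_posted_config() or "no mismatches found")
```

On the posted values the check comes back clean, which narrows the search to the runtime side (the valves, the security domains and the saved request) rather than the two picketlink.xml files.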

       

      server.log:

       

       

      2012-11-16 17:29:06,980 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2)  Requested cookie session id is C4A6DE0A81CEF55213D4B35394D9F3E4

      2012-11-16 17:29:06,980 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}

      2012-11-16 17:29:06,980 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}

      2012-11-16 17:29:06,981 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request POST /IDP/j_security_check

      2012-11-16 17:29:06,981 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Authenticating username 'johndoe'

      2012-11-16 17:29:06,982 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Begin authenticate, username=johndoe

      2012-11-16 17:29:06,996 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) Begin isValid, principal:johndoe, cache info: null

      2012-11-16 17:29:06,996 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) defaultLogin, principal=johndoe

      2012-11-16 17:29:06,996 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-2) Begin getAppConfigurationEntry(idp), size=15

      2012-11-16 17:29:06,997 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-2) End getAppConfigurationEntry(idp), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=baseFilter, value=(cn={0})

      name=bindDN, value=cn=mygenericuser,ou=Canada,o=com

      name=rolesCtxDN, value=ou=Canada,o=com

      name=debug, value=true

      name=baseCtxDN, value=ou=Canada,o=com

      name=roleRecursion, value=-1

      name=allowEmptyPasswords, value=false

      name=roleFilter, value=(cn={0})

      name=java.naming.provider.url, value=ldap://localhost:389

      name=bindCredential, value=****

      name=searchTimeLimit, value=10000

      name=roleAttributeIsDN, value=false

      name=searchScope, value=SUBTREE_SCOPE

      name=roleAttributeID, value=employeetype

       

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) initialize

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Security domain: idp

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) login

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=mygenericuser,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(cn={0}), java.naming.provider.url=ldap://localhost:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}

      2012-11-16 17:29:07,212 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=johndoe,ou=myLocation,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(cn={0}), java.naming.provider.url=ldap://localhost:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}

      2012-11-16 17:29:07,233 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Assign user to role sales

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) User 'johndoe' authenticated, loginOk=true

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) commit, loginOk=true

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) defaultLogin, lc=javax.security.auth.login.LoginContext@6e841513, subject=Subject(562285332).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:6))

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) updateCache, inputSubject=Subject(562285332).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)), cacheSubject=Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales))

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@703546fc[Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)),credential.class=java.lang.String@1932925246,expirationTime=1353106741047]

      2012-11-16 17:29:07,235 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) End isValid, true

      2012-11-16 17:29:07,235 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) User: johndoe is authenticated

      2012-11-16 17:29:07,242 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@703546fc[Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)),credential.class=java.lang.String@1932925246,expirationTime=1353106741047]

      2012-11-16 17:29:07,242 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Mapped from input principal: johndoeto: johndoe

      2012-11-16 17:29:07,374 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.web.tomcat.security.JBossWebRealm;CallerPrincipal=johndoe;principal=GenericPrincipal[johndoe(sales,)];request=[/IDP:cookies=[Ljavax.servlet.http.Cookie;@7a7fa6be:headers=host=localhost:8080,user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0,accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,accept-language=en-US,en;q=0.5,accept-encoding=gzip, deflate,connection=keep-alive,referer=http://localhost:8080/IDP/,cookie=JSESSIONID=C4A6DE0A81CEF55213D4B35394D9F3E4,content-type=application/x-www-form-urlencoded,content-length=48,][parameters=johndoe::,mypassword::,Login::,][attributes=];

      2012-11-16 17:29:07,374 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) End authenticate, principal=GenericPrincipal[johndoe(6,)]

      2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Authentication of 'johndoe' was successful

      2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Redirecting to original '/IDP/'

      2012-11-16 17:29:07,375 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Failed authenticate() test ??/IDP/j_security_check

      2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-2) clear, server=true

      2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2)  Requested cookie session id is C4A6DE0A81CEF55213D4B35394D9F3E4

      2012-11-16 17:29:07,380 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}

      2012-11-16 17:29:07,380 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request GET /IDP/

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Images, CSS]' against GET /index.jsp --> false

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Manager command]' against GET /index.jsp --> true

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Images, CSS]' against GET /index.jsp --> false

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Manager command]' against GET /index.jsp --> true

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Calling hasUserDataPermission()

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   User data constraint has no restrictions

      2012-11-16 17:29:07,381 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2012-11-16 17:29:07,381 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;Exception:=;userDataPermissionCheck=true;securityConstraints=SecurityConstraint[Manager command];Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={userDataPermissionCheck=true, securityConstraints=[Lorg.apache.catalina.deploy.SecurityConstraint;@32fe8c46, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=null,request=[/IDP],CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;

      2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Calling authenticate()

      2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Restore request from session 'C4A6DE0A81CEF55213D4B35394D9F3E4'

      2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Authenticated 'johndoe' with type 'FORM'

      2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Proceed to restored request

      2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Calling accessControl()

      2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking roles GenericPrincipal[johndoe(6,)]

      2012-11-16 17:29:07,386 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@681a4e9e:servlet.getName()=jsp]

      2012-11-16 17:29:07,386 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Username johndoe has role sales

      2012-11-16 17:29:07,393 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2012-11-16 17:29:07,394 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;roleRefPermissionCheck=true;principal.roles=6;Exception:=;roleName=6;Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={roleRefPermissionCheck=true, principal.roles=[sales], roleName=sales, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=null,request= ,CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasRole:RealmBase says:true::Authz framework says:true:final=true

      2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Role found:  sales

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@2fc9ba33:servlet.getName()=jsp]

      2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Username johndoe does NOT have role manager

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasRole:RealmBase says:false::Authz framework says:false:final=false

      2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) No role found:  manager

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Restoring principal info from cache

      2012-11-16 17:29:07,395 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2012-11-16 17:29:07,395 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;resourcePermissionCheck=true;Exception:=;securityConstraints=SecurityConstraint[Manager command];Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={resourcePermissionCheck=true, securityConstraints=[Lorg.apache.catalina.deploy.SecurityConstraint;@32fe8c46, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=/index.jsp,request=[/IDP],CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;

      2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasResourcePerm:RealmBase says:true::Authz framework says:true:final=true

      2012-11-16 17:29:07,395 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Successfully passed all security constraints

      2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) Begin invoke, caller=GenericPrincipal[johndoe(sales,)]

      2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) Restoring principal info from cache

      2012-11-16 17:29:07,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) End invoke, caller=GenericPrincipal[johndoe(sales,)]

      2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-2) clear, server=true

      2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:13,445 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1353104953445 sessioncount 0

      2012-11-16 17:29:13,461 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 16 expired sessions: 0
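An added triage script for the server.log excerpt above (example code, not from the post or from JBoss): it parses the log4j lines, reports credential values printed in clear (the TRACE env dump prints the bindCredential option verbatim while the JNDI credential is masked as ***), and pairs the FORM-login success with the saved URL Tomcat redirects to, marking the "Failed authenticate() test ??/IDP/j_security_check" line as Tomcat's normal outcome for the j_security_check request rather than an error. The sample lines are abridged copies of the posted log; the key list in SECRET_KEYS is an assumption.

```python
import re

# Constructed sample: four lines abridged from the JBoss EAP 5 server.log quoted in the
# post (the long env={...} dump is shortened to the keys that matter here).
SAMPLE_LOG = """\
2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Logging into LDAP server, env={java.naming.security.credentials=***, debug=true, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}
2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Authentication of 'johndoe' was successful
2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Redirecting to original '/IDP/'
2012-11-16 17:29:07,375 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Failed authenticate() test ??/IDP/j_security_check
"""

# log4j layout used by EAP 5: "<date> <time>,<ms> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)

# Keys whose values must never reach a log in clear (assumed list). JBoss masks the JNDI
# credential as "***" but, as the posted TRACE line shows, prints bindCredential verbatim.
SECRET_KEYS = ("bindCredential", "java.naming.security.credentials", "password")
SECRET_RE = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(k) for k in SECRET_KEYS) + r")=([^,}\s]+)"
)

SUCCESS_RE = re.compile(r"Authentication of '([^']+)' was successful")
REDIRECT_RE = re.compile(r"Redirecting to original '([^']*)'")
FAILED_TEST_RE = re.compile(r"Failed authenticate\(\) test \?\?(\S+)")


def parse_log(text):
    """Split server.log text into dicts (ts, level, logger, thread, msg); other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_cleartext_secrets(entries):
    """Return (timestamp, logger, key) for every secret-looking key whose value is not masked."""
    hits = []
    for e in entries:
        for key, value in SECRET_RE.findall(e["msg"]):
            if set(value) != {"*"}:          # "***" is JBoss's masking; anything else is a leak
                hits.append((e["ts"], e["logger"], key))
    return hits


def summarize_form_login(entries):
    """Pair a FORM-login success with the saved URL Tomcat redirects to afterwards.

    The saved URL is the request the container stored before showing login.jsp, so it is
    the first thing to inspect when the IDP lands on its own index page after login.
    The "Failed authenticate() test ??.../j_security_check" line that follows is Tomcat's
    normal result for the j_security_check request itself (authenticate() returns false
    after issuing the redirect), so it is reported as benign rather than as an error.
    """
    summary = {"user": None, "redirect_to": None, "benign_failed_test": False}
    for e in entries:
        m = SUCCESS_RE.search(e["msg"])
        if m:
            summary["user"] = m.group(1)
            continue
        m = REDIRECT_RE.search(e["msg"])
        if m:
            summary["redirect_to"] = m.group(1)
            continue
        m = FAILED_TEST_RE.search(e["msg"])
        if m and m.group(1).endswith("/j_security_check"):
            summary["benign_failed_test"] = True
    return summary


def triage(text=SAMPLE_LOG):
    entries = parse_log(text)
    return {"secrets": find_cleartext_secrets(entries), "login": summarize_form_login(entries)}


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, result)
```

Run against the full posted log, the secrets check fires on both LdapExtLoginModule env dumps; dropping debug=true from the login module and lowering the logger below TRACE keeps the bind password out of server.log.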