JBoss EAP only : IDP does not post to SP after authentication
ndrw_cheung Nov 16, 2012 5:49 PM
Hi. My IDP works fine in Tomcat 6 (using JNDIRealm), but when I modified it to use JBoss EAP 5.2, the IDP doesn't post to the SP application after authentication. Instead it loads the index.jsp page on the IDP side. Any help is appreciated.
-Andrew
------------------------------
My setup and configuration are as follows:
IDP and SP both on JBoss EAP 5.2.
PicketLink 2.1.4.
JBossWebRealm auditing turned on.
Users are in eDirectory.
Sample users:

dn: cn=johndoe,ou=myLocation,ou=Canada,o=com
objectClass: inetOrgPerson
objectClass: person
objectClass: top
employeetype: sales
cn: johndoe

dn: cn=ssmith,ou=myLocation,ou=Canada,o=com
objectClass: inetOrgPerson
objectClass: person
objectClass: top
employeetype: manager
cn: ssmith
------------
IDP : context.xml :
<Context>
  <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve" />
  <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve" ignoreAttributesGeneration="false"/>
</Context>
-------------
IDP : picketlink.xml :
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true" AttributeManager="org.jboss.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">
    <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
    <Trust>
      <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
    </Trust>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
      <!-- <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.tomcat.TomcatAttributeManager"/> -->
      <Option Key="ATTRIBUTE_MANAGER" Value="org.jboss.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>
      <Option Key="ATTRIBUTE_KEYS" Value="cn,mail,title"/>
    </Handler>
  </Handlers>
  <!--
    The configuration below defines a token timeout and a clock skew. Both are used during SAML assertion creation.
    This configuration is optional. It is defined only to show how to set the token timeout and clock skew.
  -->
  <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="5000" ClockSkew="0">
    <TokenProviders>
      <TokenProvider ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
                     TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
                     TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
      <TokenProvider ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
                     TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
                     TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
    </TokenProviders>
  </PicketLinkSTS>
</PicketLink>
----------------------
IDP : web.xml
<?xml version="1.0"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <description>IDP Web Application for the PicketLink project</description>
  <display-name>IDP</display-name>
  <listener>
    <listener-class>org.picketlink.identity.federation.web.listeners.IDPHttpSessionListener</listener-class>
  </listener>
  <!-- Define a security constraint that gives unlimited access to images -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Images</web-resource-name>
      <url-pattern>/images/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>CSS</web-resource-name>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager command</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sales</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>PicketLink IDP Application</realm-name>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Security roles referenced by this web application in the security constraints above -->
  <security-role>
    <role-name>sales</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
-----------------
IDP : jboss-web.xml :
<jboss-web>
  <security-domain>idp</security-domain>
</jboss-web>
--------------
SP : context.xml :
<Context>
  <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator" />
</Context>
-------------
SP : picketlink.xml :
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" BindingType="POST">
    <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
    <!-- note : If IDP runs on tomcat, the ServiceURL must have a trailing "/" -->
    <ServiceURL>http://localhost:8080/TestSP/sales-post/</ServiceURL>
  </PicketLinkSP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
      <Option Key="DISABLE_ROLE_PICKING" Value="false"/>
      <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    </Handler>
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
      <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="true"/>
    </Handler>
  </Handlers>
</PicketLink>
---------------------
SP : web.xml :
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <description>Just a Test SP for Fedbridge Project</description>
  <display-name>Fedbridge Test SALES Application</display-name>
  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SALES Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sales</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SALES Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- Define a security constraint that gives unlimited access to freezone -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>freezone</web-resource-name>
      <url-pattern>/freezone/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>images</web-resource-name>
      <url-pattern>/images/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>css</web-resource-name>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Tomcat SALES Application</realm-name>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>The role that is required to log in to this Application</description>
    <role-name>sales</role-name>
  </security-role>
  <security-role>
    <description>The role that is required to log in to this Application</description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
------------------
SP : jboss-web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>sp</security-domain>
  <context-root>TestSP/sales-post</context-root>
</jboss-web>
---------------------
conf/login-config.xml :
<application-policy name="sp">
  <authentication>
    <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required" />
  </authentication>
</application-policy>
<application-policy name="idp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="debug">true</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>
      <module-option name="bindCredential">hello123</module-option>
      <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="rolesCtxDN">ou=Canada,o=com</module-option>
      <module-option name="roleFilter">(cn={0})</module-option>
      <module-option name="roleAttributeID">employeetype</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchTimeLimit">10000</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
      <module-option name="bindDN">cn=jbossuser,ou=Canada,o=com</module-option>
      <module-option name="bindCredential">hello123</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
      <module-option name="baseCtxDN">ou=Canada,o=com</module-option>
      <module-option name="attributeList">cn,mail,title</module-option>
    </mapping-module>
  </mapping>
</application-policy>
--------------------------
server.log:
2012-11-16 17:29:06,980 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2) Requested cookie session id is C4A6DE0A81CEF55213D4B35394D9F3E4
2012-11-16 17:29:06,980 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}
2012-11-16 17:29:06,980 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}
2012-11-16 17:29:06,981 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request POST /IDP/j_security_check
2012-11-16 17:29:06,981 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Authenticating username 'johndoe'
2012-11-16 17:29:06,982 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Begin authenticate, username=johndoe
2012-11-16 17:29:06,996 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) Begin isValid, principal:johndoe, cache info: null
2012-11-16 17:29:06,996 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) defaultLogin, principal=johndoe
2012-11-16 17:29:06,996 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-2) Begin getAppConfigurationEntry(idp), size=15
2012-11-16 17:29:06,997 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-2) End getAppConfigurationEntry(idp), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(cn={0})
name=bindDN, value=cn=mygenericuser,ou=Canada,o=com
name=rolesCtxDN, value=ou=Canada,o=com
name=debug, value=true
name=baseCtxDN, value=ou=Canada,o=com
name=roleRecursion, value=-1
name=allowEmptyPasswords, value=false
name=roleFilter, value=(cn={0})
name=java.naming.provider.url, value=ldap://localhost:389
name=bindCredential, value=****
name=searchTimeLimit, value=10000
name=roleAttributeIsDN, value=false
name=searchScope, value=SUBTREE_SCOPE
name=roleAttributeID, value=employeetype
2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) initialize
2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Security domain: idp
2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) login
2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=mygenericuser,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(cn={0}), java.naming.provider.url=ldap://localhost:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}
2012-11-16 17:29:07,212 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=johndoe,ou=myLocation,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(cn={0}), java.naming.provider.url=ldap://localhost:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}
2012-11-16 17:29:07,233 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Assign user to role sales
2012-11-16 17:29:07,234 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) User 'johndoe' authenticated, loginOk=true
2012-11-16 17:29:07,234 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) commit, loginOk=true
2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) defaultLogin, lc=javax.security.auth.login.LoginContext@6e841513, subject=Subject(562285332).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:6))
2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) updateCache, inputSubject=Subject(562285332).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)), cacheSubject=Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales))
2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@703546fc[Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)),credential.class=java.lang.String@1932925246,expirationTime=1353106741047]
2012-11-16 17:29:07,235 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) End isValid, true
2012-11-16 17:29:07,235 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) User: johndoe is authenticated
2012-11-16 17:29:07,242 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@703546fc[Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)),credential.class=java.lang.String@1932925246,expirationTime=1353106741047]
2012-11-16 17:29:07,242 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Mapped from input principal: johndoeto: johndoe
2012-11-16 17:29:07,374 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.web.tomcat.security.JBossWebRealm;CallerPrincipal=johndoe;principal=GenericPrincipal[johndoe(sales,)];request=[/IDP:cookies=[Ljavax.servlet.http.Cookie;@7a7fa6be:headers=host=localhost:8080,user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0,accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,accept-language=en-US,en;q=0.5,accept-encoding=gzip, deflate,connection=keep-alive,referer=http://localhost:8080/IDP/,cookie=JSESSIONID=C4A6DE0A81CEF55213D4B35394D9F3E4,content-type=application/x-www-form-urlencoded,content-length=48,][parameters=johndoe::,mypassword::,Login::,][attributes=];
2012-11-16 17:29:07,374 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) End authenticate, principal=GenericPrincipal[johndoe(6,)]
2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Authentication of 'johndoe' was successful
2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Redirecting to original '/IDP/'
2012-11-16 17:29:07,375 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Failed authenticate() test ??/IDP/j_security_check
2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-2) clear, server=true
2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null
2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2) Requested cookie session id is C4A6DE0A81CEF55213D4B35394D9F3E4
2012-11-16 17:29:07,380 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}
2012-11-16 17:29:07,380 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request GET /IDP/
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Checking constraint 'SecurityConstraint[Images, CSS]' against GET /index.jsp --> false
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Checking constraint 'SecurityConstraint[Manager command]' against GET /index.jsp --> true
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Checking constraint 'SecurityConstraint[Images, CSS]' against GET /index.jsp --> false
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Checking constraint 'SecurityConstraint[Manager command]' against GET /index.jsp --> true
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Calling hasUserDataPermission()
2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) User data constraint has no restrictions
2012-11-16 17:29:07,381 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2012-11-16 17:29:07,381 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;Exception:=;userDataPermissionCheck=true;securityConstraints=SecurityConstraint[Manager command];Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={userDataPermissionCheck=true, securityConstraints=[Lorg.apache.catalina.deploy.SecurityConstraint;@32fe8c46, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=null,request=[/IDP],CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;
2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Calling authenticate()
2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Restore request from session 'C4A6DE0A81CEF55213D4B35394D9F3E4'
2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Authenticated 'johndoe' with type 'FORM'
2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Proceed to restored request
2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Calling accessControl()
2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Checking roles GenericPrincipal[johndoe(6,)]
2012-11-16 17:29:07,386 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@681a4e9e:servlet.getName()=jsp]
2012-11-16 17:29:07,386 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Username johndoe has role sales
2012-11-16 17:29:07,393 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2012-11-16 17:29:07,394 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;roleRefPermissionCheck=true;principal.roles=6;Exception:=;roleName=6;Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={roleRefPermissionCheck=true, principal.roles=[sales], roleName=sales, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=null,request= ,CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;
2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasRole:RealmBase says:true::Authz framework says:true:final=true
2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Role found: sales
2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@2fc9ba33:servlet.getName()=jsp]
2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Username johndoe does NOT have role manager
2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasRole:RealmBase says:false::Authz framework says:false:final=false
2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) No role found: manager
2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Restoring principal info from cache
2012-11-16 17:29:07,395 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2012-11-16 17:29:07,395 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;resourcePermissionCheck=true;Exception:=;securityConstraints=SecurityConstraint[Manager command];Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={resourcePermissionCheck=true, securityConstraints=[Lorg.apache.catalina.deploy.SecurityConstraint;@32fe8c46, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=/index.jsp,request=[/IDP],CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;
2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasResourcePerm:RealmBase says:true::Authz framework says:true:final=true
2012-11-16 17:29:07,395 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Successfully passed all security constraints
2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) Begin invoke, caller=GenericPrincipal[johndoe(sales,)]
2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) Restoring principal info from cache
2012-11-16 17:29:07,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null
2012-11-16 17:29:07,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null
2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null
2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null
2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) End invoke, caller=GenericPrincipal[johndoe(sales,)]
2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-2) clear, server=true
2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null
2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null
2012-11-16 17:29:13,445 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1353104953445 sessioncount 0
2012-11-16 17:29:13,461 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 16 expired sessions: 0
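Added example (editor's code, not part of the post above and not PicketLink's own code): a consistency check across the IDP and SP picketlink.xml fragments posted in the thread. It reads the two files with the standard library and checks the settings that have to agree for a POST-binding round trip: the SP's IdentityURL against the IDP's, the ServiceURL host against the IDP's Trust Domains, StrictPostBinding on the IDP against BindingType on the SP, and the trailing "/" on ServiceURL that the post's own comment calls out. The embedded XML is a constructed copy of the posted fragments with handlers and STS left out; the suffix-match rule in host_trusted is an approximation of SAML2IssuerTrustHandler's domain check, not its exact code.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed copies of the IDP and SP fragments from the post (handlers/STS omitted).
IDP_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true">
    <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
    <Trust>
      <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
    </Trust>
  </PicketLinkIDP>
</PicketLink>"""

SP_XML = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0" BindingType="POST">
    <IdentityURL>http://localhost:8080/IDP/</IdentityURL>
    <ServiceURL>http://localhost:8080/TestSP/sales-post/</ServiceURL>
  </PicketLinkSP>
</PicketLink>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _find(node, name):
    """First descendant whose local name is `name`, ignoring the mixed 1.0/2.1 namespaces."""
    for el in node.iter():
        if _local(el.tag) == name:
            return el
    raise ValueError(f"missing <{name}>")


def _text(node, name):
    return (_find(node, name).text or "").strip()


def parse_idp(xml_text):
    idp = _find(ET.fromstring(xml_text), "PicketLinkIDP")
    domains = _text(idp, "Domains")
    return {
        "identity_url": _text(idp, "IdentityURL"),
        "strict_post": idp.get("StrictPostBinding", "false").lower() == "true",
        "trust_domains": [d.strip() for d in domains.split(",") if d.strip()],
    }


def parse_sp(xml_text):
    sp = _find(ET.fromstring(xml_text), "PicketLinkSP")
    return {
        "identity_url": _text(sp, "IdentityURL"),
        "service_url": _text(sp, "ServiceURL"),
        "binding": sp.get("BindingType", "POST").upper(),
    }


def host_trusted(host, domains):
    """Suffix match on DNS labels: 'sp.jboss.org' is trusted by 'jboss.org',
    'evil-jboss.org' is not. Approximation of the trust handler's check (assumption)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check(idp, sp):
    """Return a list of human-readable mismatches; empty means the pair is consistent."""
    problems = []
    if idp["identity_url"].rstrip("/") != sp["identity_url"].rstrip("/"):
        problems.append(f"IdentityURL differs: IDP {idp['identity_url']} vs SP {sp['identity_url']}")
    host = urlparse(sp["service_url"]).hostname or ""
    if not host_trusted(host, idp["trust_domains"]):
        problems.append(f"SP host {host!r} is not under any trusted domain {idp['trust_domains']}")
    if idp["strict_post"] and sp["binding"] != "POST":
        problems.append(f"IDP has StrictPostBinding=true but SP BindingType={sp['binding']}")
    if not sp["service_url"].endswith("/"):
        problems.append("ServiceURL lacks the trailing '/' the post says a Tomcat-hosted IDP needs")
    return problems


if __name__ == "__main__":
    for line in check(parse_idp(IDP_XML), parse_sp(SP_XML)) or ["configs are consistent"]:
        print(line)
```

For the posted pair the check comes back clean, which is the point: none of these settings explains the symptom in the log (FormAuthenticator redirecting to the saved '/IDP/' instead of the IDP valve posting back to the SP), so the config lint rules them out and attention can move to the session/valve ordering on the IDP side. One caveat the lint does not flag: a Trust Domains entry as broad as amazonaws.com trusts every issuer hosted under that shared suffix, so in anything beyond a local test the list should name only the SP hosts that are actually federated.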
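A second added example (editor's code, not from the post or from JBoss/PicketLink), prompted by the TRACE output above: LdapExtLoginModule masks java.naming.security.credentials=*** but prints bindCredential=<password> in clear in the same env dump, and the LogAuditProvider record echoes the parameters of the j_security_check form POST. The script below parses server.log lines in the posted format, flags both kinds of leak, and redacts them before the lines are shipped anywhere. The sample lines are constructed to resemble the posted log with fake values; the key list in SECRET_KEYS and the j_password name are assumptions to be extended for a real deployment.

```python
import re

# Posted format: "<date> <time> LEVEL [logger] (thread) message"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# Keys whose values must never appear unmasked (assumed list; extend for your modules).
SECRET_KEYS = ("bindCredential", "java.naming.security.credentials", "j_password")
SECRET_KV = re.compile(
    r"(?P<key>" + "|".join(re.escape(k) for k in SECRET_KEYS) + r")=(?P<val>[^,}\]]*)"
)
# Audit records that echo the body of a form-urlencoded POST (the login form, for one).
FORM_DUMP = re.compile(
    r"content-type=application/x-www-form-urlencoded.*\[parameters=(?P<params>[^\]]+)\]"
)

# Constructed sample resembling the posted server.log (fake credentials).
SAMPLE_LOG = [
    "2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] "
    "(http-127.0.0.1-8080-2) Logging into LDAP server, env={searchTimeLimit=10000, "
    "java.naming.security.credentials=***, java.naming.security.principal=cn=svc,ou=Canada,o=com, "
    "bindDN=cn=svc,ou=Canada,o=com, bindCredential=s3cret}",
    "2012-11-16 17:29:07,374 TRACE [org.jboss.security.audit.providers.LogAuditProvider] "
    "(http-127.0.0.1-8080-2) [Success]Source=org.jboss.web.tomcat.security.JBossWebRealm;"
    "CallerPrincipal=johndoe;request=[/IDP:headers=host=localhost:8080,"
    "content-type=application/x-www-form-urlencoded,content-length=48,]"
    "[parameters=johndoe::,hunter2::,Login::,][attributes=];",
    "2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] "
    "(http-127.0.0.1-8080-2) Authentication of 'johndoe' was successful",
]


def parse_line(line):
    """Split one log line into its fields, or None if it is not in the posted format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_masked(value):
    """True when a logged value is already a run of asterisks."""
    v = value.strip()
    return v != "" and set(v) <= {"*"}


def find_leaks(lines):
    """Return (line_no, logger, description) for every unmasked secret or dumped form body."""
    leaks = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for m in SECRET_KV.finditer(rec["msg"]):
            if not is_masked(m.group("val")):
                leaks.append((n, rec["logger"], f"{m.group('key')} in clear"))
        m = FORM_DUMP.search(rec["msg"])
        if m and not is_masked(m.group("params")):
            leaks.append((n, rec["logger"], "form POST parameters logged"))
    return leaks


def redact(line):
    """Mask secret values and form parameter dumps so the line is safe to forward."""
    line = SECRET_KV.sub(lambda m: f"{m.group('key')}=***", line)
    line = FORM_DUMP.sub(lambda m: m.group(0).replace(m.group("params"), "***"), line)
    return line


if __name__ == "__main__":
    for n, logger, what in find_leaks(SAMPLE_LOG):
        print(f"line {n}: {what} ({logger})")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Run it over a real server.log to see how many lines carry the LDAP bind password once TRACE is enabled on org.jboss.security; the practical fix is to drop the debug=true option and the TRACE level once the SSO problem is understood, and to rotate the bind credential that was already written to disk.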