0 Replies Latest reply on Jul 21, 2014 8:14 PM by dvayanu

    SPFilter + tomcat7 + idp + tomcat security -> Roles are not transmitted.

    dvayanu

      Hi,

      I assume that I am missing something very obvious here, but I've spent about 4 hours searching and trying and couldn't come to a solution, so maybe there is some help.

      I was following this guide: https://docs.jboss.org/author/display/PLINK/Standalone+Web+Applications%28All+Servlet+Containers%29

      I was able to connect my SP and my IDP and perform a login. I can see a user principal in the session. However, as soon as I add Tomcat security to protect some part of the application, as in the above example, it doesn't work.

      Here are the relevant parts of the web.xml:

          <filter>
              <description>
                  The SP Filter intersects all requests at the SP and sees if there is a need to contact the IDP.
              </description>
              <filter-name>SPFilter</filter-name>
              <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
              <init-param>
                  <param-name>ROLES</param-name>
                  <param-value>sales,manager</param-value>
              </init-param>
              <!-- Disables validation of the IDP's signatures on SAML responses/assertions;
                   a test-only setting, not suitable for production. -->
              <init-param>
                  <param-name>IGNORE_SIGNATURES</param-name>
                  <param-value>true</param-value>
              </init-param>
          </filter>

          <filter-mapping>
              <filter-name>SPFilter</filter-name>
              <url-pattern>/login</url-pattern>
          </filter-mapping>

          <!-- Processes application requests -->
          <servlet>
              <servlet-name>appServlet</servlet-name>
              <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
              <init-param>
                  <param-name>contextConfigLocation</param-name>
                  <param-value>/WEB-INF/servlet-context.xml</param-value>
              </init-param>
              <load-on-startup>1</load-on-startup>
          </servlet>

          <servlet-mapping>
              <servlet-name>appServlet</servlet-name>
              <url-pattern>*.html</url-pattern>
          </servlet-mapping>

          <!-- Container-managed (Tomcat) security: requires the "manager" role under /loginarea/ -->
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Manager command</web-resource-name>
                  <url-pattern>/loginarea/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>manager</role-name>
              </auth-constraint>
          </security-constraint>
          <security-role>
              <description>
                  The role that is required to log in to the Manager Application
              </description>
              <role-name>manager</role-name>
          </security-role>


      Whenever I try to access something under /loginarea/ I get a 403 without even coming through to the SPFilter or my code. However, from my code under other URLs I can read the user principal, and it contains the Tomcat user (from the quickstart examples). Interestingly, if I try to read the roles, it always returns null:

          import java.security.Principal;
          import java.util.List;
          import org.picketlink.identity.federation.web.constants.GeneralConstants;

          // Read the principal that SPFilter stored in the HTTP session
          Principal userPrincipal = (Principal) request.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); // returns the principal with the correct user name

          // Read the role list SPFilter is expected to store alongside it
          @SuppressWarnings("unchecked")
          List<String> roles = (List<String>) request.getSession().getAttribute(GeneralConstants.ROLES_ID); // null

      If I remove the security-constraint I can access the app and the controller without any problems. I am using the basic redirect IDP from the examples.


      regards

      Leon
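
A filter-level role check for the setup described in the post, added here as an example; it is not code from the post, from the quickstart or from PicketLink itself. The reason the `<security-constraint>` produces a 403 before SPFilter runs is that Tomcat enforces container-managed security in its authenticator valve, which executes before the servlet filter chain, so a role established only inside a `Filter` (via the session attributes SPFilter sets) is never seen by the container. One way to protect `/loginarea/*` is therefore a second filter, mapped after SPFilter, that authorizes against the role list SPFilter stores under `GeneralConstants.ROLES_ID`. The class name `RoleCheckFilter`, the init-param `REQUIRED_ROLE` and the redirect target `/login` (the URL SPFilter is mapped to in the post) are assumptions for this example.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.picketlink.identity.federation.web.constants.GeneralConstants;

/**
 * Hypothetical example filter (not part of PicketLink): authorizes requests
 * against the role list SPFilter placed in the session. Declare its
 * filter-mapping AFTER SPFilter's in web.xml so the SAML exchange has already
 * populated the session. A container security-constraint cannot do this job,
 * because Tomcat's authenticator valve evaluates it before any filter runs.
 */
public class RoleCheckFilter implements Filter {

    /** Name of the init-param carrying the required role (assumed for this example). */
    static final String REQUIRED_ROLE_PARAM = "REQUIRED_ROLE";

    /** Where SPFilter is mapped in the post; unauthenticated users are sent here. */
    static final String LOGIN_PATH = "/login";

    private String requiredRole;

    @Override
    public void init(FilterConfig config) throws ServletException {
        requiredRole = config.getInitParameter(REQUIRED_ROLE_PARAM);
        if (requiredRole == null || requiredRole.trim().isEmpty()) {
            // Refuse to start with an empty policy rather than silently allowing everything.
            throw new ServletException(REQUIRED_ROLE_PARAM + " init-param is required");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Never create a session here: an absent session means no SAML login happened.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(GeneralConstants.PRINCIPAL_ID) == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }

        if (!hasRole(session, requiredRole)) {
            // Fail closed: a null role list, as observed in the post, is denied
            // exactly like a list that lacks the role.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** True only if the session carries a role list that contains {@code role}. */
    static boolean hasRole(HttpSession session, String role) {
        Object attr = session.getAttribute(GeneralConstants.ROLES_ID);
        if (!(attr instanceof List)) {
            return false;
        }
        for (Object r : (List<?>) attr) {
            if (role.equals(r)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To wire it up, remove the `<security-constraint>` and add a `<filter>` entry for `RoleCheckFilter` with `REQUIRED_ROLE` set to `manager`, plus a `<filter-mapping>` with `<url-pattern>/loginarea/*</url-pattern>` placed after SPFilter's mapping (filter order follows the order of mappings in web.xml). Keep in mind that this only authorizes what SPFilter has put in the session: as long as `ROLES_ID` is null, the filter denies every request, which is the safe default until the roles actually arrive from the IDP.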