0 Replies Latest reply on Nov 16, 2012 5:49 PM by Andrew Cheung

    JBoss EAP only : IDP does not post to SP after authentication

    Andrew Cheung Newbie

      Hi. My IDP works fine in tomcat 6 (using JNDIRealm), but when I modified it to use JBoss EAP 5.2, the IDP doesn't post to the SP application after authentication. Instead it loads the index.jsp page on the IDP side. Any help is appreciated.

       

        -Andrew

       

      ------------------------------

      My setup, configurations, are as follows:

       

      IDP and SP both on JBoss EAP 5.2.

      Picketlink 2.1.4.

      JBossWebRealm auditing turned on.

      Users are in eDirectory.

       

      Sample users:

       

      dn=cn=johndoe,ou=myLocation,ou=Canada,o=com

      objectClass: inetOrgPerson

      objectClass: person

      objectClass: top

      employeetype: sales

      cn: johndoe

       

       

      dn=cn=ssmith,ou=myLocation,ou=Canada,o=com

      objectClass: inetOrgPerson

      objectClass: person

      objectClass: top

      employeetype: manager

      cn: ssmith

       

      ------------

       

      IDP : context.xml :

       

      <Context>

      <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve" />

      <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve" ignoreAttributesGeneration="false"/>

      </Context>

       

      -------------

       

      IDP : picketlink.xml :

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

          <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true" AttributeManager="org.jboss.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">

              <IdentityURL>http://localhost:8080/IDP/</IdentityURL>

              <Trust>

                  <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>

              </Trust>

          </PicketLinkIDP>

          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />

          

              <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">

              <!--  Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.tomcat.TomcatAttributeManager"/>

              -->

              <Option Key="ATTRIBUTE_MANAGER" Value="org.jboss.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"/>

                <Option Key="ATTRIBUTE_KEYS" Value="cn,mail,title"/>

              </Handler>

       

          </Handlers>

          <!--

              The configuration bellow defines a token timeout and a clock skew. Both configurations will be used during the SAML Assertion creation.

              This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.

           -->

       

          <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="5000" ClockSkew="0">

              <TokenProviders>

                  <TokenProvider

                      ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"

                      TokenType="urn:oasis:names:tc:SAML:1.0:assertion"

                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />

                  <TokenProvider

                      ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"

                      TokenType="urn:oasis:names:tc:SAML:2.0:assertion"

                      TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />

              </TokenProviders>

      </PicketLinkSTS>

       

      </PicketLink>

       

      ----------------------

       

      IDP : web.xml

       

      <?xml version="1.0"?>

      <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"

      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

      <description>IDP Web Application for the PicketLink project</description>

      <display-name>IDP</display-name>

      <listener>

        <listener-class>org.picketlink.identity.federation.web.listeners.IDPHttpSessionListener</listener-class>

      </listener>

      <!-- Define a security constraint that gives unlimted access to images -->

      <security-constraint>

        <web-resource-collection>

         <web-resource-name>Images</web-resource-name>

         <url-pattern>/images/*</url-pattern>

        </web-resource-collection>

        <web-resource-collection>

         <web-resource-name>CSS</web-resource-name>

         <url-pattern>/css/*</url-pattern>

        </web-resource-collection>

      </security-constraint>

      <!-- Define a Security Constraint on this Application -->

      <security-constraint>

        <web-resource-collection>

         <web-resource-name>Manager command</web-resource-name>

         <url-pattern>/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

         <role-name>sales</role-name>

         <role-name>manager</role-name>

       

        </auth-constraint>

      </security-constraint>

      <!-- Define the Login Configuration for this Application -->

      <login-config>

        <auth-method>FORM</auth-method>

        <realm-name>PicketLink IDP Application</realm-name>

        <form-login-config>

         <form-login-page>/jsp/login.jsp</form-login-page>

         <form-error-page>/jsp/login-error.jsp</form-error-page>

        </form-login-config>

      </login-config>

      <!-- Security roles referenced by this web application in the security constraints above-->

      <security-role>

        <role-name>sales</role-name>

      </security-role>

      <security-role>

        <role-name>manager</role-name>

      </security-role>

       

      </web-app>

       

      -----------------

       

      IDP : jboss-web.xml :

       

      <jboss-web>

         <security-domain>idp</security-domain>

      </jboss-web>

       

       

       

      --------------

       

      SP : context.xml :

       

      <Context>

        <Valve className="org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"

        />

      </Context>

       

      -------------

       

      SP : picketlink.xml :

       

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">

          <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:1.0"

               BindingType="POST">

              <IdentityURL>http://localhost:8080/IDP/</IdentityURL>

              <!--  note : If IDP runs on tomcat, the ServiceURL must have a trailing "/" -->

              <ServiceURL>http://localhost:8080/TestSP/sales-post/</ServiceURL>

          </PicketLinkSP>

          <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">

                  <Option Key="DISABLE_ROLE_PICKING" Value="false"/>

                   <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>

                  </Handler>

              <Handler

                  class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />

                 

                  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">

               <Option Key="ATTRIBUTE_CHOOSE_FRIENDLY_NAME" Value="true"/>

               </Handler>

          </Handlers>

      </PicketLink>

       

       

      ---------------------

       

      SP : web.xml :

       

      <?xml version="1.0" encoding="ISO-8859-1"?>

      <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"

      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

      <description>Just a Test SP for Fedbridge Project</description>

      <display-name>Fedbridge Test SALES Application</display-name>

      <!-- Define a Security Constraint on this Application -->

      <security-constraint>

        <web-resource-collection>

         <web-resource-name>SALES Application</web-resource-name>

         <url-pattern>/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

         <role-name>sales</role-name>

        </auth-constraint>

      </security-constraint>

      <security-constraint>

        <web-resource-collection>

         <web-resource-name>SALES Application</web-resource-name>

         <url-pattern>/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

         <role-name>manager</role-name>

        </auth-constraint>

      </security-constraint>

      <!-- Define a security constraint that gives unlimted access to freezone -->

      <security-constraint>

        <web-resource-collection>

         <web-resource-name>freezone</web-resource-name>

         <url-pattern>/freezone/*</url-pattern>

        </web-resource-collection>

        <web-resource-collection>

         <web-resource-name>images</web-resource-name>

         <url-pattern>/images/*</url-pattern>

        </web-resource-collection>

        <web-resource-collection>

         <web-resource-name>css</web-resource-name>

         <url-pattern>/css/*</url-pattern>

        </web-resource-collection>

      </security-constraint>

      <!-- Define the Login Configuration for this Application -->

      <login-config>

        <auth-method>FORM</auth-method>

        <realm-name>Tomcat SALES Application</realm-name>

        <form-login-config>

         <form-login-page>/jsp/login.jsp</form-login-page>

         <form-error-page>/jsp/loginerror.jsp</form-error-page>

        </form-login-config>

      </login-config>

      <!-- Security roles referenced by this web application -->

      <security-role>

        <description>The role that is required to log in to this Application</description>

        <role-name>sales</role-name>

      </security-role>

      <security-role>

        <description>The role that is required to log in to this Application</description>

        <role-name>manager</role-name>

      </security-role>

      </web-app>

       

       

      ------------------

       

      SP : jboss-web.xml :

       

       

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

         <security-domain>sp</security-domain>

         <context-root>TestSP/sales-post</context-root>

       

      </jboss-web>

       

       

      ---------------------

      conf/login-config.xml :

       

       

      <application-policy name="sp">

      <authentication>

      <login-module

      code = "org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" />

      </authentication>

      </application-policy>

      <application-policy name="idp">

      <authentication>

        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >

        <module-option name="debug">true</module-option>

                     <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>

                    <module-option name="bindDN">cn=mygenericuser,ou=Canada,o=com</module-option>

                     <module-option name="bindCredential">hello123</module-option>

                     <module-option name="baseCtxDN">ou=Canada,o=com</module-option>

                     <module-option name="baseFilter">(cn={0})</module-option>

                     <module-option name="rolesCtxDN">ou=Canada,o=com</module-option>

                     <module-option name="roleFilter">(cn={0})</module-option>

                     <module-option name="roleAttributeID">employeetype</module-option>

                     

                     <module-option name="roleAttributeIsDN">false</module-option>

                     <module-option name="roleRecursion">-1</module-option>

                     <module-option name="searchTimeLimit">10000</module-option>

                     <module-option name="searchScope">SUBTREE_SCOPE</module-option>

                     <module-option name="allowEmptyPasswords">false</module-option>

       

       

                </login-module>

      </authentication>

       

      <mapping>

         <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">

       

           <module-option name="bindDN">cn=jbossuser,ou=Canada,o=com</module-option>

           <module-option name="bindCredential">hello123</module-option>

           <module-option name="baseFilter">(cn={0})</module-option>

           <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>

           <module-option name="baseCtxDN">ou=Canada,o=com</module-option>

       

           <module-option name="attributeList">cn,mail,title</module-option>

       

         </mapping-module>

      </mapping>

       

       

      </application-policy>

       

      --------------------------

       

      server.log:

       

       

      2012-11-16 17:29:06,980 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2)  Requested cookie session id is C4A6DE0A81CEF55213D4B35394D9F3E4

      2012-11-16 17:29:06,980 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}

      2012-11-16 17:29:06,980 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}

      2012-11-16 17:29:06,981 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request POST /IDP/j_security_check

      2012-11-16 17:29:06,981 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Authenticating username 'johndoe'

      2012-11-16 17:29:06,982 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Begin authenticate, username=johndoe

      2012-11-16 17:29:06,996 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) Begin isValid, principal:johndoe, cache info: null

      2012-11-16 17:29:06,996 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) defaultLogin, principal=johndoe

      2012-11-16 17:29:06,996 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-2) Begin getAppConfigurationEntry(idp), size=15

      2012-11-16 17:29:06,997 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-127.0.0.1-8080-2) End getAppConfigurationEntry(idp), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=baseFilter, value=(cn={0})

      name=bindDN, value=cn=mygenericuser,ou=Canada,o=com

      name=rolesCtxDN, value=ou=Canada,o=com

      name=debug, value=true

      name=baseCtxDN, value=ou=Canada,o=com

      name=roleRecursion, value=-1

      name=allowEmptyPasswords, value=false

      name=roleFilter, value=(cn={0})

      name=java.naming.provider.url, value=ldap://localhost:389

      name=bindCredential, value=****

      name=searchTimeLimit, value=10000

      name=roleAttributeIsDN, value=false

      name=searchScope, value=SUBTREE_SCOPE

      name=roleAttributeID, value=employeetype

       

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) initialize

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Security domain: idp

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) login

      2012-11-16 17:29:07,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=mygenericuser,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(cn={0}), java.naming.provider.url=ldap://localhost:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}

      2012-11-16 17:29:07,212 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Logging into LDAP server, env={searchTimeLimit=10000, baseFilter=(cn={0}), allowEmptyPasswords=false, java.naming.security.credentials=***, jboss.security.security_domain=idp, java.naming.security.authentication=simple, baseCtxDN=ou=Canada,o=com, roleAttributeIsDN=false, rolesCtxDN=ou=Canada,o=com, java.naming.security.principal=cn=johndoe,ou=myLocation,ou=Canada,o=com, debug=true, searchScope=SUBTREE_SCOPE, roleRecursion=-1, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleFilter=(cn={0}), java.naming.provider.url=ldap://localhost:389, roleAttributeID=employeetype, bindDN=cn=mygenericuser,ou=Canada,o=com, bindCredential=hello123}

      2012-11-16 17:29:07,233 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) Assign user to role sales

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) User 'johndoe' authenticated, loginOk=true

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http-127.0.0.1-8080-2) commit, loginOk=true

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) defaultLogin, lc=javax.security.auth.login.LoginContext@6e841513, subject=Subject(562285332).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:6))

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) updateCache, inputSubject=Subject(562285332).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)), cacheSubject=Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales))

      2012-11-16 17:29:07,234 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) Inserted cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@703546fc[Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)),credential.class=java.lang.String@1932925246,expirationTime=1353106741047]

      2012-11-16 17:29:07,235 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) End isValid, true

      2012-11-16 17:29:07,235 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) User: johndoe is authenticated

      2012-11-16 17:29:07,242 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.idp] (http-127.0.0.1-8080-2) getPrincipal, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@703546fc[Subject(1401528124).principals=org.jboss.security.SimplePrincipal@1401131500(johndoe)org.jboss.security.SimpleGroup@1658931145(Roles(members:sales)),credential.class=java.lang.String@1932925246,expirationTime=1353106741047]

      2012-11-16 17:29:07,242 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Mapped from input principal: johndoeto: johndoe

      2012-11-16 17:29:07,374 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.web.tomcat.security.JBossWebRealm;CallerPrincipal=johndoe;principal=GenericPrincipal[johndoe(sales,)];request=[/IDP:cookies=[Ljavax.servlet.http.Cookie;@7a7fa6be:headers=host=localhost:8080,user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0,accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,accept-language=en-US,en;q=0.5,accept-encoding=gzip, deflate,connection=keep-alive,referer=http://localhost:8080/IDP/,cookie=JSESSIONID=C4A6DE0A81CEF55213D4B35394D9F3E4,content-type=application/x-www-form-urlencoded,content-length=48,][parameters=johndoe::,mypassword::,Login::,][attributes=];

      2012-11-16 17:29:07,374 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) End authenticate, principal=GenericPrincipal[johndoe(6,)]

      2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Authentication of 'johndoe' was successful

      2012-11-16 17:29:07,374 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Redirecting to original '/IDP/'

      2012-11-16 17:29:07,375 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Failed authenticate() test ??/IDP/j_security_check

      2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-2) clear, server=true

      2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:07,375 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.connector.CoyoteAdapter] (http-127.0.0.1-8080-2)  Requested cookie session id is C4A6DE0A81CEF55213D4B35394D9F3E4

      2012-11-16 17:29:07,380 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:{}

      2012-11-16 17:29:07,380 TRACE [org.jboss.web.tomcat.security.JaccContextValve] (http-127.0.0.1-8080-2) MetaData:org.jboss.metadata.web.jboss.JBossWebMetaData@1f:principalToRoleSetMap{}

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Security checking request GET /IDP/

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Images, CSS]' against GET /index.jsp --> false

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Manager command]' against GET /index.jsp --> true

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Images, CSS]' against GET /index.jsp --> false

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking constraint 'SecurityConstraint[Manager command]' against GET /index.jsp --> true

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Calling hasUserDataPermission()

      2012-11-16 17:29:07,380 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   User data constraint has no restrictions

      2012-11-16 17:29:07,381 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2012-11-16 17:29:07,381 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;Exception:=;userDataPermissionCheck=true;securityConstraints=SecurityConstraint[Manager command];Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={userDataPermissionCheck=true, securityConstraints=[Lorg.apache.catalina.deploy.SecurityConstraint;@32fe8c46, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=null,request=[/IDP],CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;

      2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Calling authenticate()

      2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Restore request from session 'C4A6DE0A81CEF55213D4B35394D9F3E4'

      2012-11-16 17:29:07,381 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2) Authenticated 'johndoe' with type 'FORM'

      2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-127.0.0.1-8080-2) Proceed to restored request

      2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Calling accessControl()

      2012-11-16 17:29:07,385 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2)   Checking roles GenericPrincipal[johndoe(6,)]

      2012-11-16 17:29:07,386 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@681a4e9e:servlet.getName()=jsp]

      2012-11-16 17:29:07,386 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Username johndoe has role sales

      2012-11-16 17:29:07,393 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2012-11-16 17:29:07,394 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;roleRefPermissionCheck=true;principal.roles=6;Exception:=;roleName=6;Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={roleRefPermissionCheck=true, principal.roles=[sales], roleName=sales, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=null,request= ,CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasRole:RealmBase says:true::Authz framework says:true:final=true

      2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Role found:  sales

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) [getServletName:servletmappings=[Ljava.lang.String;@2fc9ba33:servlet.getName()=jsp]

      2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) Username johndoe does NOT have role manager

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasRole:RealmBase says:false::Authz framework says:false:final=false

      2012-11-16 17:29:07,394 DEBUG [org.apache.catalina.realm.RealmBase] (http-127.0.0.1-8080-2) No role found:  manager

      2012-11-16 17:29:07,394 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) Restoring principal info from cache

      2012-11-16 17:29:07,395 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-2) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2012-11-16 17:29:07,395 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-127.0.0.1-8080-2) [Success]Source=org.jboss.security.plugins.javaee.WebAuthorizationHelper;resourcePermissionCheck=true;Exception:=;securityConstraints=SecurityConstraint[Manager command];Resource:=[org.jboss.security.authorization.resources.WebResource:contextMap={resourcePermissionCheck=true, securityConstraints=[Lorg.apache.catalina.deploy.SecurityConstraint;@32fe8c46, policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c},canonicalRequestURI=/index.jsp,request=[/IDP],CodeSource=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@4ef0916c;

      2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.JBossWebRealm] (http-127.0.0.1-8080-2) hasResourcePerm:RealmBase says:true::Authz framework says:true:final=true

      2012-11-16 17:29:07,395 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-127.0.0.1-8080-2)  Successfully passed all security constraints

      2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) Begin invoke, caller=GenericPrincipal[johndoe(sales,)]

      2012-11-16 17:29:07,395 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) Restoring principal info from cache

      2012-11-16 17:29:07,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,396 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.RunAsListener] (http-127.0.0.1-8080-2) jsp, runAs: null

      2012-11-16 17:29:07,442 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] (http-127.0.0.1-8080-2) End invoke, caller=GenericPrincipal[johndoe(sales,)]

      2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityAssociation] (http-127.0.0.1-8080-2) clear, server=true

      2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:07,442 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-2) Setting threadlocal:null

      2012-11-16 17:29:13,445 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1353104953445 sessioncount 0

      2012-11-16 17:29:13,461 DEBUG [org.apache.catalina.session.ManagerBase] (ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 16 expired sessions: 0