SPFilter + tomcat7 + idp + tomcat security -> Roles are not transmitted.
dvayanu Jul 21, 2014 8:14 PM
Hi,
I assume that I am missing something very obvious here, but I've spent about 4 hours searching and trying and couldn't come to a solution, so maybe there is some help.
I was following this guide: https://docs.jboss.org/author/display/PLINK/Standalone+Web+Applications%28All+Servlet+Containers%29
I was able to connect my SP and my IDP and perform a login. I can see a user principal in the session. However, as soon as I add tomcat security, to protect some part of the application as in the above example it doesn't work.
Here are the relevant parts of the web.xml
<filter>
    <description>
        The SP Filter intersects all requests at the SP and sees if there is a need to contact the IDP.
    </description>
    <filter-name>SPFilter</filter-name>
    <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
    <init-param>
        <param-name>ROLES</param-name>
        <param-value>sales,manager</param-value>
    </init-param>
    <init-param>
        <param-name>IGNORE_SIGNATURES</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/login</url-pattern>
</filter-mapping>

<!-- Processes application requests -->
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>*.html</url-pattern>
</servlet-mapping>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Manager command</web-resource-name>
        <url-pattern>/loginarea/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>
        The role that is required to log in to the Manager Application
    </description>
    <role-name>manager</role-name>
</security-role>
Whenever I try to access something under /loginarea/ I get a 403 without even coming through to the SPFilter or my code. However, from my code under other URLs I can read the user principal, and it contains the tomcat user (from the quickstart examples). Interestingly, if I try to read the roles, it always returns null:
Principal userPrincipal = (Principal) request.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); // returns the principal with the correct user name
List<String> roles = (List<String>) request.getSession().getAttribute(GeneralConstants.ROLES_ID);       // null
If I remove the security-constraint I can access the app and the controller without any problems. I am using basic redirect idp from examples.
regards
Leon
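As an added example (editor's code, not from the post, from PicketLink or from Tomcat), here is a small Python lint for the three declarations that interact in the web.xml above: the SPFilter's ROLES init-param, the filter-mapping url-pattern, and the security-constraint/security-role pair. It reports roles that an auth-constraint requires but that are neither declared as a security-role nor listed in the filter's ROLES, and constrained url-patterns that no SPFilter filter-mapping reaches. The second check matters because a container-enforced security-constraint is evaluated before any servlet filter runs, so a filter mapped only to a path outside the constrained area never sees those requests. The sample web.xml embedded in the script is constructed from the post's fragment; the filter name SPFilter, the Java EE default namespace and the simplified servlet pattern matching (exact and prefix patterns only) are assumptions of this example.

```python
"""Lint role and filter-mapping declarations in a web.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample built from the posted fragment (namespace is an assumption).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>SPFilter</filter-name>
    <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
    <init-param><param-name>ROLES</param-name><param-value>sales,manager</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/login</url-pattern>
  </filter-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager command</web-resource-name>
      <url-pattern>/loginarea/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>manager</role-name></security-role>
</web-app>
"""


def parse_web_xml(text):
    """Parse web.xml and drop namespaces so element paths can use plain names."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[1] if "}" in el.tag else el.tag
    return root


def filter_patterns(root, filter_name="SPFilter"):
    """url-patterns of every filter-mapping for the named filter."""
    return [m.findtext("url-pattern").strip() for m in root.findall("filter-mapping")
            if m.findtext("filter-name", "").strip() == filter_name]


def filter_roles_param(root, filter_name="SPFilter"):
    """Comma-separated ROLES init-param of the named filter, as a set."""
    for f in root.findall("filter"):
        if f.findtext("filter-name", "").strip() != filter_name:
            continue
        for ip in f.findall("init-param"):
            if ip.findtext("param-name", "").strip() == "ROLES":
                value = ip.findtext("param-value", "")
                return {r.strip() for r in value.split(",") if r.strip()}
    return set()


def constrained_patterns(root):
    """(url-pattern, [required roles]) for each constraint with an auth-constraint."""
    out = []
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        if roles:
            for p in sc.findall("web-resource-collection/url-pattern"):
                out.append((p.text.strip(), roles))
    return out


def declared_roles(root):
    return {r.text.strip() for r in root.findall("security-role/role-name")}


def pattern_covers(filter_pat, resource_pat):
    """Does a filter url-pattern reach every request the resource pattern can
    match?  Handles '/*', exact matches and '/prefix/*' (simplified rules)."""
    if filter_pat == "/*" or filter_pat == resource_pat:
        return True
    if filter_pat.endswith("/*"):
        prefix = filter_pat[:-1]                       # '/loginarea/*' -> '/loginarea/'
        base = resource_pat[:-1] if resource_pat.endswith("/*") else resource_pat
        return base == prefix[:-1] or base.startswith(prefix)
    return False                                       # extension patterns: not covered


def lint(text, filter_name="SPFilter"):
    """Return a list of human-readable findings; an empty list means consistent."""
    root = parse_web_xml(text)
    findings = []
    declared = declared_roles(root)
    sp_roles = filter_roles_param(root, filter_name)
    mapped = filter_patterns(root, filter_name)
    for pat, needed in constrained_patterns(root):
        for role in needed:
            if role not in declared:
                findings.append(f"role '{role}' required for {pat} is not declared in a <security-role>")
            if role not in sp_roles:
                findings.append(f"role '{role}' required for {pat} is not in {filter_name}'s ROLES param")
        if not any(pattern_covers(fp, pat) for fp in mapped):
            findings.append(f"constrained pattern {pat} is not covered by any {filter_name} filter-mapping {mapped}")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_WEB_XML) or ["no findings"]:
        print(line)
```

Run against the posted fragment, the only finding is that /loginarea/* is not covered by the filter mapped at /login; widening the mapping to /* makes the lint pass, which is the kind of check worth running before debugging role propagation any further.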