I assume that I am missing something very obvious here, but I've spent about 4 hours searching and trying and couldn't come to a solution, so maybe there is some help.
I was following this guide: https://docs.jboss.org/author/display/PLINK/Standalone+Web+Applications%28All+Servlet+Containers%29
I was able to connect my SP and my IDP and perform a login. I can see a user principal in the session. However, as soon as I add Tomcat security to protect some part of the application, as in the above example, it doesn't work.
Here are the relevant parts of the web.xml
The SP Filter intersects all requests at the SP and sees if there is a need to contact the IDP.
Whenever I am trying to access something under /loginarea/ I get a 403 without even getting through to the SPFilter or my code. However, from my code under other URLs I can read the user principal, and it contains the Tomcat user (from the quickstart examples). Interestingly, if I am trying to read the roles, it always returns null:
```java
// returns the principal with the correct user name
Principal userPrincipal = (Principal) request.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID);
// null
List<String> roles = (List<String>) request.getSession().getAttribute(GeneralConstants.ROLES_ID);
```
If I remove the security-constraint I can access the app and the controller without any problems. I am using the basic redirect IDP from the examples.
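As an added illustration (not part of the original post, and not the poster's web.xml, which is not reproduced above), the fragment below shows the ordering that produces the symptom described: a servlet container evaluates a `<security-constraint>` against its own realm before it invokes any filter, so a filter-based SP that stores the principal and roles as session attributes never gets a chance to run for a URL the container has already rejected. The filter name, URL patterns and role name are assumptions for the example.

```xml
<!-- Added example, not the original page's web.xml. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Assumed: a PicketLink-style SP filter registered on every request.
       Filters run only after the container's authorization check has passed. -->
  <filter>
    <filter-name>SPFilter</filter-name>
    <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Assumed protected area. The container checks this constraint against
       the realm it authenticated the request with; session attributes written
       by a filter are not consulted, so an unauthenticated or role-less request
       is answered with 401/403 before SPFilter is ever invoked. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login area</web-resource-name>
      <url-pattern>/loginarea/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
```

With the constraint removed, every request reaches the filter chain, which matches the behaviour reported above; with it present, only requests the container's own realm has authenticated and authorized into `manager` pass through to the filter.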