0 Replies Latest reply on Jul 21, 2014 8:14 PM by Leon Rosenberg

    SPFilter + tomcat7 + idp + tomcat security -> Roles are not transmitted.

    Leon Rosenberg Newbie

      Hi,

       

      I assume that I am missing something very obvious here, but I've spend about 4 hours searching and trying and couldn't come to a solution, so maybe there is some help.

      I was following this guide: https://docs.jboss.org/author/display/PLINK/Standalone+Web+Applications%28All+Servlet+Containers%29

      I was able to connect my SP and my IDP and perform a login. I can see a user principal in the session. However, as soon as I add tomcat security, to protect some part of the application as in the above example it doesn't work.

      Here are the relevant parts of the web.xml

       

          <filter>

              <description>

                  The SP Filter intersects all requests at the SP and sees if there is a need to contact the IDP.

              </description>

              <filter-name>SPFilter</filter-name>

              <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>

              <init-param>

                  <param-name>ROLES</param-name>

                  <param-value>sales,manager</param-value>

              </init-param>

              <init-param>

                  <param-name>IGNORE_SIGNATURES</param-name>

                  <param-value>true</param-value>

              </init-param>

          </filter>

       

       

          <filter-mapping>

              <filter-name>SPFilter</filter-name>

              <url-pattern>/login</url-pattern>

          </filter-mapping>

       

       

          <!-- Processes application requests -->

          <servlet>

              <servlet-name>appServlet</servlet-name>

              <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

              <init-param>

                  <param-name>contextConfigLocation</param-name>

                  <param-value>/WEB-INF/servlet-context.xml</param-value>

              </init-param>

              <load-on-startup>1</load-on-startup>

          </servlet>

       

       

          <servlet-mapping>

              <servlet-name>appServlet</servlet-name>

              <url-pattern>*.html</url-pattern>

          </servlet-mapping>

       

       

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>Manager command</web-resource-name>

                  <url-pattern>/loginarea/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>manager</role-name>

              </auth-constraint>

          </security-constraint>

          <security-role>

              <description>

                  The role that is required to log in to the Manager Application

              </description>

              <role-name>manager</role-name>

          </security-role>

       

      Whenever I am trying to access something under /loginarea/ I get a 403 without even coming through to the SPFilter or my code. However, from my code under other urls I can read the user principal, and it contains the tomcat user (from the quickstart examples). Interestingly, if I am trying to read the roles, it always returns null:

       

      Principal userPrincipal = (Principal) request.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); <-- returns the principal with correct user name

      List<String> roles = (List<String>) request.getSession().getAttribute(GeneralConstants.ROLES_ID); <- null

       

      If I remove the security-constraint I can access the app and the controller without any problems. I am using basic redirect idp from examples.

       

      regards

      Leon