I need to have Windows Integrated Authentication (via IIS 8) working with JBoss EAP 6.2 and SPNEGO authentication.
The connection between the two is working fine and authentication works, but role authorization seems to fail.
I end up getting a '403 - Forbidden: Access is denied'.
The log file shows:
Calling hasUserDataPermission()
Calling authenticate()
Already authenticated 'mydomain\myuserID'
Calling accessControl()
Failed accessControl() test
So it looks like my user ID is passed and authenticated, but I am getting errors on authorization similar to what Ales is describing here: https://developer.jboss.org/thread/195834
With the tomcatAuthentication flag artificially set to false, it is not possible to make use of the security-domain configuration, namely its authorization configuration. The reason is that JBoss's class org.jboss.as.web.security.JBossWebRealm, which evaluates the user's role, delegates to the Tomcat class org.apache.catalina.realm.RealmBase. RealmBase uses the following code:

    public boolean hasRole(Principal principal, String role) {
        if ((principal == null) || (role == null)
                || !(principal instanceof GenericPrincipal)) {
            return false;
        }
        ...
    }

The authorization evaluation will always yield false, since the Principal created using Apache's AJP13_FORWARD_REQUEST?remote_user data is of class org.apache.catalina.connector.CoyotePrincipal, not org.apache.catalina.realm.GenericPrincipal, which is created normally during form-based authentication. But the story does not end here either.
The same issue is also described here: "Tomcat - User - Tomcat7: debugging realms - a howto?". It seems that user created a patch for Tomcat? Is this something I can get applied to JBoss?