0 Replies Latest reply on Sep 1, 2015 9:01 PM by Dave E

    AJP Authorization   with roles

    Dave E Newbie

      I need to have windows integrated authentication(via IIS8) working with JBOSS EAP 6.2 and Spnego authentication

       

      The connection between the 2 is working fine and authentication works but Role Authorization seems to fail.

       

      I end up getting a '403 - Forbidden: Access is denied'


      The log file shows

      Calling hasUserDataPermission()

      Calling authenticate()

      Already authenticated 'mydomain\myuserID'   

      Calling accessControl()

      Failed accessControl() test

       

      So it looks like my user ID is passed and authenitcated but getting errors on Authorization similar to what Ales is describing here https://developer.jboss.org/thread/195834

       

      with the tomcatAuthentication flag artificially set to false, it  is not possible to make use of the security-domain configuration, namely its authorization configuration. The reason here is that the JBoss's class org.jboss.as.web.security.JBossWebRealm that evaluates the user's role, delegates to the Tomcat class org.apache.catalina.realm.RealmBase. The RealmBase uses the following code:

       

       

      public boolean hasRole(Principal principal, String role) {      if ((principal == null) || (role == null) || !(principal instanceof GenericPrincipal)) {           return false;      } ... } 

       

       

       

      The authorization evaluation will always yield false since the Principal created using  the Apache's AJP13_FORWARD_REQUEST?remote_user data is of class  org.apache.catalina.connector.CoyotePrincipal, not org.apache.catalina.realm.GenericPrincipal created normally during form based authentication. But the story does not end here either.

       

       

      Same issue is also described here Tomcat - User - Tomcat7: debugging realms - a howto?   seems like that user created a patch for tomcat? Is this something I can get applied to JBOSS?