Mohanraj created FEDIZ-254:
------------------------------

             Summary: 
"org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: XXX" 
+ SSO Not working in Tomcat 9 & Fediz 1.5.1
                 Key: FEDIZ-254
                 URL: https://issues.apache.org/jira/browse/FEDIZ-254
             Project: CXF-Fediz
          Issue Type: Bug
          Components: IDP
    Affects Versions: 1.5.1
            Reporter: Mohanraj


Hi Team,

SSO authorization is failing (we get a 403 error) after we upgraded Tomcat 
from 8.5.x to 9.0.45 (Fediz 1.5.1). 

*Fediz distribution used:*
<groupId>org.apache.cxf.fediz</groupId>   
<artifactId>fediz-tomcat</artifactId>   
<version>1.5.1</version>
*Tomcat Distribution used:*
<groupId>org.apache.tomcat</groupId> 
<artifactId>tomcat</artifactId> 
<version>9.0.45</version>

*Log:*

06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: SPEZIALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: ADMIN
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: GENERALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test


*web.xml: under webapps/sample/WEB-INF*

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
 version="2.4">

<display-name>Hello, World Application</display-name>
 <description>
 This is a simple web application with a source code organization
 based on the recommendations of the Application Developer's Guide.
 </description>

<servlet>
 <servlet-name>HelloServlet</servlet-name>
 <servlet-class>mypackage.Hello</servlet-class>
 </servlet>

<servlet-mapping>
 <servlet-name>HelloServlet</servlet-name>
 <url-pattern>/hello</url-pattern>
 </servlet-mapping>

<!-- Fragment Fediz -->
 <!--
 <filter>
 <filter-name>FederationFilter</filter-name>
 <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
 </filter>

<filter-mapping>
 <filter-name>FederationFilter</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>

<security-role>
 <role-name>GENERALIST</role-name>
 </security-role>
 <security-role>
 <role-name>SPEZIALIST</role-name>
 </security-role>
 <security-role>
 <role-name>ADMIN</role-name>
 </security-role>


 <security-constraint>
 <web-resource-collection>
 <web-resource-name>Web app</web-resource-name>
 <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
 <role-name>*</role-name>
 </auth-constraint>
 </security-constraint>

<login-config>
 <auth-method>WSFED</auth-method>
 <realm-name>WSFED</realm-name>
 </login-config>
-->
</web-app>


*context.xml under tomcat/conf/*

<Context> 
 <WatchedResource>WEB-INF/web.xml</WatchedResource>
 <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
 <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
 <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" 
configFile="conf/fediz_config.xml" />
</Context>

*fediz_config.xml*

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
 <contextConfig name="/sample">
 <audienceUris>
 <audienceItem>https://masked-app-url.com/</audienceItem>
 </audienceUris>
 <certificateStores>
 <trustManager>
 <keyStore file="/app/tomcatcerts/client/trust.jks" password="******" 
type="JKS" />
 </trustManager>
 </certificateStores>
 <tokenExpirationValidation>true</tokenExpirationValidation>
 <trustedIssuers>
 <issuer certificateValidation="PeerTrust" />
 </trustedIssuers>
 <maximumClockSkew>1000</maximumClockSkew>
 <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:type="federationProtocolType" version="1.0.0">
 <realm>https://masked-app-url.com/</realm>
 <issuer>https://masked-idp-url.com/</issuer>
 <roleDelimiter>,</roleDelimiter>
 <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
 <homeRealm>https://masked-homerealm-url.com/</homeRealm>
 <claimTypesRequested>
 <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
 <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
 <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
 <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
 </claimTypesRequested>
 </claimTypesRequested>
 </protocol>
 <logoutURL>/secure/logout</logoutURL>
 <logoutRedirectTo>/</logoutRedirectTo>
 </contextConfig>
</FedizConfig>

Please help with this issue, and let me know if any other details are required. 
Note: the same code is working fine in Tomcat 8.5.47. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
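Added example (editor's own code, not Tomcat's and not part of Fediz or of the report above): a Python model of the role-matching step in org.apache.catalina.realm.RealmBase.hasResourcePermission that emits the "Checking roles" / "No role found" FINE lines shown in the log. Two things it makes visible: the roles listed after "No role found:" come from the <security-constraint> (with <role-name>*</role-name> expanded to the roles declared in <security-role>, so a constraint using * with no declared roles can never match), not from the principal; and the trailing comma in GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)] is just how GenericPrincipal.toString() renders its role array (a comma after every role), so the principal does carry all three roles. Assumptions: the Fediz fragment that is commented out in the posted web.xml is taken as active; URL matching is reduced to exact paths and /prefix/* patterns; role names are compared as plain strings with no security-role-ref aliasing or realm-specific hasRole override, so the model deliberately does not claim to explain why Tomcat 9.0.45 rejects roles the principal visibly has. The web.xml variants and the log line are constructed from the report.

```python
"""Model of Tomcat's <auth-constraint> evaluation (editor's added example, not Tomcat/Fediz code)."""
import re
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop the namespace so j2ee and javaee web.xml files parse alike.
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    return [(c.text or "").strip() for c in _children(el, name)]


def parse_web_xml(text):
    """Return (declared security-roles, [(url-patterns, auth-roles or None)])."""
    root = ET.fromstring(text)
    declared, constraints = set(), []
    for el in root:  # XML comments are discarded by the parser, as Tomcat ignores them
        kind = _local(el.tag)
        if kind == "security-role":
            declared.update(_text(el, "role-name"))
        elif kind == "security-constraint":
            patterns = []
            for wrc in _children(el, "web-resource-collection"):
                patterns += _text(wrc, "url-pattern")
            auth = _children(el, "auth-constraint")
            roles = _text(auth[0], "role-name") if auth else None  # None: no auth-constraint
            constraints.append((patterns, roles))
    return declared, constraints


def url_matches(pattern, path):
    # Simplified: exact match or "/prefix/*" (assumption; Tomcat also handles *.ext and precedence)
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return False


def access_check(declared, constraints, path, principal_roles):
    """Mirror RealmBase.hasResourcePermission for an authenticated principal: (allowed, reasons)."""
    have = set(principal_roles)
    reasons, matched, allowed = [], False, False
    for patterns, auth_roles in constraints:
        if not any(url_matches(p, path) for p in patterns):
            continue
        matched = True
        if auth_roles is None:
            reasons.append("no <auth-constraint>: open")
            allowed = True
        elif "**" in auth_roles:
            reasons.append("**: any authenticated user")
            allowed = True
        elif not auth_roles:
            reasons.append("empty <auth-constraint>: deny all")
            return False, reasons  # Tomcat's denyfromall wins over other constraints
        else:
            # '*' means "every role declared in <security-role>", not "any role the user has"
            required = set(declared) if "*" in auth_roles else set(auth_roles)
            if not required:
                reasons.append("'*' expands to no declared <security-role>: nothing can match")
            hit = required & have
            reasons += [f"No role found: {r}" for r in sorted(required - hit)]
            reasons += [f"Role found: {r}" for r in sorted(hit)]
            allowed = allowed or bool(hit)
    if not matched:
        reasons.append("no constraint matches the path: open")
        allowed = True
    return allowed, reasons


_PRINCIPAL = re.compile(r"GenericPrincipal\[(?P<name>[^(\]]*)\((?P<roles>[^)]*)\)\]")


def principal_roles_from_log(line):
    """GenericPrincipal.toString() appends ',' after every role; the trailing comma is not an empty role."""
    m = _PRINCIPAL.search(line)
    if not m:
        raise ValueError("no GenericPrincipal in line")
    return m.group("name"), [r for r in m.group("roles").split(",") if r]


# Constructed inputs: the Fediz fragment from the report with the comment removed, a
# variant without <security-role> declarations, and the "Checking roles" line from the log.
FEDIZ_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-role><role-name>GENERALIST</role-name></security-role>
  <security-role><role-name>SPEZIALIST</role-name></security-role>
  <security-role><role-name>ADMIN</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>WSFED</auth-method><realm-name>WSFED</realm-name></login-config>
</web-app>
"""
NO_DECLARED_ROLES = "\n".join(l for l in FEDIZ_WEB_XML.splitlines() if "<security-role>" not in l)
LOG_LINE = ("06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] "
            "org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles "
            "GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]")


def demo(path="/hello"):
    name, roles = principal_roles_from_log(LOG_LINE)
    results = {}
    for label, xml in (("declared", FEDIZ_WEB_XML), ("undeclared", NO_DECLARED_ROLES)):
        declared, constraints = parse_web_xml(xml)
        results[label] = access_check(declared, constraints, path, roles)
    return name, roles, results


if __name__ == "__main__":
    name, roles, results = demo()
    print(name, roles)
    for label, (ok, why) in results.items():
        print(f"{label}: {'200' if ok else '403'} {why}")
```

Run against the constructed inputs, the "declared" variant admits the principal with all three roles found, while the "undeclared" variant is refused without a single "No role found" line, which is the signature to look for when a * constraint silently denies everyone. A real 403 that prints "No role found" for every declared role, as in the report, means the constraint side is fine and the mismatch is in how the realm answers hasRole for that principal, which this string-comparison model cannot reproduce.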