Actually, this won't work. We need to specify a role to get the Tomcat filters to kick in. What I'll do is add the "Authenticated" role to the list of roles in the filters, if a configuration option is set to true.

Colm.

On Mon, Jul 18, 2016 at 12:28 PM, Sergey Beryozkin <[email protected]> wrote:

> +1,
>
> Cheers, Sergey
>
> On 18/07/16 14:18, Colm O hEigeartaigh wrote:
>
>> I think we could just get rid of them for the non-console part of the OIDC
>> IdP. For the normal RP case, you want to make sure that only authenticated
>> users in a given role can access the application. But here we're just
>> logging users in, so I don't think we need to specify a constraint on the
>> role.
>>
>> Colm.
>>
>> On Mon, Jul 18, 2016 at 12:11 PM, Sergey Beryozkin <[email protected]> wrote:
>>
>>> One thing to note is that these roles in fediz-oidc/web.xml are a
>>> temporary side-effect of the fact that OIDC is implemented right now as a
>>> Fediz WS-Fed RP (meaning that internally, when the user is actually
>>> authenticated, OIDC talks to the core Fediz IDP using WS-Fed, which is
>>> transparent to the user).
>>> And because OIDC is a Fediz RP right now, it is like any other web
>>> application protected by Fediz Authenticators, and hence I simply copied
>>> the roles from a base Fediz demo when prototyping the initial Fediz OIDC
>>> web.xml.
>>>
>>> So I wonder, can we simply get rid of those roles? I recall it was quite
>>> sensitive. Or maybe fix something at the Fediz core level not to lose
>>> 'Authenticated'?
>>>
>>> Either way these roles will go once we have OIDC and IDP combined, with
>>> OIDC becoming a real IDP itself...
>>>
>>> Cheers, Sergey
>>>
>>> On 18/07/16 13:58, Colm O hEigeartaigh wrote:
>>>
>>>> Hi Adrian,
>>>>
>>>> I suppose the question is why you need to specify a role constraint at all
>>>> for the OIDC authorization call? If you're happy to allow any authenticated
>>>> user access, then why have a constraint on the role of the user?
>>>>
>>>> Colm.
>>>>
>>>> On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I'm using CXF OIDC. When my Client Application redirects a user to OIDC and
>>>>> the user is not associated with any role on the STS side, then everything
>>>>> works fine.
>>>>> When I associate the user with at least 1 role, I've got a 403 on this
>>>>> request:
>>>>>
>>>>> http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
>>>>>
>>>>> From
>>>>> https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54 :
>>>>> * When the user has no roles, the Tomcat handler adds the 'Authenticated' role.
>>>>> * When the user has 1..n roles, no 'Authenticated' role is added.
>>>>>
>>>>> As a workaround, I could give every one of my users an Authenticated role,
>>>>> but it seems a bit artificial. Shouldn't TomcatSigninHandler.java
>>>>> systematically add the Authenticated role?
>>>>>
>>>>> Thanks, Adrian
>>>>>
>>>>> P.S. Here's the extract of my web.xml:
>>>>>
>>>>>   <security-role>
>>>>>     <role-name>Manager</role-name>
>>>>>   </security-role>
>>>>>   <security-role>
>>>>>     <role-name>User</role-name>
>>>>>   </security-role>
>>>>>   <security-role>
>>>>>     <role-name>Admin</role-name>
>>>>>   </security-role>
>>>>>   <security-role>
>>>>>     <role-name>Authenticated</role-name>
>>>>>   </security-role>
>>>>>   <security-constraint>
>>>>>     <web-resource-collection>
>>>>>       <web-resource-name>User Protected Area</web-resource-name>
>>>>>       <url-pattern>/idp/*</url-pattern>
>>>>>     </web-resource-collection>
>>>>>     <auth-constraint>
>>>>>       <role-name>*</role-name>
>>>>>     </auth-constraint>
>>>>>   </security-constraint>
>>>>>
>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
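An added example, written for this page and not code from Fediz or Tomcat, that parses the web.xml extract quoted above and models the two rules the thread turns on: the signin-handler behaviour Adrian describes (the 'Authenticated' role is added only when the STS asserted no roles) and the Servlet 3.1 meaning of `<role-name>*</role-name>` (any of the roles declared with `<security-role>`; `**` would mean any authenticated user regardless of role). It shows one explanation consistent with the reported 403: a user whose STS roles are not among the declared ones matches nothing under `*`, while always adding 'Authenticated', as Colm proposes, makes the check pass. The `always_add_authenticated` flag is a hypothetical stand-in for that configuration option, and the 'Employee' role is a constructed sample value.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml extract from the thread, wrapped in a root element.
WEB_XML = """<web-app>
  <security-role><role-name>Manager</role-name></security-role>
  <security-role><role-name>User</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Authenticated</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Protected Area</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def parse_web_xml(xml_text):
    """Return (declared_roles, constraints). constraints maps each url-pattern to
    the list of role-names in its <auth-constraint>, or None when the constraint
    has no <auth-constraint> element at all (which means unrestricted access)."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name").strip() for r in root.iter("security-role")}
    constraints = {}
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [rn.text.strip() for rn in ac.findall("role-name")]
        for up in sc.findall("web-resource-collection/url-pattern"):
            constraints[up.text.strip()] = roles
    return declared, constraints


def signin_roles(sts_roles, always_add_authenticated=False):
    """Model of the rule described in the thread: 'Authenticated' is added only
    when the STS asserted no roles. always_add_authenticated is a hypothetical
    switch modelling the configuration option proposed in the top post."""
    roles = set(sts_roles)
    if not roles or always_add_authenticated:
        roles.add("Authenticated")
    return roles


def url_matches(pattern, path):
    """Servlet path matching for the two pattern kinds relevant here:
    an exact path, or a prefix pattern ending in /*."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def is_allowed(path, user_roles, declared_roles, constraints):
    """Evaluate the auth-constraint of the first matching pattern with Servlet 3.1
    semantics: '*' = any declared role, '**' = any authenticated user,
    otherwise an explicit role list; an empty <auth-constraint/> denies everyone."""
    user_roles = set(user_roles)
    for pattern, required in constraints.items():
        if not url_matches(pattern, path):
            continue
        if required is None:
            return True
        if not required:
            return False
        for name in required:
            if name == "**":
                return True
            if name == "*":
                if user_roles & declared_roles:
                    return True
            elif name in user_roles:
                return True
        return False
    return True  # no constraint covers this path


def authorize_scenarios():
    """Outcomes for the /idp/authorize request under the quoted web.xml."""
    declared, constraints = parse_web_xml(WEB_XML)
    path = "/idp/authorize"
    return {
        # no STS roles: handler adds Authenticated, which is declared -> allowed
        "no_roles": is_allowed(path, signin_roles([]), declared, constraints),
        # an STS role not declared in web.xml: '*' matches nothing -> 403
        "undeclared_role": is_allowed(path, signin_roles(["Employee"]), declared, constraints),
        # same user once Authenticated is always added (proposed option) -> allowed
        "undeclared_role_fixed": is_allowed(path, signin_roles(["Employee"], True), declared, constraints),
        # a declared role passes either way
        "declared_role": is_allowed(path, signin_roles(["Manager"]), declared, constraints),
        # '**' would admit any authenticated user without touching the role list
        "any_authenticated": is_allowed(path, signin_roles(["Employee"]), declared, {"/idp/*": ["**"]}),
    }


if __name__ == "__main__":
    for name, allowed in authorize_scenarios().items():
        print(f"{name}: {'200' if allowed else '403'}")
```

The model is a simplification of Tomcat's realm check (it ignores transport guarantees and overlapping constraints), but it is enough to reason about which of the three options in the thread (drop the role constraint, always add 'Authenticated', or assign every user a declared role) changes the outcome for a given user.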
