Hi Colm,
It works fine!
Sorry for the delay, I've had a hard time upgrading our application.
Thanks once more,
Adrian

From: Colm O hEigeartaigh <[email protected]>
To: "[email protected]" <[email protected]>; Adrian Gonzalez <[email protected]>
Sent: Monday 18 July 2016 16:01
Subject: Re: 403 with CXF OIDC when user has roles

Ok this should now be fixed, please let me know if you run into any problems 
with it:

https://issues.apache.org/jira/browse/FEDIZ-171

The default Fediz configuration in the OIDC service has been updated to use the 
new configuration option, so it should just work without any changes.

Colm.

On Mon, Jul 18, 2016 at 2:34 PM, Adrian Gonzalez 
<[email protected]> wrote:

Hi Sergey, Colm,
Sorry for not answering before, I wanted to test your suggestion, but had a 
hard time with my environment.
Anyway, here it is: when I remove the authentication checks [1], I get a 401 (see
[2]) on
http://localhost:8080/oidc/idp/authorize?client_id=NWuw2CijNchtRQ&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=blabla

So +1 for adding the Authenticated role!
Thanks,

[1] my new web.xml
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Whitelist access</web-resource-name>
            <url-pattern>/idp/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

[2] Error 401 due to:
2016-07-18 13:26:56,954 [http-apr-8080-exec-10] WARN  
org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper  - 
javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
    at 
org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
    at 
org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:130)
    at 
org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.getAndValidateSecurityContext(RedirectionBasedGrantService.java:423)
    at 
org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.startAuthorization(RedirectionBasedGrantService.java:123)
    at 
org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.authorize(RedirectionBasedGrantService.java:93)
    at 
org.apache.cxf.rs.security.oauth2.services.AuthorizationService.authorize(AuthorizationService.java:58)



From: Colm O hEigeartaigh <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Monday 18 July 2016 15:26
Subject: Re: 403 with CXF OIDC when user has roles

Actually, this won't work. We need to specify a role to get the Tomcat
filters to kick in. What I'll do is add the "Authenticated" role to the
list of roles in the filters, if a configuration option is set to true.

Colm.

On Mon, Jul 18, 2016 at 12:28 PM, Sergey Beryozkin <[email protected]>
wrote:

> +1,
>
> Cheers, Sergey
> On 18/07/16 14:18, Colm O hEigeartaigh wrote:
>
>> I think we could just get rid of them for the non-console part of the OIDC
>> IdP. For the normal RP case, you want to make sure that only authenticated
>> users in a given role can access the application. But here we're just
>> logging users in, so I don't think we need to specify a constraint on the
>> role.
>>
>> Colm.
>>
>> On Mon, Jul 18, 2016 at 12:11 PM, Sergey Beryozkin <[email protected]>
>> wrote:
>>
>>> One thing to note is that these roles in fediz-oidc/web.xml are a
>>> temporary side effect of the fact that OIDC is implemented right now as a
>>> Fediz WS-Fed RP (meaning that internally, when the user is actually
>>> authenticated, OIDC talks to the core Fediz IDP using WS-Fed, which is
>>> transparent to the user).
>>> And because OIDC is a Fediz RP right now, it is like any other web
>>> application protected by Fediz Authenticators, and hence I simply copied
>>> the roles from a basic Fediz demo when prototyping the initial Fediz OIDC
>>> web.xml.
>>>
>>> So I wonder, can we simply get rid of those roles? I recall it was quite
>>> sensitive. Or maybe fix something at the Fediz core level not to lose
>>> 'Authenticated'?
>>>
>>> Either way these roles will go once we have OIDC and IDP combined with
>>> OIDC becoming a real IDP itself...
>>>
>>> Cheers, Sergey
>>>
>>>
>>>
>>> On 18/07/16 13:58, Colm O hEigeartaigh wrote:
>>>
>>> Hi Adrian,
>>>>
>>>> I suppose the question is why you need to specify a role constraint at
>>>> all
>>>> for the OIDC authorization call? If you're happy to allow any
>>>> authenticated
>>>> user access, then why have a constraint on the role of the user?
>>>>
>>>> Colm.
>>>>
>>>> On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <
>>>> [email protected]> wrote:
>>>>
>>>> Hello,
>>>>
>>>>> I'm using CXF OIDC. When my Client Application redirects a user to OIDC
>>>>> and the user is not associated with any role on the STS side, then
>>>>> everything works fine.
>>>>> When I associate the user with at least one role, I get a 403 on this
>>>>> request:
>>>>>
>>>>>
>>>>> http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
>>>>> From
>>>>>
>>>>>
>>>>> https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54
>>>>> :
>>>>>   * When the user has no roles, the Tomcat handler adds the 'Authenticated' role.
>>>>>   * When the user has 1..n roles, no 'Authenticated' role is added.
>>>>> As a workaround, I could give every one of my users an Authenticated
>>>>> role, but it seems a bit artificial. Shouldn't TomcatSigninHandler.java
>>>>> systematically add the Authenticated role?
>>>>> Thanks,
>>>>> Adrian
>>>>>
>>>>> P.S. Here's the extract of my web.xml:
>>>>>
>>>>>     <security-role>
>>>>>         <role-name>Manager</role-name>
>>>>>     </security-role>
>>>>>     <security-role>
>>>>>         <role-name>User</role-name>
>>>>>     </security-role>
>>>>>     <security-role>
>>>>>         <role-name>Admin</role-name>
>>>>>     </security-role>
>>>>>     <security-role>
>>>>>         <role-name>Authenticated</role-name>
>>>>>     </security-role>
>>>>>     <security-constraint>
>>>>>         <web-resource-collection>
>>>>>             <web-resource-name>User Protected Area</web-resource-name>
>>>>>             <url-pattern>/idp/*</url-pattern>
>>>>>         </web-resource-collection>
>>>>>         <auth-constraint>
>>>>>             <role-name>*</role-name>
>>>>>         </auth-constraint>
>>>>>     </security-constraint>
>>>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
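The behaviour the thread describes (the Tomcat sign-in handler only adding 'Authenticated' when the STS returned no roles, an auth-constraint of "*" then failing for users whose STS roles are not declared in web.xml, and a constraint-less web.xml producing a 401 because the container never triggers the Fediz login) can be modelled in a few lines. The following is an added example, not code from Apache CXF Fediz: the class, method names, the `alwaysAddAuthenticated` flag (standing in for the configuration option FEDIZ-171 introduced, whose real name the thread does not give) and the "Developer" STS role are all constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not Fediz code): models how a sign-in handler populates the
 * container roles and how a web.xml auth-constraint is then evaluated, to show
 * why a user with STS roles got a 403 while a user with none got through.
 */
public class AuthenticatedRoleDemo {

    /** Role the Fediz Tomcat handler adds when the user has no roles. */
    static final String AUTHENTICATED = "Authenticated";

    /**
     * Hypothetical model of the handler's role population. With
     * alwaysAddAuthenticated == false this is the old behaviour reported in
     * the thread; with true it models the FEDIZ-171 configuration option.
     */
    static List<String> containerRoles(List<String> stsRoles, boolean alwaysAddAuthenticated) {
        Set<String> roles = new LinkedHashSet<>(stsRoles);
        if (roles.isEmpty() || alwaysAddAuthenticated) {
            roles.add(AUTHENTICATED);
        }
        return new ArrayList<>(roles);
    }

    /**
     * Servlet-style evaluation of an auth-constraint. A role-name of "*" means
     * "any role declared in a security-role element", not "any authenticated
     * user". A null constraint models a web.xml with no auth-constraint: the
     * container never triggers the login, so the OIDC service later finds no
     * security context and answers 401 (the NotAuthorizedException in [2]).
     */
    static int outcome(List<String> declaredRoles, List<String> constraintRoles,
                       List<String> stsRoles, boolean alwaysAddAuthenticated) {
        if (constraintRoles == null) {
            return 401;
        }
        List<String> userRoles = containerRoles(stsRoles, alwaysAddAuthenticated);
        for (String r : constraintRoles) {
            if ("*".equals(r)) {
                for (String declared : declaredRoles) {
                    if (userRoles.contains(declared)) {
                        return 200;
                    }
                }
            } else if (userRoles.contains(r)) {
                return 200;
            }
        }
        return 403;
    }

    public static void main(String[] args) {
        // Roles declared in Adrian's web.xml (security-role elements).
        List<String> declared = Arrays.asList("Manager", "User", "Admin", "Authenticated");
        // auth-constraint with <role-name>*</role-name>.
        List<String> anyDeclaredRole = Collections.singletonList("*");
        List<String> noRoles = Collections.emptyList();
        // Constructed STS role that is not declared in web.xml.
        List<String> devRole = Collections.singletonList("Developer");

        System.out.println("no STS roles, old handler:          "
                + outcome(declared, anyDeclaredRole, noRoles, false));
        System.out.println("STS role 'Developer', old handler:  "
                + outcome(declared, anyDeclaredRole, devRole, false));
        System.out.println("STS role 'Developer', with option:  "
                + outcome(declared, anyDeclaredRole, devRole, true));
        System.out.println("no auth-constraint at all:          "
                + outcome(declared, null, devRole, true));
    }
}
```

Run it with `javac AuthenticatedRoleDemo.java && java AuthenticatedRoleDemo`. The first two lines reproduce the thread's symptom: a user with no STS roles is granted 'Authenticated', which is declared, so "*" matches; a user whose only STS role is undeclared has nothing matching and is refused. The third line shows the effect of always adding 'Authenticated', and the fourth why dropping the auth-constraint entirely is not a substitute. One caveat worth knowing when editing such a web.xml: Servlet 3.1 containers (Tomcat 8 included) also accept `<role-name>**</role-name>`, meaning "any authenticated user" regardless of declared roles, which is a different thing from "*" and still makes the container trigger the login.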