
I assume that I am missing something very obvious here, but I've spent about 4 hours searching and trying and couldn't come to a solution, so maybe there is some help. I was following this guide: https://docs.jboss.org/author/display/PLINK/Standalone+Web+Applications%28All+Servlet+Containers%29 I was able to connect my SP and my IDP and perform a login. I can see a user principal in the session. However, as soon as I add tomcat security, to protect some part of the application as in the above example, it doesn't work. Here are the relevant parts of the web.xml:

<filter>
    <description>
        The SP Filter intersects all requests at the SP and sees if there is a need to contact the IDP.
    </description>
    <filter-name>SPFilter</filter-name>
    <filter-class>org.picketlink.identity.federation.web.filters.SPFilter</filter-class>
    <init-param>
        <param-name>ROLES</param-name>
        <param-value>sales,manager</param-value>
    </init-param>
    <init-param>
        <param-name>IGNORE_SIGNATURES</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>


<filter-mapping>
    <filter-name>SPFilter</filter-name>
    <url-pattern>/login</url-pattern>
</filter-mapping>


<!-- Processes application requests -->
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>


<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>*.html</url-pattern>
</servlet-mapping>


<security-constraint>
    <web-resource-collection>
        <web-resource-name>Manager command</web-resource-name>
        <url-pattern>/loginarea/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>
        The role that is required to log in to the Manager Application
    </description>
    <role-name>manager</role-name>
</security-role>

Whenever I am trying to access something under /loginarea/ I get a 403 without even coming through to the SPFilter or my code. However, from my code under other urls I can read the user principal, and it contains the tomcat user (from the quickstart examples). Interestingly, if I am trying to read the roles, it always returns null:

Principal userPrincipal = (Principal) request.getSession().getAttribute(GeneralConstants.PRINCIPAL_ID); // returns the principal with the correct user name

List roles = (List) request.getSession().getAttribute(GeneralConstants.ROLES_ID); // null

If I remove the security-constraint I can access the app and the controller without any problems. I am using basic redirect idp from examples.

regards Leon


1 Answer


Why are you trying to use PicketLink and also Spring Security? I think you have to pick one or the other. Once your request gets taken over by Spring Security, I don't think you can pass the security context back over to PicketLink. Spring kind of takes over your project. So what I did was use the regular PicketLink web authentication filter. And then I found that I should create my own group and role filters to restrict access to certain directories.

<filter>
    <filter-name>PicketLinkAuthenticationFilter</filter-name>
    <filter-class>org.picketlink.authentication.web.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>authType</param-name>
        <param-value>FORM</param-value>
    </init-param>
</filter>

I haven't tried using the federation filter stuff yet, so let us know how you do it.

Actually, I am not using spring security, I just added spring mvc to have a JEE-free example. It works perfectly except the role thing. I can read the user principal from the request. I am using picketlink to protect some urls and spring doesn't know anything about picketlink. – Leon Aug 26 '14 at 23:03
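The 403 in the question comes from Tomcat's realm evaluating the <security-constraint> before any filter runs, so the container never sees the principal and roles the SPFilter stored in the session. The answer's suggestion of writing your own role filter is the workable alternative: enforce the role check yourself, from the same session attributes the question already reads. The filter below is an added example, not code from the question, the answer, or the PicketLink project. It assumes the javax.servlet API, that `GeneralConstants` lives at `org.picketlink.identity.federation.web.constants.GeneralConstants` (the import path is not shown on the page), and a hypothetical init-param name `requiredRoles`; the class name `SessionRoleFilter` is also made up for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed import path (not shown on the page) for the constants the question reads
// from the session: GeneralConstants.PRINCIPAL_ID and GeneralConstants.ROLES_ID.
import org.picketlink.identity.federation.web.constants.GeneralConstants;

/**
 * Hypothetical role-enforcing filter that stands in for the <security-constraint>.
 * Tomcat evaluates a security-constraint against its realm before any filter runs,
 * so it never sees the principal the SPFilter put in the session and answers 403.
 * This filter performs the equivalent check against those session attributes.
 */
public class SessionRoleFilter implements Filter {

    /** Hypothetical init-param: comma-separated roles allowed through, e.g. "manager". */
    static final String REQUIRED_ROLES_PARAM = "requiredRoles";

    private Set<String> requiredRoles = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        requiredRoles = parseRoles(config.getInitParameter(REQUIRED_ROLES_PARAM));
    }

    /** Parses "sales, manager" into a trimmed set with empty entries dropped. */
    static Set<String> parseRoles(String raw) {
        Set<String> out = new HashSet<String>();
        if (raw == null) {
            return out;
        }
        for (String r : raw.split(",")) {
            String t = r.trim();
            if (!t.isEmpty()) {
                out.add(t);
            }
        }
        return out;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session here: an unauthenticated caller should not get one.
        HttpSession session = request.getSession(false);
        Principal principal = session == null
                ? null
                : (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
        if (principal == null) {
            // The SPFilter has not authenticated this session yet.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        @SuppressWarnings("unchecked")
        List<String> roles = (List<String>) session.getAttribute(GeneralConstants.ROLES_ID);
        if (!isAuthorized(roles, requiredRoles)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Deny by default: the null role list the question observes never satisfies a
     * constraint. An empty required set means "any authenticated user".
     */
    static boolean isAuthorized(List<String> userRoles, Set<String> required) {
        if (required.isEmpty()) {
            return true;
        }
        if (userRoles == null) {
            return false;
        }
        for (String r : userRoles) {
            if (required.contains(r)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }
}
```

To use it in place of the question's <security-constraint>, map the filter to `/loginarea/*` with a `requiredRoles` init-param of `manager`, and list its filter-mapping after the SPFilter mapping so it runs once authentication has happened. Note that the question maps the SPFilter only to `/login`; the filter above only enforces, so the SP mapping must cover whatever path is meant to trigger the IdP round trip. Because the check denies when the role list is null, the null `ROLES_ID` the question reports produces a 403 rather than silently letting the request through, which is the safe failure while the missing roles are being tracked down.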