Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.5.1
Fix Version/s: None
Component/s: None
Description
Hi Team,
SSO authorization is failing (403 error) after we upgraded Tomcat from 8.5.x to 9.0.45 (Fediz 1.5.1).
Fediz distribution used:
<groupId>org.apache.cxf.fediz</groupId>
<artifactId>fediz-tomcat</artifactId>
<version>1.5.1</version>
Tomcat Distribution used:
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat</artifactId>
<version>9.0.45</version>
Log:
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: SPEZIALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: ADMIN
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: GENERALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
web.xml (under webapps/sample/WEB-INF):
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">
  <display-name>Hello, World Application</display-name>
  <description>
    This is a simple web application with a source code organization
    based on the recommendations of the Application Developer's Guide.
  </description>
  <servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>mypackage.Hello</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>
  <!-- Fragment Fediz -->
  <!--
  <filter>
    <filter-name>FederationFilter</filter-name>
    <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>FederationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <security-role>
    <role-name>GENERALIST</role-name>
  </security-role>
  <security-role>
    <role-name>SPEZIALIST</role-name>
  </security-role>
  <security-role>
    <role-name>ADMIN</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>WSFED</auth-method>
    <realm-name>WSFED</realm-name>
  </login-config>
  -->
</web-app>
context.xml (under tomcat/conf/):
<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
  <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
  <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" configFile="conf/fediz_config.xml" />
</Context>
fediz_config.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
  <contextConfig name="/sample">
    <audienceUris>
      <audienceItem>https://masked-app-url.com/</audienceItem>
    </audienceUris>
    <certificateStores>
      <trustManager>
        <keyStore file="/app/tomcatcerts/client/trust.jks" password="******" type="JKS" />
      </trustManager>
    </certificateStores>
    <tokenExpirationValidation>true</tokenExpirationValidation>
    <trustedIssuers>
      <issuer certificateValidation="PeerTrust" />
    </trustedIssuers>
    <maximumClockSkew>1000</maximumClockSkew>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="federationProtocolType" version="1.0.0">
      <realm>https://masked-app-url.com/</realm>
      <issuer>https://masked-idp-url.com/</issuer>
      <roleDelimiter>,</roleDelimiter>
      <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
      <homeRealm>https://masked-homerealm-url.com/</homeRealm>
      <claimTypesRequested>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
      </claimTypesRequested>
    </protocol>
    <logoutURL>/secure/logout</logoutURL>
    <logoutRedirectTo>/</logoutRedirectTo>
  </contextConfig>
</FedizConfig>
Please help with this issue, and let me know if any other details are required. Note: the same code works fine on Tomcat 8.5.47.
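The log above is worth reading with Tomcat's RealmBase.hasResourcePermission in mind: "Checking roles GenericPrincipal[...]" prints the roles the authenticated principal carries, while each "No role found: X" names a role of the security constraint (for a `*` auth-constraint, every role declared in `<security-role>`) for which hasRole(principal, X) returned false. Here the same three names appear on both sides, so the descriptor and the principal agree and the rejection happens inside the role check itself. The following diagnostic is an added example, not part of the report or of Tomcat/Fediz code: it parses FINE lines in the format shown, extracts the declared and constrained roles from a web.xml (namespace-agnostic, so the 2.4 descriptor above works), expands `*`/`**` the way the Servlet spec defines them, and reports whether the descriptor would have granted access and which constraint roles were rejected despite being listed on the principal. The log lines and the descriptor are constructed from the report, with the Fediz fragment uncommented so that the roles are visible to an XML parser (anything inside `<!-- -->`, as in the posted web.xml, is invisible to the container as well).

```python
"""Cross-check Tomcat's RealmBase role-check log against web.xml role declarations.

Added diagnostic (not Tomcat or Fediz code). Assumes the FINE log format shown in
the report and a Servlet web.xml whose <auth-constraint> may use "*" (all roles
declared in <security-role>) or "**" (any authenticated user).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the RealmBase/AuthenticatorBase lines from the report.
SAMPLE_LOG = """\
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: SPEZIALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: ADMIN
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: GENERALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
"""

# Constructed sample descriptor: the report's Fediz fragment with the XML comment removed,
# reduced to the security elements.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-role><role-name>GENERALIST</role-name></security-role>
  <security-role><role-name>SPEZIALIST</role-name></security-role>
  <security-role><role-name>ADMIN</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

PRINCIPAL_RE = re.compile(r"Checking roles GenericPrincipal\[(?P<user>[^(\]]+)\((?P<roles>[^)]*)\)\]")
MISS_RE = re.compile(r"hasResourcePermission No role found:\s+(?P<role>\S+)")
FOUND_RE = re.compile(r"hasResourcePermission Role found:\s+(?P<role>\S+)")


def parse_realm_log(text):
    """Return (user, principal_roles, rejected_roles, accepted_roles).

    'No role found: X' names a role of the *constraint* for which hasRole() was false;
    the principal's own roles are the ones inside GenericPrincipal[user(...)].
    """
    user, principal_roles, rejected, accepted = None, set(), [], []
    for line in text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            user = m.group("user")
            # GenericPrincipal.toString() appends a comma after every role, hence the empty tail item.
            principal_roles = {r for r in m.group("roles").split(",") if r}
            continue
        m = MISS_RE.search(line)
        if m:
            rejected.append(m.group("role"))
            continue
        m = FOUND_RE.search(line)
        if m:
            accepted.append(m.group("role"))
    return user, principal_roles, rejected, accepted


def descriptor_roles(web_xml):
    """Return (declared, constraint) role-name sets from a web.xml, whatever its namespace.

    Elements inside an XML comment are not parsed, which is also what the container sees.
    """
    root = ET.fromstring(web_xml)
    ns = root.tag[1:].partition("}")[0] if root.tag.startswith("{") else ""
    q = (lambda t: f"{{{ns}}}{t}") if ns else (lambda t: t)
    declared = {rn.text.strip() for sr in root.iter(q("security-role"))
                for rn in sr.findall(q("role-name")) if rn.text}
    constraint = {rn.text.strip() for ac in root.iter(q("auth-constraint"))
                  for rn in ac.findall(q("role-name")) if rn.text}
    return declared, constraint


def effective_constraint_roles(declared, constraint):
    """Expand '*' to every declared role (Servlet 3.1 semantics); '**' is reported separately."""
    roles = set(constraint) - {"*", "**"}
    if "*" in constraint:
        roles |= declared
    return roles


def diagnose(log_text, web_xml):
    user, principal_roles, rejected, accepted = parse_realm_log(log_text)
    declared, constraint = descriptor_roles(web_xml)
    effective = effective_constraint_roles(declared, constraint)
    return {
        "user": user,
        "principal_roles": sorted(principal_roles),
        "constraint_roles": sorted(effective),
        "any_authenticated_user": "**" in constraint,
        # Roles the principal carries that web.xml never declares: a '*' constraint cannot match them.
        "undeclared_principal_roles": sorted(principal_roles - declared),
        # Constraint roles rejected by hasRole() although the principal lists them: the descriptor
        # is consistent, so the failure lies in the realm/principal role check, not in web.xml.
        "rejected_but_listed": sorted(set(rejected) & principal_roles),
        "descriptor_would_grant": "**" in constraint or bool(principal_roles & effective),
        "tomcat_granted": bool(accepted),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_WEB_XML).items():
        print(f"{key}: {value}")
```

Running it against the report's lines yields `descriptor_would_grant: True`, `undeclared_principal_roles: []` and `rejected_but_listed: ['ADMIN', 'GENERALIST', 'SPEZIALIST']`, i.e. the three constraint roles were each refused for a principal whose own toString() lists them. Run the same script against the web.xml that is actually deployed (including WEB-INF/tomcat-web.xml, which the context watches) to confirm which roles the container really expands `*` into, and note that a descriptor whose security elements are still inside `<!-- -->` yields empty role sets.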