
"org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: XXX" + SSO Not working in Tomcat 9 & Fediz 1.5.1


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.5.1
    • Fix Version/s: None
    • Component/s: IDP
    • Labels: None

    Description

      Hi Team,

      SSO authorization is failing (403 error) after we upgraded Tomcat from 8.5.X to 9.0.45 (Fediz 1.5.1).

      Fediz distribution used:
      <groupId>org.apache.cxf.fediz</groupId>
      <artifactId>fediz-tomcat</artifactId>
      <version>1.5.1</version>

      Tomcat distribution used:
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat</artifactId>
      <version>9.0.45</version>

      Log:

      06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
      06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]
      06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: SPEZIALIST
      06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: ADMIN
      06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: GENERALIST
      06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test


      web.xml: under webapps/sample/WEB-INF

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
               version="2.4">

        <display-name>Hello, World Application</display-name>
        <description>
          This is a simple web application with a source code organization
          based on the recommendations of the Application Developer's Guide.
        </description>

        <servlet>
          <servlet-name>HelloServlet</servlet-name>
          <servlet-class>mypackage.Hello</servlet-class>
        </servlet>

        <servlet-mapping>
          <servlet-name>HelloServlet</servlet-name>
          <url-pattern>/hello</url-pattern>
        </servlet-mapping>

        <!-- Fragment Fediz -->
        <!--
        <filter>
          <filter-name>FederationFilter</filter-name>
          <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
        </filter>

        <filter-mapping>
          <filter-name>FederationFilter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>

        <security-role>
          <role-name>GENERALIST</role-name>
        </security-role>
        <security-role>
          <role-name>SPEZIALIST</role-name>
        </security-role>
        <security-role>
          <role-name>ADMIN</role-name>
        </security-role>

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Web app</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>*</role-name>
          </auth-constraint>
        </security-constraint>

        <login-config>
          <auth-method>WSFED</auth-method>
          <realm-name>WSFED</realm-name>
        </login-config>
        -->
      </web-app>

      context.xml under tomcat/conf/

      <Context>
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
        <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
        <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" configFile="conf/fediz_config.xml" />
      </Context>

      fediz_config.xml

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <FedizConfig>
        <contextConfig name="/sample">
          <audienceUris>
            <audienceItem>https://masked-app-url.com/</audienceItem>
          </audienceUris>
          <certificateStores>
            <trustManager>
              <keyStore file="/app/tomcatcerts/client/trust.jks" password="******" type="JKS" />
            </trustManager>
          </certificateStores>
          <tokenExpirationValidation>true</tokenExpirationValidation>
          <trustedIssuers>
            <issuer certificateValidation="PeerTrust" />
          </trustedIssuers>
          <maximumClockSkew>1000</maximumClockSkew>
          <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xsi:type="federationProtocolType" version="1.0.0">
            <realm>https://masked-app-url.com/</realm>
            <issuer>https://masked-idp-url.com/</issuer>
            <roleDelimiter>,</roleDelimiter>
            <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
            <homeRealm>https://masked-homerealm-url.com/</homeRealm>
            <claimTypesRequested>
              <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
              <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
              <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
              <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
            </claimTypesRequested>
          </protocol>
          <logoutURL>/secure/logout</logoutURL>
          <logoutRedirectTo>/</logoutRedirectTo>
        </contextConfig>
      </FedizConfig>

      Please help with this issue, and let me know if any other details are required. Note: the same code works fine in Tomcat 8.5.47.
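A small triage helper, added here as an example and not part of this issue or of Fediz, that parses Tomcat FINE lines of the shape quoted above (the sample log is constructed to mirror them) and groups them per worker thread, so a 403 caused by a principal that carries no roles at all can be told apart from one whose roles are all rejected by the realm; the regular expressions and the classification labels are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the Tomcat FINE log quoted in this issue.
SAMPLE_LOG = """\
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: SPEZIALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: ADMIN
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: GENERALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
"""

# Assumed patterns, written against the log format shown above.
THREAD_RE = re.compile(r"\[(?P<thread>[^\]]+)\]")
PRINCIPAL_RE = re.compile(r"GenericPrincipal\[(?P<user>[^\[\](]+)\((?P<roles>[^)]*)\)\]")
DENIED_RE = re.compile(r"hasResourcePermission No role found: (?P<role>\S+)")
FAILED_RE = re.compile(r"Failed accessControl\(\) test")

@dataclass
class AccessCheck:
    thread: str
    user: str = ""
    roles: list = field(default_factory=list)   # roles Tomcat saw on the principal
    denied: list = field(default_factory=list)  # roles the realm's hasRole() rejected
    failed: bool = False

def parse_access_checks(text):
    """Group RealmBase/AuthenticatorBase FINE lines by worker thread."""
    checks = {}
    for line in text.splitlines():
        t = THREAD_RE.search(line)
        if not t:
            continue
        chk = checks.setdefault(t["thread"], AccessCheck(t["thread"]))
        if m := PRINCIPAL_RE.search(line):
            chk.user = m["user"]
            # Fediz joins roles with roleDelimiter; a trailing delimiter shows up as an empty role.
            chk.roles = m["roles"].split(",")
        elif m := DENIED_RE.search(line):
            chk.denied.append(m["role"])
        elif FAILED_RE.search(line):
            chk.failed = True
    return list(checks.values())

def classify(chk):
    """Label a failed accessControl() by what the principal carried versus what was rejected."""
    held = {r for r in chk.roles if r}          # drop the empty role from a trailing delimiter
    if not chk.failed:
        return "allowed"
    if not held:
        return "no-roles-on-principal"           # role claim missing, or roleURI/roleDelimiter mismatch
    if held <= set(chk.denied):
        return "all-roles-rejected"              # roles present, yet none satisfied the realm
    return "partial-match"
```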

      People

        Assignee: Unassigned
        Reporter: Mohanraj