Waffle Servlet Filter doesn’t work with security-constraint


Dianlong

May 4, 2016, 4:48:27 AM5/4/16
to waffle

Dear Friends,

I have tried to use the Waffle Servlet Security Filter to achieve Windows SSO. I have written a Servlet to test it.

With the following web.xml, the authentication works fine. The test Servlet KCD shows the correct Windows User ID by calling request.getRemoteUser() and request.getUserPrincipal(). Also, request.isUserInRole("Everyone") (and other GroupIDs) returns true!

I want to use the <security-constraint> to protect the resource. However, when I apply

        <auth-constraint>
            <role-name>Everyone</role-name>
        </auth-constraint>

(remove the comment in web.xml), the Web Application returns:

HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource has been forbidden.

Apache Tomcat/8.0.26

What is wrong here? As you can see, the Test App runs on Tomcat 8.

Thanks a lot

Regards

Dianlong

    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- this block doesn't work if uncommented
    <security-constraint>
        <display-name>Waffle Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Everyone</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>Everyone</role-name>
    </security-role>
    -->

    <servlet>
        <servlet-name>KCD</servlet-name>
        <servlet-class>com.test.ConstrainedDelegation</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>KCD</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

Daniel Doubrovkine

May 4, 2016, 4:30:10 PM5/4/16
to waffle...@googlegroups.com
I believe the container processes the security constraints *first*, see http://stackoverflow.com/questions/17654020/precedence-of-security-constraint-over-filters-in-servlets. I am going to guess that it cannot work. A Tomcat valve does it the other way around I think.
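As an added example that is not part of this thread, here is the valve-based layout Daniel alludes to: because Tomcat evaluates <security-constraint> during its own authentication step, before any servlet filter runs, the Windows principal and its groups have to be supplied by a container authenticator rather than by NegotiateSecurityFilter. The class and attribute names below are from Waffle's Tomcat integration as I recall it (waffle.apache.NegotiateAuthenticator and waffle.apache.WindowsRealm); verify them against the Waffle documentation for the version in use, and drop the NegotiateSecurityFilter mapping from web.xml so that only one mechanism authenticates the request.

```xml
<!-- META-INF/context.xml (added example; class names per Waffle's Tomcat valve docs) -->
<Context>
    <!-- Authenticates the request (Negotiate/NTLM) inside Tomcat's own
         authentication step, so the principal and its Windows groups exist
         by the time the container checks <security-constraint>. -->
    <Valve className="waffle.apache.NegotiateAuthenticator"
           principalFormat="fqn"
           roleFormat="both" />
    <Realm className="waffle.apache.WindowsRealm" />
</Context>

<!-- WEB-INF/web.xml: the original <security-constraint> block, uncommented,
     with the <filter>/<filter-mapping> for NegotiateSecurityFilter removed. -->
<security-constraint>
    <display-name>Waffle Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- No <http-method> elements on purpose: per the Servlet spec a
             collection that lists none covers every method, whereas listing
             DELETE/GET/POST/PUT as in the original leaves HEAD, OPTIONS and
             TRACE outside the constraint and therefore unprotected. -->
    </web-resource-collection>
    <auth-constraint>
        <!-- With roleFormat="both" the group may be referenced by name or by
             SID; Everyone is the well-known SID S-1-1-0. -->
        <role-name>Everyone</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>Everyone</role-name>
</security-role>

<!-- The KCD <servlet> and <servlet-mapping> entries stay as in the original post. -->
```

A quick check after the change is to request a protected URL with a client that does not send Negotiate credentials: the container, not the servlet, should now answer 401 with a WWW-Authenticate: Negotiate header, and an authenticated request from a user outside the constrained role should get 403.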
