Shibboleth SP with Tomcat. How to use <security-constraints>
Luis Rodríguez Fernández
uo67113 at gmail.com
Tue Nov 1 11:10:21 GMT 2011
Hi Everybody,
I have set up the Shibboleth SP over my Apache 2.2 and it is working
with Tomcat through the proxy_ajp_module, great!
Now I would like to manage the access to the resources through the
deployment descriptors of my webapps (web.xml).
I have followed Scott's advice in this thread
(http://groups.google.com/group/shibboleth-users/browse_thread/thread/9370d1f7c7956705/46b89b216be8c3db?lnk=gst&q=%3Csecurity-constraint%3E#46b89b216be8c3db)
and I have implemented a filter in order to get the attributes from the
request headers and populate my principals with them.
In the web.xml I have declared:
    <filter>
        <filter-name>ShibdFilter</filter-name>
        <filter-class>com.test.filter.ShibFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ShibdFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <security-constraint>
        <display-name>Apache Tomcat Shibboleth Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Application</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>pac-team</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>pac-team</role-name>
    </security-role>
The code of the filter is really trivial. It just parses the values of
the "AJP_ADFS_GROUP" header and creates from them instances of my
Principal implementation:
package com.test.filter;

import java.io.IOException;
import java.security.Principal;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ShibFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterchain) throws IOException, ServletException {
        HttpServletResponse httpRes = (HttpServletResponse) response;
        HttpServletRequest httpReq = (HttpServletRequest) request;
        Subject subject = new Subject();
        // User principal from the login header set by the SP
        Principal principal = new ShibUserPrincipal(httpReq.getHeader("AJP_ADFS_LOGIN"));
        subject.getPrincipals().add(principal);
        // The group header is a ';'-separated list and may be absent
        String groups = httpReq.getHeader("AJP_ADFS_GROUP");
        if (groups != null) {
            StringTokenizer stringTokenizer = new StringTokenizer(groups, ";");
            while (stringTokenizer.hasMoreTokens()) {
                principal = new ShibGroupPrincipal(stringTokenizer.nextToken());
                System.out.println("SHIB_GROUP_PRINCIPAL: " + principal.getName());
                subject.getPrincipals().add(principal);
            }
        }
        httpReq.getSession().setAttribute("javax.security.auth.subject", subject);
        filterchain.doFilter(request, httpRes);
    }
}
I have two classes that implement java.security.Principal:
One for the users:
import java.security.Principal;

// Principal identifying the authenticated user (value of the AJP_ADFS_LOGIN header)
public class ShibUserPrincipal implements Principal {
    private String name;

    public ShibUserPrincipal(String name) {
        this.name = name;
    }

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }
}
And another for the groups (roles):
import java.security.Principal;

// Principal for one group (role) taken from the AJP_ADFS_GROUP header
public class ShibGroupPrincipal implements Principal {
    private String name;

    public ShibGroupPrincipal(String name) {
        this.name = name;
    }

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }
}
When I invoke the filter I can see that the subject is being populated
with the principals, but when I ask for a secure resource
(http://my.host/myApp/secure/default.jsp) I am getting a 403 Error,
grasp!!!!
Am I missing something?
My aim is that the developers can configure the authorisation
independently of the SSO implementation, that is, they just need the
filter and the principal classes to get all of the info about the
users.
Thanks in advance,
Luis
--
"Los caminos del usuario son inescrutables…"
-- Rick Cook
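An added example, not code from the original post or from the Shibboleth project, showing the approach the post is reaching for. Tomcat evaluates a `<security-constraint>` in its authenticator, against the Realm, before any servlet filter runs, so a Subject stored in a session attribute is never consulted by that check and the constraint fails for a user the container does not know. What a filter can do is wrap the request so that the standard servlet methods (`getUserPrincipal()`, `getRemoteUser()`, `isUserInRole()`) answer from the headers the SP forwards, and then enforce a role on the paths it is mapped to. The header names `AJP_ADFS_LOGIN` and `AJP_ADFS_GROUP` and the package `com.test.filter` come from the post; the class name `ShibIdentityFilter`, the init-param `role`, and the auth type string are assumptions made for this example.

```java
package com.test.filter;

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the post). Exposes the SP-forwarded identity through
// the servlet API by wrapping the request and, when the init-param "role" is
// set, requires that role for every request this filter instance is mapped to.
public class ShibIdentityFilter implements Filter {

    static final String LOGIN_HEADER = "AJP_ADFS_LOGIN"; // header names from the post
    static final String GROUP_HEADER = "AJP_ADFS_GROUP";

    private String requiredRole; // null means "wrap only, do not enforce"

    public void init(FilterConfig config) throws ServletException {
        requiredRole = config.getInitParameter("role"); // assumed init-param name
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        // Wrap once; a second instance of this filter further down the chain
        // (the enforcing one mapped to /secure/*) reuses the existing wrapper.
        if (!(httpReq instanceof ShibRequest)) {
            String login = httpReq.getHeader(LOGIN_HEADER);
            if (login != null && !login.trim().isEmpty()) {
                httpReq = new ShibRequest(httpReq, login.trim(),
                        parseRoles(httpReq.getHeader(GROUP_HEADER)));
            }
        }

        if (requiredRole != null) {
            if (httpReq.getUserPrincipal() == null) {
                httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no SP identity
                return;
            }
            if (!httpReq.isUserInRole(requiredRole)) {
                httpRes.sendError(HttpServletResponse.SC_FORBIDDEN); // not in the group
                return;
            }
        }
        chain.doFilter(httpReq, res);
    }

    // Splits the ';'-separated group header; tolerates null, blanks and spaces.
    static Set<String> parseRoles(String groupHeader) {
        Set<String> roles = new HashSet<String>();
        if (groupHeader != null) {
            for (String g : groupHeader.split(";")) {
                String role = g.trim();
                if (!role.isEmpty()) {
                    roles.add(role);
                }
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    // Request view whose security methods answer from the SP headers.
    static final class ShibRequest extends HttpServletRequestWrapper {
        private final Principal user;
        private final Set<String> roles;

        ShibRequest(HttpServletRequest request, final String login, Set<String> roles) {
            super(request);
            this.user = new Principal() {
                public String getName() { return login; }
                @Override public String toString() { return login; }
            };
            this.roles = roles;
        }

        @Override public Principal getUserPrincipal() { return user; }
        @Override public String getRemoteUser() { return user.getName(); }
        @Override public String getAuthType() { return "SHIBBOLETH"; } // assumed label
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

In web.xml the class is declared twice: one `<filter>` without init-params mapped to `/*`, which only wraps the request, and a second `<filter>` with `<init-param>` `role` = `pac-team` mapped to `/secure/*`, which enforces the group; filters run in the order of their `<filter-mapping>` elements, so the wrapping mapping must come first. Application code and JSPs then check `request.isUserInRole("pac-team")` without knowing anything about Shibboleth. Two caveats: the container `<security-constraint>` for `/secure/*` has to be dropped (or backed by a Tomcat Realm that knows the users), because no filter can satisfy it; and the filter trusts the forwarded headers unconditionally, so Tomcat must only be reachable through the SP-protected Apache front end (for example by binding the AJP connector to the loopback address), otherwise a client that can reach the connector directly could present its own headers.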