Getting 403 error trying to config ECP on Tomcat

Mark John Rank rankm at uwm.edu
Thu Nov 1 17:54:31 EDT 2012


List:

Another ECP config question. Going to apologize right off the bat
if this has been addressed already, but searching the list archives
and wikis hasn't gotten me past what is likely a very simple
configuration issue.

*** Environment ***  

IdP - Tomcat6 / Idp 2.3.5 / Redhat 5 
SP - Apache / SP 2.5 / Centos 6

OpenLDAP as credential store 

*** Issue Description *** 

Using the simple BASH client to test, I keep running into what is looking
like an authorization error, based on the 403 error in the Tomcat access log
(see below).

[****@idp01dev tomcat]# grep POST localhost_access_log.2012-11-01.txt 
***.***.***.*** - - rankm [01/Nov/2012:15:02:24 -0500] POST /idp/profile/SAML2/SOAP/ECP HTTP/1.1 403 1108 curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 -

LDAP logs are showing a successful bind but that is all. My hunch is 
I either have something askew with my login.config used for JAAS or 
the <security-constraint> in the web.xml. Snips of both are presented 
below...

Any pointers to look for a resolution would be most appreciated.

Regards,
Mark

** web.xml snip ** 

    <security-constraint>
        <display-name>Shibboleth IdP</display-name>
        <web-resource-collection>
            <web-resource-name>ECP</web-resource-name>
            <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ldap-query</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ShibUserPassAuth</realm-name>
    </login-config>

    <security-role>
        <role-name>ldap-query</role-name>
    </security-role>


** login.config snip ** 

ShibUserPassAuth {

// Example LDAP authentication
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
//
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap.uwm.edu"
      base="ou=people,o=uwm.edu"
      tls="true"
      userField="uid"
      roleBase="ou=admingroup,o=uwm.edu"
      roleFilter="(uid={1})"
      roleAttribute="member";
//
};


------------------------------------------
Mark Rank 
Middleware and Identity Management Group
University Information Technology Services 
UW-Milwaukee                       
Email: rankm at uwm.edu            
Phn:  414-229-3706     
------------------------------------------
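Since the hunch above is that login.config may be askew, here is a small checker, added as an example and not code from the post, from Shibboleth or from vt-ldap, that parses the JAAS login.config grammar (`AppName { ModuleClass flag key="value" ...; };`), reports a quoted value that is never closed, and lists the options a module entry does not set. The sample config is constructed in the shape of the posted snippet, with the host and base values replaced by example.edu names and the `tls` value deliberately missing its closing quote; the checklist of option names is simply the set the posted entry uses, not a statement of what vt-ldap requires.

```python
"""Hypothetical helper, not Shibboleth or vt-ldap code: a small parser and
sanity checker for the JAAS login.config syntax the IdP reads."""

VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample in the shape of the posted login.config; the value of
# tls on line 6 is missing its closing quote on purpose.
SAMPLE_LOGIN_CONFIG = """\
ShibUserPassAuth {
// Example LDAP authentication
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="ldap.example.edu"
      base="ou=people,o=example.edu"
      tls="true
      userField="uid"
      roleBase="ou=admingroup,o=example.edu"
      roleFilter="(uid={1})"
      roleAttribute="member";
};
"""


def tokenize(text):
    """(kind, value, line) tokens: 'punct' for { } ; =, 'str' for a quoted
    value, 'word' otherwise. A quote still open at end of line is reported
    rather than silently swallowed, since that is almost certainly a typo."""
    tokens, problems = [], []
    i, n, line = 0, len(text), 1
    while i < n:
        c = text[i]
        if c == "\n":
            line, i = line + 1, i + 1
        elif c.isspace():
            i += 1
        elif text.startswith("//", i):            # comment runs to end of line
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif c in "{};=":
            tokens.append(("punct", c, line))
            i += 1
        elif c == '"':
            j = i + 1
            while j < n and text[j] not in '"\n':
                j += 1
            tokens.append(("str", text[i + 1:j], line))
            if j >= n or text[j] == "\n":
                problems.append(f"line {line}: unterminated string {text[i:j]!r}")
                i = j                              # resume at the newline / EOF
            else:
                i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{};="':
                j += 1
            tokens.append(("word", text[i:j], line))
            i = j
    return tokens, problems


def parse_jaas(text):
    """Parse 'AppName { ModuleClass flag key=value ...; ... };' blocks into
    ({app: [{"class", "flag", "options"}]}, [problem strings])."""
    tokens, problems = tokenize(text)
    tokens.append(("eof", "", -1))

    def punct(p, ch):
        return tokens[p][0] == "punct" and tokens[p][1] == ch

    apps, pos = {}, 0
    while tokens[pos][0] != "eof":
        kind, name, line = tokens[pos]
        if kind != "word" or not punct(pos + 1, "{"):
            problems.append(f"line {line}: expected 'AppName {{' near {name!r}")
            break
        pos, entries = pos + 2, []
        while not punct(pos, "}") and tokens[pos][0] != "eof":
            (ckind, cls, cline), (fkind, flag, _) = tokens[pos], tokens[pos + 1]
            if ckind != "word" or fkind != "word":
                problems.append(f"line {cline}: expected '<ModuleClass> <flag>'")
                break
            if flag not in VALID_FLAGS:
                problems.append(f"line {cline}: unknown control flag {flag!r}")
            pos, opts = pos + 2, {}
            while not punct(pos, ";") and tokens[pos][0] != "eof":
                okind, key, oline = tokens[pos]
                if (okind != "word" or not punct(pos + 1, "=")
                        or tokens[pos + 2][0] not in ("str", "word")):
                    problems.append(f"line {oline}: malformed option near {key!r}")
                    break
                opts[key] = tokens[pos + 2][1]
                pos += 3
            if not punct(pos, ";"):
                problems.append(f"line {cline}: entry not terminated by ';'")
                break
            pos += 1
            entries.append({"class": cls, "flag": flag, "options": opts})
        if not punct(pos, "}") or not punct(pos + 1, ";"):
            problems.append(f"line {line}: block '{name}' must end with '}};'")
            break
        pos += 2
        apps[name] = entries
    return apps, problems


def missing_options(entry, required):
    """Names in `required` that the module entry does not set."""
    return [k for k in required if k not in entry["options"]]


def check(text, required=("host", "base", "userField",
                          "roleBase", "roleFilter", "roleAttribute")):
    """All problems in `text`: syntax errors plus options absent from the checklist."""
    apps, problems = parse_jaas(text)
    for app, entries in apps.items():
        for e in entries:
            for k in missing_options(e, required):
                problems.append(f"{app}: {e['class']} does not set {k!r}")
    return problems


if __name__ == "__main__":
    for p in check(SAMPLE_LOGIN_CONFIG):
        print(p)
    fixed = SAMPLE_LOGIN_CONFIG.replace('tls="true\n', 'tls="true"\n')
    print("problems after closing the quote:", check(fixed))
```

The checklist defaults to the role-lookup options because of what the status code says: a servlet container answers 401 when it has no acceptable credentials at all, and 403 when the credentials were accepted but the principal holds none of the roles named in `<auth-constraint>`. With a successful LDAP bind in the logs, the part of the JAAS entry worth scrutinising is therefore the part that is supposed to turn group membership into the `ldap-query` role, and that is the part this check lists when it is missing.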
