Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2022/01/14 16:36:00 UTC
[jira] [Commented] (FEDIZ-254) "org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: XXX" + SSO Not working in Tomcat 9 & Fediz 1.5.1
[ https://issues.apache.org/jira/browse/FEDIZ-254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17476263#comment-17476263 ]
Colm O hEigeartaigh commented on FEDIZ-254:
-------------------------------------------
Hi, sorry for the late response - is this still an issue for you?
> "org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: XXX" + SSO Not working in Tomcat 9 & Fediz 1.5.1
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: FEDIZ-254
> URL: https://issues.apache.org/jira/browse/FEDIZ-254
> Project: CXF-Fediz
> Issue Type: Bug
> Components: IDP
> Affects Versions: 1.5.1
> Reporter: Mohanraj
> Priority: Major
>
> Hi Team,
> SSO authorization is failing / getting a 403 error after we upgraded Tomcat from 8.5.X -> 9.0.45 (Fediz 1.5.1).
> *Fediz distribution used:*
> <groupId>org.apache.cxf.fediz</groupId>
> <artifactId>fediz-tomcat</artifactId>
> <version>1.5.1</version>
> *Tomcat Distribution used:*
> <groupId>org.apache.tomcat</groupId>
> <artifactId>tomcat</artifactId>
> <version>9.0.45</version>
> *Log:*
> 06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
> 06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]
> 06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: SPEZIALIST
> 06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: ADMIN
> 06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: GENERALIST
> 06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
>
> *web.xml: under webapps/sample/WEB-INF*
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
> version="2.4">
> <display-name>Hello, World Application</display-name>
> <description>
> This is a simple web application with a source code organization
> based on the recommendations of the Application Developer's Guide.
> </description>
> <servlet>
> <servlet-name>HelloServlet</servlet-name>
> <servlet-class>mypackage.Hello</servlet-class>
> </servlet>
> <servlet-mapping>
> <servlet-name>HelloServlet</servlet-name>
> <url-pattern>/hello</url-pattern>
> </servlet-mapping>
> <!-- Fragment Fediz -->
> <!--
> <filter>
> <filter-name>FederationFilter</filter-name>
> <filter-class>org.apache.cxf.fediz.core.servlet.FederationFilter</filter-class>
> </filter>
> <filter-mapping>
> <filter-name>FederationFilter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
> <security-role>
> <role-name>GENERALIST</role-name>
> </security-role>
> <security-role>
> <role-name>SPEZIALIST</role-name>
> </security-role>
> <security-role>
> <role-name>ADMIN</role-name>
> </security-role>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Web app</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>WSFED</auth-method>
> <realm-name>WSFED</realm-name>
> </login-config>
> -->
> </web-app>
>
> *context.xml under tomcat/conf/*
> <Context>
> <WatchedResource>WEB-INF/web.xml</WatchedResource>
> <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
> <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
> <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator" configFile="conf/fediz_config.xml" />
> </Context>
> *fediz_config.xml*
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <FedizConfig>
> <contextConfig name="/sample">
> <audienceUris>
> <audienceItem>https://masked-app-url.com/</audienceItem>
> </audienceUris>
> <certificateStores>
> <trustManager>
> <keyStore file="/app/tomcatcerts/client/trust.jks" password="******" type="JKS" />
> </trustManager>
> </certificateStores>
> <tokenExpirationValidation>true</tokenExpirationValidation>
> <trustedIssuers>
> <issuer certificateValidation="PeerTrust" />
> </trustedIssuers>
> <maximumClockSkew>1000</maximumClockSkew>
> <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="federationProtocolType" version="1.0.0">
> <realm>https://masked-app-url.com/</realm>
> <issuer>https://masked-idp-url.com/</issuer>
> <roleDelimiter>,</roleDelimiter>
> <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
> <homeRealm>https://masked-homerealm-url.com/</homeRealm>
> <claimTypesRequested>
> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" />
> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />
> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />
> <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />
> </claimTypesRequested>
> </protocol>
> <logoutURL>/secure/logout</logoutURL>
> <logoutRedirectTo>/</logoutRedirectTo>
> </contextConfig>
> </FedizConfig>
> Please help with this issue, and let me know if any other details are required. Note: the same code works fine in Tomcat 8.5.47.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
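The triage script below is an added example, not part of the Jira thread and not Fediz or Tomcat code. It parses Tomcat FINE log lines of the shape quoted in the issue (the sample is constructed from them), groups them per worker thread, and separates roles the principal actually carries but Tomcat still reports as "No role found" from roles that are simply absent; it also counts empty role entries such as the trailing "," in the quoted principal, which a "," roleDelimiter can produce.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the FINE log lines quoted in FEDIZ-254 (one worker thread).
SAMPLE_LOG = """\
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[USERMASKEDXXX(ADMIN,GENERALIST,SPEZIALIST,)]
06-Oct-2021 06:16:20.918 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: SPEZIALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: ADMIN
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: GENERALIST
06-Oct-2021 06:16:20.919 FINE [https-jsse-nio2-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
"""

THREAD_RE = re.compile(r"\[(?P<thread>[^\]]+)\]")  # first [...] on a line is the worker thread
PRINCIPAL_RE = re.compile(r"Checking roles GenericPrincipal\[(?P<user>[^(]*)\((?P<roles>[^)]*)\)\]")
NO_ROLE_RE = re.compile(r"No role found:\s*(?P<role>\S+)")
FAILED_RE = re.compile(r"Failed accessControl\(\) test")

@dataclass
class AccessCheck:
    thread: str
    user: str
    held: list                                     # roles on the principal, log order ("" = empty entry)
    rejected: list = field(default_factory=list)   # roles Tomcat logged "No role found" for
    denied: bool = False

    def held_but_rejected(self):
        """Roles the principal holds yet Tomcat rejected: a role-matching problem, not a missing claim."""
        return sorted((set(self.held) & set(self.rejected)) - {""})

    def empty_role_entries(self):
        """Empty entries, e.g. the trailing ',' in the quoted principal."""
        return self.held.count("")

def parse_access_checks(log_text):
    """Pair each 'Checking roles' line with the rejections and the final denial on the same thread."""
    open_checks, denied = {}, []
    for line in log_text.splitlines():
        if not (t := THREAD_RE.search(line)):
            continue
        thread = t["thread"]
        if m := PRINCIPAL_RE.search(line):
            open_checks[thread] = AccessCheck(thread, m["user"], m["roles"].split(","))
        elif (m := NO_ROLE_RE.search(line)) and thread in open_checks:
            open_checks[thread].rejected.append(m["role"])
        elif FAILED_RE.search(line) and thread in open_checks:
            check = open_checks.pop(thread)
            check.denied = True
            denied.append(check)
    return denied  # checks that never logged a denial are left out
```

Run it over a real catalina log with `org.apache.catalina.realm` and `org.apache.catalina.authenticator` at FINE: a non-empty `held_but_rejected()` means the principal was populated correctly and the mismatch is on the Tomcat side of role checking, which is the distinction that matters when deciding where to look next.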