cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: 403 with CXF OIDC when user has roles
Date Mon, 18 Jul 2016 14:01:47 GMT
OK, this should now be fixed; please let me know if you run into any
problems with it:

https://issues.apache.org/jira/browse/FEDIZ-171

The default Fediz configuration in the OIDC service has been updated to use
the new configuration option, so it should just work without any changes.

Colm.

On Mon, Jul 18, 2016 at 2:34 PM, Adrian Gonzalez <adr_gonzalez@yahoo.fr.invalid> wrote:

> Hi Sergey, Colm,
> Sorry for not answering before, I wanted to test your suggestion, but had
> a hard time with my environment.
> Anyway, here it is: when I remove the authentication checks [1], I have a 401
> (see [2]) on
> http://localhost:8080/oidc/idp/authorize?client_id=NWuw2CijNchtRQ&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=blabla
>
> So +1 for adding the Authenticated role!
> Thanks,
> [1] my new web.xml
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Whitelist access</web-resource-name>
>             <url-pattern>/idp/*</url-pattern>
>         </web-resource-collection>
>     </security-constraint>
> [2] Error 401 due to :
> 2016-07-18 13:26:56,954 [http-apr-8080-exec-10] WARN
> org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper  -
> javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
>     at
> org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
>     at
> org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:130)
>     at
> org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.getAndValidateSecurityContext(RedirectionBasedGrantService.java:423)
>     at
> org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.startAuthorization(RedirectionBasedGrantService.java:123)
>     at
> org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.authorize(RedirectionBasedGrantService.java:93)
>     at
> org.apache.cxf.rs.security.oauth2.services.AuthorizationService.authorize(AuthorizationService.java:58)
>
>
>
> From: Colm O hEigeartaigh <coheigea@apache.org>
> To: "users@cxf.apache.org" <users@cxf.apache.org>
> Sent: Monday, 18 July 2016, 15:26
> Subject: Re: 403 with CXF OIDC when user has roles
>
> Actually, this won't work. We need to specify a role to get the Tomcat
> filters to kick in. What I'll do is add the "Authenticated" role to the
> list of roles in the filters, if a configuration option is set to true.
>
> Colm.
>
> On Mon, Jul 18, 2016 at 12:28 PM, Sergey Beryozkin <sberyozkin@gmail.com>
> wrote:
>
> > +1,
> >
> > Cheers, Sergey
> > On 18/07/16 14:18, Colm O hEigeartaigh wrote:
> >
> >> I think we could just get rid of them for the non-console part of the OIDC
> >> IdP. For the normal RP case, you want to make sure that only authenticated
> >> users in a given role can access the application. But here we're just
> >> logging users in, so I don't think we need to specify a constraint on the
> >> role.
> >>
> >> Colm.
> >>
> >> On Mon, Jul 18, 2016 at 12:11 PM, Sergey Beryozkin <sberyozkin@gmail.com>
> >> wrote:
> >>
> >>> One thing to note is that these roles in fediz-oidc/web.xml are a
> >>> temporary side-effect of the fact that OIDC is implemented right now as
> >>> a Fediz WS-Fed RP (meaning that internally, when the user is actually
> >>> authenticated, OIDC talks to the core Fediz IDP using WS-Fed, which is
> >>> transparent to the user).
> >>> And because OIDC is a Fediz RP right now, it is like any other web
> >>> application protected by Fediz Authenticators, and hence I simply copied
> >>> the roles from a base Fediz demo when prototyping the initial Fediz OIDC
> >>> web.xml.
> >>>
> >>> So I wonder, can we simply get rid of those roles? I recall it was quite
> >>> sensitive. Or maybe fix something at the Fediz core level not to lose
> >>> 'Authenticated'?
> >>>
> >>> Either way these roles will go once we have OIDC and IDP combined with
> >>> OIDC becoming a real IDP itself...
> >>>
> >>> Cheers, Sergey
> >>>
> >>>
> >>>
> >>> On 18/07/16 13:58, Colm O hEigeartaigh wrote:
> >>>
> >>>> Hi Adrian,
> >>>>
> >>>> I suppose the question is why you need to specify a role constraint at
> >>>> all for the OIDC authorization call? If you're happy to allow any
> >>>> authenticated user access, then why have a constraint on the role of
> >>>> the user?
> >>>>
> >>>> Colm.
> >>>>
> >>>> On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <adr_gonzalez@yahoo.fr.invalid>
> >>>> wrote:
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> I'm using CXF OIDC. When my Client Application redirects a user to OIDC
> >>>>> and the user is not associated with any role on the STS side, then
> >>>>> everything works fine.
> >>>>> When I associate the user with at least 1 role, I've got a 403 on this
> >>>>> request:
> >>>>>
> >>>>> http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
> >>>>>
> >>>>> From
> >>>>> https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54 :
> >>>>>   * When user has no roles, tomcat handler adds 'Authenticated' role.
> >>>>>   * When user has 1..n roles, no 'Authenticated' role is added.
> >>>>> As a workaround, I could give every one of my users an Authenticated
> >>>>> role, but it seems a bit artificial. Shouldn't TomcatSigninHandler.java
> >>>>> systematically add the Authenticated role?
> >>>>> Thanks, Adrian
> >>>>>
> >>>>> P.S. Here's the extract of my web.xml:
> >>>>>     <security-role>
> >>>>>         <role-name>Manager</role-name>
> >>>>>     </security-role>
> >>>>>     <security-role>
> >>>>>         <role-name>User</role-name>
> >>>>>     </security-role>
> >>>>>     <security-role>
> >>>>>         <role-name>Admin</role-name>
> >>>>>     </security-role>
> >>>>>     <security-role>
> >>>>>         <role-name>Authenticated</role-name>
> >>>>>     </security-role>
> >>>>>     <security-constraint>
> >>>>>         <web-resource-collection>
> >>>>>             <web-resource-name>User Protected Area</web-resource-name>
> >>>>>              <url-pattern>/idp/*</url-pattern>
> >>>>>          </web-resource-collection>
> >>>>>          <auth-constraint>
> >>>>>              <role-name>*</role-name>
> >>>>>          </auth-constraint>
> >>>>>      </security-constraint>
> >>>>>
> >>> --
> >>> Sergey Beryozkin
> >>>
> >>> Talend Community Coders
> >>> http://coders.talend.com/
> >>>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
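To make the role semantics discussed in this thread concrete, here is an added Python model (not code from CXF or Fediz, and not part of the thread) of how a Servlet container evaluates the two web.xml extracts above, combined with the TomcatSigninHandler behaviour Adrian describes ('Authenticated' added only when the user has no roles) and Colm's fix (always add it when a configuration option is set). The trimmed web.xml strings, the user role sets such as "Employee", and the `always_add_authenticated` flag name are constructed for the example; the rule for `*` is the Servlet specification's: `*` stands for every role declared in a `<security-role>` element, so a user whose only roles are undeclared ones gets a 403.

```python
"""Model of the 403 reported in the thread and of the 'always add Authenticated'
fix. Added illustration only; not CXF/Fediz code. Inputs are constructed."""
import xml.etree.ElementTree as ET

# Adrian's original web.xml, trimmed to the elements that matter (constructed)
WEB_XML_ROLE_STAR = """<web-app>
  <security-role><role-name>Manager</role-name></security-role>
  <security-role><role-name>User</role-name></security-role>
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>Authenticated</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Protected Area</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Adrian's [1] variant with the auth-constraint removed (constructed)
WEB_XML_NO_AUTH_CONSTRAINT = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whitelist access</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def parse_web_xml(text):
    """Return (declared security-role names, [(url-patterns, auth roles or None)])."""
    root = ET.fromstring(text)
    declared = {r.findtext("role-name") for r in root.findall("security-role")}
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        allowed = None if ac is None else [r.text for r in ac.findall("role-name")]
        constraints.append((patterns, allowed))
    return declared, constraints


def path_matches(pattern, path):
    """Minimal servlet path matching: exact match or a '/prefix/*' pattern."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def signin_roles(roles, always_add_authenticated):
    """Mirror the handler behaviour described in the thread: 'Authenticated' is
    added only for a role-less user; the (constructed) option forces it always."""
    effective = list(roles)
    if (not effective or always_add_authenticated) and "Authenticated" not in effective:
        effective.append("Authenticated")
    return effective


def authorize(web_xml, path, user_roles, always_add_authenticated=False):
    """HTTP status the request would get for an STS-authenticated user with user_roles."""
    declared, constraints = parse_web_xml(web_xml)
    for patterns, allowed in constraints:
        if not any(path_matches(p, path) for p in patterns):
            continue
        if allowed is None:
            # No auth-constraint: the container never triggers the Fediz login, so the
            # OIDC service finds no security context and rejects with 401 itself
            # (the NotAuthorizedException in Adrian's [2]).
            return 401
        effective = signin_roles(user_roles, always_add_authenticated)
        # '*' means "any role declared in a <security-role>"; otherwise the listed roles
        permitted = declared if "*" in allowed else set(allowed)
        return 200 if permitted.intersection(effective) else 403
    return 200  # resource not covered by any constraint


if __name__ == "__main__":
    for roles in ([], ["Manager"], ["Employee"]):
        print(roles, "->", authorize(WEB_XML_ROLE_STAR, "/idp/authorize", roles),
              "| with fix:",
              authorize(WEB_XML_ROLE_STAR, "/idp/authorize", roles, True))
    print("no auth-constraint ->",
          authorize(WEB_XML_NO_AUTH_CONSTRAINT, "/idp/authorize", ["Employee"]))
```

The model reproduces the three observations in the thread: a role-less user passes because the handler gives them 'Authenticated', which is declared; a user carrying only roles that the OIDC web.xml does not declare is refused with 403 under `*`; and dropping the `<auth-constraint>` entirely moves the failure to a 401 because nothing ever authenticates the user. Forcing 'Authenticated' onto every signed-in user is what makes the constraint behave as "any authenticated user".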
