SecurityRoleFilter
After successful authentication, that is, after having passed the IdentityCreationFilter, the user will own one or several security roles. The main task of the SecurityRoleFilter is to ensure that the user has the required security roles when accessing a resource. If this is not the case, the SecurityRoleFilter has to enforce an authentication step-up, if an authentication servlet is configured, or simply deny access.
Step-up
The main task of the SecurityRoleFilter is to ensure that the user has the required security roles when accessing a resource. If this is not the case, the SecurityRoleFilter has to enforce an authentication step-up (if an authentication servlet is configured) or simply deny access.
ch::nevis::isiweb4::filter::auth::SecurityRoleFilter
libIdentityCreationFilters.so.1
Configuration
Shared parameters with the IdentityCreationFilter
The following parameters are shared with the IdentityCreationFilter. For detailed description see the IdentityCreationFilter
- AuthenticationServlet - required if DynamicRoleAcquire is
true - LoginRendererServlet - required if DynamicRoleAcquire is
true - DelegateSecToken
- ReauthInterval
- InactiveInterval
- InactivePolicy
- SecureConnection
- StoreInterceptedRequest
- CheckAlwaysClientCert
- InterceptionRedirect
- PropagateInterceptionState
- ClearFrames
- PropagateFromEnv
- PropagateFromRequest
- RequestPeerCert
- BodyReadSize
- OnlySoapHeader
- NoClientCertRedirect
- RenewIdentification
- InvalidLogoutRedirect
- SendAlwaysClientCert
- StoreProperties
- Statekey
- SecTokenTolerance
- MaxLifetime
- SynchronizeLoginRequests
ClientCert
- Type: Enum
- Possible values:
want - Usage Constraint: optional
- This attribute is used to enable X.509 client certificate stepup. Valid values are:
- want: a client certificate is expected and will be renegotiated before the first request to the authentication service. A missing client certificate must be handled by the authentication service.
StoreClientCert
- Type: Boolean
- Usage Constraint: optional
- Default:
false - If set to
true, the client certificate used for the client step-up will be stored as a parameter in the session.
RolesRequired
- Type: List of security roles
- Usage Constraint: optional
- A list of required security roles separated by whitespace. The user needs at least one of the specified roles. The authentication service has to provide the security model used here.
RolesForbidden
- Type: List of security roles
- Usage Constraint: optional
- A list of required security roles separated by whitespace. If the user has one of those roles, access is denied.
DynamicRoleAcquire
- Type: Boolean
- Usage Constraint: optional
- Default:
false - If enabled, the filter will trigger an authentication step-up in case the session does not have the right roles. If disabled, the filter will return response code 403 ("HTTP Forbidden") if the required roles are missing. In this case, you do not need to configure the parameters AuthenticationServlet and LoginRendererServlet.
DynamicRoleAcquire.CheckRoleRemoval
- Type: Boolean
- Usage Constraint: optional
- Default:
false - If enabled, the filter will check whether all roles are still valid. If the roles are not valid anymore, the filter will re-trigger a step-up. This attribute is considered only if the attribute DynamicRoleAcquire is set to
true.
InvalidateOnError
- Type: Boolean
- Usage Constraint: optional
- Default:
true - Secure default:
true - If enabled, the filter will invalidate the session in case nevisAuth returns an error. As a consequence, the user has to restart the login process.
AllowRedirectOnAuthDone
- Type: Boolean
- Usage Constraint: optional
- Default:
false
This parameter will only be evaluated if InterceptionRedirect is never. If this parameter is set to true, it accepts that an AUTH_DONE response from nevisAuth allows to have a 'nevis.transfer.type' set to redirect and this will cause the request to answer with a redirect response to the URL defined in nevis.transfer.destination.
If set to false, the redirection will be ignored and the requests goes directly to the backend.