SecurityRoleFilter
After successful authentication, that is, after having passed the IdentityCreationFilter, the user holds one or more security roles. The main task of the SecurityRoleFilter is to ensure that the user has the required security roles when accessing a resource. If this is not the case, the SecurityRoleFilter has to enforce an authentication step-up (if an authentication servlet is configured) or simply deny access.
Class name: ch::nevis::isiweb4::filter::auth::SecurityRoleFilter
Library: libIdentityCreationFilters.so.1
Flags: +NEEDS_PARAMS +NEEDS_JSON_PARSING
Configuration
Shared parameters with the IdentityCreationFilter
The following parameters are shared with the IdentityCreationFilter. For a detailed description, see the IdentityCreationFilter.
- AuthenticationServlet - required if DynamicRoleAcquire is true
- LoginRendererServlet - required if DynamicRoleAcquire is true
- DelegateSecToken
- ReauthInterval
- InactiveInterval
- InactivePolicy
- SecureConnection
- StoreInterceptedRequest
- InterceptionRedirect
- PropagateInterceptionState
- ClearFrames
- PropagateFromEnv
- PropagateFromRequest
- RequestPeerCert
- BodyReadSize
- OnlySoapHeader
- NoClientCertRedirect
- RenewIdentification
- InvalidLogoutRedirect
- SendAlwaysClientCert
- StoreProperties
- Statekey
- SecTokenTolerance
- MaxLifetime
- SynchronizeLoginRequests
ClientCert
Type: Enum
Possible values: want
Usage Constraint: optional
This attribute is used to enable X.509 client certificate step-up. Valid values are:
- want: a client certificate is expected and will be renegotiated before the first request to the authentication service. A missing client certificate must be handled by the authentication service.
StoreClientCert
Type: Boolean
Usage Constraint: optional
Default: false
If set to true, the client certificate used for the client step-up will be stored as a parameter in the session.
RolesRequired
Type: List of security roles
Usage Constraint: optional
A list of required security roles separated by whitespace. The user needs at least one of the specified roles. The authentication service has to provide the security model used here.
RolesForbidden
Type: List of security roles
Usage Constraint: optional
A list of forbidden security roles separated by whitespace. If the user has one of those roles, access is denied.
DynamicRoleAcquire
Type: Boolean
Usage Constraint: optional
Default: false
If enabled, the filter will trigger an authentication step-up in case the session does not have the right roles. If disabled, the filter will return response code 403 ("HTTP Forbidden") if the required roles are missing. In this case, you do not need to configure the parameters AuthenticationServlet and LoginRendererServlet.
DynamicRoleAcquire.CheckRoleRemoval
Type: Boolean
Usage Constraint: optional
Default: false
If enabled, the filter will check whether all roles are still valid. If the roles are not valid anymore, the filter will re-trigger a step-up. This attribute is considered only if the attribute DynamicRoleAcquire is set to true.
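The RolesRequired, RolesForbidden, DynamicRoleAcquire and CheckRoleRemoval parameters above, shown together as two filter definitions in a nevisProxy web.xml. This is an added example, not taken from the nevisProxy documentation; the filter names, URL patterns, role names and the servlet names AuthServlet and LoginRenderer are assumptions for illustration.

```xml
<!-- Added example (not from the nevisProxy docs). Assumed: filter names, URL patterns,
     role names, and the servlet names "AuthServlet" / "LoginRenderer". -->

<!-- Variant 1: no step-up. A session without a matching role gets HTTP 403. -->
<filter>
  <filter-name>RoleCheck_Reporting</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
  <!-- any one of these roles grants access -->
  <init-param><param-name>RolesRequired</param-name><param-value>reporting.read reporting.admin</param-value></init-param>
  <!-- holding any of these roles denies access -->
  <init-param><param-name>RolesForbidden</param-name><param-value>contractor</param-value></init-param>
  <init-param><param-name>DynamicRoleAcquire</param-name><param-value>false</param-value></init-param>
</filter>
<filter-mapping>
  <filter-name>RoleCheck_Reporting</filter-name>
  <url-pattern>/reporting/*</url-pattern>
</filter-mapping>

<!-- Variant 2: step-up. A missing role triggers re-authentication via nevisAuth, and
     roles are re-validated on every request so a revoked role re-triggers the step-up. -->
<filter>
  <filter-name>RoleCheck_Admin</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
  <init-param><param-name>RolesRequired</param-name><param-value>admin.strong</param-value></init-param>
  <init-param><param-name>DynamicRoleAcquire</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>DynamicRoleAcquire.CheckRoleRemoval</param-name><param-value>true</param-value></init-param>
  <!-- both servlets are required once DynamicRoleAcquire is true -->
  <init-param><param-name>AuthenticationServlet</param-name><param-value>AuthServlet</param-value></init-param>
  <init-param><param-name>LoginRendererServlet</param-name><param-value>LoginRenderer</param-value></init-param>
  <!-- keep the secure default explicit: an auth error invalidates the session -->
  <init-param><param-name>InvalidateOnError</param-name><param-value>true</param-value></init-param>
</filter>
<filter-mapping>
  <filter-name>RoleCheck_Admin</filter-name>
  <url-pattern>/admin/*</url-pattern>
</filter-mapping>
```

Variant 1 is the right choice for API or service paths where a browser-based step-up makes no sense; Variant 2 is for interactive paths where the user should be sent through nevisAuth to acquire the missing role.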
InvalidateOnError
Type: Boolean
Usage Constraint: optional
Default: true
Secure default: true
If enabled, the filter will invalidate the session in case nevisAuth returns an error. As a consequence, the user has to restart the login process.
AllowRedirectOnAuthDone
Type: Boolean
Usage Constraint: optional
Default: false
This parameter is only evaluated if InterceptionRedirect is set to never. If set to true, an AUTH_DONE response from nevisAuth may carry 'nevis.transfer.type' set to redirect, in which case the request is answered with a redirect to the URL defined in nevis.transfer.destination.
If set to false, the redirection is ignored and the request goes directly to the backend.