Version: 8.2411.x.x RR

SecurityRoleFilter

After successful authentication, that is, after having passed the IdentityCreationFilter, the user owns one or several security roles. The main task of the SecurityRoleFilter is to ensure that the user has the required security roles when accessing a resource. If this is not the case, the SecurityRoleFilter enforces an authentication step-up, if an authentication servlet is configured, or simply denies access.

Step-up

If the session lacks a required role, the filter either sends the user into an authentication step-up through the configured authentication servlet (DynamicRoleAcquire set to true) or denies the request with response code 403 (the default). The step-up can additionally demand an X.509 client certificate (see ClientCert below).

Classname
ch::nevis::isiweb4::filter::auth::SecurityRoleFilter
Library
libIdentityCreationFilters.so.1
Default RequestFlags
+NEEDS_PARAMS +NEEDS_JSON_PARSING

Configuration

Shared parameters with the IdentityCreationFilter

The following parameters are shared with the IdentityCreationFilter. For a detailed description, see the IdentityCreationFilter.

  • AuthenticationServlet - required if DynamicRoleAcquire is true
  • LoginRendererServlet - required if DynamicRoleAcquire is true
  • DelegateSecToken
  • ReauthInterval
  • InactiveInterval
  • InactivePolicy
  • SecureConnection
  • StoreInterceptedRequest
  • InterceptionRedirect
  • PropagateInterceptionState
  • ClearFrames
  • PropagateFromEnv
  • PropagateFromRequest
  • RequestPeerCert
  • BodyReadSize
  • OnlySoapHeader
  • NoClientCertRedirect
  • RenewIdentification
  • InvalidLogoutRedirect
  • SendAlwaysClientCert
  • StoreProperties
  • Statekey
  • SecTokenTolerance
  • MaxLifetime
  • SynchronizeLoginRequests

ClientCert

Type: Enum
Possible values: want
Usage Constraint: optional

This attribute enables X.509 client certificate step-up. The only valid value is:

  • want: a client certificate is expected and will be renegotiated before the first request to the authentication service. The filter itself does not reject a missing client certificate; the authentication service must handle that case.

StoreClientCert

Type: Boolean
Usage Constraint: optional
Default: false

If set to true, the client certificate obtained during the client certificate step-up is stored as a parameter in the session.

RolesRequired

Type: List of security roles
Usage Constraint: optional

A list of required security roles separated by whitespace. The user needs at least one of the specified roles. The role names must match the security model provided by the authentication service.

RolesForbidden

Type: List of security roles
Usage Constraint: optional

A list of forbidden security roles separated by whitespace. If the user has any of these roles, access is denied.

DynamicRoleAcquire

Type: Boolean
Usage Constraint: optional
Default: false

If enabled, the filter triggers an authentication step-up when the session does not have the required roles. If disabled, the filter returns response code 403 ("HTTP Forbidden") when the required roles are missing; in that case, the parameters AuthenticationServlet and LoginRendererServlet do not need to be configured.

DynamicRoleAcquire.CheckRoleRemoval

Type: Boolean
Usage Constraint: optional
Default: false

If enabled, the filter also checks whether the roles are still valid. If they are no longer valid, the filter triggers the step-up again. This attribute is considered only if DynamicRoleAcquire is set to true.

InvalidateOnError

Type: Boolean
Usage Constraint: optional
Default: true
Secure default: true

If enabled, the filter invalidates the session when nevisAuth returns an error. As a consequence, the user has to restart the login process.

AllowRedirectOnAuthDone

Type: Boolean
Usage Constraint: optional
Default: false

This parameter is evaluated only if InterceptionRedirect is set to never. If set to true, an AUTH_DONE response from nevisAuth that carries 'nevis.transfer.type' set to redirect is honoured: the request is answered with a redirect to the URL given in nevis.transfer.destination. If set to false, the redirect instruction is ignored and the request goes directly to the backend.
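The following is an added example, not taken from the nevisProxy documentation, showing how the role parameters above (RolesRequired, RolesForbidden, DynamicRoleAcquire, DynamicRoleAcquire.CheckRoleRemoval, InvalidateOnError) combine in two typical filter declarations. The servlet-style filter/init-param layout is assumed from the way nevisProxy filters are declared in web.xml; the filter names, role names, servlet names and URL patterns are placeholders.

```xml
<!-- Added example (not from the nevisProxy documentation). The web.xml
     filter/init-param layout is an assumption; names and patterns are
     placeholders. Both filters must sit behind an IdentityCreationFilter,
     since the SecurityRoleFilter only evaluates roles of an already
     authenticated session. -->

<!-- 1. Deny-only gate, no step-up. A session without "app.user" or
        "app.poweruser", or one that owns "account.locked", gets HTTP 403.
        DynamicRoleAcquire keeps its default (false), so no authentication
        servlet or login renderer servlet is needed here. -->
<filter>
  <filter-name>RoleFilter_App</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
  <init-param>
    <param-name>RolesRequired</param-name>
    <param-value>app.user app.poweruser</param-value> <!-- whitespace separated, any one suffices -->
  </init-param>
  <init-param>
    <param-name>RolesForbidden</param-name>
    <param-value>account.locked</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>RoleFilter_App</filter-name>
  <url-pattern>/app/*</url-pattern>
</filter-mapping>

<!-- 2. Step-up gate. Admin paths require a role the user only obtains
        after a stronger authentication. DynamicRoleAcquire=true sends the
        session to the authentication servlet instead of answering 403, so
        both servlet parameters are required. CheckRoleRemoval re-triggers
        the step-up if the role is no longer valid later on. -->
<filter>
  <filter-name>RoleFilter_Admin</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
  <init-param>
    <param-name>RolesRequired</param-name>
    <param-value>admin.strong</param-value>
  </init-param>
  <init-param>
    <param-name>DynamicRoleAcquire</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>DynamicRoleAcquire.CheckRoleRemoval</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>AuthenticationServlet</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>LoginRendererServlet</param-value>
  </init-param>
  <init-param>
    <param-name>InvalidateOnError</param-name>
    <param-value>true</param-value> <!-- secure default, written out so a later edit cannot silently weaken it -->
  </init-param>
</filter>
<filter-mapping>
  <filter-name>RoleFilter_Admin</filter-name>
  <url-pattern>/admin/*</url-pattern>
</filter-mapping>
```

The first form is the safer one wherever no step-up path exists: a missing role is answered with 403 rather than with a redirect into a login flow. The second form only makes sense if the authentication service behind AuthenticationServlet can actually grant the role named in RolesRequired; otherwise every request on that mapping loops into a step-up that can never succeed.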