SecurityRoleFilter
After successful authentication, that is, after having passed the IdentityCreationFilter, the user holds one or more security roles.
Step-up
The main task of the SecurityRoleFilter is to check that the user holds the security roles required to access a resource. If not, the filter either enforces an authentication step-up (if an authentication servlet is configured) or simply denies access.
Classname
ch::nevis::isiweb4::filter::auth::SecurityRoleFilter
Library
libIdentityCreationFilters.so.1
Configuration
Name | Type, Usage Constraints, Defaults | Description |
---|---|---|
AuthenticationServlet | | This and the following parameters are shared with the IdentityCreationFilter; see its description (in the chapter: IdentityCreationFilter). |
LoginRendererServlet | | See IdentityCreationFilter. |
DelegateSecToken | | See IdentityCreationFilter. |
ReauthInterval | | See IdentityCreationFilter. |
InactiveInterval | | See IdentityCreationFilter. |
InactivePolicy | | See IdentityCreationFilter. |
SecureConnection | | See IdentityCreationFilter. |
StoreInterceptedRequest | | See IdentityCreationFilter. |
CheckAlwaysClientCert | | See IdentityCreationFilter. |
InterceptionRedirect | | See IdentityCreationFilter. |
PropagateInterceptionState | | See IdentityCreationFilter. |
ClearFrames | | See IdentityCreationFilter. |
PropagateFromEnv | | See IdentityCreationFilter. |
PropagateFromRequest | | See IdentityCreationFilter. |
RequestPeerCert | | See IdentityCreationFilter. |
BodyReadSize | | See IdentityCreationFilter. |
OnlySoapHeader | | See IdentityCreationFilter. |
NoClientCertRedirect | | See IdentityCreationFilter. |
RenewIdentification | | See IdentityCreationFilter. |
InvalidLogoutRedirect | | See IdentityCreationFilter. |
SendAlwaysClientCert | | See IdentityCreationFilter. |
StoreProperties | | See IdentityCreationFilter. |
Statekey | | See IdentityCreationFilter. |
SecTokenTolerance | | See IdentityCreationFilter. |
ExclusiveSessionLock | | See IdentityCreationFilter. |
ClientCert | string; optional, basic feature | Enables X.509 client certificate step-up. Valid value: "want": a client certificate is expected and is renegotiated before the first request to the authentication service. A missing client certificate must be handled by the authentication service. |
StoreClientCert | boolean; optional; default: false | If set to "true", the client certificate used for the client certificate step-up is stored as a parameter in the HTTP session. |
RolesRequired | list of security roles; optional, basic feature | A whitespace-separated list of required security roles. The user needs at least one of the specified roles (the list is a disjunction, not a conjunction). The role names must follow the security model provided by the authentication service. |
RolesForbidden | list of security roles; optional, advanced | A whitespace-separated list of forbidden security roles. If the user holds any one of these roles, access is denied. |
DynamicRoleAcquire | boolean: true, false; optional, basic feature; default: false | If set to "true", the filter triggers an authentication step-up when the session does not hold the required roles; the parameters AuthenticationServlet and LoginRendererServlet are then needed for the step-up. If set to "false", the filter returns response code 403 ("HTTP Forbidden") when the required roles are missing; in this case you do not need to configure AuthenticationServlet and LoginRendererServlet. |
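The following fragment is an added example and is not part of the product documentation. It shows two typical uses of the SecurityRoleFilter, written in the servlet-style filter/init-param syntax of the nevisProxy navajo.xml: an interactive area that steps the user up when a role is missing, and an API area that simply answers 403. The filter names, URL patterns, role names and the servlet names AuthenticationServlet and LoginRenderer are assumptions chosen for illustration; only the class name and the parameter names come from this page.

```xml
<!-- Added example, not from the nevisProxy documentation. Filter names, URL
     patterns, role names and servlet names are assumptions for illustration. -->

<!-- /admin/*: the user needs the "admin" role. If it is missing, step up
     via the authentication servlet instead of denying; the step-up also
     renegotiates an X.509 client certificate and keeps it in the session. -->
<filter>
  <filter-name>AdminRoleFilter</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
  <init-param>
    <param-name>RolesRequired</param-name>
    <param-value>admin</param-value>
  </init-param>
  <init-param>
    <!-- any one of these roles denies access, even if "admin" is present -->
    <param-name>RolesForbidden</param-name>
    <param-value>locked service.account</param-value>
  </init-param>
  <init-param>
    <param-name>DynamicRoleAcquire</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>AuthenticationServlet</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>LoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>ClientCert</param-name>
    <param-value>want</param-value>
  </init-param>
  <init-param>
    <param-name>StoreClientCert</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>AdminRoleFilter</filter-name>
  <url-pattern>/admin/*</url-pattern>
</filter-mapping>

<!-- /api/*: a programmatic client cannot follow an interactive step-up, so
     DynamicRoleAcquire stays false and a missing role yields HTTP 403. Note
     that RolesRequired is an any-of list: "api.read" alone is sufficient. -->
<filter>
  <filter-name>ApiRoleFilter</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::auth::SecurityRoleFilter</filter-class>
  <init-param>
    <param-name>RolesRequired</param-name>
    <param-value>api.read api.write</param-value>
  </init-param>
  <init-param>
    <param-name>DynamicRoleAcquire</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>ApiRoleFilter</filter-name>
  <url-pattern>/api/*</url-pattern>
</filter-mapping>
```

Two points to check when deploying such a configuration. First, roles exist on the session only after the IdentityCreationFilter has run, so the SecurityRoleFilter mapping must come after the IdentityCreationFilter mapping for the same URL pattern; placed before it, the check is evaluated against a session without roles. Second, RolesRequired grants access if any one listed role is present, so a resource that genuinely needs two roles cannot be expressed by listing both; use separate filters or a combined role issued by the authentication service instead.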