2

I have configured ADFS SAML on weblogic server and have added corresponding entry in web.xml. I want to exclude one url from authourization through ADFS SAML so i have added security constraint without auth-constraint in web.xml.So Now I am expecting the url with /Sample/ should get excluded but still it is authourizing /Sample/ request Please find below web.xml Restricted /Sample/* 

<security-constraint>
  <display-name>excluded</display-name>
      <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>*</url-pattern>
       <http-method>PUT</http-method>
       <http-method>DELETE</http-method>
     </web-resource-collection>

  <web-resource-collection>
        <web-resource-name>Restricted</web-resource-name>
        <url-pattern>/Sample</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
  </web-resource-collection>


  <web-resource-collection>
        <web-resource-name>SAML</web-resource-name>
        <url-pattern>*</url-pattern>
  </web-resource-collection>
    <auth-constraint>
        <role-name>everyone</role-name>
    </auth-constraint>
 </security-constraint>
happy
  • 2,550
  • 17
  • 64
  • 109

1 Answers1

2

You have multiple problems currently... The first thing you should do is break it up into multiple security-constraint. You can have more than one, so define a separate one for your SAML and No Access. Your URL pattern is the same for SAML and No Access, which one is it?:

<url-pattern>*</url-pattern>

Your auth-constraint seems bad too... allow access to everyone? If you're simply looking to restrict parts, of an app, specify no auth contraint like:

<auth-constraint />

Follow a through example on SO like: How to exclude one url from authorization

or

Follow a tutorial like http://java.dzone.com/articles/understanding-web-security

Community
  • 1
  • 1
Display Name is missing
  • 6,197
  • 3
  • 34
  • 46