KB0013321: Single Sign-On Authorization Error

Applies to: Ephesoft Transact 4.0.0.0

Issue

After configuring SSO using Authentication Type 1 or 2 in the web.xml, you may encounter the following error when logging in to Transact: “You are not authorized to view this page. Forbidden: Access is denied”.

Figure 1. Access Denied Error

Root Cause

The issue may be due to incorrect ordering of the SSO Authentication filter in the web.xml file. Servlet filters run in the order in which their filter-mapping entries appear in web.xml, so if the authorization filter is reached before the authentication filter has read the user identity from the SSO headers, the request is evaluated as an unauthenticated user and denied.

Solution

To resolve this issue, you’ll need to re-order the entries in the web.xml file so that the authentication filter comes before the authorization filter.

  1. Open the web.xml file located at [Ephesoft_Directory]\Application\WEB-INF\.
  2. Locate the following excerpt:
<!-- Authentication Filter for SSO -->
<filter>
<filter-name>authenticationFilter</filter-name>
<filter-class>com.ephesoft.dcma.webapp.AuthenticationFilter</filter-class>

<!-- Name of HTTP header containing User Name. -->
<init-param>
<param-name>requestUsernameHeader</param-name>
<param-value>REMOTE_USER</param-value>
</init-param>

<!-- Name of HTTP header containing Group Name. -->
<init-param>
<param-name>requestGroupnameHeader</param-name>
<param-value>GROUP_USER</param-value>
</init-param>

<!-- Name of HTTP header containing Super Admin. -->
<init-param>
<param-name>requestSuperAdminHeader</param-name>
<param-value>SUPER_ADMIN</param-value>
</init-param>

<!-- Logout URL -->
<init-param>
<param-name>logoutUrl</param-name>
<param-value>https://www.samplecompanyname.com/Logout/logoff.asp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>authenticationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
  3. Cut the section above and paste it between the closing context-param tag and the headerFilter definition, so that the authenticationFilter and its filter-mapping are declared before serverAuthorizationFilter. An example is included below:
<context-param>
<param-name>protocol</param-name>
<param-value>http</param-value>
</context-param>

<!-- Authentication Filter for SSO -->
<filter>
<filter-name>authenticationFilter</filter-name>
<filter-class>com.ephesoft.dcma.webapp.AuthenticationFilter</filter-class>

<!-- Name of HTTP header containing User Name. -->
<init-param>
<param-name>requestUsernameHeader</param-name>
<param-value>REMOTE_USER</param-value>
</init-param>

<!-- Name of HTTP header containing Group Name. -->
<init-param>
<param-name>requestGroupnameHeader</param-name>
<param-value>GROUP_USER</param-value>
</init-param>

<!-- Name of HTTP header containing Super Admin. -->
<init-param>
<param-name>requestSuperAdminHeader</param-name>
<param-value>SUPER_ADMIN</param-value>
</init-param>

<!-- Logout URL -->
<init-param>
<param-name>logoutUrl</param-name>
<param-value>https://www.samplecompanyname.com/Logout/logoff.asp</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>authenticationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
<filter-name>headerFilter</filter-name>
<filter-class>com.ephesoft.dcma.webapp.HTTPHeaderFilter</filter-class>
</filter>

<filter>
<filter-name>hibernate.dcma</filter-name>
<filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
</filter>

<!---->
<filter>
<filter-name>serverAuthorizationFilter</filter-name>
<filter-class>com.ephesoft.dcma.webapp.AuthorizationFilter</filter-class>
</filter>
  4. Save and close the file.
  5. Restart Ephesoft Transact.
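As an added check (not part of this KB article or of the product), the following script reads a web.xml and verifies that the filter-mapping for authenticationFilter precedes the one for serverAuthorizationFilter, which is the ordering the steps above produce. The web-app fragments are constructed, and the filter-mapping for serverAuthorizationFilter is assumed, since the article shows only its filter element.

```python
import xml.etree.ElementTree as ET

AUTHN = "authenticationFilter"          # SSO header filter from the article
AUTHZ = "serverAuthorizationFilter"     # authorization filter from the article


def _local(tag):
    # Drop the namespace so the check works whether or not <web-app> declares xmlns.
    return tag.rsplit("}", 1)[-1]


def filter_mapping_order(web_xml_text):
    """Return filter names in the document order of their <filter-mapping> elements.

    A servlet container invokes filters in the order their <filter-mapping>
    entries appear in web.xml, so that order, not the <filter> order, decides
    whether authentication runs before authorization.
    """
    root = ET.fromstring(web_xml_text)
    names = []
    for child in root:
        if _local(child.tag) == "filter-mapping":
            for sub in child:
                if _local(sub.tag) == "filter-name":
                    names.append((sub.text or "").strip())
    return names


def sso_order_ok(web_xml_text):
    """True only if authenticationFilter is mapped before serverAuthorizationFilter."""
    order = filter_mapping_order(web_xml_text)
    if AUTHN not in order or AUTHZ not in order:
        return False  # an unmapped filter never runs; treat as misconfigured
    return order.index(AUTHN) < order.index(AUTHZ)


# Constructed fragments, not the shipped web.xml. The serverAuthorizationFilter
# mapping is assumed; the article shows only its <filter> element.
MAPPING = "<filter-mapping><filter-name>%s</filter-name><url-pattern>/*</url-pattern></filter-mapping>"
BROKEN = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>' % "".join(
    MAPPING % n for n in ("headerFilter", AUTHZ, AUTHN))
FIXED = '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>' % "".join(
    MAPPING % n for n in (AUTHN, "headerFilter", AUTHZ))

if __name__ == "__main__":
    for label, text in (("before fix", BROKEN), ("after fix", FIXED)):
        print(label, filter_mapping_order(text), "ok" if sso_order_ok(text) else "misordered")
```

To check a real installation, pass the contents of [Ephesoft_Directory]\Application\WEB-INF\web.xml to sso_order_ok before restarting the service.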