[keycloak-user] Arquillian / Remote Container / EJB Security

Lauer Markus Markus.Lauer at co-met.info
Thu Mar 24 05:55:17 EDT 2016 

>
> I'm looking for s/th like this:
> https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquillian
>
> This could possibly be combined with:
> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jaas-adapter
>
> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
>
> But I can not change the "keycloak" security-domain for testing...
>


Ok. Approaching a solution...

I adopted the JBossLoginContextFactory from the link above:

https://gist.github.com/anonymous/892d957dfdf289158ccc




LoginContext loginContext =
JBossLoginContextFactory.createLoginContext("markus.lauer at co-met.info",
"********");
loginContext.login();

log.info("principals: " + loginContext.getSubject().getPrincipals());

Set<Principal> principals = loginContext.getSubject().getPrincipals();
for ( Principal p : principals ) {
    log.info("name: " + p.getName() + ", type: " + p.getClass());
}


Output:

principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data,
user, manage-master-data, markus.lauer at co-met.info]
name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class
org.keycloak.KeycloakPrincipal
name: view-master-data, type: class
org.keycloak.adapters.jaas.RolePrincipal
name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
name: manage-master-data, type: class
org.keycloak.adapters.jaas.RolePrincipal
name: markus.lauer at co-met.info, type: class
org.jboss.security.SimplePrincipal


Login works!

But unfortunately I still can not access the secured EJB:

Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Void>() {

   @Override
   public Void run() {
     log.info("count: " + securedEJB.count());
     return null;
   }

});


This throws an exception:

javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User



Here is a snippet of SecuredEJB:

@Stateless
@SecurityDomain("keycloak")
@DeclareRoles({ "view-master-data", "manage-master-data" })
public class SecuredEJB {

    @RolesAllowed({"view-master-data"})
    public int count() {
....
    }

}



Any ideas how to deal with the "Invalid User"?
Perhaps the keycloak UUID vs. username?


Regards,

Markus.





________________________________

Zum Lesen der rechtlichen Hinweise dieser Mail, kopieren Sie bitte die aufgeführte URL in Ihren Browser oder folgen Sie dem Link.

http://disclaimer.tec-saar.de/co-met.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4628 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160324/681872a5/attachment-0001.bin

More information about the keycloak-user mailing list