[keycloak-user] Arquillian / Remote Container / EJB Security

Lauer Markus Markus.Lauer at co-met.info
Thu Mar 31 03:09:30 EDT 2016


On Thursday, 24.03.2016, 09:55 +0000, Lauer Markus wrote:
>
> > I'm looking for something like this:
> > https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquillian
> >
> > This could possibly be combined with:
> > https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jaas-adapter
> > org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> >
> > But I cannot change the "keycloak" security-domain for testing...
>
> Ok. Approaching a solution...
>
> I adapted the JBossLoginContextFactory from the link above:
>
> https://gist.github.com/anonymous/892d957dfdf289158ccc
>
> LoginContext loginContext =
> JBossLoginContextFactory.createLoginContext("markus.lauer at co-met.info",
> "********");
> loginContext.login();
>
> log.info("principals: " + loginContext.getSubject().getPrincipals());
>
> Set<Principal> principals = loginContext.getSubject().getPrincipals();
> for ( Principal p : principals ) {
>     log.info("name: " + p.getName() + ", type: " + p.getClass());
> }
>
> Output:
>
> principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data, user, manage-master-data, markus.lauer at co-met.info]
> name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class org.keycloak.KeycloakPrincipal
> name: view-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
> name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
> name: manage-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
> name: markus.lauer at co-met.info, type: class org.jboss.security.SimplePrincipal
>
> Login works!
>
> But unfortunately I still cannot access the secured EJB:
>
> Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Void>() {
>
>    @Override
>    public Void run() {
>      log.info("count: " + securedEJB.count());
>      return null;
>    }
>
> });
>
> This throws an exception:
>
> javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
>
> Here is a snippet of SecuredEJB:
>
> @Stateless
> @SecurityDomain("keycloak")
> @DeclareRoles({ "view-master-data", "manage-master-data" })
> public class SecuredEJB {
>
>     @RolesAllowed({"view-master-data"})
>     public int count() {
> ....
>     }
>
> }
>
> Any ideas how to deal with the "Invalid User"?
> Perhaps the keycloak UUID vs. username?
>
> Regards,
>
> Markus.


No ideas? No comment?

Another possible problem:
The configured security domain in WildFly is called "keycloak" and uses
the default LoginModule "KeycloakLoginModule".
Now I'm trying to access secured EJBs in this security domain
("keycloak") with another LoginModule: DirectAccessGrantsLoginModule.
Is this possible at least?

There is also a bug report in this context:
https://issues.jboss.org/browse/WFLY-4626
Is this the same bug here?

To recap: The only thing I'm trying to accomplish is to access secured
EJBs from automated tests (arquillian). The @RunAs solution (see above /
last mails in this thread) is not sufficient.

Is there an easier way? (Stripping @RolesAllowed annotations in tests,
deactivating security in tests, etc.)


Regards,

Markus.


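An added example that is not part of the mail or of the anonymous gist it links: a programmatic JAAS Configuration for the in-container Arquillian test, stacking DirectAccessGrantsLoginModule with the PicketBox ClientLoginModule. The point it shows is that Subject.doAs only changes the java.security AccessControlContext; WildFly's EJB security interceptor authorizes against the PicketBox SecurityContextAssociation, which ClientLoginModule populates on login and, with restore-login-identity, resets on logout. The class name, the configuration name, the keycloak-test.json path and the use of jboss.server.config.dir are assumptions; the option names are the ones documented for the two login modules. Whether the "keycloak" security domain then accepts the caller credential that ClientLoginModule pushes is exactly the open question of the mail; the factory only gets the identity as far as the interceptor.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.keycloak.adapters.jaas.RolePrincipal;

/*
 * Added example (not the gist from the mail). Two-module JAAS stack for an
 * in-container Arquillian test:
 *   1. DirectAccessGrantsLoginModule: trades the test user's password for a
 *      Keycloak token and fills the Subject with KeycloakPrincipal + RolePrincipals;
 *   2. ClientLoginModule: copies that identity into the PicketBox
 *      SecurityContextAssociation, which the WildFly EJB interceptor reads.
 *      Subject.doAs never touches it, so without this the bean sees no caller.
 * Assumptions: the path in KEYCLOAK_CONFIG, and that the bean's security
 * domain accepts the credential pushed for this caller (otherwise WFLYSEC0027).
 */
public final class KeycloakTestLoginContextFactory {

    private static final String CONFIGURATION_NAME = "arquillian-keycloak-test";

    // Assumption: a test copy of the adapter config in the server's config dir.
    private static final String KEYCLOAK_CONFIG =
            System.getProperty("jboss.server.config.dir") + "/keycloak-test.json";

    public static LoginContext createLoginContext(String username, String password)
            throws LoginException {
        CallbackHandler handler = new NamePasswordCallbackHandler(username, password);
        return new LoginContext(CONFIGURATION_NAME, new Subject(), handler,
                new TestConfiguration(KEYCLOAK_CONFIG));
    }

    /**
     * Logs in, runs the action with that identity attached to the current
     * thread, and always logs out so the previous identity is restored.
     * Usage from a test: callAs(user, pw, () -> securedEJB.count())
     */
    public static <T> T callAs(String username, String password, Callable<T> action)
            throws Exception {
        LoginContext loginContext = createLoginContext(username, password);
        loginContext.login();
        try {
            return action.call();
        } finally {
            loginContext.logout();
        }
    }

    /** Pre-flight check: does the Subject carry the role @RolesAllowed demands? */
    public static boolean hasRole(Subject subject, String role) {
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    /** Answers the NameCallback/PasswordCallback both login modules issue. */
    static final class NamePasswordCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;

        NamePasswordCallbackHandler(String username, String password) {
            this.username = username;
            this.password = password.toCharArray();
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
        }
    }

    /** The two-module stack; returns null for any other configuration name. */
    static final class TestConfiguration extends Configuration {
        private final String keycloakConfigFile;

        TestConfiguration(String keycloakConfigFile) {
            this.keycloakConfigFile = keycloakConfigFile;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!CONFIGURATION_NAME.equals(name)) {
                return null;
            }
            Map<String, String> keycloakOptions = new HashMap<>();
            keycloakOptions.put("keycloak-config-file", keycloakConfigFile);

            Map<String, String> clientOptions = new HashMap<>();
            clientOptions.put("multi-threaded", "true");          // identity is per thread
            clientOptions.put("restore-login-identity", "true");  // logout() restores caller

            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                        "org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule",
                        LoginModuleControlFlag.REQUIRED, keycloakOptions),
                new AppConfigurationEntry(
                        "org.jboss.security.ClientLoginModule",
                        LoginModuleControlFlag.REQUIRED, clientOptions),
            };
        }
    }
}
```

hasRole() is worth calling on loginContext.getSubject() before touching the bean: if "view-master-data" is missing, the problem is the realm's role mapping and no container change will help; if the role is present and count() still throws WFLYSEC0027, the rejection comes from the security domain the bean is bound to, not from the test's login. Always go through callAs() (or an explicit logout() in a finally block) so the identity does not leak into the next test method on the same request thread.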