[keycloak-user] JAAS plugin and roles

Amat, Juan (Nokia - US) juan.amat at nokia.com
Thu Mar 9 09:33:01 EST 2017 

Thank you for the pointer.

I would have expected that this would be supported out of the box.

Another comment.
In the logout method of AbstractKeycloakLoginModule.java, we remove the RolePrincipal.class principals from the subject's principals.
We can though configure the class used for the 'role' principal. Should this class be used instead?

Juan.
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday, March 09, 2017 12:23 AM
> To: Amat, Juan (Nokia - US) <juan.amat at nokia.com>; keycloak-
> user at lists.jboss.org
> Subject: Re: [keycloak-user] JAAS plugin and roles
> 
> I recently did some example of the remote EJB client. You're right, there are
> special groups on Wildfly, which JAAS Subject needs to be member of.
> 
> See the example here [1] . Especially take a look at the security-domain
> configuration and the "ConvertKEycloakRolesLoginModule", which needs to be
> put to the chain after DirectAccessGrantsLoginModule.
> 
> Btv. if you are using web (HttpServletRequest etc), you should maybe rather use
> our OIDC/SAML adapters? But maybe I am missing something in your setup...
> 
> [1] https://github.com/mposolda/keycloak-remote-ejb
> 
> Marek
> 
> On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
> > I was trying to use this login module with an application deployed on Wildfly
> 10:
> > org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> > And it kind of worked.
> > By that I mean that when you log in, you are authenticated fine but
> > then calling
> > HttpServletRequest.isUserInRole(xxx) did not work.
> >
> > The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific
> group.
> >
> > This page
> https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modu
> les.html says:
> >
> > "The JBossSX framework uses two well-known role sets with the names Roles
> and CallerPrincipal.
> > The Roles group is the collection of Principals for the named roles as known in
> the application domain under which the Subject has been authenticated. This
> role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs
> can use to see if the current caller belongs to the named application domain
> role. The security interceptor logic that performs method permission checks also
> uses this role set.
> > The CallerPrincipalGroup consists of the single Principal identity assigned to
> the user in the application domain. The EJBContext.getCallerPrincipal() method
> uses the CallerPrincipal to allow the application domain to map from the
> operation environment identity to a user identity suitable for the application. If a
> Subject does not have a CallerPrincipalGroup, the application identity is the
> same used for login."
> >
> > A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing
> work.
> >
> > Am I doing something wrong?
> >
> > Thank you.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list