[keycloak-user] JAAS plugin and roles

Amat, Juan (Nokia - US) juan.amat at nokia.com
Sat Mar 11 15:26:07 EST 2017


Created: https://issues.jboss.org/browse/KEYCLOAK-4567

Thank you.

> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Friday, March 10, 2017 2:35 AM
> To: Amat, Juan (Nokia - US) <juan.amat at nokia.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] JAAS plugin and roles
> 
> On 09/03/17 15:33, Amat, Juan (Nokia - US) wrote:
> > Thank you for the pointer.
> >
> > I would have expected that this would be supported out of the box.
> If there are enough people asking for it, we can add it though. Feel free to create a
> JIRA.
> >
> > Another comment.
> > In the logout method of AbstractKeycloakLoginModule.java, we remove the
> > RolePrincipal.class principals from the subject's principals.
> > We can, though, configure the class used for the 'role' principal. Should this
> > class be used instead?
> Yes, good point. Feel free to add that into the JIRA too.
> 
> Marek
> >
> > Juan.
> >> -----Original Message-----
> >> From: Marek Posolda [mailto:mposolda at redhat.com]
> >> Sent: Thursday, March 09, 2017 12:23 AM
> >> To: Amat, Juan (Nokia - US) <juan.amat at nokia.com>; keycloak-user at lists.jboss.org
> >> Subject: Re: [keycloak-user] JAAS plugin and roles
> >>
> >> I recently did an example of the remote EJB client. You're right,
> >> there are special groups on Wildfly, which the JAAS Subject needs to be a member of.
> >>
> >> See the example here [1]. Especially take a look at the
> >> security-domain configuration and the
> >> "ConvertKeycloakRolesLoginModule", which needs to be put into the chain
> >> after DirectAccessGrantsLoginModule.
> >>
> >> Btw. if you are using web (HttpServletRequest etc.), you should maybe
> >> rather use our OIDC/SAML adapters? But maybe I am missing something in
> >> your setup...
> >>
> >> [1] https://github.com/mposolda/keycloak-remote-ejb
> >>
> >> Marek
> >>
> >> On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
> >>> I was trying to use this login module with an application deployed
> >>> on Wildfly 10:
> >>> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> >>> And it kind of worked.
> >>> By that I mean that when you log in, you are authenticated fine but
> >>> then calling HttpServletRequest.isUserInRole(xxx) did not work.
> >>>
> >>> The reason is that JBoss (EAP and Wildfly I think) expects the roles
> >>> in a specific group.
> >>> This page
> >>> https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html
> >>> says:
> >>> "The JBossSX framework uses two well-known role sets with the names
> >>> Roles and CallerPrincipal.
> >>> The Roles group is the collection of Principals for the named roles
> >>> as known in the application domain under which the Subject has been
> >>> authenticated. This role set is used by methods like the
> >>> EJBContext.isCallerInRole(String), which EJBs can use to see if the
> >>> current caller belongs to the named application domain role. The
> >>> security interceptor logic that performs method permission checks also uses
> >>> this role set.
> >>> The CallerPrincipalGroup consists of the single Principal identity
> >>> assigned to the user in the application domain. The
> >>> EJBContext.getCallerPrincipal() method uses the CallerPrincipal to
> >>> allow the application domain to map from the operation environment
> >>> identity to a user identity suitable for the application. If a
> >>> Subject does not have a CallerPrincipalGroup, the application identity is the
> >>> same used for login."
> >>> A q&d patch of AbstractKeycloakLoginModule.java makes the whole
> >>> thing work.
> >>> Am I doing something wrong?
> >>>
> >>> Thank you.
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
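As an added illustration of the two points raised in this thread (JBossSX only sees roles that sit in a Group named "Roles", so isUserInRole() fails when the Keycloak module leaves them as loose principals; and logout should remove whatever role principal class is configured rather than a hard-coded RolePrincipal.class), here is an example conversion login module to stack after DirectAccessGrantsLoginModule. It is not code from Keycloak or from the linked repository; it assumes PicketBox's org.jboss.security.SimpleGroup is on the classpath, that the option is named role-principal-class as in the Keycloak module, and that the default role principal class is org.keycloak.adapters.jaas.RolePrincipal.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup; // PicketBox Group implementation bundled with WildFly 10

// Stacked after DirectAccessGrantsLoginModule in the security-domain: wraps the role
// principals the Keycloak module added into a Group named "Roles", the place JBossSX
// reads roles from for isUserInRole()/isCallerInRole().
public class RolesGroupLoginModule implements LoginModule {
    private Subject subject;
    private String roleClassName;
    private Group rolesGroup;
    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        // Read the same option the Keycloak module uses for its role principal class
        // (assumed option name); fall back to the adapter's own RolePrincipal (assumed FQN).
        Object opt = options.get("role-principal-class");
        roleClassName = opt != null ? opt.toString() : "org.keycloak.adapters.jaas.RolePrincipal";
    }

    @Override public boolean login() { return true; } // authentication happened earlier in the chain
    @Override public boolean abort() { return true; }
    @Override
    public boolean commit() {
        Set<Principal> principals = subject.getPrincipals();
        rolesGroup = new SimpleGroup("Roles");
        for (Principal p : principals) {
            // Compare by configured class name so a custom role principal class is honoured
            if (p.getClass().getName().equals(roleClassName)) {
                rolesGroup.addMember(p);
            }
        }
        principals.add(rolesGroup); // added after the loop to avoid modifying the set while iterating
        return true;
    }

    @Override
    public boolean logout() {
        // Undo both steps, keyed on the configured class rather than a hard-coded RolePrincipal.class
        subject.getPrincipals().removeIf(p -> p.getClass().getName().equals(roleClassName));
        if (rolesGroup != null) subject.getPrincipals().remove(rolesGroup);
        return true;
    }
}
```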