[security-dev] Replacing Seam RunAsOperation (impersonate)

Pedro Igor Silva psilva at redhat.com
Tue Jul 14 08:48:17 EDT 2015


----- Original Message -----
> From: "Sean Flanigan" <sflaniga at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Monday, July 13, 2015 2:31:36 AM
> Subject: Re: [security-dev] Replacing Seam RunAsOperation (impersonate)
> 
> On 2015-07-10 22:27, Pedro Igor Silva wrote:
> > Hey Sean,
> > 
> > You are right, PL is missing that feature. It was planned but now the
> > PL and KC are merging I'm not sure if we are going to implement it in
> > PL.
> 
> Ah yes, thanks for reminding me about the Keycloak merger.  Sounds like
> that might make it all moot.  I don't suppose it has an impersonation
> feature similar to the one in Seam?
> 
> > Regarding your question, there is no easy way to specify your own
> > Identity implementation. However, I'm wondering if you can use a
> > custom CDI scope for that. PicketLink allows you to define a specific
> > scope for the Identity bean.
> 
> So, some sort of short-lived scope for Identity, plus login via a dummy
> Authenticator?  That might work, although it sounds more complex than
> what I had in mind for modifying Identity.getAccount() to use a
> ThreadLocal (ugly though it sounds).

I'm wondering if you can try the window scope from Apache DeltaSpike. I remember a user doing something similar a long time ago using this scope.

> 
> But how does one configure the Identity bean's scope?  I found slides 6
> and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014.  Is there
> a compiled example anywhere?

http://docs.jboss.org/picketlink/2/latest/reference/html-single/#Defining_a_Custom_Scope

> 
> Would it be possible to change IdentityBeanDefinition to allow more
> customisation, eg for getBeanClass()?
> 
> Also, is there some way I can disable PicketLinkExtension, so that I can
> replace it with one which uses a modified IdentityBeanDefinition?
> 

I don't think CDI allows disabling an extension defined in a jar, like in our case. I believe this JIRA [1] is related to that.

[1] https://issues.jboss.org/browse/CDI-157

> 
> > 
> > Regards.
> > Pedro Igor
> > 
> > ----- Original Message -----
> > From: "Sean Flanigan" <sflaniga at redhat.com>
> > To: security-dev at lists.jboss.org
> > Sent: Friday, July 10, 2015 5:37:51 AM
> > Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
> > 
> > I was hoping I had missed an impersonation feature[1], but now I'm
> > thinking there isn't one in PicketLink.  Assuming I have to subclass and
> > @Specialize org.picketlink.internal.DefaultIdentity, how would I go
> > about convincing PicketLink to use my implementation?
> > 
> > org.picketlink.extension.PicketLinkExtension seems to be vetoing my
> > implementation.  Is there some way of telling (or overriding)
> > IdentityBeanDefinition to use my Identity bean class?
> > 
> > [1] https://developer.jboss.org/thread/260993
> > 
> > Regards,
> > 
> > Sean.
> > 
> 
> 
> --
> Sean Flanigan
> 
> Principal Software Engineer
> Globalisation Tools Engineering
> Red Hat
> 
> 

