<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The feature depends on what mechanism
you authenticate.<br>
<br>
If you use JAAS (and Subject as the security context), then you
can use the JDK Subject.doAs() call (David's email below).<br>
<br>
But if you are allergic to JAAS like most modern developers are,
then it is a different story.<br>
<br>
In addition to impersonation, the other feature is
step-up/step-down authentication in terms of roles getting added
to/removed<br>
for certain operations.<br>
<br>
On 05/03/2013 10:20 AM, Pete Muir wrote:<br>
</div>
<blockquote
cite="mid:8958FF8D-D1A3-418E-A269-9A22EBD4A17D@redhat.com"
type="cite">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;"
lang="x-western">
<pre wrap="">Yeah, this was part of Core, not IDM.
On 3 May 2013, at 16:19, "David M. Lloyd" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:david.lloyd@redhat.com"><david.lloyd@redhat.com></a> wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">> </span>The (theoretically) "right" way to do this in the JDK is to authenticate
<span class="moz-txt-citetags">> </span>a Subject and use Subject.doAs().
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>That first authentication part is really the interesting part though.
<span class="moz-txt-citetags">> </span>There are two main ways to do it:
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>1. Establish that certain Subjects have permission to run as certain
<span class="moz-txt-citetags">> </span>other Subjects implicitly, thus the original authenticated Subject is
<span class="moz-txt-citetags">> </span>essentially the only credential you need.
<span class="moz-txt-citetags">> </span>2. Perform another authentication process (maybe prompt the user for the
<span class="moz-txt-citetags">> </span>target user's password for example).
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>The right option depends on the right circumstances, but this (if
<span class="moz-txt-citetags">> </span>nothing else) is a use case that the JAAS authentication API is actually
<span class="moz-txt-citetags">> </span>sufficient for. In particular I think IDM is a secondary player in this
<span class="moz-txt-citetags">> </span>kind of thing.
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>On 05/03/2013 09:50 AM, Pete Muir wrote:
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">>> </span>This was on the original requirements list, IDK if it's implemented in this version or is scheduled for a later release.
<span class="moz-txt-citetags">>> </span>
<span class="moz-txt-citetags">>> </span>On 2 May 2013, at 17:19, Pedro Igor Silva <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:psilva@redhat.com"><psilva@redhat.com></a> wrote:
<span class="moz-txt-citetags">>> </span>
</pre>
<blockquote type="cite" style="color: #C0C0C0;">
<pre wrap=""><span class="moz-txt-citetags">>>> </span>+1. "RunAs" feature ...
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>----- Original Message -----
<span class="moz-txt-citetags">>>> </span>From: "Rodney Russ" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:rruss@redhat.com"><rruss@redhat.com></a>
<span class="moz-txt-citetags">>>> </span>To: "Anil Arora" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:anil@yieldex.com"><anil@yieldex.com></a>
<span class="moz-txt-citetags">>>> </span>Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span class="moz-txt-citetags">>>> </span>Sent: Thursday, May 2, 2013 1:13:08 PM
<span class="moz-txt-citetags">>>> </span>Subject: Re: [security-dev] Impersonation feature (was: Quickstarts)
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>I have seen the need for a feature like this when a customer support representative needs to order on behalf on someone. In this particular case, the customer support rep could only order on behalf of the customers they were responsible for, but did not need credentials to "become" the users they were supporting.
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>-Rodney
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>To add to the list, I don't know if there's a feature for this...
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>But, is there a way to do impersonation of users? Essentially, one user/agent logs in and then becomes a different user without requiring the user password. We're seeing this for REST based server-to-server communication calls. I am extrapolating that I could do some sort of silentAuthentication like indicated in the doc on the TicketMonster-PicketLink example, but that piece of the code isn't visible on the product documentation page.
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>Thanks,
<span class="moz-txt-citetags">>>> </span>Anil
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>On Apr 30, 2013, at 4:59 PM, Shane Bryzak wrote:
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>There's three quickstarts that have been merged into JDF so far:
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>picketlink-authentication-jsf - Simple authentication example
<span class="moz-txt-citetags">>>> </span>picketlink-authentication-idm-jsf - Authentication using Identity Management
<span class="moz-txt-citetags">>>> </span>picketlink-authorization-idm-jpa - Authorization example based on groups and roles
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>You can find these in the JDF repo here:
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/jboss-jdf/jboss-as-quickstart">https://github.com/jboss-jdf/jboss-as-quickstart</a>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>There are also a whole bunch more planned and in progress, which we'll be adding as they are completed. If you have a good idea for a quickstart, please let us know also.
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>Shane
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>On 01/05/13 08:35, Anil Arora wrote:
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>Is there a location for the quickstarts? I've seen references in the emails and on the Wiki roadmap, but I've not seen any discussion about that.
<span class="moz-txt-citetags">>>> </span>We're definitely anxious to see how we can utilize PicketLink 3 for our prototypes, including preliminary OAuth 2 support.
<span class="moz-txt-citetags">>>> </span>
<span class="moz-txt-citetags">>>> </span>Thanks,
<span class="moz-txt-citetags">>>> </span>Anil
</pre>
</blockquote>
</blockquote>
</blockquote>
</div>
</blockquote>
</body>
</html>