[wildfly-dev] How to set an authorized identity to EltyronSecurity Context
Jim Ma
ema at redhat.com
Thu May 31 05:34:41 EDT 2018
The saml validation is now Apache CXF's SAML functionality. We can't
port the CXF's security to rely on
our Elytron.
On 05/31/2018 05:07 PM, Darran Lofthouse wrote:
> It sounds to me then that the place to start is within the SAML
> validation, this is effectively an authentication step so should be
> ported over to an Elytron based authentication - the end result of the
> authentication would then be the required SecurityIdentity to
> propagate from container to container.
>
>
> On Thu, 31 May 2018 at 03:57 Jim Ma <ema at redhat.com
> <mailto:ema at redhat.com>> wrote:
>
> On 05/30/2018 09:47 PM, Darran Lofthouse wrote:
>> I am currently gathering together some information regarding how
>> the JCA subsystem handles the requirement of populating a Subject
>> for propagation into a resource adapter, however there is a
>> general question about what is attempting to be achieved here.
>>
>> Once an EJB is secured using WildFly Elytron the associated
>> identity is not accessed as a Subject instead it is accessed a
>> SecurityIdentity the current SecurityIdentity can always be
>> retrieved by calling the current SecurityDomain: -
>>
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--
>>
>> The SecurityIdentity has some similarity with the Subject in that
>> amongst other things it also contains a collection of public
>> credentials and a collection of private credentials: -
>>
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--
>>
>> So I think the very first question is has the SecurityIdentity
>> been correctly populated with any delegated credentials? If not
>> that is going to be a pre-requisite for any follow on steps
>> regardless.
>>
>> Then secondly what is it that is making use of this identity?
>> Why can't it be ported to make use of the Elytron authentication
>> client APIs which amongst other things provide support for
>> delegation from the current identity.
>>
>> If we need to we can look at a conversion to a Subject but we are
>> only doing that where it is really required.
>
> We don't have the SecurityIdentity populated, there is only
> principal and subject created by jbossws/CXF's saml validator.
> We need to convert the subject/principal to Elytron's
> SecurityIdentity or something else, then later on EJB subystem
> with Elytron
> security can retrieve this authenticated info without check it
> twice. So we'd like to know how can we convert a subject/principal
> to Elytron's SecurityIdentity and let Elytron know this is
> already authenticated and authorized.
>
> Thanks,
> Jim
>
>
>>
>> Regards,
>> Darran Lofthouse.
>>
>>
>> On Wed, 30 May 2018 at 10:27 Alessio Soldano <asoldano at redhat.com
>> <mailto:asoldano at redhat.com>> wrote:
>>
>> As suggested by Darran, I'm forwarding the message below to
>> the list on behalf of Jim.
>> The classes Jim is referring to are at
>> https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *Jim Ma* <ema at redhat.com <mailto:ema at redhat.com>>
>> Date: Wed, May 30, 2018 at 9:03 AM
>> Subject: Set an authorized identity to EltyronSecurity Context
>> To: Darran Lofthouse <darran.lofthouse at redhat.com
>> <mailto:darran.lofthouse at redhat.com>>
>> Cc: Alessio Soldano <asoldano at redhat.com
>> <mailto:asoldano at redhat.com>>
>>
>>
>> Hi Darran,
>>
>> We are helping look at a customer issue which requires
>> propagate the authenticated subject from webservice subsystem to
>>
>> ejb subystem. With old security domain , we can do this with
>> creating a subject :
>>
>> @Override
>> public void pushSubjectContext(final Subject subject,
>> final Principal principal, final Object credential) {
>> AccessController.doPrivileged(new
>> PrivilegedAction<Void>() {
>>
>> public Void run() {
>> SecurityContext securityContext =
>> SecurityContextAssociation.getSecurityContext();
>> if (securityContext == null) {
>> securityContext =
>> createSecurityContext(getSecurityDomain());
>> setSecurityContextOnAssociation(securityContext);
>> }
>> securityContext.getUtil().createSubjectInfo(principal,
>> credential, subject);
>> return null;
>> }
>> });
>> }
>>
>>
>> After Elytron, what is the equivalent thing to do this then
>> ejb can retrieve this security without check this twice ?
>>
>> Thanks,
>>
>> Jim
>>
>>
>>
>>
>> --
>>
>> Alessio Soldano
>>
>> Associate Manager
>>
>> Red Hat
>>
>> <https://www.redhat.com>
>>
>> <https://red.ht/sig>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20180531/f752184a/attachment.html
More information about the wildfly-dev
mailing list