[wildfly-dev] How to set an authorized identity to EltyronSecurity Context

Darran Lofthouse darran.lofthouse at redhat.com
Thu May 31 05:37:00 EDT 2018 

So the validation is within Apache CXF - is there an end result to this
validation where you have access to everything you need where we could
perform some additional steps?


On Thu, 31 May 2018 at 10:34 Jim Ma <ema at redhat.com> wrote:

> The saml validation is now Apache CXF's SAML functionality. We can't port
> the CXF's security to rely on
> our Elytron.
>
> On 05/31/2018 05:07 PM, Darran Lofthouse wrote:
>
> It sounds to me then that the place to start is within the SAML
> validation, this is effectively an authentication step so should be ported
> over to an Elytron based authentication - the end result of the
> authentication would then be the required SecurityIdentity to propagate
> from container to container.
>
>
> On Thu, 31 May 2018 at 03:57 Jim Ma <ema at redhat.com> wrote:
>
>> On 05/30/2018 09:47 PM, Darran Lofthouse wrote:
>>
>> I am currently gathering together some information regarding how the JCA
>> subsystem handles the requirement of populating a Subject for propagation
>> into a resource adapter, however there is a general question about what is
>> attempting to be achieved here.
>>
>> Once an EJB is secured using WildFly Elytron the associated identity is
>> not accessed as a Subject instead it is accessed a SecurityIdentity the
>> current SecurityIdentity can always be retrieved by calling the current
>> SecurityDomain: -
>>
>>
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--
>>
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--
>>
>> The SecurityIdentity has some similarity with the Subject in that amongst
>> other things it also contains a collection of public credentials and a
>> collection of private credentials: -
>>
>>
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--
>>
>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--
>>
>> So I think the very first question is has the SecurityIdentity been
>> correctly populated with any delegated credentials?  If not that is going
>> to be a pre-requisite for any follow on steps regardless.
>>
>> Then secondly what is it that is making use of this identity?  Why can't
>> it be ported to make use of the Elytron authentication client APIs which
>> amongst other things provide support for delegation from the current
>> identity.
>>
>>
>> If we need to we can look at a conversion to a Subject but we are only
>> doing that where it is really required.
>>
>>
>>   We don't have the SecurityIdentity populated, there is only principal
>> and subject created by jbossws/CXF's saml validator.
>>   We need to convert the subject/principal to Elytron's SecurityIdentity
>> or something else, then later on EJB subystem with Elytron
>>   security can retrieve this authenticated info without check it twice.
>> So we'd like to know how can we convert a subject/principal
>>   to Elytron's SecurityIdentity and let Elytron know this is already
>> authenticated and authorized.
>>
>> Thanks,
>> Jim
>>
>>
>>
>> Regards,
>> Darran Lofthouse.
>>
>>
>> On Wed, 30 May 2018 at 10:27 Alessio Soldano <asoldano at redhat.com> wrote:
>>
>>> As suggested by Darran, I'm forwarding the message below to the list on
>>> behalf of Jim.
>>> The classes Jim is referring to are at
>>> https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Jim Ma <ema at redhat.com>
>>> Date: Wed, May 30, 2018 at 9:03 AM
>>> Subject: Set an authorized identity to EltyronSecurity Context
>>> To: Darran Lofthouse <darran.lofthouse at redhat.com>
>>> Cc: Alessio Soldano <asoldano at redhat.com>
>>>
>>>
>>> Hi Darran,
>>>
>>> We are helping look at a customer issue which requires propagate the
>>> authenticated subject from webservice subsystem to
>>>
>>> ejb subystem. With old security domain , we can do this with creating a
>>> subject :
>>>
>>>     @Override
>>>     public void pushSubjectContext(final Subject subject, final
>>> Principal principal, final Object credential) {
>>>         AccessController.doPrivileged(new PrivilegedAction<Void>() {
>>>
>>>             public Void run() {
>>>                 SecurityContext securityContext =
>>> SecurityContextAssociation.getSecurityContext();
>>>                 if (securityContext == null) {
>>>                     securityContext =
>>> createSecurityContext(getSecurityDomain());
>>> setSecurityContextOnAssociation(securityContext);
>>>                 }
>>> securityContext.getUtil().createSubjectInfo(principal, credential,
>>> subject);
>>>                 return null;
>>>             }
>>>         });
>>>     }
>>>
>>>
>>> After Elytron,  what is the equivalent thing to do this  then ejb can
>>> retrieve this security without check this twice ?
>>>
>>> Thanks,
>>>
>>> Jim
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Alessio Soldano
>>>
>>> Associate Manager
>>>
>>> Red Hat
>>>
>>> <https://www.redhat.com>
>>> <https://red.ht/sig>
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20180531/e034eef1/attachment-0001.html

More information about the wildfly-dev mailing list