[wildfly-dev] How to set an authorized identity to EltyronSecurity Context
Jim Ma
ema at redhat.com
Thu May 31 05:53:52 EDT 2018
On 05/31/2018 05:37 PM, Darran Lofthouse wrote:
> So the validation is within Apache CXF - is there an end result to
> this validation where you have access to everything you need where we
> could perform some additional steps?
>
After Apache CXF validation, we can get a LoginContext from CXF's
exchange message :
https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java
Can we do something to convert it to an Elytron authenticated identity ?
Or we have to hook/replace something with Elytron in CXF's validation
to make this work ?
>
> On Thu, 31 May 2018 at 10:34 Jim Ma <ema at redhat.com
> <mailto:ema at redhat.com>> wrote:
>
> The saml validation is now Apache CXF's SAML functionality. We
> can't port the CXF's security to rely on
> our Elytron.
>
> On 05/31/2018 05:07 PM, Darran Lofthouse wrote:
>> It sounds to me then that the place to start is within the SAML
>> validation, this is effectively an authentication step so should
>> be ported over to an Elytron based authentication - the end
>> result of the authentication would then be the required
>> SecurityIdentity to propagate from container to container.
>>
>>
>> On Thu, 31 May 2018 at 03:57 Jim Ma <ema at redhat.com
>> <mailto:ema at redhat.com>> wrote:
>>
>> On 05/30/2018 09:47 PM, Darran Lofthouse wrote:
>>> I am currently gathering together some information regarding
>>> how the JCA subsystem handles the requirement of populating
>>> a Subject for propagation into a resource adapter, however
>>> there is a general question about what is attempting to be
>>> achieved here.
>>>
>>> Once an EJB is secured using WildFly Elytron the associated
>>> identity is not accessed as a Subject instead it is accessed
>>> a SecurityIdentity the current SecurityIdentity can always
>>> be retrieved by calling the current SecurityDomain: -
>>>
>>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--
>>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--
>>>
>>> The SecurityIdentity has some similarity with the Subject in
>>> that amongst other things it also contains a collection of
>>> public credentials and a collection of private credentials: -
>>>
>>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--
>>> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--
>>>
>>> So I think the very first question is has the
>>> SecurityIdentity been correctly populated with any delegated
>>> credentials? If not that is going to be a pre-requisite for
>>> any follow on steps regardless.
>>>
>>> Then secondly what is it that is making use of this
>>> identity? Why can't it be ported to make use of the Elytron
>>> authentication client APIs which amongst other things
>>> provide support for delegation from the current identity.
>>>
>>> If we need to we can look at a conversion to a Subject but
>>> we are only doing that where it is really required.
>>
>> We don't have the SecurityIdentity populated, there is only
>> principal and subject created by jbossws/CXF's saml validator.
>> We need to convert the subject/principal to Elytron's
>> SecurityIdentity or something else, then later on EJB
>> subystem with Elytron
>> security can retrieve this authenticated info without check
>> it twice. So we'd like to know how can we convert a
>> subject/principal
>> to Elytron's SecurityIdentity and let Elytron know this is
>> already authenticated and authorized.
>>
>> Thanks,
>> Jim
>>
>>
>>>
>>> Regards,
>>> Darran Lofthouse.
>>>
>>>
>>> On Wed, 30 May 2018 at 10:27 Alessio Soldano
>>> <asoldano at redhat.com <mailto:asoldano at redhat.com>> wrote:
>>>
>>> As suggested by Darran, I'm forwarding the message below
>>> to the list on behalf of Jim.
>>> The classes Jim is referring to are at
>>> https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: *Jim Ma* <ema at redhat.com <mailto:ema at redhat.com>>
>>> Date: Wed, May 30, 2018 at 9:03 AM
>>> Subject: Set an authorized identity to EltyronSecurity
>>> Context
>>> To: Darran Lofthouse <darran.lofthouse at redhat.com
>>> <mailto:darran.lofthouse at redhat.com>>
>>> Cc: Alessio Soldano <asoldano at redhat.com
>>> <mailto:asoldano at redhat.com>>
>>>
>>>
>>> Hi Darran,
>>>
>>> We are helping look at a customer issue which requires
>>> propagate the authenticated subject from webservice
>>> subsystem to
>>>
>>> ejb subystem. With old security domain , we can do this
>>> with creating a subject :
>>>
>>> @Override
>>> public void pushSubjectContext(final Subject
>>> subject, final Principal principal, final Object
>>> credential) {
>>> AccessController.doPrivileged(new PrivilegedAction<Void>() {
>>>
>>> public Void run() {
>>> SecurityContext securityContext =
>>> SecurityContextAssociation.getSecurityContext();
>>> if (securityContext == null) {
>>> securityContext =
>>> createSecurityContext(getSecurityDomain());
>>> setSecurityContextOnAssociation(securityContext);
>>> }
>>> securityContext.getUtil().createSubjectInfo(principal,
>>> credential, subject);
>>> return null;
>>> }
>>> });
>>> }
>>>
>>>
>>> After Elytron, what is the equivalent thing to do this
>>> then ejb can retrieve this security without check this
>>> twice ?
>>>
>>> Thanks,
>>>
>>> Jim
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Alessio Soldano
>>>
>>> Associate Manager
>>>
>>> Red Hat
>>>
>>> <https://www.redhat.com>
>>>
>>> <https://red.ht/sig>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20180531/729a45fa/attachment.html
More information about the wildfly-dev
mailing list