<div dir="ltr">It sounds to me then that the place to start is within the SAML validation, this is effectively an authentication step so should be ported over to an Elytron based authentication - the end result of the authentication would then be the required SecurityIdentity to propagate from container to container.<div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma <<a href="mailto:ema@redhat.com">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
<div class="m_5946244944197837763moz-cite-prefix">On 05/30/2018 09:47 PM, Darran
Lofthouse wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I am currently gathering together some information
regarding how the JCA subsystem handles the requirement of
populating a Subject for propagation into a resource adapter,
however there is a general question about what is attempting to
be achieved here.
<div><br>
</div>
<div>Once an EJB is secured using WildFly Elytron the associated
identity is not accessed as a Subject instead it is accessed a
SecurityIdentity the current SecurityIdentity can always be
retrieved by calling the current SecurityDomain: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
<div><br>
</div>
<div>The SecurityIdentity has some similarity with the Subject
in that amongst other things it also contains a collection of
public credentials and a collection of private credentials: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
<div><br>
</div>
<div>So I think the very first question is has the
SecurityIdentity been correctly populated with any delegated
credentials? If not that is going to be a pre-requisite for
any follow on steps regardless.</div>
<div><br>
</div>
<div>Then secondly what is it that is making use of this
identity? Why can't it be ported to make use of the Elytron
authentication client APIs which amongst other things provide
support for delegation from the current identity.</div>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>If we need to we can look at a conversion to a Subject but
we are only doing that where it is really required.</div>
</div>
</blockquote>
<br></div><div text="#000000" bgcolor="#FFFFFF">
We don't have the SecurityIdentity populated, there is only
principal and subject created by jbossws/CXF's saml validator. <br>
We need to convert the subject/principal to Elytron's
SecurityIdentity or something else, then later on EJB subystem with
Elytron <br>
security can retrieve this authenticated info without check it
twice. So we'd like to know how can we convert a subject/principal <br>
to Elytron's SecurityIdentity and let Elytron know this is already
authenticated and authorized. <br>
<br>
Thanks,<br>
Jim <br></div><div text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Darran Lofthouse.</div>
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 30 May 2018 at 10:27 Alessio Soldano
<<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>As suggested by Darran, I'm forwarding the message
below to the list on behalf of Jim.<br>
</div>
The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
<br>
<br>
<div><br>
<div class="gmail_quote">---------- Forwarded message
----------<br>
From: <b class="gmail_sendername">Jim Ma</b> <span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span><br>
Date: Wed, May 30, 2018 at 9:03 AM<br>
Subject: Set an authorized identity to
EltyronSecurity Context<br>
To: Darran Lofthouse <<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>><br>
Cc: Alessio Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>><br>
<br>
<br>
Hi Darran,<br>
<br>
We are helping look at a customer issue which
requires propagate the authenticated subject from
webservice subsystem to<br>
<br>
ejb subystem. With old security domain , we can do
this with creating a subject :<br>
<br>
@Override<br>
public void pushSubjectContext(final Subject
subject, final Principal principal, final Object
credential) {<br>
AccessController.doPrivileged(new
PrivilegedAction<Void>() {<br>
<br>
public Void run() {<br>
SecurityContext securityContext =
SecurityContextAssociation.getSecurityContext();<br>
if (securityContext == null) {<br>
securityContext =
createSecurityContext(getSecurityDomain());<br>
setSecurityContextOnAssociation(securityContext);<br>
}<br>
securityContext.getUtil().createSubjectInfo(principal, credential,
subject);<br>
return null;<br>
}<br>
});<br>
}<br>
<br>
<br>
After Elytron, what is the equivalent thing to do
this then ejb can retrieve this security without
check this twice ?<br>
<br>
Thanks,<br>
<br>
Jim<br>
<br>
</div>
</div>
</div>
<div dir="ltr">
<div><br>
<br clear="all">
<br>
-- <br>
<div class="m_5946244944197837763m_-7102110169809177803gmail_signature">
<div dir="ltr">
<div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
<span>Soldano</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
<p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:"overpass",sans-serif" href="https://www.redhat.com" target="_blank">Red
Hat <span><br>
<br>
</span></a></p>
<table border="0">
<tbody>
<tr>
<td width="100px"><a href="https://red.ht/sig" target="_blank">
<img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a> </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
</div></blockquote></div>