<div dir="ltr">It sounds to me, then, that the place to start is within the SAML validation; this is effectively an authentication step, so it should be ported over to an Elytron-based authentication. The end result of the authentication would then be the required SecurityIdentity to propagate from container to container.<div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma &lt;<a href="mailto:ema@redhat.com">ema@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
    <div class="m_5946244944197837763moz-cite-prefix">On 05/30/2018 09:47 PM, Darran
      Lofthouse wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">I am currently gathering together some information
        regarding how the JCA subsystem handles the requirement of
        populating a Subject for propagation into a resource adapter,
        however there is a general question about what is attempting to
        be achieved here.
        <div><br>
        </div>
        <div>Once an EJB is secured using WildFly Elytron, the associated
          identity is not accessed as a Subject; instead it is accessed as a
          SecurityIdentity. The current SecurityIdentity can always be
          retrieved by calling the current SecurityDomain: -</div>
        <div><br>
        </div>
        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
        <div><br>
        </div>
        <div>The SecurityIdentity has some similarity with the Subject
          in that amongst other things it also contains a collection of
          public credentials and a collection of private credentials: -</div>
        <div><br>
        </div>
        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
        <div><br>
        </div>
        <div>So I think the very first question is: has the
          SecurityIdentity been correctly populated with any delegated
          credentials? If not, that is going to be a prerequisite for
          any follow-on steps regardless.</div>
        <div><br>
        </div>
        <div>Then, secondly, what is it that is making use of this
          identity? Why can&#39;t it be ported to make use of the Elytron
          authentication client APIs, which amongst other things provide
          support for delegation from the current identity?</div>
      </div>
    </blockquote>
    <blockquote type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>If we need to, we can look at a conversion to a Subject, but
          we are only doing that where it is really required.</div>
      </div>
    </blockquote>
    <br></div><div text="#000000" bgcolor="#FFFFFF">
      We don&#39;t have the SecurityIdentity populated; there is only a
    principal and subject created by jbossws/CXF&#39;s SAML validator. <br>
      We need to convert the subject/principal to Elytron&#39;s
    SecurityIdentity or something else, so that later on the EJB subsystem with
    Elytron security can retrieve this authenticated info without checking it
    twice. So we&#39;d like to know how we can convert a subject/principal
      to Elytron&#39;s SecurityIdentity and let Elytron know this is already
    authenticated and authorized. <br>
    <br>
    Thanks,<br>
    Jim   <br></div><div text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>Regards,</div>
        <div>Darran Lofthouse.</div>
        <div><br>
          <br>
          <div class="gmail_quote">
            <div dir="ltr">On Wed, 30 May 2018 at 10:27 Alessio Soldano
              &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="ltr">
                <div>As suggested by Darran, I&#39;m forwarding the message
                  below to the list on behalf of Jim.<br>
                </div>
                The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
                <br>
                <br>
                <div><br>
                  <div class="gmail_quote">---------- Forwarded message
                    ----------<br>
                    From: <b class="gmail_sendername">Jim Ma</b> <span dir="ltr">&lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;</span><br>
                    Date: Wed, May 30, 2018 at 9:03 AM<br>
                    Subject: Set an authorized identity to
                    Elytron Security Context<br>
                    To: Darran Lofthouse &lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;<br>
                    Cc: Alessio Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;<br>
                    <br>
                    <br>
                    Hi Darran,<br>
                    <br>
                    We are helping look at a customer issue which
                    requires propagating the authenticated subject from the
                    webservice subsystem to the ejb subsystem.<br>
                    <br>
                    With the old security domain, we can do
                    this by creating a subject:<br>
                    <br>
<pre>
@Override
public void pushSubjectContext(final Subject subject, final Principal principal, final Object credential) {
    AccessController.doPrivileged(new PrivilegedAction&lt;Void&gt;() {

        public Void run() {
            // Legacy security context bound to the current thread; create one if none is associated yet.
            SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
            if (securityContext == null) {
                // createSecurityContext / getSecurityDomain / setSecurityContextOnAssociation
                // are helpers of the enclosing class.
                securityContext = createSecurityContext(getSecurityDomain());
                setSecurityContextOnAssociation(securityContext);
            }
            // Attach the already authenticated principal, credential and Subject to the context.
            securityContext.getUtil().createSubjectInfo(principal, credential, subject);
            return null;
        }
    });
}
</pre>
                    <br>
                    <br>
                    After Elytron, what is the equivalent thing to do, so
                    that the ejb can retrieve this security without
                    checking it twice?<br>
                    <br>
                    Thanks,<br>
                    <br>
                    Jim<br>
                    <br>
                  </div>
                </div>
              </div>
              <div dir="ltr">
                <div><br>
                  <br clear="all">
                  <br>
                  -- <br>
                  <div class="m_5946244944197837763m_-7102110169809177803gmail_signature">
                    <div dir="ltr">
                      <div>
                        <p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
                          <span>Soldano</span></p>
                        <p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
                            Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
                        <p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:&quot;overpass&quot;,sans-serif" href="https://www.redhat.com" target="_blank">Red
                            Hat <span><br>
                              <br>
                            </span></a></p>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div></blockquote></div>
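<div>As an added example (not code from this thread, nor from WildFly or jbossws), the approach Darran's reply at the top of the thread points at: rather than building a Subject, the name taken from an already validated SAML assertion is asserted to an Elytron security domain and authorized, which yields the SecurityIdentity that downstream containers read back through SecurityDomain.getCurrent(). The domain, the "saml-users" realm and the user "alice" are constructed for this example, and the SAML validation itself is assumed to have happened already.</div>

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.permission.PermissionVerifier;

public class AssertedIdentityExample {

    // Constructed stand-in for the security domain the subsystem would look up in the container.
    static SecurityDomain buildDomain() {
        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        Map<String, SimpleRealmEntry> users = new HashMap<>();
        // Sample identity with no stored credential: this realm is only consulted for
        // existence and attributes, because the evidence was already checked by the SAML validator.
        users.put("alice", new SimpleRealmEntry(Collections.emptyList()));
        realm.setIdentityMap(users);
        return SecurityDomain.builder()
                .addRealm("saml-users", realm).build()
                .setDefaultRealmName("saml-users")
                // authorize() checks LoginPermission; grant it to identities found in the realm.
                .setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()))
                .build();
    }

    // The authentication step that ends in a SecurityIdentity: assert the name taken from the
    // validated assertion and authorize it, instead of pushing a Subject onto a legacy context.
    static SecurityIdentity identityFor(SecurityDomain domain, String assertedName) throws Exception {
        ServerAuthenticationContext ctx = domain.createNewAuthenticationContext();
        ctx.setAuthenticationName(assertedName);
        if (!ctx.authorize()) {
            throw new SecurityException("not authorized: " + assertedName);
        }
        return ctx.getAuthorizedIdentity();
    }

    // What downstream code (e.g. the EJB container) sees once the work runs under that identity.
    static String nameSeenDownstream(SecurityIdentity identity) throws Exception {
        return identity.runAs(() -> SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal().getName());
    }

    public static void main(String[] args) throws Exception {
        SecurityIdentity alice = identityFor(buildDomain(), "alice");
        System.out.println(nameSeenDownstream(alice));
    }
}
```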