<div dir="ltr">So the validation is within Apache CXF - is there an end result to this validation where you have access to everything you need where we could perform some additional steps?<div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 31 May 2018 at 10:34 Jim Ma <<a href="mailto:ema@redhat.com">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_399130190808493830moz-cite-prefix">The saml validation is now Apache CXF's
SAML functionality. We can't port the CXF's security to rely on <br>
our Elytron. <br></div></div><div text="#000000" bgcolor="#FFFFFF"><div class="m_399130190808493830moz-cite-prefix">
<br>
On 05/31/2018 05:07 PM, Darran Lofthouse wrote:<br>
</div></div><div text="#000000" bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">It sounds to me then that the place to start is
within the SAML validation, this is effectively an
authentication step so should be ported over to an Elytron based
authentication - the end result of the authentication would then
be the required SecurityIdentity to propagate from container to
container.
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_399130190808493830m_5946244944197837763moz-cite-prefix">On
05/30/2018 09:47 PM, Darran Lofthouse wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I am currently gathering together some
information regarding how the JCA subsystem handles the
requirement of populating a Subject for propagation into
a resource adapter, however there is a general question
about what is attempting to be achieved here.
<div><br>
</div>
<div>Once an EJB is secured using WildFly Elytron the
associated identity is not accessed as a Subject
instead it is accessed a SecurityIdentity the current
SecurityIdentity can always be retrieved by calling
the current SecurityDomain: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
<div><br>
</div>
<div>The SecurityIdentity has some similarity with the
Subject in that amongst other things it also contains
a collection of public credentials and a collection of
private credentials: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
<div><br>
</div>
<div>So I think the very first question is has the
SecurityIdentity been correctly populated with any
delegated credentials? If not that is going to be a
pre-requisite for any follow on steps regardless.</div>
<div><br>
</div>
<div>Then secondly what is it that is making use of this
identity? Why can't it be ported to make use of the
Elytron authentication client APIs which amongst other
things provide support for delegation from the current
identity.</div>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>If we need to we can look at a conversion to a
Subject but we are only doing that where it is really
required.</div>
</div>
</blockquote>
<br>
</div>
<div text="#000000" bgcolor="#FFFFFF"> We don't have the
SecurityIdentity populated, there is only principal and
subject created by jbossws/CXF's saml validator. <br>
We need to convert the subject/principal to Elytron's
SecurityIdentity or something else, then later on EJB
subystem with Elytron <br>
security can retrieve this authenticated info without
check it twice. So we'd like to know how can we convert a
subject/principal <br>
to Elytron's SecurityIdentity and let Elytron know this is
already authenticated and authorized. <br>
<br>
Thanks,<br>
Jim <br>
</div>
<div text="#000000" bgcolor="#FFFFFF"> <br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Darran Lofthouse.</div>
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 30 May 2018 at 10:27 Alessio
Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>As suggested by Darran, I'm forwarding the
message below to the list on behalf of Jim.<br>
</div>
The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
<br>
<br>
<div><br>
<div class="gmail_quote">---------- Forwarded
message ----------<br>
From: <b class="gmail_sendername">Jim Ma</b>
<span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span><br>
Date: Wed, May 30, 2018 at 9:03 AM<br>
Subject: Set an authorized identity to
EltyronSecurity Context<br>
To: Darran Lofthouse <<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>><br>
Cc: Alessio Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>><br>
<br>
<br>
Hi Darran,<br>
<br>
We are helping look at a customer issue
which requires propagate the authenticated
subject from webservice subsystem to<br>
<br>
ejb subystem. With old security domain , we
can do this with creating a subject :<br>
<br>
@Override<br>
public void pushSubjectContext(final
Subject subject, final Principal principal,
final Object credential) {<br>
AccessController.doPrivileged(new
PrivilegedAction<Void>() {<br>
<br>
public Void run() {<br>
SecurityContext
securityContext =
SecurityContextAssociation.getSecurityContext();<br>
if (securityContext == null)
{<br>
securityContext =
createSecurityContext(getSecurityDomain());<br>
setSecurityContextOnAssociation(securityContext);<br>
}<br>
securityContext.getUtil().createSubjectInfo(principal, credential,
subject);<br>
return null;<br>
}<br>
});<br>
}<br>
<br>
<br>
After Elytron, what is the equivalent thing
to do this then ejb can retrieve this
security without check this twice ?<br>
<br>
Thanks,<br>
<br>
Jim<br>
<br>
</div>
</div>
</div>
<div dir="ltr">
<div><br>
<br clear="all">
<br>
-- <br>
<div class="m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
<div dir="ltr">
<div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
<span>Soldano</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
<p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:"overpass",sans-serif" href="https://www.redhat.com" target="_blank">Red Hat <span><br>
<br>
</span></a></p>
<table border="0">
<tbody>
<tr>
<td width="100px"><a href="https://red.ht/sig" target="_blank"> <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div></blockquote></div>