<div dir="ltr">So the validation is within Apache CXF - is there an end result to this validation where you have access to everything you need where we could perform some additional steps?<div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 31 May 2018 at 10:34 Jim Ma &lt;<a href="mailto:ema@redhat.com">ema@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div class="m_399130190808493830moz-cite-prefix">The SAML validation is now Apache CXF&#39;s
      SAML functionality. We can&#39;t port CXF&#39;s security to rely on <br>
      our Elytron.   <br></div></div><div text="#000000" bgcolor="#FFFFFF"><div class="m_399130190808493830moz-cite-prefix">
      <br>
      On 05/31/2018 05:07 PM, Darran Lofthouse wrote:<br>
    </div></div><div text="#000000" bgcolor="#FFFFFF">
    <blockquote type="cite">
      <div dir="ltr">It sounds to me then that the place to start is
        within the SAML validation, this is effectively an
        authentication step so should be ported over to an Elytron based
        authentication - the end result of the authentication would then
        be the required SecurityIdentity to propagate from container to
        container.
        <div><br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div text="#000000" bgcolor="#FFFFFF">
            <div class="m_399130190808493830m_5946244944197837763moz-cite-prefix">On
              05/30/2018 09:47 PM, Darran Lofthouse wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">I am currently gathering together some
                information regarding how the JCA subsystem handles the
                requirement of populating a Subject for propagation into
                a resource adapter, however there is a general question
                about what is attempting to be achieved here.
                <div><br>
                </div>
                <div>Once an EJB is secured using WildFly Elytron the
                  associated identity is not accessed as a Subject;
                  instead it is accessed as a SecurityIdentity. The current
                  SecurityIdentity can always be retrieved by calling
                  the current SecurityDomain: -</div>
                <div><br>
                </div>
                <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
                <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
                <div><br>
                </div>
                <div>The SecurityIdentity has some similarity with the
                  Subject in that amongst other things it also contains
                  a collection of public credentials and a collection of
                  private credentials: -</div>
                <div><br>
                </div>
                <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
                <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
                <div><br>
                </div>
                <div>So I think the very first question is has the
                  SecurityIdentity been correctly populated with any
                  delegated credentials?  If not that is going to be a
                  pre-requisite for any follow on steps regardless.</div>
                <div><br>
                </div>
                <div>Then secondly, what is it that is making use of this
                  identity?  Why can&#39;t it be ported to make use of the
                  Elytron authentication client APIs, which amongst other
                  things provide support for delegation from the current
                  identity?</div>
              </div>
            </blockquote>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br>
                </div>
                <div>If we need to we can look at a conversion to a
                  Subject but we are only doing that where it is really
                  required.</div>
              </div>
            </blockquote>
            <br>
          </div>
          <div text="#000000" bgcolor="#FFFFFF">   We don&#39;t have the
            SecurityIdentity populated; there is only the principal and
            subject created by jbossws/CXF&#39;s SAML validator. <br>
              We need to convert the subject/principal to Elytron&#39;s
            SecurityIdentity or something else, so that later on the EJB
            subsystem with Elytron <br>
              security can retrieve this authenticated info without
            checking it twice. So we&#39;d like to know how we can convert a
            subject/principal <br>
              to Elytron&#39;s SecurityIdentity and let Elytron know this is
            already authenticated and authorized. <br>
            <br>
            Thanks,<br>
            Jim   <br>
          </div>
          <div text="#000000" bgcolor="#FFFFFF"> <br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br>
                </div>
                <div>Regards,</div>
                <div>Darran Lofthouse.</div>
                <div><br>
                  <br>
                  <div class="gmail_quote">
                    <div dir="ltr">On Wed, 30 May 2018 at 10:27 Alessio
                      Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;
                      wrote:<br>
                    </div>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>As suggested by Darran, I&#39;m forwarding the
                          message below to the list on behalf of Jim.<br>
                        </div>
                        The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
                        <br>
                        <br>
                        <div><br>
                          <div class="gmail_quote">---------- Forwarded
                            message ----------<br>
                            From: <b class="gmail_sendername">Jim Ma</b>
                            <span dir="ltr">&lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;</span><br>
                            Date: Wed, May 30, 2018 at 9:03 AM<br>
                            Subject: Set an authorized identity to
                            Elytron Security Context<br>
                            To: Darran Lofthouse &lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;<br>
                            Cc: Alessio Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;<br>
                            <br>
                            <br>
                            Hi Darran,<br>
                            <br>
                            We are helping look at a customer issue
                            which requires propagating the authenticated
                            subject from the webservice subsystem to<br>
                            <br>
                            the EJB subsystem. With the old security domain, we
                            can do this by creating a subject:<br>
                            <br>
<pre>
    @Override
    public void pushSubjectContext(final Subject subject, final Principal principal,
                                   final Object credential) {
        AccessController.doPrivileged(new PrivilegedAction&lt;Void&gt;() {

            public Void run() {
                // Reuse the SecurityContext already bound to this thread, or
                // create one for the configured security domain and bind it.
                SecurityContext securityContext =
                        SecurityContextAssociation.getSecurityContext();
                if (securityContext == null) {
                    securityContext = createSecurityContext(getSecurityDomain());
                    setSecurityContextOnAssociation(securityContext);
                }
                // Attach the already-authenticated subject, principal and
                // credential so downstream callers (e.g. the EJB layer) see them.
                securityContext.getUtil().createSubjectInfo(principal, credential,
                        subject);
                return null;
            }
        });
    }
</pre>
                            <br>
                            <br>
                            After Elytron,  what is the equivalent way
                            to do this so that the EJB can retrieve this
                            security without checking it twice?<br>
                            <br>
                            Thanks,<br>
                            <br>
                            Jim<br>
                            <br>
                          </div>
                        </div>
                      </div>
                      <div dir="ltr">
                        <div><br>
                          <br clear="all">
                          <br>
                          -- <br>
                          <div class="m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
                            <div dir="ltr">
                              <div>
                                <p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
                                  <span>Soldano</span></p>
                                <p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
                                    Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
                                <p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:&quot;overpass&quot;,sans-serif" href="https://www.redhat.com" target="_blank">Red Hat <span><br>
                                      <br>
                                    </span></a></p>
                                <table border="0">
                                  <tbody>
                                    <tr>
                                      <td width="100px"><a href="https://red.ht/sig" target="_blank"> <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a>
                                      </td>
                                    </tr>
                                  </tbody>
                                </table>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </blockquote>
            <p><br>
            </p>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div></blockquote></div>
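<p>An added example, not code from this thread or from the WildFly/Elytron code base, sketching the Elytron-side shape Darran describes: take the name that an external validator (a stand-in for the CXF SAML check) has already established, turn it into an authorized SecurityIdentity through the Elytron server API, keep the validated assertion on the identity as a private credential, and run the downstream call under that identity so that <code>SecurityDomain.getCurrent().getCurrentSecurityIdentity()</code> returns it with no second authentication. The realm, the domain, the user <code>alice</code>, the role <code>ws-user</code> and the token string are constructed for the example; in a real deployment the domain would be the Elytron security domain configured for the application, and the EJB side only avoids a second check if it shares that domain (or trusts it via Elytron's outflow/trusted-domain configuration). The Elytron classes and methods used are, to my knowledge, the real 1.x server API, but treat the exact signatures as an assumption to verify against the javadoc linked above.</p>

```java
// Added example (not from the thread or from WildFly): convert an externally
// validated principal name into an Elytron SecurityIdentity and propagate it.
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.permission.PermissionVerifier;

public class SamlToElytronIdentity {

    /** Constructed stand-in for the deployment's security domain: a map-backed realm
     *  that knows the SAML-asserted users and their roles, no passwords. */
    static SecurityDomain buildDomain() {
        MapAttributes attrs = new MapAttributes();
        attrs.addAll("Roles", Arrays.asList("ws-user"));
        Map<String, SimpleRealmEntry> users = new HashMap<>();
        // No credential stored: the SAML assertion, not Elytron, proved who "alice" is.
        users.put("alice", new SimpleRealmEntry(Collections.emptyList(), attrs));

        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        realm.setIdentityMap(users);

        return SecurityDomain.builder()
                .addRealm("saml", realm).setRoleDecoder(RoleDecoder.simple("Roles")).build()
                .setDefaultRealmName("saml")
                // Every identity the realm knows may log in; roles come from the realm.
                .setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()))
                .build();
    }

    /** Runs only the Elytron authorization step for a name whose authentication was
     *  completed elsewhere (here: by the SAML validator). No credential is verified. */
    static SecurityIdentity identityFor(SecurityDomain domain, String validatedName, String samlAssertion)
            throws RealmUnavailableException {
        ServerAuthenticationContext sac = domain.createNewAuthenticationContext();
        sac.setAuthenticationName(validatedName);
        if (!sac.authorize()) {
            throw new SecurityException("realm does not know or does not permit " + validatedName);
        }
        sac.succeed();
        // Carry the already-validated assertion with the identity so a later hop can
        // re-present it instead of re-validating.
        return sac.getAuthorizedIdentity()
                .withPrivateCredential(new BearerTokenCredential(samlAssertion));
    }

    /** What an EJB secured by the same Elytron domain would observe for the caller. */
    static String whoIsCalling() {
        SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            return "no current identity";
        }
        SecurityIdentity current = domain.getCurrentSecurityIdentity();
        boolean hasAssertion = current.getPrivateCredentials().contains(BearerTokenCredential.class);
        return current.getPrincipal().getName()
                + " ws-user=" + current.getRoles().contains("ws-user")
                + " assertion=" + hasAssertion;
    }

    public static void main(String[] args) throws RealmUnavailableException {
        SecurityDomain domain = buildDomain();
        // Constructed input standing in for the output of the SAML validator.
        SecurityIdentity identity = identityFor(domain, "alice", "constructed-saml-assertion");

        System.out.println(whoIsCalling()); // no current identity

        // Everything inside runAs executes with "alice" as the current identity,
        // which is what the EJB container would pick up instead of a Subject.
        String seen = identity.runAs((PrivilegedAction<String>) SamlToElytronIdentity::whoIsCalling);
        System.out.println(seen); // alice ws-user=true assertion=true
    }
}
```

The point to take from the block is that nothing in it re-checks the SAML assertion: the realm lookup and <code>authorize()</code> establish the identity and its roles, and <code>runAs</code> scopes it to the thread, which is the replacement for binding a <code>SubjectInfo</code> through <code>SecurityContextAssociation</code> in the old code. A realm that does not know the asserted name fails at <code>authorize()</code>, so a name the SAML validator accepted but the server's realm never provisioned is rejected rather than silently granted an identity.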