<div dir="ltr"><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In Keycloak integration we have a specific security realm implementation that expects a principal previously authenticated by a keycloak adapter (e.g.: using SAML or OIDC) and builds an authorized identity based on it. Basically, what this security realm does is populate the authorized idenitty with information from tokens.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div></span></div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Later we complete authentication in Elytron and set the token as a credential into the identity. It is worth mention that in Keycloak integration, the adapter is a Elytron HTTP Authentication Mechanism, so we don&#39;t deal directly with the security domain but with the callback handler.</span><div><br></div><div>Regarding ElytronSecurityDomainContextImpl, is method pushContext called after a call to isValid ? If so, the security domain should be set with the security identity and you don&#39;t even need to keep that ThreadLocal ...<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 31, 2018 at 7:03 AM, Darran Lofthouse <span dir="ltr">&lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Just added Pedro in CC so see if he has any suggestions - this is sounding similar to the problems he would have needed to handle when he added support for KeyCloak integration using the Elytron APIs.  </div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Although the reported problem we are working on is in the context of access to the token it does currently sound that there is a missing pre-requisite step of tying the authentication to Elytron to we can populate a SecurityIdentity.  But this does not sound like the first time we have needed to approach this. </div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Regards,</div><div>Darran Lofthouse.</div><div><div class="gmail-h5"><div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 31 May 2018 at 10:54 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
    <div class="gmail-m_6817568120572316212m_6492737856986601187moz-cite-prefix">On 05/31/2018 05:37 PM, Darran
      Lofthouse wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">So the validation is within Apache CXF - is there
        an end result to this validation where you have access to
        everything you need where we could perform some additional
        steps?
        <div><br>
        </div>
      </div>
    </blockquote>
    <br></div><div bgcolor="#FFFFFF">
     After Apache CXF validation, we can get a LoginContext from CXF&#39;s
    exchange message :
<a class="gmail-m_6817568120572316212m_6492737856986601187moz-txt-link-freetext" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java" target="_blank">https://github.com/apache/cxf/<wbr>blob/master/core/src/main/<wbr>java/org/apache/cxf/security/<wbr>LoginSecurityContext.java</a><br>
     Can we do something to convert it to an Elytron authenticated
    identity ? <br>
     Or we have to hook/replace something with Elytron in CXF&#39;s
    validation to make this work ?</div><div bgcolor="#FFFFFF"><br>
    <br>
    <blockquote type="cite"><br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, 31 May 2018 at 10:34 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div bgcolor="#FFFFFF">
            <div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">The saml
              validation is now Apache CXF&#39;s SAML functionality. We
              can&#39;t port the CXF&#39;s security to rely on <br>
              our Elytron.   <br>
            </div>
          </div>
          <div bgcolor="#FFFFFF">
            <div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix"> <br>
              On 05/31/2018 05:07 PM, Darran Lofthouse wrote:<br>
            </div>
          </div>
          <div bgcolor="#FFFFFF">
            <blockquote type="cite">
              <div dir="ltr">It sounds to me then that the place to
                start is within the SAML validation, this is effectively
                an authentication step so should be ported over to an
                Elytron based authentication - the end result of the
                authentication would then be the required
                SecurityIdentity to propagate from container to
                container.
                <div><br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt; wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                  <div bgcolor="#FFFFFF">
                    <div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763moz-cite-prefix">On
                      05/30/2018 09:47 PM, Darran Lofthouse wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">I am currently gathering together
                        some information regarding how the JCA subsystem
                        handles the requirement of populating a Subject
                        for propagation into a resource adapter, however
                        there is a general question about what is
                        attempting to be achieved here.
                        <div><br>
                        </div>
                        <div>Once an EJB is secured using WildFly
                          Elytron the associated identity is not
                          accessed as a Subject instead it is accessed a
                          SecurityIdentity the current SecurityIdentity
                          can always be retrieved by calling the current
                          SecurityDomain: -</div>
                        <div><br>
                        </div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityDomain.html#<wbr>getCurrent--</a></div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityDomain.html#<wbr>getCurrentSecurityIdentity--</a></div>
                        <div><br>
                        </div>
                        <div>The SecurityIdentity has some similarity
                          with the Subject in that amongst other things
                          it also contains a collection of public
                          credentials and a collection of private
                          credentials: -</div>
                        <div><br>
                        </div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityIdentity.html#<wbr>getPublicCredentials--</a></div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityIdentity.html#<wbr>getPrivateCredentials--</a></div>
                        <div><br>
                        </div>
                        <div>So I think the very first question is has
                          the SecurityIdentity been correctly populated
                          with any delegated credentials?  If not that
                          is going to be a pre-requisite for any follow
                          on steps regardless.</div>
                        <div><br>
                        </div>
                        <div>Then secondly what is it that is making use
                          of this identity?  Why can&#39;t it be ported to
                          make use of the Elytron authentication client
                          APIs which amongst other things provide
                          support for delegation from the current
                          identity.</div>
                      </div>
                    </blockquote>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div><br>
                        </div>
                        <div>If we need to we can look at a conversion
                          to a Subject but we are only doing that where
                          it is really required.</div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                  <div bgcolor="#FFFFFF">   We don&#39;t have
                    the SecurityIdentity populated, there is only
                    principal and subject created by jbossws/CXF&#39;s saml
                    validator. <br>
                      We need to convert the subject/principal to
                    Elytron&#39;s SecurityIdentity or something else, then
                    later on EJB subystem with Elytron <br>
                      security can retrieve this authenticated info
                    without check it twice. So we&#39;d like to know how can
                    we convert a subject/principal <br>
                      to Elytron&#39;s SecurityIdentity and let Elytron know
                    this is already authenticated and authorized. <br>
                    <br>
                    Thanks,<br>
                    Jim   <br>
                  </div>
                  <div bgcolor="#FFFFFF"> <br>
                    <br>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div><br>
                        </div>
                        <div>Regards,</div>
                        <div>Darran Lofthouse.</div>
                        <div><br>
                          <br>
                          <div class="gmail_quote">
                            <div dir="ltr">On Wed, 30 May 2018 at 10:27
                              Alessio Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;
                              wrote:<br>
                            </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                              <div dir="ltr">
                                <div>As suggested by Darran, I&#39;m
                                  forwarding the message below to the
                                  list on behalf of Jim.<br>
                                </div>
                                The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/<wbr>wildfly/tree/master/<wbr>webservices/server-<wbr>integration/src/main/java/org/<wbr>jboss/as/webservices/security</a>
                                <br>
                                <br>
                                <div><br>
                                  <div class="gmail_quote">----------
                                    Forwarded message ----------<br>
                                    From: <b class="gmail_sendername">Jim
                                      Ma</b> <span dir="ltr">&lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;</span><br>
                                    Date: Wed, May 30, 2018 at 9:03 AM<br>
                                    Subject: Set an authorized identity
                                    to EltyronSecurity Context<br>
                                    To: Darran Lofthouse &lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;<br>
                                    Cc: Alessio Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;<br>
                                    <br>
                                    <br>
                                    Hi Darran,<br>
                                    <br>
                                    We are helping look at a customer
                                    issue which requires propagate the
                                    authenticated subject from
                                    webservice subsystem to<br>
                                    <br>
                                    ejb subystem. With old security
                                    domain , we can do this with
                                    creating a subject :<br>
                                    <br>
                                        @Override<br>
                                        public void
                                    pushSubjectContext(final Subject
                                    subject, final Principal principal,
                                    final Object credential) {<br>
                                           
                                    AccessController.doPrivileged(<wbr>new
                                    PrivilegedAction&lt;Void&gt;() {<br>
                                    <br>
                                                public Void run() {<br>
                                                    SecurityContext
                                    securityContext =
                                    SecurityContextAssociation.<wbr>getSecurityContext();<br>
                                                    if (securityContext
                                    == null) {<br>
                                                        securityContext
                                    =
                                    createSecurityContext(<wbr>getSecurityDomain());<br>
setSecurityContextOnAssociatio<wbr>n(securityContext);<br>
                                                    }<br>
securityContext.getUtil().<wbr>createSubjectInfo(principal, credential,
                                    subject);<br>
                                                    return null;<br>
                                                }<br>
                                            });<br>
                                        }<br>
                                    <br>
                                    <br>
                                    After Elytron,  what is the
                                    equivalent thing to do this  then
                                    ejb can retrieve this security
                                    without check this twice ?<br>
                                    <br>
                                    Thanks,<br>
                                    <br>
                                    Jim<br>
                                    <br>
                                  </div>
                                </div>
                              </div>
                              <div dir="ltr">
                                <div><br>
                                  <br clear="all">
                                  <br>
                                  -- <br>
                                  <div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
                                    <div dir="ltr">
                                      <div>
                                        <p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
                                          <span>Soldano</span></p>
                                        <p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
                                            Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
                                        <p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:overpass,sans-serif" href="https://www.redhat.com" target="_blank">Red
                                            Hat <span><br>
                                              <br>
                                            </span></a></p>
                                        <table border="0">
                                          <tbody>
                                            <tr>
                                              <td width="100px"><a href="https://red.ht/sig" target="_blank">
                                                  <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a> </td>
                                            </tr>
                                          </tbody>
                                        </table>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                    <p><br>
                    </p>
                  </div>
                </blockquote>
              </div>
            </blockquote>
            <p><br>
            </p>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div></blockquote></div></div></div></div></div>
</blockquote></div><br></div></div></div>