<div dir="ltr"><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In Keycloak integration we have a specific security realm implementation that expects a principal previously authenticated by a keycloak adapter (e.g.: using SAML or OIDC) and builds an authorized identity based on it. Basically, what this security realm does is populate the authorized idenitty with information from tokens.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div></span></div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Later we complete authentication in Elytron and set the token as a credential into the identity. It is worth mention that in Keycloak integration, the adapter is a Elytron HTTP Authentication Mechanism, so we don't deal directly with the security domain but with the callback handler.</span><div><br></div><div>Regarding ElytronSecurityDomainContextImpl, is method pushContext called after a call to isValid ? If so, the security domain should be set with the security identity and you don't even need to keep that ThreadLocal ...<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 31, 2018 at 7:03 AM, Darran Lofthouse <span dir="ltr"><<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Just added Pedro in CC so see if he has any suggestions - this is sounding similar to the problems he would have needed to handle when he added support for KeyCloak integration using the Elytron APIs. </div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Although the reported problem we are working on is in the context of access to the token it does currently sound that there is a missing pre-requisite step of tying the authentication to Elytron to we can populate a SecurityIdentity. But this does not sound like the first time we have needed to approach this. </div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Regards,</div><div>Darran Lofthouse.</div><div><div class="gmail-h5"><div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 31 May 2018 at 10:54 Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<div class="gmail-m_6817568120572316212m_6492737856986601187moz-cite-prefix">On 05/31/2018 05:37 PM, Darran
Lofthouse wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">So the validation is within Apache CXF - is there
an end result to this validation where you have access to
everything you need where we could perform some additional
steps?
<div><br>
</div>
</div>
</blockquote>
<br></div><div bgcolor="#FFFFFF">
After Apache CXF validation, we can get a LoginContext from CXF's
exchange message :
<a class="gmail-m_6817568120572316212m_6492737856986601187moz-txt-link-freetext" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java" target="_blank">https://github.com/apache/cxf/<wbr>blob/master/core/src/main/<wbr>java/org/apache/cxf/security/<wbr>LoginSecurityContext.java</a><br>
Can we do something to convert it to an Elytron authenticated
identity ? <br>
Or we have to hook/replace something with Elytron in CXF's
validation to make this work ?</div><div bgcolor="#FFFFFF"><br>
<br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr">On Thu, 31 May 2018 at 10:34 Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">The saml
validation is now Apache CXF's SAML functionality. We
can't port the CXF's security to rely on <br>
our Elytron. <br>
</div>
</div>
<div bgcolor="#FFFFFF">
<div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix"> <br>
On 05/31/2018 05:07 PM, Darran Lofthouse wrote:<br>
</div>
</div>
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">It sounds to me then that the place to
start is within the SAML validation, this is effectively
an authentication step so should be ported over to an
Elytron based authentication - the end result of the
authentication would then be the required
SecurityIdentity to propagate from container to
container.
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763moz-cite-prefix">On
05/30/2018 09:47 PM, Darran Lofthouse wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I am currently gathering together
some information regarding how the JCA subsystem
handles the requirement of populating a Subject
for propagation into a resource adapter, however
there is a general question about what is
attempting to be achieved here.
<div><br>
</div>
<div>Once an EJB is secured using WildFly
Elytron the associated identity is not
accessed as a Subject instead it is accessed a
SecurityIdentity the current SecurityIdentity
can always be retrieved by calling the current
SecurityDomain: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityDomain.html#<wbr>getCurrent--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityDomain.html#<wbr>getCurrentSecurityIdentity--</a></div>
<div><br>
</div>
<div>The SecurityIdentity has some similarity
with the Subject in that amongst other things
it also contains a collection of public
credentials and a collection of private
credentials: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityIdentity.html#<wbr>getPublicCredentials--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.<wbr>github.io/wildfly-elytron/1.3.<wbr>x/api-javadoc/org/wildfly/<wbr>security/auth/server/<wbr>SecurityIdentity.html#<wbr>getPrivateCredentials--</a></div>
<div><br>
</div>
<div>So I think the very first question is has
the SecurityIdentity been correctly populated
with any delegated credentials? If not that
is going to be a pre-requisite for any follow
on steps regardless.</div>
<div><br>
</div>
<div>Then secondly what is it that is making use
of this identity? Why can't it be ported to
make use of the Elytron authentication client
APIs which amongst other things provide
support for delegation from the current
identity.</div>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>If we need to we can look at a conversion
to a Subject but we are only doing that where
it is really required.</div>
</div>
</blockquote>
<br>
</div>
<div bgcolor="#FFFFFF"> We don't have
the SecurityIdentity populated, there is only
principal and subject created by jbossws/CXF's saml
validator. <br>
We need to convert the subject/principal to
Elytron's SecurityIdentity or something else, then
later on EJB subystem with Elytron <br>
security can retrieve this authenticated info
without check it twice. So we'd like to know how can
we convert a subject/principal <br>
to Elytron's SecurityIdentity and let Elytron know
this is already authenticated and authorized. <br>
<br>
Thanks,<br>
Jim <br>
</div>
<div bgcolor="#FFFFFF"> <br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Darran Lofthouse.</div>
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 30 May 2018 at 10:27
Alessio Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>As suggested by Darran, I'm
forwarding the message below to the
list on behalf of Jim.<br>
</div>
The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/<wbr>wildfly/tree/master/<wbr>webservices/server-<wbr>integration/src/main/java/org/<wbr>jboss/as/webservices/security</a>
<br>
<br>
<div><br>
<div class="gmail_quote">----------
Forwarded message ----------<br>
From: <b class="gmail_sendername">Jim
Ma</b> <span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span><br>
Date: Wed, May 30, 2018 at 9:03 AM<br>
Subject: Set an authorized identity
to EltyronSecurity Context<br>
To: Darran Lofthouse <<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>><br>
Cc: Alessio Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>><br>
<br>
<br>
Hi Darran,<br>
<br>
We are helping look at a customer
issue which requires propagate the
authenticated subject from
webservice subsystem to<br>
<br>
ejb subystem. With old security
domain , we can do this with
creating a subject :<br>
<br>
@Override<br>
public void
pushSubjectContext(final Subject
subject, final Principal principal,
final Object credential) {<br>
AccessController.doPrivileged(<wbr>new
PrivilegedAction<Void>() {<br>
<br>
public Void run() {<br>
SecurityContext
securityContext =
SecurityContextAssociation.<wbr>getSecurityContext();<br>
if (securityContext
== null) {<br>
securityContext
=
createSecurityContext(<wbr>getSecurityDomain());<br>
setSecurityContextOnAssociatio<wbr>n(securityContext);<br>
}<br>
securityContext.getUtil().<wbr>createSubjectInfo(principal, credential,
subject);<br>
return null;<br>
}<br>
});<br>
}<br>
<br>
<br>
After Elytron, what is the
equivalent thing to do this then
ejb can retrieve this security
without check this twice ?<br>
<br>
Thanks,<br>
<br>
Jim<br>
<br>
</div>
</div>
</div>
<div dir="ltr">
<div><br>
<br clear="all">
<br>
-- <br>
<div class="gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
<div dir="ltr">
<div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
<span>Soldano</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
<p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:overpass,sans-serif" href="https://www.redhat.com" target="_blank">Red
Hat <span><br>
<br>
</span></a></p>
<table border="0">
<tbody>
<tr>
<td width="100px"><a href="https://red.ht/sig" target="_blank">
<img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a> </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div></blockquote></div></div></div></div></div>
</blockquote></div><br></div></div></div>