<div dir="ltr">Hi Pedro,<br><div><div class="gmail_extra">I&#39;ll let Jim follow up on the details here and see with you the best way to move forward.<br></div><div class="gmail_extra">That said, in the current scenario the isValid method is not called (it was originally intended for the username token profile scenario, where the string password credential would be available, etc.); maybe it should be changed a bit to be used in this scenario too, so that the pushContext is not needed, according to what you&#39;re writing below.<br></div><div class="gmail_extra">Can you and Jim please review the current implementation of ElytronSecurityDomainContextImpl and change it to support this SAML token authentication scenario too?<br></div><div class="gmail_extra">Thanks<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 4, 2018 at 3:31 PM, Pedro Igor Silva <span dir="ltr">&lt;<a href="mailto:psilva@redhat.com" target="_blank">psilva@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In the Keycloak integration we have a specific security realm implementation that expects a principal 
previously authenticated by a Keycloak adapter (e.g. using SAML or OIDC) and builds an authorized identity based on it. Basically, what this security realm does is populate the authorized identity with information from tokens.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div></span></div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Later we complete authentication in Elytron and set the token as a credential on the identity. It is worth mentioning that in the Keycloak integration the adapter is an Elytron HTTP Authentication Mechanism, so we don&#39;t deal directly with the security domain but with the callback handler.</span><div><br></div><div>Regarding ElytronSecurityDomainContextImpl, is the pushContext method called after a call to isValid? 
If so, the security domain should be set with the security identity and you don&#39;t even need to keep that ThreadLocal ...<div><div class="h5"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 31, 2018 at 7:03 AM, Darran Lofthouse <span dir="ltr">&lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Just added Pedro in CC to see if he has any suggestions - this sounds similar to the problems he would have needed to handle when he added support for Keycloak integration using the Elytron APIs.  </div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Although the reported problem we are working on is in the context of access to the token, it does currently sound like there is a missing pre-requisite step of tying the authentication to Elytron so we can populate a SecurityIdentity.  But this does not sound like the first time we have needed to approach this. </div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Regards,</div><div>Darran Lofthouse.</div><div><div class="m_3291311215180637306gmail-h5"><div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 31 May 2018 at 10:54 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
    <div class="m_3291311215180637306gmail-m_6817568120572316212m_6492737856986601187moz-cite-prefix">On 05/31/2018 05:37 PM, Darran
      Lofthouse wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">So the validation is within Apache CXF - is there
        an end result to this validation where you have access to
        everything you need where we could perform some additional
        steps?
        <div><br>
        </div>
      </div>
    </blockquote>
    <br></div><div bgcolor="#FFFFFF">
     After Apache CXF validation, we can get a LoginContext from CXF&#39;s
    exchange message:
<a class="m_3291311215180637306gmail-m_6817568120572316212m_6492737856986601187moz-txt-link-freetext" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java" target="_blank">https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java</a><br>
     Can we do something to convert it to an Elytron authenticated
    identity? <br>
     Or do we have to hook/replace something with Elytron in CXF&#39;s
    validation to make this work?</div><div bgcolor="#FFFFFF"><br>
    <br>
    <blockquote type="cite"><br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, 31 May 2018 at 10:34 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div bgcolor="#FFFFFF">
            <div class="m_3291311215180637306gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">The SAML
              validation is currently Apache CXF&#39;s SAML functionality. We
              can&#39;t port CXF&#39;s security to rely on <br>
              our Elytron.   <br>
            </div>
          </div>
          <div bgcolor="#FFFFFF">
            <div class="m_3291311215180637306gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix"> <br>
              On 05/31/2018 05:07 PM, Darran Lofthouse wrote:<br>
            </div>
          </div>
          <div bgcolor="#FFFFFF">
            <blockquote type="cite">
              <div dir="ltr">It sounds to me, then, that the place to
                start is within the SAML validation; this is effectively
                an authentication step, so it should be ported over to an
                Elytron-based authentication. The end result of the
                authentication would then be the required
                SecurityIdentity to propagate from container to
                container.
                <div><br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt; wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                  <div bgcolor="#FFFFFF">
                    <div class="m_3291311215180637306gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763moz-cite-prefix">On
                      05/30/2018 09:47 PM, Darran Lofthouse wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">I am currently gathering together
                        some information regarding how the JCA subsystem
                        handles the requirement of populating a Subject
                        for propagation into a resource adapter; however,
                        there is a general question about what is
                        being attempted here.
                        <div><br>
                        </div>
                        <div>Once an EJB is secured using WildFly
                          Elytron, the associated identity is not
                          accessed as a Subject; instead it is accessed as a
                          SecurityIdentity. The current SecurityIdentity
                          can always be retrieved by calling the current
                          SecurityDomain: -</div>
                        <div><br>
                        </div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
                        <div><br>
                        </div>
                        <div>The SecurityIdentity has some similarity
                          with the Subject in that amongst other things
                          it also contains a collection of public
                          credentials and a collection of private
                          credentials: -</div>
                        <div><br>
                        </div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
                        <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
                        <div><br>
                        </div>
                        <div>So I think the very first question is has
                          the SecurityIdentity been correctly populated
                          with any delegated credentials?  If not that
                          is going to be a pre-requisite for any follow
                          on steps regardless.</div>
                        <div><br>
                        </div>
                        <div>Then, secondly, what is it that is making use
                          of this identity?  Why can&#39;t it be ported to
                          make use of the Elytron authentication client
                          APIs, which amongst other things provide
                          support for delegation from the current
                          identity?</div>
                      </div>
                    </blockquote>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div><br>
                        </div>
                        <div>If we need to we can look at a conversion
                          to a Subject but we are only doing that where
                          it is really required.</div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                  <div bgcolor="#FFFFFF">   We don&#39;t have
                    the SecurityIdentity populated; there are only the
                    principal and subject created by jbossws/CXF&#39;s SAML
                    validator. <br>
                      We need to convert the subject/principal to
                    Elytron&#39;s SecurityIdentity or something else, so that
                    later on the EJB subsystem with Elytron <br>
                      security can retrieve this authenticated info
                    without checking it twice. So we&#39;d like to know how
                    we can convert a subject/principal <br>
                      to Elytron&#39;s SecurityIdentity and let Elytron know
                    this is already authenticated and authorized. <br>
                    <br>
                    Thanks,<br>
                    Jim   <br>
                  </div>
                  <div bgcolor="#FFFFFF"> <br>
                    <br>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div><br>
                        </div>
                        <div>Regards,</div>
                        <div>Darran Lofthouse.</div>
                        <div><br>
                          <br>
                          <div class="gmail_quote">
                            <div dir="ltr">On Wed, 30 May 2018 at 10:27
                              Alessio Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;
                              wrote:<br>
                            </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                              <div dir="ltr">
                                <div>As suggested by Darran, I&#39;m
                                  forwarding the message below to the
                                  list on behalf of Jim.<br>
                                </div>
                                The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
                                <br>
                                <br>
                                <div><br>
                                  <div class="gmail_quote">----------
                                    Forwarded message ----------<br>
                                    From: <b class="gmail_sendername">Jim
                                      Ma</b> <span dir="ltr">&lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;</span><br>
                                    Date: Wed, May 30, 2018 at 9:03 AM<br>
                                    Subject: Set an authorized identity
                                    to Elytron Security Context<br>
                                    To: Darran Lofthouse &lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;<br>
                                    Cc: Alessio Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;<br>
                                    <br>
                                    <br>
                                    Hi Darran,<br>
                                    <br>
                                    We are helping look at a customer
                                    issue which requires propagating the
                                    authenticated subject from the
                                    webservice subsystem to the EJB subsystem.<br>
                                    With the old security domain, we can
                                    do this by creating a subject:<br>
                                    <br>
<pre>
// Legacy (PicketBox) security-domain path. Imports the method relies on:
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;

// createSecurityContext(...), getSecurityDomain() and
// setSecurityContextOnAssociation(...) are helpers of the enclosing class.
@Override
public void pushSubjectContext(final Subject subject, final Principal principal, final Object credential) {
    AccessController.doPrivileged(new PrivilegedAction&lt;Void&gt;() {
        public Void run() {
            // Reuse the security context already associated with this thread, or create one
            SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
            if (securityContext == null) {
                securityContext = createSecurityContext(getSecurityDomain());
                setSecurityContextOnAssociation(securityContext);
            }
            // Record the already-authenticated subject/principal/credential so later
            // subsystems (e.g. EJB) can pick it up without authenticating again
            securityContext.getUtil().createSubjectInfo(principal, credential, subject);
            return null;
        }
    });
}
</pre>
                                    <br>
                                    <br>
                                    After Elytron, what is the
                                    equivalent way to do this, so that
                                    the EJB subsystem can retrieve this security
                                    info without checking it twice?<br>
                                    <br>
                                    Thanks,<br>
                                    <br>
                                    Jim<br>
                                    <br>
                                  </div>
                                </div>
                              </div>
                              <div dir="ltr">
                                <div><br>
                                  <br clear="all">
                                  <br>
                                  -- <br>
                                  <div class="m_3291311215180637306gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
                                    <div dir="ltr">
                                      <div>
                                        <p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
                                          <span>Soldano</span></p>
                                        <p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
                                            Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
                                        <p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:overpass,sans-serif" href="https://www.redhat.com" target="_blank">Red
                                            Hat <span><br>
                                              <br>
                                            </span></a></p>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                    <p><br>
                    </p>
                  </div>
                </blockquote>
              </div>
            </blockquote>
            <p><br>
            </p>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div></blockquote></div></div></div></div></div>
</blockquote></div><br></div></div></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>
<p style="font-weight:bold;margin:0;padding:0;font-size:14px;text-transform:uppercase;margin-bottom:0"><span>Alessio</span> <span>Soldano</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate Manager</span><span style="font-weight:normal;color:#aaa;margin:0"></span></p>
<p style="font-weight:normal;margin:0;font-size:10px;color:#999"><a style="color:#0088ce;font-size:10px;margin:0;text-decoration:none;font-family:&#39;overpass&#39;,sans-serif" href="https://www.redhat.com" target="_blank">Red Hat <span><br><br></span></a></p>




<table border="0"><tbody><tr><td width="100px"><a href="https://red.ht/sig" target="_blank"> <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" width="90" height="auto"></a> </td>
</tr></tbody></table>

</div></div></div>
</div></div></div>
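<p>The thread asks how a principal that CXF has already validated can be turned into an Elytron SecurityIdentity that the EJB subsystem then finds via SecurityDomain.getCurrent().getCurrentSecurityIdentity(), with the token kept as a credential on the identity (Darran's and Pedro's messages above). The following is an added, self-contained example written for this page; it is not code from the thread, from WildFly or from JBossWS. The in-memory realm, the realm name "ws-realm", the "Roles" attribute, the user "alice" and the token string are all constructed for illustration; NamePrincipal stands in for whatever principal CXF's SAML validator produced, and the caller is assumed to have verified the SAML assertion before this code runs.</p>

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;

import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.permission.PermissionVerifier;

/** Illustrative example only (not WildFly/JBossWS code): pre-authenticated principal -> Elytron SecurityIdentity. */
public class PreAuthenticatedIdentityExample {

    /** Builds a constructed security domain: one in-memory realm ("ws-realm") that knows the user "alice". */
    static SecurityDomain buildDomain() {
        MapAttributes attributes = new MapAttributes();
        attributes.addAll("Roles", Collections.singletonList("WSUser"));   // assumed role attribute name
        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        // No credentials are stored: the realm only needs to know the identity exists; nothing is verified here
        realm.setIdentityMap(Collections.singletonMap("alice",
                new SimpleRealmEntry(Collections.<Credential>emptyList(), attributes)));
        return SecurityDomain.builder()
                .addRealm("ws-realm", realm).setRoleDecoder(RoleDecoder.simple("Roles")).build()
                .setDefaultRealmName("ws-realm")
                // Grants LoginPermission to every identity the realm knows; a real domain would be more selective
                .setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()))
                .build();
    }

    /**
     * Converts a principal that was already authenticated elsewhere (a stand-in for the principal CXF's
     * SAML validator produced) into an authorized Elytron SecurityIdentity. No credential is verified
     * again: authorize() only looks the identity up in the realm and checks LoginPermission, which is
     * what "let Elytron know this is already authenticated and authorized" amounts to.
     */
    static SecurityIdentity toElytronIdentity(SecurityDomain domain, Principal preAuthenticated, String token)
            throws Exception {
        ServerAuthenticationContext sac = domain.createNewAuthenticationContext();
        sac.setAuthenticationPrincipal(preAuthenticated);
        if (!sac.authorize()) {
            throw new SecurityException("authorization failed for " + preAuthenticated.getName());
        }
        sac.succeed();
        // Keep the token as a *private* credential so it is not exposed through getPublicCredentials()
        return sac.getAuthorizedIdentity().withPrivateCredential(new BearerTokenCredential(token));
    }

    /** What a downstream component (an EJB secured with Elytron) sees while running as that identity. */
    static String describeCurrentIdentity() {
        SecurityIdentity current = SecurityDomain.getCurrent().getCurrentSecurityIdentity();
        BearerTokenCredential cred = current.getPrivateCredentials().getCredential(BearerTokenCredential.class);
        return current.getPrincipal().getName()
                + " WSUser=" + current.getRoles().contains("WSUser")
                + " token=" + (cred == null ? "<none>" : cred.getToken());
    }

    public static void main(String[] args) throws Exception {
        SecurityDomain domain = buildDomain();
        String sampleToken = "sample-saml-assertion-placeholder";   // constructed value, not a real token
        SecurityIdentity identity = toElytronIdentity(domain, new NamePrincipal("alice"), sampleToken);
        // runAs makes "identity" the current identity for the action; that is the hand-off the EJB
        // subsystem relies on instead of the old pushSubjectContext/ThreadLocal approach
        String seen = identity.runAs((PrivilegedAction<String>) PreAuthenticatedIdentityExample::describeCurrentIdentity);
        System.out.println(seen);
    }
}
```

<p>The cast to PrivilegedAction is needed because SecurityIdentity.runAs is overloaded for several zero-argument functional interfaces. The point the example makes for the thread: the conversion happens once, at the boundary where CXF's validation result is trusted, and everything after that reads the identity and its private token credential from the current SecurityDomain rather than re-validating or sharing a Subject.</p>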