<div dir="ltr">On the WildFly Elytron side if there is anything missing we can certainly consider it - I know on the KeyCloak side a KeyCloak specific realm was used but if we need something more generic for SAML we can certainly look at adding it if it is needed for this integration.<div><br></div><div>Regards,</div><div>Darran Lofthouse.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 6 Jun 2018 at 06:30 Jim Ma &lt;<a href="mailto:ema@redhat.com">ema@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
    <div class="m_5478807400153600684moz-cite-prefix">On 06/04/2018 09:31 PM, Pedro Igor
      Silva wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">
            <div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In
              Keycloak integration we have a specific security realm
              implementation that expects a principal previously
              authenticated by a keycloak adapter (e.g.: using SAML or
              OIDC) and builds an authorized identity based on it.
              Basically, what this security realm does is populate the
              authorized identity with information from tokens.</div>
            <div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br>
            </div>
          </span></div>
        <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Later
          we complete authentication in Elytron and set the token as a
          credential into the identity. It is worth mentioning that in the
          Keycloak integration, the adapter is an Elytron HTTP
          Authentication Mechanism, so we don&#39;t deal directly with the
          security domain but with the callback handler.</span>
        <div><br>
        </div>
        <div>Regarding ElytronSecurityDomainContextImpl, is method
          pushContext called after a call to isValid? If so, the
          security domain should be set with the security identity and
          you don&#39;t even need to keep that ThreadLocal ...<br>
        </div>
      </div>
    </blockquote>
      <br></div><div text="#000000" bgcolor="#FFFFFF">
     Thanks Pedro. Do you think the keycloak Elytron integration code
    can be improved or changed to a common utility to convert the
    principal to an Elytron identity?<br>
     Can you please point me to the integration code or some Elytron
    example code snippet to build this authorized identity from an
    authenticated principal?<br></div><div text="#000000" bgcolor="#FFFFFF">
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Thu, May 31, 2018 at 7:03 AM,
              Darran Lofthouse <span dir="ltr">&lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div dir="ltr">Just added Pedro in CC to see if he has
                  any suggestions - this is sounding similar to the
                  problems he would have needed to handle when he added
                  support for KeyCloak integration using the Elytron
                  APIs.  </div>
              </blockquote>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div dir="ltr">
                  <div><br>
                  </div>
                  <div>Although the reported problem we are working on
                    is in the context of access to the token, it does
                    currently sound that there is a missing
                    pre-requisite step of tying the authentication to
                    Elytron so we can populate a SecurityIdentity.  But
                    this does not sound like the first time we have
                    needed to approach this. </div>
                </div>
              </blockquote>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div dir="ltr">
                  <div><br>
                  </div>
                  <div>Regards,</div>
                  <div>Darran Lofthouse.</div>
                  <div>
                    <div class="m_5478807400153600684gmail-h5">
                      <div><br>
                        <br>
                        <div class="gmail_quote">
                          <div dir="ltr">On Thu, 31 May 2018 at 10:54
                            Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;
                            wrote:<br>
                          </div>
                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                            <div bgcolor="#FFFFFF">
                              <div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187moz-cite-prefix">On
                                05/31/2018 05:37 PM, Darran Lofthouse
                                wrote:<br>
                              </div>
                              <blockquote type="cite">
                                <div dir="ltr">So the validation is
                                  within Apache CXF - is there an end
                                  result to this validation where you
                                  have access to everything you need
                                  where we could perform some additional
                                  steps?
                                  <div><br>
                                  </div>
                                </div>
                              </blockquote>
                              <br>
                            </div>
                            <div bgcolor="#FFFFFF">After Apache CXF
                              validation, we can get a LoginContext from
                              CXF&#39;s exchange message:
                              <a class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187moz-txt-link-freetext" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java" target="_blank">https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java</a><br>
                              Can we do something to convert it to an
                              Elytron authenticated identity?<br>
                              Or do we have to hook/replace something with
                              Elytron in CXF&#39;s validation to make this
                              work?</div>
                            <div bgcolor="#FFFFFF"><br>
                              <br>
                              <blockquote type="cite"><br>
                                <div class="gmail_quote">
                                  <div dir="ltr">On Thu, 31 May 2018 at
                                    10:34 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;
                                    wrote:<br>
                                  </div>
                                  <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                    <div bgcolor="#FFFFFF">
                                      <div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">The
                                        SAML validation is now Apache
                                        CXF&#39;s SAML functionality. We
                                        can&#39;t port CXF&#39;s security to
                                        rely on <br>
                                        our Elytron.<br>
                                      </div>
                                    </div>
                                    <div bgcolor="#FFFFFF">
                                      <div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">
                                        <br>
                                        On 05/31/2018 05:07 PM, Darran
                                        Lofthouse wrote:<br>
                                      </div>
                                    </div>
                                    <div bgcolor="#FFFFFF">
                                      <blockquote type="cite">
                                        <div dir="ltr">It sounds to me
                                          then that the place to start
                                          is within the SAML validation;
                                          this is effectively an
                                          authentication step, so it should
                                          be ported over to an Elytron
                                          based authentication. The end
                                          result of the authentication
                                          would then be the required
                                          SecurityIdentity to propagate
                                          from container to container.
                                          <div><br>
                                          </div>
                                        </div>
                                        <br>
                                        <div class="gmail_quote">
                                          <div dir="ltr">On Thu, 31 May
                                            2018 at 03:57 Jim Ma &lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;
                                            wrote:<br>
                                          </div>
                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                            <div bgcolor="#FFFFFF">
                                              <div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763moz-cite-prefix">On
                                                05/30/2018 09:47 PM,
                                                Darran Lofthouse wrote:<br>
                                              </div>
                                              <blockquote type="cite">
                                                <div dir="ltr">I am
                                                  currently gathering
                                                  together some
                                                  information regarding
                                                  how the JCA subsystem
                                                  handles the
                                                  requirement of
                                                  populating a Subject
                                                  for propagation into a
                                                  resource adapter,
                                                  however there is a
                                                  general question about
                                                  what is attempting to
                                                  be achieved here.
                                                  <div><br>
                                                  </div>
                                                  <div>Once an EJB is
                                                    secured using
                                                    WildFly Elytron the
                                                    associated identity
                                                    is not accessed as a
                                                    Subject; instead it
                                                    is accessed as a
                                                    SecurityIdentity. The
                                                    current
                                                    SecurityIdentity can
                                                    always be retrieved
                                                    by calling the
                                                    current
                                                    SecurityDomain: -</div>
                                                  <div><br>
                                                  </div>
                                                  <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
                                                  <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
                                                  <div><br>
                                                  </div>
                                                  <div>The
                                                    SecurityIdentity has
                                                    some similarity with
                                                    the Subject in that
                                                    amongst other things
                                                    it also contains a
                                                    collection of public
                                                    credentials and a
                                                    collection of
                                                    private credentials:
                                                    -</div>
                                                  <div><br>
                                                  </div>
                                                  <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
                                                  <div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
                                                  <div><br>
                                                  </div>
                                                  <div>So I think the
                                                    very first question
                                                    is has the
                                                    SecurityIdentity
                                                    been correctly
                                                    populated with any
                                                    delegated
                                                    credentials?  If not
                                                    that is going to be
                                                    a pre-requisite for
                                                    any follow on steps
                                                    regardless.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Then secondly,
                                                    what is it that is
                                                    making use of this
                                                    identity?  Why can&#39;t
                                                    it be ported to make
                                                    use of the Elytron
                                                    authentication
                                                    client APIs, which
                                                    amongst other things
                                                    provide support for
                                                    delegation from the
                                                    current identity?</div>
                                                </div>
                                              </blockquote>
                                              <blockquote type="cite">
                                                <div dir="ltr">
                                                  <div><br>
                                                  </div>
                                                  <div>If we need to we
                                                    can look at a
                                                    conversion to a
                                                    Subject but we are
                                                    only doing that
                                                    where it is really
                                                    required.</div>
                                                </div>
                                              </blockquote>
                                              <br>
                                            </div>
                                            <div bgcolor="#FFFFFF">We
                                              don&#39;t have the
                                              SecurityIdentity
                                              populated, there is only a
                                              principal and subject
                                              created by jbossws/CXF&#39;s
                                              saml validator. <br>
                                              We need to convert the
                                              subject/principal to
                                              Elytron&#39;s SecurityIdentity
                                              or something else, then
                                              later on the EJB subsystem with
                                              Elytron <br>
                                              security can retrieve
                                              this authenticated info
                                              without checking it twice. So
                                              we&#39;d like to know how we
                                              can convert a
                                              subject/principal <br>
                                              to Elytron&#39;s
                                              SecurityIdentity and let
                                              Elytron know this is
                                              already authenticated and
                                              authorized. <br>
                                              <br>
                                              Thanks,<br>
                                              Jim<br>
                                            </div>
                                            <div bgcolor="#FFFFFF"> <br>
                                              <br>
                                              <blockquote type="cite">
                                                <div dir="ltr">
                                                  <div><br>
                                                  </div>
                                                  <div>Regards,</div>
                                                  <div>Darran Lofthouse.</div>
                                                  <div><br>
                                                    <br>
                                                    <div class="gmail_quote">
                                                      <div dir="ltr">On
                                                        Wed, 30 May 2018
                                                        at 10:27 Alessio
                                                        Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;
                                                        wrote:<br>
                                                      </div>
                                                      <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                        <div dir="ltr">
                                                          <div>As
                                                          suggested by
                                                          Darran, I&#39;m
                                                          forwarding the
                                                          message below
                                                          to the list on
                                                          behalf of Jim.<br>
                                                          </div>
                                                          The classes
                                                          Jim is
                                                          referring to
                                                          are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
                                                          <br>
                                                          <br>
                                                          <div><br>
                                                          <div class="gmail_quote">----------
                                                          Forwarded
                                                          message
                                                          ----------<br>
                                                          From: <b class="gmail_sendername">Jim
                                                          Ma</b> <span dir="ltr">&lt;<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>&gt;</span><br>
                                                          Date: Wed, May
                                                          30, 2018 at
                                                          9:03 AM<br>
                                                          Subject: Set
                                                          an authorized
                                                          identity to
                                                          Elytron
                                                          SecurityContext<br>
                                                          To: Darran
                                                          Lofthouse &lt;<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>&gt;<br>
                                                          Cc: Alessio
                                                          Soldano &lt;<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>&gt;<br>
                                                          <br>
                                                          <br>
                                                          Hi Darran,<br>
                                                          <br>
                                                          We are helping
                                                          look at a
                                                          customer issue
                                                          which requires
                                                          propagating the
                                                          authenticated
                                                          subject from the
                                                          webservice
                                                          subsystem to the
                                                          ejb subsystem.
                                                          With the old
                                                          security
                                                          domain, we
                                                          can do this
                                                          by creating
                                                          a subject:<br>
                                                          <br>
<pre>
    @Override
    public void pushSubjectContext(final Subject subject, final Principal principal, final Object credential) {
        AccessController.doPrivileged(new PrivilegedAction&lt;Void&gt;() {
            public Void run() {
                // Reuse the security context already associated with this thread, or create one for the domain
                SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
                if (securityContext == null) {
                    securityContext = createSecurityContext(getSecurityDomain());
                    setSecurityContextOnAssociation(securityContext);
                }
                // Attach the already-authenticated subject/principal so downstream callers see it
                securityContext.getUtil().createSubjectInfo(principal, credential, subject);
                return null;
            }
        });
    }
</pre>
                                                          <br>
                                                          <br>
                                                          After
                                                          Elytron, what
                                                          is the
                                                          equivalent
                                                          thing to do,
                                                          so that ejb
                                                          can retrieve
                                                          this security
                                                          without checking
                                                          it twice?<br>
                                                          <br>
                                                          Thanks,<br>
                                                          <br>
                                                          Jim<br>
                                                          <br>
                                                          </div>
                                                          </div>
                                                        </div>
                                                        <div dir="ltr">
                                                          <div><br>
                                                          <br clear="all">
                                                          <br>
                                                          -- <br>
                                                          <div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
                                                          <div dir="ltr">
                                                          <div>
                                                          <p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
                                                          <span>Soldano</span></p>
                                                          <p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
                                                          Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
                                                          <p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:overpass,sans-serif" href="https://www.redhat.com" target="_blank">Red
                                                          Hat <span><br>
                                                          <br>
                                                          </span></a></p>
                                                          <table border="0">
                                                          <tbody>
                                                          <tr>
                                                          <td width="100px"><a href="https://red.ht/sig" target="_blank"> <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a>
                                                          </td>
                                                          </tr>
                                                          </tbody>
                                                          </table>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </div>
                                                      </blockquote>
                                                    </div>
                                                  </div>
                                                </div>
                                              </blockquote>
                                              <p><br>
                                              </p>
                                            </div>
                                          </blockquote>
                                        </div>
                                      </blockquote>
                                      <p><br>
                                      </p>
                                    </div>
                                  </blockquote>
                                </div>
                              </blockquote>
                              <p><br>
                              </p>
                            </div>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div></blockquote></div>
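<p>The thread asks for an Elytron snippet that builds an authorized identity from a principal the CXF SAML validator has already authenticated, and for the Elytron equivalent of the old <code>pushSubjectContext</code>. The Java below is an added example written for this page; it is not code from the thread, from WildFly, from Apache CXF or from the Keycloak adapter. It follows the approach Pedro describes (a realm that trusts an already-authenticated principal and populates the identity from token data) using the Elytron 1.x server API as I understand it. Assumptions: <code>SimpleMapBackedSecurityRealm</code> stands in for a realm that would look the subject up per request; the principal <code>alice</code>, the <code>ws-caller</code> role and the assertion string are constructed sample input; <code>BearerTokenCredential</code> is only a convenient carrier for the assertion text, and nothing here reads the CXF <code>LoginSecurityContext</code>.</p>

```java
// Added example (not code from the thread, WildFly or CXF): turn an
// already-validated SAML principal into an authorized Elytron SecurityIdentity
// and make it the current identity for the downstream (EJB) call.
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;

import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.permission.PermissionVerifier;

public class SamlPrincipalToElytronIdentity {

    // A realm that only confirms the principal exists and supplies its roles.
    // It holds no password: the proof of identity (the SAML assertion) was
    // already checked by the CXF validator. The static map is a constructed
    // stand-in for a realm that would look the subject up per request.
    static SecurityDomain buildDomain() {
        MapAttributes attributes = new MapAttributes();
        attributes.addAll("roles", Collections.singletonList("ws-caller")); // constructed sample role
        Map<String, SimpleRealmEntry> users = new HashMap<>();
        users.put("alice", new SimpleRealmEntry(Collections.<Credential>emptyList(), attributes));

        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        realm.setIdentityMap(users);

        return SecurityDomain.builder()
                .addRealm("saml-trusted", realm).build()
                .setDefaultRealmName("saml-trusted")
                .setRoleDecoder(RoleDecoder.simple("roles"))
                // authorize() checks for LoginPermission; grant it to every identity the realm knows
                .setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()))
                .build();
    }

    // Authorize the principal in the domain without verifying any evidence, and
    // attach the assertion as a private credential so the next hop can read it.
    static SecurityIdentity toSecurityIdentity(SecurityDomain domain, Principal principal, String samlAssertion)
            throws RealmUnavailableException {
        ServerAuthenticationContext ctx = domain.createNewAuthenticationContext();
        ctx.setAuthenticationPrincipal(principal);
        if (!ctx.authorize()) {
            // The realm does not know this principal: fail closed instead of
            // falling back to a thread-local or an anonymous identity.
            throw new SecurityException("principal not known to realm: " + principal.getName());
        }
        ctx.addPrivateCredential(new BearerTokenCredential(samlAssertion));
        return ctx.getAuthorizedIdentity();
    }

    public static void main(String[] args) throws Exception {
        SecurityDomain domain = buildDomain();
        // Constructed stand-ins for what the CXF SAML validator produced.
        Principal validated = new NamePrincipal("alice");
        String assertion = "<saml2:Assertion>constructed, already validated upstream</saml2:Assertion>";

        SecurityIdentity identity = toSecurityIdentity(domain, validated, assertion);

        // Elytron equivalent of the old pushSubjectContext: run the downstream call as this identity.
        String seen = identity.runAs((Callable<String>) () -> {
            // What an Elytron-secured EJB does: no second authentication, just read the current identity.
            SecurityIdentity current = SecurityDomain.getCurrent().getCurrentSecurityIdentity();
            BearerTokenCredential token = current.getPrivateCredentials().getCredential(BearerTokenCredential.class);
            return current.getPrincipal().getName()
                    + " ws-caller=" + current.getRoles().contains("ws-caller")
                    + " assertion=" + (token != null ? token.getToken() : "none");
        });
        System.out.println(seen);
    }
}
```

<p>The part worth noting is the EJB side inside <code>runAs</code>: it re-validates nothing, it reads the current <code>SecurityDomain</code> (the <code>getCurrent()</code> link quoted above) and pulls the assertion back out of the private credentials. A <code>false</code> from <code>authorize()</code> means the realm did not recognise the principal; treating that as a hard failure is the check to keep if this pattern is adapted to a real realm.</p>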