<div dir="ltr">On the WildFly Elytron side if there is anything missing we can certainly consider it - I know on the KeyCloak side a KeyCloak specific realm was used but if we need something more generic for SAML we can certainly look at adding it if it is needed for this integration.<div><br></div><div>Regards,</div><div>Darran Lofthouse.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 6 Jun 2018 at 06:30 Jim Ma <<a href="mailto:ema@redhat.com">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
<div class="m_5478807400153600684moz-cite-prefix">On 06/04/2018 09:31 PM, Pedro Igor
Silva wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In
Keycloak integration we have a specific security realm
implementation that expects a principal previously
authenticated by a keycloak adapter (e.g.: using SAML or
OIDC) and builds an authorized identity based on it.
Basically, what this security realm does is populate the
authorized idenitty with information from tokens.</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br>
</div>
</span></div>
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Later
we complete authentication in Elytron and set the token as a
credential into the identity. It is worth mention that in
Keycloak integration, the adapter is a Elytron HTTP
Authentication Mechanism, so we don't deal directly with the
security domain but with the callback handler.</span>
<div><br>
</div>
<div>Regarding ElytronSecurityDomainContextImpl, is method
pushContext called after a call to isValid ? If so, the
security domain should be set with the security identity and
you don't even need to keep that ThreadLocal ...<br>
</div>
</div>
</blockquote>
<br></div><div text="#000000" bgcolor="#FFFFFF">
Thanks Pedro . Do you think the keycloak Elytron integration code
can be improved or changed to a common utility to convert the
principal to an Elytron identity?<br>
Can you please point me the integration code or some Elytron
example code snippet to build this authorized identity from a
authenticated principal ? <br></div><div text="#000000" bgcolor="#FFFFFF">
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, May 31, 2018 at 7:03 AM,
Darran Lofthouse <span dir="ltr"><<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Just added Pedro in CC so see if he has
any suggestions - this is sounding similar to the
problems he would have needed to handle when he added
support for KeyCloak integration using the Elytron
APIs. </div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Although the reported problem we are working on
is in the context of access to the token it does
currently sound that there is a missing
pre-requisite step of tying the authentication to
Elytron to we can populate a SecurityIdentity. But
this does not sound like the first time we have
needed to approach this. </div>
</div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Darran Lofthouse.</div>
<div>
<div class="m_5478807400153600684gmail-h5">
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, 31 May 2018 at 10:54
Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187moz-cite-prefix">On
05/31/2018 05:37 PM, Darran Lofthouse
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">So the validation is
within Apache CXF - is there an end
result to this validation where you
have access to everything you need
where we could perform some additional
steps?
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
<div bgcolor="#FFFFFF"> After Apache CXF
validation, we can get a LoginContext from
CXF's exchange message :
<a class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187moz-txt-link-freetext" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java" target="_blank">https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java</a><br>
Can we do something to convert it to an
Elytron authenticated identity ? <br>
Or we have to hook/replace something with
Elytron in CXF's validation to make this
work ?</div>
<div bgcolor="#FFFFFF"><br>
<br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr">On Thu, 31 May 2018 at
10:34 Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">The
saml validation is now Apache
CXF's SAML functionality. We
can't port the CXF's security to
rely on <br>
our Elytron. <br>
</div>
</div>
<div bgcolor="#FFFFFF">
<div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">
<br>
On 05/31/2018 05:07 PM, Darran
Lofthouse wrote:<br>
</div>
</div>
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">It sounds to me
then that the place to start
is within the SAML validation,
this is effectively an
authentication step so should
be ported over to an Elytron
based authentication - the end
result of the authentication
would then be the required
SecurityIdentity to propagate
from container to container.
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, 31 May
2018 at 03:57 Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763moz-cite-prefix">On
05/30/2018 09:47 PM,
Darran Lofthouse wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I am
currently gathering
together some
information regarding
how the JCA subsystem
handles the
requirement of
populating a Subject
for propagation into a
resource adapter,
however there is a
general question about
what is attempting to
be achieved here.
<div><br>
</div>
<div>Once an EJB is
secured using
WildFly Elytron the
associated identity
is not accessed as a
Subject instead it
is accessed a
SecurityIdentity the
current
SecurityIdentity can
always be retrieved
by calling the
current
SecurityDomain: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
<div><br>
</div>
<div>The
SecurityIdentity has
some similarity with
the Subject in that
amongst other things
it also contains a
collection of public
credentials and a
collection of
private credentials:
-</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
<div><br>
</div>
<div>So I think the
very first question
is has the
SecurityIdentity
been correctly
populated with any
delegated
credentials? If not
that is going to be
a pre-requisite for
any follow on steps
regardless.</div>
<div><br>
</div>
<div>Then secondly
what is it that is
making use of this
identity? Why can't
it be ported to make
use of the Elytron
authentication
client APIs which
amongst other things
provide support for
delegation from the
current identity.</div>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>If we need to we
can look at a
conversion to a
Subject but we are
only doing that
where it is really
required.</div>
</div>
</blockquote>
<br>
</div>
<div bgcolor="#FFFFFF"> We
don't have the
SecurityIdentity
populated, there is only
principal and subject
created by jbossws/CXF's
saml validator. <br>
We need to convert the
subject/principal to
Elytron's SecurityIdentity
or something else, then
later on EJB subystem with
Elytron <br>
security can retrieve
this authenticated info
without check it twice. So
we'd like to know how can
we convert a
subject/principal <br>
to Elytron's
SecurityIdentity and let
Elytron know this is
already authenticated and
authorized. <br>
<br>
Thanks,<br>
Jim <br>
</div>
<div bgcolor="#FFFFFF"> <br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Darran Lofthouse.</div>
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On
Wed, 30 May 2018
at 10:27 Alessio
Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>As
suggested by
Darran, I'm
forwarding the
message below
to the list on
behalf of Jim.<br>
</div>
The classes
Jim is
referring to
are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
<br>
<br>
<div><br>
<div class="gmail_quote">----------
Forwarded
message
----------<br>
From: <b class="gmail_sendername">Jim
Ma</b> <span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span><br>
Date: Wed, May
30, 2018 at
9:03 AM<br>
Subject: Set
an authorized
identity to
EltyronSecurity
Context<br>
To: Darran
Lofthouse <<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>><br>
Cc: Alessio
Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>><br>
<br>
<br>
Hi Darran,<br>
<br>
We are helping
look at a
customer issue
which requires
propagate the
authenticated
subject from
webservice
subsystem to<br>
<br>
ejb subystem.
With old
security
domain , we
can do this
with creating
a subject :<br>
<br>
@Override<br>
public
void
pushSubjectContext(final
Subject
subject, final
Principal
principal,
final Object
credential) {<br>
AccessController.doPrivileged(new
PrivilegedAction<Void>() {<br>
<br>
public Void
run() {<br>
SecurityContext securityContext =
SecurityContextAssociation.getSecurityContext();<br>
if (securityContext == null) {<br>
securityContext = createSecurityContext(getSecurityDomain());<br>
setSecurityContextOnAssociation(securityContext);<br>
}<br>
securityContext.getUtil().createSubjectInfo(principal, credential,
subject);<br>
return null;<br>
}<br>
});<br>
}<br>
<br>
<br>
After
Elytron, what
is the
equivalent
thing to do
this then ejb
can retrieve
this security
without check
this twice ?<br>
<br>
Thanks,<br>
<br>
Jim<br>
<br>
</div>
</div>
</div>
<div dir="ltr">
<div><br>
<br clear="all">
<br>
-- <br>
<div class="m_5478807400153600684gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
<div dir="ltr">
<div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
<span>Soldano</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
<p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:overpass,sans-serif" href="https://www.redhat.com" target="_blank">Red
Hat <span><br>
<br>
</span></a></p>
<table border="0">
<tbody>
<tr>
<td width="100px"><a href="https://red.ht/sig" target="_blank"> <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
</div></blockquote></div>