<div dir="ltr">Exactly. In addition to a security domain referencing the realm and an http-authentication-factory referencing the domain.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 7, 2018 at 6:17 AM, Jim Ma <span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_6129916239530327338moz-cite-prefix">Just to understand. I saw the SecurityIdentity will be called by KeycloakHttpServerAuthenticationMechanism, and this will finally trigger<br>
the KeycloakSecurityRealm to create identity. To make this all work, we need to <br>
configure KeycloakSecurityRealm and KeycloakHttpServerAuthenticationMechanism under the Elytron subsystem, right?<div><div class="h5"><br>
<br>
<br>
06/07/2018 12:25 AM, Pedro Igor Silva wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">I don't think Keycloak integration code can be
worked to be a common utility.
<div><br>
</div>
<div>It seems to me that you would need a specific security
realm implementation from where you could just return an
authorized identity as a result of parsing the SAML assertion.
Here is what we have in Keycloak [1]. As you can see, we are
basically trusting a KeycloakPrincipal, previously created by
the keycloak adapter, and creating an authorization identity
from it. We don't re-authenticate the user.</div>
<div><br>
</div>
<div>So when pushContext is called, you could use
serverauthenticationcontext and the CBH to ask Elytron for a
security identity. See [2]. In this last example, we pass the
previously authenticated principal via <span style="color:rgb(36,41,46);font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:12px;white-space:pre-wrap;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">EvidenceVerifyCallback.</span></div>
<div><span style="color:rgb(36,41,46);font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:12px;white-space:pre-wrap;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">
</span></div>
<div><span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">I
think this might work for you.</span><br>
</div>
<div><br>
</div>
<div>[1] <a href="https://github.com/pedroigor/keycloak/blob/d3e559453b7dcf6f0d9f32c5a9a7f8c49403bb3a/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/KeycloakSecurityRealm.java#L83" target="_blank">https://github.com/<wbr>pedroigor/keycloak/blob/<wbr>d3e559453b7dcf6f0d9f32c5a9a7f8<wbr>c49403bb3a/adapters/oidc/<wbr>wildfly-elytron/src/main/java/<wbr>org/keycloak/adapters/elytron/<wbr>KeycloakSecurityRealm.java#L83</a></div>
<div>[2] <a href="https://github.com/pedroigor/keycloak/blob/d3dee07956be8d0ac69466ac9367984ab0ea072d/adapters/oidc/wildfly-elytron/src/main/java/org/keycloak/adapters/elytron/SecurityIdentityUtil.java#L45" target="_blank">https://github.com/<wbr>pedroigor/keycloak/blob/<wbr>d3dee07956be8d0ac69466ac936798<wbr>4ab0ea072d/adapters/oidc/<wbr>wildfly-elytron/src/main/java/<wbr>org/keycloak/adapters/elytron/<wbr>SecurityIdentityUtil.java#L45</a></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Jun 6, 2018 at 12:30 AM, Jim Ma
<span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div class="m_6129916239530327338m_-520751116552800486moz-cite-prefix">On
06/04/2018 09:31 PM, Pedro Igor Silva wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">In Keycloak integration we have a specific security realm implementation that expects a principal previously authenticated by a keycloak adapter (e.g.: using SAML or OIDC) and builds an authorized identity based on it. Basically, what this security realm does is populate the authorized identity with information from tokens.</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br>
</div>
</span></div>
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Later we complete authentication in Elytron and set the token as a credential into the identity. It is worth mentioning that in Keycloak integration, the adapter is an Elytron HTTP Authentication Mechanism, so we don't deal directly with the security domain but with the callback handler.</span>
<div><br>
</div>
<div>Regarding ElytronSecurityDomainContextImpl, is method pushContext called after a call to isValid? If so, the security domain should be set with the security identity and you don't even need to keep that ThreadLocal ...<br>
</div>
</div>
</blockquote>
<br>
</span> Thanks Pedro. Do you think the keycloak Elytron integration code can be improved or changed to a common utility to convert the principal to an Elytron identity?<br>
Can you please point me to the integration code or some Elytron example code snippet to build this authorized identity from an authenticated principal? <br>
<div>
<div class="m_6129916239530327338h5"> <br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, May 31, 2018
at 7:03 AM, Darran Lofthouse <span dir="ltr"><<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Just added Pedro in CC to see if he has any suggestions - this is sounding similar to the problems he would have needed to handle when he added support for KeyCloak integration using the Elytron APIs. </div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Although the reported problem we are working on is in the context of access to the token it does currently sound that there is a missing pre-requisite step of tying the authentication to Elytron so we can populate a SecurityIdentity. But this does not sound like the first time we have needed to approach this. </div>
</div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Darran Lofthouse.</div>
<div>
<div class="m_6129916239530327338m_-520751116552800486gmail-h5">
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Thu, 31 May
2018 at 10:54 Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_6129916239530327338m_-520751116552800486gmail-m_6817568120572316212m_6492737856986601187moz-cite-prefix">On
05/31/2018 05:37 PM,
Darran Lofthouse wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">So the validation is within Apache CXF - is there an end result to this validation where you have access to everything you need where we could perform some additional steps?
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
<div bgcolor="#FFFFFF"> After Apache CXF validation, we can get a LoginContext from CXF's exchange message: <a class="m_6129916239530327338m_-520751116552800486gmail-m_6817568120572316212m_6492737856986601187moz-txt-link-freetext" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java" target="_blank">https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java</a><br>
Can we do something to convert it to an Elytron authenticated identity? <br>
Or do we have to hook/replace something with Elytron in CXF's validation to make this work?</div>
<div bgcolor="#FFFFFF"><br>
<br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr">On Thu,
31 May 2018 at 10:34
Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_6129916239530327338m_-520751116552800486gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">The saml validation is now Apache CXF's SAML functionality. We can't port CXF's security to rely on <br>
our Elytron. <br>
</div>
</div>
<div bgcolor="#FFFFFF">
<div class="m_6129916239530327338m_-520751116552800486gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830moz-cite-prefix">
<br>
On 05/31/2018
05:07 PM, Darran
Lofthouse wrote:<br>
</div>
</div>
<div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">It sounds to me then that the place to start is within the SAML validation, this is effectively an authentication step so should be ported over to an Elytron based authentication - the end result of the authentication would then be the required SecurityIdentity to propagate from container to container.
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On
Thu, 31 May
2018 at 03:57
Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div class="m_6129916239530327338m_-520751116552800486gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763moz-cite-prefix">On
05/30/2018
09:47 PM,
Darran
Lofthouse
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I am currently gathering together some information regarding how the JCA subsystem handles the requirement of populating a Subject for propagation into a resource adapter, however there is a general question about what is attempting to be achieved here.
<div><br>
</div>
<div>Once an EJB is secured using WildFly Elytron the associated identity is not accessed as a Subject, instead it is accessed as a SecurityIdentity; the current SecurityIdentity can always be retrieved by calling the current SecurityDomain: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--" target="_blank">http://wildfly-security.github<wbr>.io/wildfly-elytron/1.3.x/api-<wbr>javadoc/org/wildfly/security/a<wbr>uth/server/SecurityDomain.html<wbr>#getCurrent--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--" target="_blank">http://wildfly-security.github<wbr>.io/wildfly-elytron/1.3.x/api-<wbr>javadoc/org/wildfly/security/a<wbr>uth/server/SecurityDomain.html<wbr>#getCurrentSecurityIdentity--</a></div>
<div><br>
</div>
<div>The SecurityIdentity has some similarity with the Subject in that amongst other things it also contains a collection of public credentials and a collection of private credentials: -</div>
<div><br>
</div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--" target="_blank">http://wildfly-security.github<wbr>.io/wildfly-elytron/1.3.x/api-<wbr>javadoc/org/wildfly/security/a<wbr>uth/server/SecurityIdentity.ht<wbr>ml#getPublicCredentials--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--" target="_blank">http://wildfly-security.github<wbr>.io/wildfly-elytron/1.3.x/api-<wbr>javadoc/org/wildfly/security/a<wbr>uth/server/SecurityIdentity.ht<wbr>ml#getPrivateCredentials--</a></div>
<div><br>
</div>
<div>So I think the very first question is has the SecurityIdentity been correctly populated with any delegated credentials? If not that is going to be a pre-requisite for any follow on steps regardless.</div>
<div><br>
</div>
<div>Then secondly what is it that is making use of this identity? Why can't it be ported to make use of the Elytron authentication client APIs which amongst other things provide support for delegation from the current identity?</div>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>If we need to we can look at a conversion to a Subject but we are only doing that where it is really required.</div>
</div>
</blockquote>
<br>
</div>
<div bgcolor="#FFFFFF">
We don't have the SecurityIdentity populated, there is only principal and subject created by jbossws/CXF's saml validator. <br>
We need to convert the subject/principal to Elytron's SecurityIdentity or something else, then later on EJB subsystem with Elytron <br>
security can retrieve this authenticated info without checking it twice. So we'd like to know how we can convert a subject/principal <br>
to Elytron's SecurityIdentity and let Elytron know this is already authenticated and authorized. <br>
<br>
Thanks,<br>
Jim <br>
</div>
<div bgcolor="#FFFFFF">
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Regards,</div>
<div>Darran Lofthouse.</div>
<div><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 30 May 2018 at 10:27 Alessio Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>As suggested by Darran, I'm forwarding the message below to the list on behalf of Jim.<br>
</div>
The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
<br>
<br>
<div><br>
<div class="gmail_quote">---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">Jim Ma</b> <span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span><br>
Date: Wed, May 30, 2018 at 9:03 AM<br>
Subject: Set an authorized identity to Elytron SecurityContext<br>
To: Darran Lofthouse <<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>><br>
Cc: Alessio Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>><br>
<br>
<br>
Hi Darran,<br>
<br>
We are helping look at a customer issue which requires propagating the authenticated subject from the webservice subsystem to<br>
<br>
the ejb subsystem. With the old security domain, we can do this by creating a subject:<br>
<br>
// Legacy (PicketBox) security-domain path; SecurityContext and SecurityContextAssociation are org.jboss.security classes.<br>
// createSecurityContext, getSecurityDomain and setSecurityContextOnAssociation are helpers of the enclosing class (not shown).<br>
import java.security.AccessController;<br>
import java.security.Principal;<br>
import java.security.PrivilegedAction;<br>
import javax.security.auth.Subject;<br>
import org.jboss.security.SecurityContext;<br>
import org.jboss.security.SecurityContextAssociation;<br>
<br>
@Override<br>
public void pushSubjectContext(final Subject subject, final Principal principal, final Object credential) {<br>
    AccessController.doPrivileged(new PrivilegedAction<Void>() {<br>
        public Void run() {<br>
            // Reuse the SecurityContext already associated with this thread, or create one for our security domain<br>
            SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();<br>
            if (securityContext == null) {<br>
                securityContext = createSecurityContext(getSecurityDomain());<br>
                setSecurityContextOnAssociation(securityContext);<br>
            }<br>
            // Attach the already-validated principal/credential/subject so the EJB side does not authenticate again<br>
            securityContext.getUtil().createSubjectInfo(principal, credential, subject);<br>
            return null;<br>
        }<br>
    });<br>
}<br>
<br>
<br>
After Elytron, what is the equivalent thing to do so that ejb can retrieve this security without checking this twice?<br>
<br>
Thanks,<br>
<br>
Jim<br>
<br>
<br>
</div>
</div>
</div>
<div dir="ltr">
<div><br>
<br clear="all">
<br>
-- <br>
<div class="m_6129916239530327338m_-520751116552800486gmail-m_6817568120572316212m_6492737856986601187m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
<div dir="ltr">
<div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
<span>Soldano</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate
Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
<p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:overpass,sans-serif" href="https://www.redhat.com" target="_blank">Red
Hat <span><br>
<br>
</span></a></p>
<table border="0">
<tbody>
<tr>
<td width="100px"><a href="https://red.ht/sig" target="_blank"> <img src="https://www.redhat.com/files/brand/email/sig-redhat.png" height="auto" width="90"></a>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</blockquote>
<p><br>
</p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<p><br>
</p>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<p><br>
</p>
</div></div></div>
</blockquote></div><br></div>
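<div dir="ltr">The pattern Pedro describes (a realm that trusts a principal the adapter already authenticated and builds the authorized identity from it, then asking a ServerAuthenticationContext for a SecurityIdentity with evidence that carries that principal, as in [2]) applied to Jim's CXF-validated SAML principal, as an added example that is not code from this thread, from Keycloak or from WildFly. ValidatedSamlPrincipal, PreAuthenticatedSamlRealm and PreAuthenticatedSamlFlow are hypothetical names standing in for whatever CXF's validator produces; the Elytron API calls are the public ones of WildFly Elytron 1.x.</div>

```java
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Set;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.server.*;   // RealmIdentity, SecurityRealm, SecurityDomain, SecurityIdentity, ServerAuthenticationContext
import org.wildfly.security.authz.*;         // AuthorizationIdentity, MapAttributes, RoleDecoder
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.permission.PermissionVerifier;

/** Hypothetical principal type that only the external (CXF) SAML validation step is allowed to create. */
final class ValidatedSamlPrincipal implements Principal {
    private final String name; final Set<String> roles;
    ValidatedSamlPrincipal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    @Override public String getName() { return name; }
}
/** Realm that never authenticates: it only maps an already-validated principal to an authorized identity. */
final class PreAuthenticatedSamlRealm implements SecurityRealm {
    @Override public RealmIdentity getRealmIdentity(Principal principal) {
        // Only the validator's own principal type is accepted; a plain name must not be enough to get an identity.
        if (!(principal instanceof ValidatedSamlPrincipal)) return RealmIdentity.NON_EXISTENT;
        ValidatedSamlPrincipal p = (ValidatedSamlPrincipal) principal;
        return new RealmIdentity() {
            public Principal getRealmIdentityPrincipal() { return p; }
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> t, String a, AlgorithmParameterSpec s) { return SupportLevel.UNSUPPORTED; }
            public <C extends Credential> C getCredential(Class<C> t) { return null; }
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> t, String a) { return SupportLevel.SUPPORTED; }
            public boolean verifyEvidence(Evidence e) { return p.equals(e.getPrincipal()); } // trust, no re-authentication
            public boolean exists() { return true; }
            public AuthorizationIdentity getAuthorizationIdentity() {
                MapAttributes attrs = new MapAttributes();
                attrs.addAll("Roles", p.roles); // roles come from the validated assertion only
                return AuthorizationIdentity.basicIdentity(attrs);
            }
        };
    }
    @Override public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> t, String a, AlgorithmParameterSpec s) { return SupportLevel.UNSUPPORTED; }
    @Override public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> t, String a) { return SupportLevel.SUPPORTED; }
}
final class PreAuthenticatedSamlFlow {
    /** Domain over the realm: the mapper grants LoginPermission only; roles are decoded from the "Roles" attribute. */
    static SecurityDomain buildDomain() {
        return SecurityDomain.builder().setDefaultRealmName("saml")
                .addRealm("saml", new PreAuthenticatedSamlRealm()).build()
                .setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()))
                .setRoleDecoder(RoleDecoder.simple("Roles"))
                .build();
    }
    /** Drives the Elytron state machine with evidence carrying the validated principal (the flow in [2] without the CallbackHandler). */
    static SecurityIdentity toSecurityIdentity(SecurityDomain domain, ValidatedSamlPrincipal p) throws Exception {
        ServerAuthenticationContext sac = domain.createNewAuthenticationContext();
        Evidence evidence = new Evidence() { @Override public Principal getPrincipal() { return p; } };
        if (!sac.verifyEvidence(evidence)) throw new SecurityException("realm rejected " + p.getName());
        if (!sac.authorize()) throw new SecurityException("authorization failed for " + p.getName());
        sac.succeed();
        return sac.getAuthorizedIdentity(); // the SecurityIdentity to propagate to the EJB container
    }
}
```

<div dir="ltr">Because such a realm accepts whatever principal it is handed, the instanceof check and the LoginPermission-only permission mapper are what keep it from turning an arbitrary name into an authorized identity; the realm must only be reachable after CXF's validation has actually run.</div>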