Paul Moore created SECURITY-789:
-----------------------------------
Summary: Credential stored in Subject is not propagated to the CredentialIdentity
Key: SECURITY-789
URL: https://issues.jboss.org/browse/SECURITY-789
Project: PicketBox
Issue Type: Enhancement
Security Level: Public (Everyone can see)
Components: JBossSX
Affects Versions: PicketBox_4_0_20.Final
Environment: Darwin 13.0.2 Darwin Kernel Version 13.0.2: Sun Sep 29 19:38:57 PDT 2013; root:xnu-2422.75.4~1/RELEASE_X86_64
java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)
Wildfly-8.0.0.Final-SNAPSHOT
Reporter: Paul Moore
Assignee: Stefan Guilhen
h4. Use case
A JASPI ServerAuthModule authenticates the user in the web layer (OAuth 2 Bearer token) and stores a
"BearerCredential" in the Subject. Authentication works in the Servlet
container, but fails at the service tier (EJB) because the credential is not part of the
CredentialIdentity.
h4. Root cause
[JBossCallbackHandler|http://anonsvn.jboss.org/repos/picketbox/tags/4.0.20...]
manages the mapping of Subject to Identity, but does not use credentials stored in Subject
as part of the Identity creation process (PasswordValidationCallback uses callback
properties directly).
Authentication at the EJB (service) tier fails because the Credential is not stored in the
CredentialIdentity and is therefore unavailable to
JBossSecurityContextUtil.getCredential().
h4. Approach
In discussion with asaldhan and sguilhen on IRC (#picketbox), it was agreed that:
# PicketBox source code would be (re)migrated to GitHub - asaldhan
# JASPICallbackHandler would be modified to obtain a Credential from the Subject (if
available) during the CallerPrincipalCallback handling - paulkmoore
h4. Note(s)
# There is inherent tension in the mapping between Subject and Identity (SecurityContext)
which may require a larger piece of work to resolve (i.e. Subject can have many
Principals, many public credentials and many private credentials).
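As an added illustration of the approach proposed above (not PicketBox code), the handler below maps a CallerPrincipalCallback to a principal plus the credential found in the Subject, and treats the many-credentials case from the note as an error rather than guessing. It uses only the standard JAAS/JASPIC API; BearerCredential and MappedIdentity are hypothetical stand-ins for the report's types.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;

/** Hypothetical stand-in for the report's "BearerCredential"; the token is never printed. */
final class BearerCredential {
    private final String token;
    BearerCredential(String token) { this.token = token; }
    @Override public String toString() { return "BearerCredential[redacted]"; }
}

/** Hypothetical result of the mapping: what would be pushed into the SecurityContext. */
final class MappedIdentity {
    final Principal principal;
    final Object credential;   // null when the Subject carried no credential
    MappedIdentity(Principal p, Object c) { principal = p; credential = c; }
}

final class SubjectCredentialCallbackHandler implements CallbackHandler {
    MappedIdentity last;

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof CallerPrincipalCallback)) throw new UnsupportedCallbackException(cb);
            CallerPrincipalCallback cpc = (CallerPrincipalCallback) cb;
            // Key change vs. the reported behaviour: take the credential from the Subject itself.
            last = new MappedIdentity(cpc.getPrincipal(), credentialFrom(cpc.getSubject()));
        }
    }

    /** Exactly one BearerCredential is propagated; none yields null, several is rejected as ambiguous. */
    static Object credentialFrom(Subject subject) {
        if (subject == null) return null;
        Set<BearerCredential> creds = subject.getPrivateCredentials(BearerCredential.class);
        if (creds.isEmpty()) return null;
        if (creds.size() > 1) throw new IllegalStateException("ambiguous: " + creds.size() + " bearer credentials");
        return creds.iterator().next();
    }

    public static void main(String[] args) throws Exception {
        Subject s = new Subject();                       // constructed sample Subject
        Principal user = new Principal() { public String getName() { return "alice"; } };
        s.getPrincipals().add(user);
        s.getPrivateCredentials().add(new BearerCredential("constructed-token"));
        SubjectCredentialCallbackHandler h = new SubjectCredentialCallbackHandler();
        h.handle(new Callback[] { new CallerPrincipalCallback(s, user) });
        System.out.println(h.last.principal.getName() + " -> " + h.last.credential);
    }
}
```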