Thank you for the pointer.
I would have expected that this would be supported out of the box.
Another comment.
In the logout method of AbstractKeycloakLoginModule.java, we remove the RolePrincipal.class principals from the subject's principals.
We can, though, configure the class used for the 'role' principal. Should that class be used instead?
Juan.
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Thursday, March 09, 2017 12:23 AM
To: Amat, Juan (Nokia - US) <juan.amat(a)nokia.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] JAAS plugin and roles
I recently did some example of the remote EJB client. You're right, there are special groups on Wildfly, which the JAAS Subject needs to be a member of.
See the example here [1]. Especially take a look at the security-domain configuration and the "ConvertKeycloakRolesLoginModule", which needs to be put in the chain after DirectAccessGrantsLoginModule.
Btw. if you are using web (HttpServletRequest etc), you should maybe rather use our OIDC/SAML adapters? But maybe I am missing something in your setup...
[1] https://github.com/mposolda/keycloak-remote-ejb
Marek
On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
> I was trying to use this login module with an application deployed on Wildfly 10:
> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> And it kind of worked.
> By that I mean that when you log in, you are authenticated fine but then calling HttpServletRequest.isUserInRole(xxx) did not work.
>
> The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group.
>
> This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html says:
>
> "The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal.
> The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set.
> The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login."
>
> A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work.
>
> Am I doing something wrong?
>
> Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
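As an added illustration (not code from this thread, from Keycloak, or from the linked repository), this is the shape of a login module stacked after the Keycloak one that republishes the Subject's role principals in the "Roles" group and its identity in "CallerPrincipal", the two groups the quoted JBossSX documentation says isUserInRole/isCallerInRole and getCallerPrincipal consult. It assumes PicketBox's org.jboss.security.SimpleGroup/SimplePrincipal (Wildfly 10's JBossSX implementation) and two hypothetical module options, roleClass and userClass, naming the principal classes the upstream module produces.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
// Stacked after the Keycloak login module; authenticates nothing itself, only
// republishes the upstream principals in the "Roles" and "CallerPrincipal" groups.
public class RolesGroupLoginModule implements LoginModule {
    private Subject subject;
    private String roleClass; // module option (assumed): class name of the role principals
    private String userClass; // module option (assumed): class name of the identity principal

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.roleClass = (String) options.get("roleClass");
        this.userClass = (String) options.get("userClass");
    }

    @Override public boolean login() { return true; } // upstream module already authenticated
    @Override public boolean abort() { return true; }

    @Override
    public boolean commit() {
        SimpleGroup roles = new SimpleGroup("Roles");            // isUserInRole / isCallerInRole
        SimpleGroup caller = new SimpleGroup("CallerPrincipal"); // getCallerPrincipal
        for (Principal p : subject.getPrincipals()) {
            String cls = p.getClass().getName();
            if (cls.equals(roleClass)) {
                roles.addMember(new SimplePrincipal(p.getName()));
            } else if (cls.equals(userClass)) {
                caller.addMember(new SimplePrincipal(p.getName()));
            }
        }
        subject.getPrincipals().add(roles);
        if (caller.members().hasMoreElements()) { // no empty group: JBossSX then falls
            subject.getPrincipals().add(caller);  // back to the login identity
        }
        return true;
    }

    @Override
    public boolean logout() { // remove only the groups this module added
        subject.getPrincipals().removeIf(p -> p instanceof SimpleGroup
                && (p.getName().equals("Roles") || p.getName().equals("CallerPrincipal")));
        return true;
    }
}
```

Because the module only reads principals already in the Subject, it must be listed after the Keycloak module in the security domain and marked so that the chain still succeeds on its own result.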