I'm looking for something like this:
https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquil...
This could possibly be combined with:
https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#...
org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
But I cannot change the "keycloak" security-domain for testing...
Ok. Approaching a solution...
I adopted the JBossLoginContextFactory from the link above:
https://gist.github.com/anonymous/892d957dfdf289158ccc

    LoginContext loginContext =
        JBossLoginContextFactory.createLoginContext("markus.lauer(a)co-met.info", "********");
    loginContext.login();
    log.info("principals: " + loginContext.getSubject().getPrincipals());
    Set<Principal> principals = loginContext.getSubject().getPrincipals();
    for ( Principal p : principals ) {
        log.info("name: " + p.getName() + ", type: " + p.getClass());
    }

Output:

    principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data, user, manage-master-data, markus.lauer(a)co-met.info]
    name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class org.keycloak.KeycloakPrincipal
    name: view-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: manage-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: markus.lauer(a)co-met.info, type: class org.jboss.security.SimplePrincipal

Login works!
But unfortunately I still cannot access the secured EJB:

    Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            log.info("count: " + securedEJB.count());
            return null;
        }
    });

This throws an exception:
javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
Here is a snippet of SecuredEJB:

    @Stateless
    @SecurityDomain("keycloak")
    @DeclareRoles({ "view-master-data", "manage-master-data" })
    public class SecuredEJB {
        @RolesAllowed({"view-master-data"})
        public int count() {
            ....
        }
    }

Any ideas how to deal with the "Invalid User"?
Perhaps the keycloak UUID vs. username?
Regards,
Markus.