On Thursday, 24.03.2016, 09:55 +0000, Lauer Markus wrote:
>
> I'm looking for s/th like this:
>
> https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquil...
>
> This could possibly be combined with:
>
> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#...
>
> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
>
> But I cannot change the "keycloak" security-domain for testing...
>
Ok. Approaching a solution...
I adopted the JBossLoginContextFactory from the link above:
https://gist.github.com/anonymous/892d957dfdf289158ccc
    LoginContext loginContext =
        JBossLoginContextFactory.createLoginContext("markus.lauer(a)co-met.info",
                                                    "********");
    loginContext.login();
    log.info("principals: " + loginContext.getSubject().getPrincipals());
    Set<Principal> principals = loginContext.getSubject().getPrincipals();
    for (Principal p : principals) {
        log.info("name: " + p.getName() + ", type: " + p.getClass());
    }
Output:

    principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data, user, manage-master-data, markus.lauer(a)co-met.info]
    name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class org.keycloak.KeycloakPrincipal
    name: view-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: manage-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
    name: markus.lauer(a)co-met.info, type: class org.jboss.security.SimplePrincipal
Login works!
But unfortunately I still cannot access the secured EJB:

    Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            log.info("count: " + securedEJB.count());
            return null;
        }
    });
This throws an exception:

    javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User

Here is a snippet of SecuredEJB:

    @Stateless
    @SecurityDomain("keycloak")
    @DeclareRoles({ "view-master-data", "manage-master-data" })
    public class SecuredEJB {
        @RolesAllowed({ "view-master-data" })
        public int count() {
            // ...
        }
    }
Any ideas on how to deal with the "Invalid User"?
Perhaps the Keycloak UUID vs. username?
Regards,
Markus.
No ideas? No comment?
Another possible problem:
The configured security domain in WildFly is called "keycloak" and uses
the default LoginModule "KeycloakLoginModule".
Now I'm trying to access secured EJBs in this security domain
("keycloak") with another LoginModule: DirectAccessGrantsLoginModule.
Is this possible at least?
There is also a bug report in this context:
https://issues.jboss.org/browse/WFLY-4626
Is this the same bug here?
To recap: the only thing I'm trying to accomplish is to access secured
EJBs from automated tests (Arquillian). The @RunAs solution (see above /
last mails in this thread) is not sufficient.
Is there an easier way? (Stripping @RolesAllowed annotations in tests,
deactivating security in tests, etc.)
Regards,
Markus.
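As an added example (not code from this mail, from the linked gist, or from Keycloak itself): a small JAAS test helper that logs in through org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule using an in-code Configuration, so the server's "keycloak" security domain is never modified, and then checks that the Subject actually carries the role the EJB demands before the EJB is called. This separates the two possible causes of a WFLYSEC0027 "Invalid User": a role missing from the JAAS Subject (client side) versus the EJB's own security domain rejecting the caller (server side). The option keys "keycloak-config-file" and "role-principal-class", the JAAS application name "direct-grant-test", the credentials and the keycloak.json path are assumptions and placeholders; the Keycloak adapter jar is assumed to be on the test classpath.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: direct-grant JAAS login plus a role precondition check,
 * so that a later EJBAccessException cannot be caused by a missing role
 * on the client side.
 */
public class DirectGrantRoleCheck {

    // Class names as they appear in the mail above.
    static final String LOGIN_MODULE = "org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule";
    static final String ROLE_PRINCIPAL = "org.keycloak.adapters.jaas.RolePrincipal";

    // Hypothetical JAAS application name, used only to look up the in-code Configuration.
    static final String APP_NAME = "direct-grant-test";

    /** In-code JAAS Configuration: the server's "keycloak" domain stays untouched. */
    static Configuration directGrantConfig(final String keycloakJsonPath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!APP_NAME.equals(name)) {
                    return null;
                }
                Map<String, String> options = new HashMap<>();
                // Assumed option keys of the Keycloak adapter login module; verify them
                // against the user guide chapter linked in the mail for your adapter version.
                options.put("keycloak-config-file", keycloakJsonPath);
                options.put("role-principal-class", ROLE_PRINCIPAL);
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(LOGIN_MODULE, LoginModuleControlFlag.REQUIRED, options)
                };
            }
        };
    }

    /** Answers the module's NameCallback/PasswordCallback with the test credentials. */
    static CallbackHandler credentials(final String username, final char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "not supported by this test");
                }
            }
        };
    }

    /** Performs the direct-grant login and returns the authenticated Subject. */
    static Subject login(String username, char[] password, String keycloakJsonPath)
            throws LoginException {
        LoginContext lc = new LoginContext(APP_NAME, null,
                credentials(username, password), directGrantConfig(keycloakJsonPath));
        lc.login();
        return lc.getSubject();
    }

    /** Role names in the Subject, matched by class name to avoid a compile-time adapter dependency. */
    static Set<String> roleNames(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (ROLE_PRINCIPAL.equals(p.getClass().getName())) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    /** Fails fast, with the roles actually present, when a required role is missing. */
    static void requireRole(Subject subject, String role) {
        Set<String> roles = roleNames(subject);
        if (!roles.contains(role)) {
            throw new IllegalStateException("login succeeded but role '" + role
                    + "' is missing; roles present: " + roles);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder credentials and adapter config path; replace with test-realm values.
        Subject subject = login("test-user@example.invalid", "********".toCharArray(),
                "/path/to/keycloak.json");
        requireRole(subject, "view-master-data"); // the role SecuredEJB.count() demands
        System.out.println("roles: " + roleNames(subject));
        // Only now call the secured EJB (e.g. inside Subject.doAs as in the mail).
    }
}
```

With the principal list printed in the mail, requireRole would pass, which confirms that the login module and realm role mapping are fine and that the remaining "Invalid User" has to be resolved on the EJB side, i.e. in how the "keycloak" security domain bound to SecuredEJB authenticates the caller, which is exactly the open question in the last paragraphs above.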