-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Friday, March 10, 2017 2:35 AM
To: Amat, Juan (Nokia - US) <juan.amat(a)nokia.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] JAAS plugin and roles
On 09/03/17 15:33, Amat, Juan (Nokia - US) wrote:
> Thank you for the pointer.
>
> I would have expected that this would be supported out of the box.
If there are enough people asking for it, we can add it though. Feel free to create a JIRA.
>
> Another comment.
> In the logout method of AbstractKeycloakLoginModule.java, we remove the RolePrincipal.class principals from the subject's principals.
> We can though configure the class used for the 'role' principal. Should this class be used instead?
Yes, good point. Feel free to add that into the JIRA too.
Marek
>
> Juan.
>> -----Original Message-----
>> From: Marek Posolda [mailto:mposolda@redhat.com]
>> Sent: Thursday, March 09, 2017 12:23 AM
>> To: Amat, Juan (Nokia - US) <juan.amat(a)nokia.com>; keycloak-user(a)lists.jboss.org
>> Subject: Re: [keycloak-user] JAAS plugin and roles
>>
>> I recently did some example of the remote EJB client. You're right,
>> there are special groups on Wildfly, which JAAS Subject needs to be member of.
>>
>> See the example here [1]. Especially take a look at the
>> security-domain configuration and the
>> "ConvertKeycloakRolesLoginModule", which needs to be put to the chain
>> after DirectAccessGrantsLoginModule.
>>
>> Btw. if you are using web (HttpServletRequest etc), you should maybe
>> rather use our OIDC/SAML adapters? But maybe I am missing something in
>> your setup...
>>
>> [1] https://github.com/mposolda/keycloak-remote-ejb
>>
>> Marek
>>
>> On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
>>> I was trying to use this login module with an application deployed
>>> on Wildfly 10:
>>> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
>>> And it kind of worked.
>>> By that I mean that when you log in, you are authenticated fine but
>>> then calling HttpServletRequest.isUserInRole(xxx) did not work.
>>>
>>> The reason is that JBoss (EAP and Wildfly I think) expects the roles
>>> in a specific group.
>>> This page
>>> https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html
>>> says:
>>> "The JBossSX framework uses two well-known role sets with the names
>>> Roles and CallerPrincipal.
>>> The Roles group is the collection of Principals for the named roles
>>> as known in the application domain under which the Subject has been
>>> authenticated. This role set is used by methods like the
>>> EJBContext.isCallerInRole(String), which EJBs can use to see if the
>>> current caller belongs to the named application domain role. The
>>> security interceptor logic that performs method permission checks also uses
>>> this role set.
>>> The CallerPrincipalGroup consists of the single Principal identity
>>> assigned to the user in the application domain. The
>>> EJBContext.getCallerPrincipal() method uses the CallerPrincipal to
>>> allow the application domain to map from the operation environment
>>> identity to a user identity suitable for the application. If a
>>> Subject does not have a CallerPrincipalGroup, the application identity is the
>>> same used for login."
>>> A q&d patch of AbstractKeycloakLoginModule.java makes the whole
>>> thing work.
>>> Am I doing something wrong?
>>>
>>> Thank you.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
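As an added illustration of the "Roles" group requirement discussed in this thread (this is example code written for this page, not Keycloak's own code nor the ConvertKeycloakRolesLoginModule from the keycloak-remote-ejb repository): a JAAS login module placed in the chain after a module such as DirectAccessGrantsLoginModule, which collects the per-role principals that module left in the Subject and wraps their names into a java.security.acl.Group named "Roles", the group that JBoss/Wildfly's isUserInRole and isCallerInRole checks consult. The class name RolesGroupLoginModule and the option name role-principal-class are assumptions made for this example; the code relies on picketbox's SimpleGroup and SimplePrincipal (shipped with Wildfly 10) and, absent the option, assumes Keycloak's org.keycloak.adapters.jaas.RolePrincipal as the role principal class. Its logout removes both the group it added and the role principals of the configured class, which is the point raised above about logout honouring the configured role class.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/**
 * Hypothetical chained login module (example for this page, not a Keycloak class).
 * Runs after a module that has already added one Principal per Keycloak role to
 * the Subject, and exposes those roles to the container through the well-known
 * "Roles" group that JBossSX consults for isUserInRole / isCallerInRole.
 */
public class RolesGroupLoginModule implements LoginModule {

    // Option name is an assumption for this example, not a documented Keycloak option.
    static final String ROLE_CLASS_OPTION = "role-principal-class";
    static final String DEFAULT_ROLE_CLASS = "org.keycloak.adapters.jaas.RolePrincipal";
    static final String ROLES_GROUP = "Roles";

    private Subject subject;
    private Class<?> roleClass;
    private Group rolesGroup;   // kept so that logout removes exactly what commit added

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        String className = (String) options.get(ROLE_CLASS_OPTION);
        if (className == null) {
            className = DEFAULT_ROLE_CLASS;
        }
        try {
            roleClass = Class.forName(className, true,
                    Thread.currentThread().getContextClassLoader());
        } catch (ClassNotFoundException e) {
            throw new IllegalArgumentException("Unknown role principal class: " + className, e);
        }
    }

    @Override
    public boolean login() {
        // This module authenticates nothing; it only maps roles already in the Subject.
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        Set<Principal> roles = collectRolePrincipals(subject, roleClass);
        if (roles.isEmpty()) {
            // Nothing to map: leave the Subject untouched rather than adding an empty group.
            return false;
        }
        rolesGroup = new SimpleGroup(ROLES_GROUP);
        for (Principal role : roles) {
            rolesGroup.addMember(new SimplePrincipal(role.getName()));
        }
        subject.getPrincipals().add(rolesGroup);
        return true;
    }

    @Override
    public boolean abort() {
        rolesGroup = null;
        return true;
    }

    @Override
    public boolean logout() {
        // Remove the group this module created and the role principals of the
        // configured class, so no stale role membership survives the logout.
        if (rolesGroup != null) {
            subject.getPrincipals().remove(rolesGroup);
            rolesGroup = null;
        }
        subject.getPrincipals().removeAll(collectRolePrincipals(subject, roleClass));
        return true;
    }

    /** Principals in the Subject whose class is (or extends) the configured role class. */
    static Set<Principal> collectRolePrincipals(Subject subject, Class<?> roleClass) {
        Set<Principal> out = new HashSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClass.isInstance(p)) {
                out.add(p);
            }
        }
        return out;
    }
}
```

In the security domain's login-module chain this module would be listed after DirectAccessGrantsLoginModule, so that the Keycloak role principals already exist in the Subject when its commit() runs; if a different role principal class is configured for the Keycloak module, the same class name is passed through the (assumed) role-principal-class option so that both the mapping and the logout cleanup operate on the same principals.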