2:48 p.m.
----- Original Message -----
From: "Sean Flanigan" <sflaniga(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: security-dev(a)lists.jboss.org
Sent: Monday, July 13, 2015 2:31:36 AM
Subject: Re: [security-dev] Replacing Seam RunAsOperation (impersonate)
On 2015-07-10 22:27, Pedro Igor Silva wrote:
> Hey Sean,
>
> You are right, PL is missing that feature. It was planned but now the
> PL and KC are merging I'm not sure if we are going to implement it in
> PL.
Ah yes, thanks for reminding me about the Keycloak merger. Sounds like
that might make it all moot. I don't suppose it has an impersonation
feature similar to the one in Seam?
> Regarding your question, there is no easy way to specify your own
> Identity implementation. However, I'm wondering if you can use a
> custom CDI scope for that. PicketLink allows you to define a specific
> scope for the Identity bean.
So, some sort of short-lived scope for Identity, plus login via a dummy
Authenticator? That might work, although it sounds more complex than
what I had in mind for modifying Identity.getAccount() to use a
ThreadLocal (ugly though it sounds).
I'm wondering if you can try the window scope from Apache DeltaSpike. I remember an
user doing something similar a long time ago using this scope.
But how does one configure the Identity bean's scope? I found slides 6
and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014. Is there
a compiled example anywhere?
http://docs.jboss.org/picketlink/2/latest/reference/html-single/#Defining...
Would it be possible to change IdentityBeanDefinition to allow more
customisation, eg for getBeanClass()?
Also, is there some way I can disable PicketLinkExtension, so that I can
replace it with one which uses a modified IdentityBeanDefinition?
I don't think CDI allows to disable an extension defined in a jar, like in our case. I
believe this JIRA [1] is related with that.
[1] https://issues.jboss.org/browse/CDI-157
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Sean Flanigan" <sflaniga(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Sent: Friday, July 10, 2015 5:37:51 AM
> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
>
> I was hoping I had missed an impersonation feature[1], but now I'm
> thinking there isn't one in PicketLink. Assuming I have to subclass and
> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
> about convincing PicketLink to use my implementation?
>
> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
> implementation. Is there some way of telling (or overriding)
> IdentityBeanDefinition to use my Identity bean class?
>
> [1] https://developer.jboss.org/thread/260993
>
> Regards,
>
> Sean.
>
--
Sean Flanigan
Principal Software Engineer
Globalisation Tools Engineering
Red Hat