Hey Sean, You are right, PL is missing that feature. It was planned but now the PL and KC are merging I'm not sure if we are going to implement it in PL. Regarding your question, there is no easy way to specify your own Identity implementation. However, I'm wondering if you can use a custom CDI scope for that. PicketLink allows you to define a specific scope for the Identity bean. Regards. Pedro Igor ----- Original Message ----- From: "Sean Flanigan" <sflaniga(a)redhat.com&gt; To: security-dev(a)lists.jboss.org Sent: Friday, July 10, 2015 5:37:51 AM Subject: [security-dev] Replacing Seam RunAsOperation (impersonate) I was hoping I had missed an impersonation feature[1], but now I'm thinking there isn't one in PicketLink. Assuming I have to subclass and @Specialize org.picketlink.internal.DefaultIdentity, how would I go about convincing PicketLink to use my implementation? org.picketlink.extension.PicketLinkExtension seems to be vetoing my implementation. Is there some way of telling (or overriding) IdentityBeanDefinition to use my Identity bean class? [1] https://developer.jboss.org/thread/260993 Regards, Sean.

Hey Sean, You are right, PL is missing that feature. It was planned but now the PL and KC are merging I'm not sure if we are going to implement it in PL.

Regarding your question, there is no easy way to specify your own Identity implementation. However, I'm wondering if you can use a custom CDI scope for that. PicketLink allows you to define a specific scope for the Identity bean.

Regards. Pedro Igor ----- Original Message ----- From: "Sean Flanigan" <sflaniga(a)redhat.com&gt; To: security-dev(a)lists.jboss.org Sent: Friday, July 10, 2015 5:37:51 AM Subject: [security-dev] Replacing Seam RunAsOperation (impersonate) I was hoping I had missed an impersonation feature[1], but now I'm thinking there isn't one in PicketLink. Assuming I have to subclass and @Specialize org.picketlink.internal.DefaultIdentity, how would I go about convincing PicketLink to use my implementation? org.picketlink.extension.PicketLinkExtension seems to be vetoing my implementation. Is there some way of telling (or overriding) IdentityBeanDefinition to use my Identity bean class? [1] https://developer.jboss.org/thread/260993 Regards, Sean.

----- Original Message ----- > From: "Sean Flanigan" <sflaniga(a)redhat.com&gt; > To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; > Cc: security-dev(a)lists.jboss.org > Sent: Monday, July 13, 2015 2:31:36 AM > Subject: Re: [security-dev] Replacing Seam RunAsOperation (impersonate) > > On 2015-07-10 22:27, Pedro Igor Silva wrote: >> Hey Sean, >> >> You are right, PL is missing that feature. It was planned but now the >> PL and KC are merging I'm not sure if we are going to implement it in >> PL. > > Ah yes, thanks for reminding me about the Keycloak merger. Sounds like > that might make it all moot. I don't suppose it has an impersonation > feature similar to the one in Seam? > >> Regarding your question, there is no easy way to specify your own >> Identity implementation. However, I'm wondering if you can use a >> custom CDI scope for that. PicketLink allows you to define a specific >> scope for the Identity bean. > > So, some sort of short-lived scope for Identity, plus login via a dummy > Authenticator? That might work, although it sounds more complex than > what I had in mind for modifying Identity.getAccount() to use a > ThreadLocal (ugly though it sounds). I'm wondering if you can try the window scope from Apache DeltaSpike. I remember an user doing something similar a long time ago using this scope. > > But how does one configure the Identity bean's scope? I found slides 6 > and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014. Is there > a compiled example anywhere? http://docs.jboss.org/picketlink/2/latest/reference/html-single/#Defining... > > Would it be possible to change IdentityBeanDefinition to allow more > customisation, eg for getBeanClass()? > > Also, is there some way I can disable PicketLinkExtension, so that I can > replace it with one which uses a modified IdentityBeanDefinition? > I don't think CDI allows to disable an extension defined in a jar, like in our case. I believe this JIRA [1] is related with that. [1] https://issues.jboss.org/browse/CDI-157 > >> >> Regards. >> Pedro Igor >> >> ----- Original Message ----- >> From: "Sean Flanigan" <sflaniga(a)redhat.com&gt; >> To: security-dev(a)lists.jboss.org >> Sent: Friday, July 10, 2015 5:37:51 AM >> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate) >> >> I was hoping I had missed an impersonation feature[1], but now I'm >> thinking there isn't one in PicketLink. Assuming I have to subclass and >> @Specialize org.picketlink.internal.DefaultIdentity, how would I go >> about convincing PicketLink to use my implementation? >> >> org.picketlink.extension.PicketLinkExtension seems to be vetoing my >> implementation. Is there some way of telling (or overriding) >> IdentityBeanDefinition to use my Identity bean class? >> >> [1] https://developer.jboss.org/thread/260993 >> >> Regards, >> >> Sean. >> > > > -- > Sean Flanigan > > Principal Software Engineer > Globalisation Tools Engineering > Red Hat > >