Re: [wildfly-dev] How to set an authorized identity to EltyronSecurity Context

So the validation is within Apache CXF - is there an end result to this validation where you have access to everything you need where we could perform some additional steps?

On Thu, 31 May 2018 at 10:34 Jim Ma <ema(a)redhat.com <mailto:ema@redhat.com>> wrote: The saml validation is now Apache CXF's SAML functionality. We can't port the CXF's security to rely on our Elytron. On 05/31/2018 05:07 PM, Darran Lofthouse wrote: > It sounds to me then that the place to start is within the SAML > validation, this is effectively an authentication step so should > be ported over to an Elytron based authentication - the end > result of the authentication would then be the required > SecurityIdentity to propagate from container to container. > > > On Thu, 31 May 2018 at 03:57 Jim Ma <ema(a)redhat.com > <mailto:ema@redhat.com>> wrote: > > On 05/30/2018 09:47 PM, Darran Lofthouse wrote: >> I am currently gathering together some information regarding >> how the JCA subsystem handles the requirement of populating >> a Subject for propagation into a resource adapter, however >> there is a general question about what is attempting to be >> achieved here. >> >> Once an EJB is secured using WildFly Elytron the associated >> identity is not accessed as a Subject instead it is accessed >> a SecurityIdentity the current SecurityIdentity can always >> be retrieved by calling the current SecurityDomain: - >> >> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/w... >> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/w... >> >> The SecurityIdentity has some similarity with the Subject in >> that amongst other things it also contains a collection of >> public credentials and a collection of private credentials: - >> >> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/w... >> http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/w... >> >> So I think the very first question is has the >> SecurityIdentity been correctly populated with any delegated >> credentials?  If not that is going to be a pre-requisite for >> any follow on steps regardless. >> >> Then secondly what is it that is making use of this >> identity?  Why can't it be ported to make use of the Elytron >> authentication client APIs which amongst other things >> provide support for delegation from the current identity. >> >> If we need to we can look at a conversion to a Subject but >> we are only doing that where it is really required. > >   We don't have the SecurityIdentity populated, there is only > principal and subject created by jbossws/CXF's saml validator. >   We need to convert the subject/principal to Elytron's > SecurityIdentity or something else, then later on EJB > subystem with Elytron >   security can retrieve this authenticated info without check > it twice. So we'd like to know how can we convert a > subject/principal >   to Elytron's SecurityIdentity and let Elytron know this is > already authenticated and authorized. > > Thanks, > Jim > > >> >> Regards, >> Darran Lofthouse. >> >> >> On Wed, 30 May 2018 at 10:27 Alessio Soldano >> <asoldano(a)redhat.com <mailto:asoldano@redhat.com>> wrote: >> >> As suggested by Darran, I'm forwarding the message below >> to the list on behalf of Jim. >> The classes Jim is referring to are at >> https://github.com/wildfly/wildfly/tree/master/webservices/server-integra... >> >> >> >> ---------- Forwarded message ---------- >> From: *Jim Ma* <ema(a)redhat.com <mailto:ema@redhat.com>> >> Date: Wed, May 30, 2018 at 9:03 AM >> Subject: Set an authorized identity to EltyronSecurity >> Context >> To: Darran Lofthouse <darran.lofthouse(a)redhat.com >> <mailto:darran.lofthouse@redhat.com>> >> Cc: Alessio Soldano <asoldano(a)redhat.com >> <mailto:asoldano@redhat.com>> >> >> >> Hi Darran, >> >> We are helping look at a customer issue which requires >> propagate the authenticated subject from webservice >> subsystem to >> >> ejb subystem. With old security domain , we can do this >> with creating a subject : >> >>     @Override >>     public void pushSubjectContext(final Subject >> subject, final Principal principal, final Object >> credential) { >> AccessController.doPrivileged(new PrivilegedAction<Void>() { >> >>             public Void run() { >>                 SecurityContext securityContext = >> SecurityContextAssociation.getSecurityContext(); >>                 if (securityContext == null) { >>                     securityContext = >> createSecurityContext(getSecurityDomain()); >> setSecurityContextOnAssociation(securityContext); >>                 } >> securityContext.getUtil().createSubjectInfo(principal, >> credential, subject); >>                 return null; >>             } >>         }); >>     } >> >> >> After Elytron,  what is the equivalent thing to do this  >> then ejb can retrieve this security without check this >> twice ? >> >> Thanks, >> >> Jim >> >> >> >> >> -- >> >> Alessio Soldano >> >> Associate Manager >> >> Red Hat >> >> <https://www.redhat.com> >> >> <https://red.ht/sig> >> >