[keycloak-user] Arquillian / Remote Container / EJB Security
Lauer Markus
Markus.Lauer at co-met.info
Thu Mar 24 05:55:17 EDT 2016
>
> I'm looking for s/th like this:
> https://developer.jboss.org/wiki/TestingSecuredEJBsOnWildFly81xWithArquillian
>
> This could possibly be combined with:
> https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#jaas-adapter
>
> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
>
> But I can not change the "keycloak" security-domain for testing...
>
Ok. Approaching a solution...
I adopted the JBossLoginContextFactory from the link above:
https://gist.github.com/anonymous/892d957dfdf289158ccc
import java.security.Principal;
import java.util.Set;
import javax.security.auth.login.LoginContext;

// Log in through the JAAS "keycloak" domain via the adapted factory
LoginContext loginContext =
    JBossLoginContextFactory.createLoginContext("markus.lauer at co-met.info", "********");
loginContext.login();
log.info("principals: " + loginContext.getSubject().getPrincipals());

// Dump every Principal in the Subject with its concrete class
Set<Principal> principals = loginContext.getSubject().getPrincipals();
for (Principal p : principals) {
    log.info("name: " + p.getName() + ", type: " + p.getClass());
}
Output:
principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data, user, manage-master-data, markus.lauer at co-met.info]
name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class org.keycloak.KeycloakPrincipal
name: view-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
name: manage-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
name: markus.lauer at co-met.info, type: class org.jboss.security.SimplePrincipal
Login works!
But unfortunately I still can not access the secured EJB:
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Call the secured EJB with the authenticated Subject bound to the thread
Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Void>() {
    @Override
    public Void run() {
        log.info("count: " + securedEJB.count());
        return null;
    }
});
This throws an exception:
javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
Here is a snippet of SecuredEJB:
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("keycloak")
@DeclareRoles({ "view-master-data", "manage-master-data" })
public class SecuredEJB {

    @RolesAllowed({ "view-master-data" })
    public int count() {
        // .... (body elided in the original post)
        return 0; // placeholder so the snippet compiles
    }
}
Any ideas how to deal with the "Invalid User"?
Perhaps the keycloak UUID vs. username?
Regards,
Markus.
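As an added example (not code from the original post, nor from Keycloak or WildFly themselves), here is a self-contained way to drive org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule from an in-process JAAS Configuration, so a test does not have to touch the container's "keycloak" security-domain, and to inspect what actually lands in the Subject. The keycloak.json path, the JAAS entry name "keycloak-test", the user name and the TEST_PASSWORD environment variable are assumptions; "keycloak-config-file" is the option name the Keycloak JAAS login modules read.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule;
import org.keycloak.adapters.jaas.RolePrincipal;

/**
 * Added example (not from the original post): log in through Keycloak's JAAS
 * DirectAccessGrantsLoginModule using an in-process JAAS Configuration, then
 * report what the resulting Subject contains.
 */
public class KeycloakJaasLoginCheck {

    /** Assumed path to the adapter config of a test client with direct access grants enabled. */
    static final String KEYCLOAK_JSON = "/path/to/keycloak.json"; // assumption

    /** JAAS Configuration containing only the Keycloak login module (no container domain needed). */
    static Configuration keycloakOnlyConfiguration() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> options = new HashMap<>();
                options.put("keycloak-config-file", KEYCLOAK_JSON);
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        DirectAccessGrantsLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
                };
            }
        };
    }

    /** Answers the NameCallback and PasswordCallback the Keycloak login module issues. */
    static CallbackHandler credentials(String username, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Performs the direct-access-grant login and returns the authenticated Subject. */
    static Subject login(String username, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("keycloak-test", null,
                credentials(username, password), keycloakOnlyConfiguration());
        try {
            lc.login();
        } finally {
            Arrays.fill(password, '\0'); // do not keep the password in memory
        }
        return lc.getSubject();
    }

    /** Role names carried as RolePrincipal entries in the Subject. */
    static List<String> roles(Subject subject) {
        List<String> roles = new ArrayList<>();
        for (RolePrincipal r : subject.getPrincipals(RolePrincipal.class)) {
            roles.add(r.getName());
        }
        return roles;
    }

    public static void main(String[] args) throws Exception {
        // Assumed test user in the realm; the password comes from the environment,
        // never from a literal in the test source.
        String password = System.getenv("TEST_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("TEST_PASSWORD not set");
        }
        Subject subject = login("test-user", password.toCharArray());

        for (KeycloakPrincipal<?> kp : subject.getPrincipals(KeycloakPrincipal.class)) {
            KeycloakSecurityContext ctx = kp.getKeycloakSecurityContext();
            // The principal name is the claim the adapter is configured to use
            // (by default the token's "sub", a UUID); preferred_username is a
            // separate claim on the access token.
            System.out.println("principal name:     " + kp.getName());
            System.out.println("preferred_username: " + ctx.getToken().getPreferredUsername());
        }
        System.out.println("roles: " + roles(subject));
    }
}
```

The KeycloakPrincipal's name is the claim the adapter is configured to use as the principal name (by default the token's sub claim, which is why a UUID shows up in the output above; the adapter's principal-attribute setting in keycloak.json controls this), while the roles arrive as separate RolePrincipal entries. This example only covers the JAAS side; whether WildFly accepts such a Subject for an EJB annotated with @SecurityDomain("keycloak") depends on how that security-domain is configured in the container, which this code does not touch.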