[keycloak-user] JAAS plugin and roles

Amat, Juan (Nokia - US) juan.amat at nokia.com
Wed Mar 8 14:10:13 EST 2017


I was trying to use this login module with an application deployed on Wildfly 10:
org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
And it kind of worked.
By that I mean that when you log in, you are authenticated fine but then calling
HttpServletRequest.isUserInRole(xxx) did not work.

The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group.

This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html says:

"The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal.
The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set.
The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login."

A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work.

Am I doing something wrong?

Thank you.


More information about the keycloak-user mailing list