[keycloak-user] JAAS plugin and roles

Marek Posolda mposolda at redhat.com
Thu Mar 9 03:23:03 EST 2017 

I recently did some example of the remote EJB client. You're right, 
there are special groups on Wildfly, which JAAS Subject needs to be 
member of.

See the example here [1] . Especially take a look at the security-domain 
configuration and the "ConvertKEycloakRolesLoginModule", which needs to 
be put to the chain after DirectAccessGrantsLoginModule.

Btv. if you are using web (HttpServletRequest etc), you should maybe 
rather use our OIDC/SAML adapters? But maybe I am missing something in 
your setup...

[1] https://github.com/mposolda/keycloak-remote-ejb

Marek

On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
> I was trying to use this login module with an application deployed on Wildfly 10:
> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
> And it kind of worked.
> By that I mean that when you log in, you are authenticated fine but then calling
> HttpServletRequest.isUserInRole(xxx) did not work.
>
> The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific group.
>
> This page https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modules.html says:
>
> "The JBossSX framework uses two well-known role sets with the names Roles and CallerPrincipal.
> The Roles group is the collection of Principals for the named roles as known in the application domain under which the Subject has been authenticated. This role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs can use to see if the current caller belongs to the named application domain role. The security interceptor logic that performs method permission checks also uses this role set.
> The CallerPrincipalGroup consists of the single Principal identity assigned to the user in the application domain. The EJBContext.getCallerPrincipal() method uses the CallerPrincipal to allow the application domain to map from the operation environment identity to a user identity suitable for the application. If a Subject does not have a CallerPrincipalGroup, the application identity is the same used for login."
>
> A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing work.
>
> Am I doing something wrong?
>
> Thank you.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list