[keycloak-user] JAAS plugin and roles
Marek Posolda
mposolda at redhat.com
Fri Mar 10 05:34:36 EST 2017
On 09/03/17 15:33, Amat, Juan (Nokia - US) wrote:
> Thank you for the pointer.
>
> I would have expected that this would be supported out of the box.
If there is enough people asking for it, we can add it though. Feel free
to create JIRA.
>
> Another comment.
> In the logout method of AbstractKeycloakLoginModule.java, we remove the RolePrincipal.class principals from the subject's principals.
> We can though configure the class used for the 'role' principal. Should this class be used instead?
Yes, good point. Feel free to add that into the JIRA too.
Marek
>
> Juan.
>> -----Original Message-----
>> From: Marek Posolda [mailto:mposolda at redhat.com]
>> Sent: Thursday, March 09, 2017 12:23 AM
>> To: Amat, Juan (Nokia - US) <juan.amat at nokia.com>; keycloak-
>> user at lists.jboss.org
>> Subject: Re: [keycloak-user] JAAS plugin and roles
>>
>> I recently did some example of the remote EJB client. You're right, there are
>> special groups on Wildfly, which JAAS Subject needs to be member of.
>>
>> See the example here [1] . Especially take a look at the security-domain
>> configuration and the "ConvertKEycloakRolesLoginModule", which needs to be
>> put to the chain after DirectAccessGrantsLoginModule.
>>
>> Btv. if you are using web (HttpServletRequest etc), you should maybe rather use
>> our OIDC/SAML adapters? But maybe I am missing something in your setup...
>>
>> [1] https://github.com/mposolda/keycloak-remote-ejb
>>
>> Marek
>>
>> On 08/03/17 20:10, Amat, Juan (Nokia - US) wrote:
>>> I was trying to use this login module with an application deployed on Wildfly
>> 10:
>>> org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule
>>> And it kind of worked.
>>> By that I mean that when you log in, you are authenticated fine but
>>> then calling
>>> HttpServletRequest.isUserInRole(xxx) did not work.
>>>
>>> The reason is that JBoss (EAP and Wildfly I think) expects the roles in a specific
>> group.
>>> This page
>> https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Login_Modu
>> les.html says:
>>> "The JBossSX framework uses two well-known role sets with the names Roles
>> and CallerPrincipal.
>>> The Roles group is the collection of Principals for the named roles as known in
>> the application domain under which the Subject has been authenticated. This
>> role set is used by methods like the EJBContext.isCallerInRole(String), which EJBs
>> can use to see if the current caller belongs to the named application domain
>> role. The security interceptor logic that performs method permission checks also
>> uses this role set.
>>> The CallerPrincipalGroup consists of the single Principal identity assigned to
>> the user in the application domain. The EJBContext.getCallerPrincipal() method
>> uses the CallerPrincipal to allow the application domain to map from the
>> operation environment identity to a user identity suitable for the application. If a
>> Subject does not have a CallerPrincipalGroup, the application identity is the
>> same used for login."
>>> A q&d patch of AbstractKeycloakLoginModule.java makes the whole thing
>> work.
>>> Am I doing something wrong?
>>>
>>> Thank you.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list