[keycloak-user] Security context not propagated to EJB Tier

Manuel Waltschek manuel.waltschek at prisma-solutions.at
Mon Dec 17 13:09:19 EST 2018


Hello,

I know this has already been asked and the documentation of keycloak also has a short entry on this topic:
"To propagate the security context to the EJB tier you need to configure it to use the "keycloak" security domain. This can be achieved with the @SecurityDomain annotation:",
which is exactly what I did with all my EJBs. I even made my own quickstart/testproject, since I am trying to secure an EAR-Deployment with EJBs on Wildfly 10 and I just cannot get Keycloak SAML to work properly. I also annotated these beans with @PermitAll.

I am using the wildfly-saml-adapter to authenticate against an external IdP and I have been debugging the adapter to figure out what is happening.
I can see that in org.keycloak.adapters.saml.wildfly.SecurityInfoHelper.propagateSessionInfo(KeycloakAccount) the SubjectInfo is created and the Principal is propagated to org.jboss.security.SecurityContext.

I configured my war in my ear to have a jboss-web.xml which points to "keycloak" security-domain, but it does not make any difference.

I am trying to invoke EJBContext.getCallerPrincipal() in my stateless EJB, which always returns a SimplePrincipal with name anonymous. This is only true for my real application. Everything is working as expected in my test application, since I inject the beans directly in a Servlet endpoint.
In my real application they are looked up via JNDI from code I have in jar deployments too. Can you please point me to any other ideas on what else I can try to get this working?

Thank you in advance,

Manuel Waltschek
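For readers following the thread, here is an added example (not code from the original post or from the Keycloak project) of the EJB configuration the quoted documentation describes: a stateless bean bound to the "keycloak" security domain with @SecurityDomain, opened up with @PermitAll, and reading the caller identity through SessionContext. The bean and method names (GreetingBean, whoAmI, isUser) and the role name "user" are hypothetical; the "anonymous" SimplePrincipal check mirrors the symptom reported above so that a missing propagation is logged instead of silently passing through.

```java
// Added example, not from the original post: a stateless EJB wired to the
// "keycloak" security domain as described in the Keycloak documentation.
// GreetingBean, whoAmI, isUser and the role name "user" are hypothetical.
package example;

import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("keycloak")   // must match the <security-domain> selected in the WAR's jboss-web.xml
@PermitAll                    // no method-level authorization; we only care about the caller identity here
public class GreetingBean {

    private static final Logger LOG = Logger.getLogger(GreetingBean.class.getName());

    @Resource
    private SessionContext ctx;

    /**
     * Returns the authenticated caller's name, or null when no identity reached this tier.
     * WildFly hands back a SimplePrincipal named "anonymous" when the security context
     * was not propagated, which is the exact symptom described in the post above.
     */
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        if (caller == null || "anonymous".equals(caller.getName())) {
            LOG.warning("No propagated identity in EJB tier; verify @SecurityDomain(\"keycloak\") "
                      + "on the bean and <security-domain>keycloak</security-domain> in jboss-web.xml");
            return null;
        }
        return caller.getName();
    }

    /** Role check against the roles the SAML adapter mapped into the security context. */
    public boolean isUser() {
        // isCallerInRole is false for the anonymous principal, so an unpropagated
        // context fails closed rather than granting access.
        return ctx.isCallerInRole("user");
    }
}
```

The matching web-tier side is the jboss-web.xml the post mentions, containing `<security-domain>keycloak</security-domain>`; both the WAR and the EJB must name the same domain, otherwise the SubjectInfo set up by the SAML adapter in the web tier is not the one the EJB container consults, and whoAmI() returns null.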

