From pahuang at redhat.com Wed Jul 8 20:39:12 2015
From: pahuang at redhat.com (Patrick Huang)
Date: Wed, 8 Jul 2015 20:39:12 -0400 (EDT)
Subject: [security-dev] How to map existing JPA entities to picketlink
In-Reply-To: <1425084771.34631212.1436399277489.JavaMail.zimbra@redhat.com>
Message-ID: <1794018569.34648873.1436402352186.JavaMail.zimbra@redhat.com>

Hi all,

I am in the process of migrating a seam 2 application to CDI and use PicketLink as the security library. I now understand how PicketLink works and I've read the custom IDM model [1]. However since we already have a data model in use and I couldn't find any reference on how to map PicketLink to use it.

To make it easier to view and share to public I have posted a question on stackoverflow [2]. If anyone is able to help or point me to the right direction that will be great. Thanks a lot.

[1] http://picketlink.org/gettingstarted/custom_idm_model/
[2] http://stackoverflow.com/questions/31306207/how-to-map-existing-jpa-entities-to-picketlink

Patrick Huang
Senior Software Engineer
Engineering - Internationalisation
Red Hat, Asia-Pacific Pty Ltd
Level 1, 193 North Quay
Brisbane 4000
Office: +61 7 3514 8278
Fax: +61 7 3514 8199
IRC: pahuang
github: github.com/huangp
Website: www.redhat.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/security-dev/attachments/20150708/4e3b617c/attachment.html

From psilva at redhat.com Wed Jul 8 21:44:17 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 8 Jul 2015 21:44:17 -0400 (EDT)
Subject: [security-dev] How to map existing JPA entities to picketlink
In-Reply-To: <1794018569.34648873.1436402352186.JavaMail.zimbra@redhat.com>
References: <1794018569.34648873.1436402352186.JavaMail.zimbra@redhat.com>
Message-ID: <522801880.34673363.1436406257826.JavaMail.zimbra@redhat.com>

Hey Patrick,

I think you are missing some metadata and minor changes in your entities.
Please, join #picketlink so I can better assist you on this one.

Depending on the outcome, we can create an article or something about it.

Regards.
Pedro Igor


----- Original Message -----
From: "Patrick Huang"
To: security-dev at lists.jboss.org
Sent: Wednesday, July 8, 2015 9:39:12 PM
Subject: [security-dev] How to map existing JPA entities to picketlink

Hi all,

I am in the process of migrating a seam 2 application to CDI and use PicketLink as the security library. I now understand how PicketLink works and I've read the custom IDM model [1]. However since we already have a data model in use and I couldn't find any reference on how to map PicketLink to use it.

To make it easier to view and share to public I have posted a question on stackoverflow [2]. If anyone is able to help or point me to the right direction that will be great. Thanks a lot.

[1] http://picketlink.org/gettingstarted/custom_idm_model/
[2] http://stackoverflow.com/questions/31306207/how-to-map-existing-jpa-entities-to-picketlink

Patrick Huang
Senior Software Engineer
Engineering - Internationalisation
Red Hat, Asia-Pacific Pty Ltd
Level 1, 193 North Quay
Brisbane 4000
Office: +61 7 3514 8278
Fax: +61 7 3514 8199
IRC: pahuang
github: github.com/huangp
Website: www.redhat.com

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

From pahuang at redhat.com Wed Jul 8 21:53:03 2015
From: pahuang at redhat.com (Patrick Huang)
Date: Wed, 8 Jul 2015 21:53:03 -0400 (EDT)
Subject: [security-dev] How to map existing JPA entities to picketlink
In-Reply-To: <522801880.34673363.1436406257826.JavaMail.zimbra@redhat.com>
References: <1794018569.34648873.1436402352186.JavaMail.zimbra@redhat.com> <522801880.34673363.1436406257826.JavaMail.zimbra@redhat.com>
Message-ID: <567788903.34677525.1436406783940.JavaMail.zimbra@redhat.com>

Thank you. I have joined and my nick is pahuang.
The entities I put up there are in their original form. I tried putting @Attribute and a few other annotations on, but sometimes I got an error during the picketlink configuration check on startup; sometimes it passes that but the entity is not being populated.

Patrick Huang
Senior Software Engineer
Engineering - Internationalisation
Red Hat

----- Original Message -----
> From: "Pedro Igor Silva"
> To: "Patrick Huang"
> Cc: security-dev at lists.jboss.org
> Sent: Thursday, July 9, 2015 11:44:17 AM
> Subject: Re: [security-dev] How to map existing JPA entities to picketlink
>
> Hey Patrick,
>
> I think you are missing some metadata and minor changes in your entities.
> Please, join #picketlink so I can better assist you on this one.
>
> Depending on the outcome, we can create an article or something about it.
>
> Regards.
> Pedro Igor
>
>
> ----- Original Message -----
> From: "Patrick Huang"
> To: security-dev at lists.jboss.org
> Sent: Wednesday, July 8, 2015 9:39:12 PM
> Subject: [security-dev] How to map existing JPA entities to picketlink
>
> Hi all,
>
> I am in the process of migrating a seam 2 application to CDI and use
> PicketLink as the security library. I now understand how PicketLink works
> and I've read the custom IDM model [1]. However since we already have a data
> model in use and I couldn't find any reference on how to map PicketLink to
> use it.
>
> To make it easier to view and share to public I have posted a question on
> stackoverflow [2]. If anyone is able to help or point me to the right
> direction that will be great. Thanks a lot.
>
> [1] http://picketlink.org/gettingstarted/custom_idm_model/
> [2]
> http://stackoverflow.com/questions/31306207/how-to-map-existing-jpa-entities-to-picketlink
>
> Patrick Huang
> Senior Software Engineer
> Engineering - Internationalisation
> Red Hat, Asia-Pacific Pty Ltd
> Level 1, 193 North Quay
> Brisbane 4000
> Office: +61 7 3514 8278
> Fax: +61 7 3514 8199
> IRC: pahuang
> github: github.com/huangp
> Website: www.redhat.com
>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

From sflaniga at redhat.com Fri Jul 10 04:37:51 2015
From: sflaniga at redhat.com (Sean Flanigan)
Date: Fri, 10 Jul 2015 18:37:51 +1000
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
Message-ID: <559F845F.6040105@redhat.com>

I was hoping I had missed an impersonation feature[1], but now I'm
thinking there isn't one in PicketLink. Assuming I have to subclass and
@Specialize org.picketlink.internal.DefaultIdentity, how would I go
about convincing PicketLink to use my implementation?

org.picketlink.extension.PicketLinkExtension seems to be vetoing my
implementation. Is there some way of telling (or overriding)
IdentityBeanDefinition to use my Identity bean class?

[1] https://developer.jboss.org/thread/260993

Regards,

Sean.
--
Sean Flanigan

Principal Software Engineer
Globalisation Tools Engineering
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/security-dev/attachments/20150710/1d37c834/attachment.bin

From psilva at redhat.com Fri Jul 10 08:27:27 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 10 Jul 2015 08:27:27 -0400 (EDT)
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
In-Reply-To: <559F845F.6040105@redhat.com>
References: <559F845F.6040105@redhat.com>
Message-ID: <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com>

Hey Sean,

You are right, PL is missing that feature. It was planned but now the PL and KC are merging I'm not sure if we are going to implement it in PL.

Regarding your question, there is no easy way to specify your own Identity implementation. However, I'm wondering if you can use a custom CDI scope for that. PicketLink allows you to define a specific scope for the Identity bean.

Regards.
Pedro Igor

----- Original Message -----
From: "Sean Flanigan"
To: security-dev at lists.jboss.org
Sent: Friday, July 10, 2015 5:37:51 AM
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)

I was hoping I had missed an impersonation feature[1], but now I'm
thinking there isn't one in PicketLink. Assuming I have to subclass and
@Specialize org.picketlink.internal.DefaultIdentity, how would I go
about convincing PicketLink to use my implementation?

org.picketlink.extension.PicketLinkExtension seems to be vetoing my
implementation. Is there some way of telling (or overriding)
IdentityBeanDefinition to use my Identity bean class?

[1] https://developer.jboss.org/thread/260993

Regards,

Sean.
--
Sean Flanigan

Principal Software Engineer
Globalisation Tools Engineering
Red Hat

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev

From mcirioli at redhat.com Fri Jul 10 09:07:10 2015
From: mcirioli at redhat.com (Mike Cirioli)
Date: Fri, 10 Jul 2015 09:07:10 -0400
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
In-Reply-To: <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com>
References: <559F845F.6040105@redhat.com> <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com>
Message-ID: <559FC37E.5000707@redhat.com>

Sean -
I have implemented a user impersonation functionality with PL for the redhat.com's customer facing IdP using picketlink. It's not what I would call pretty, but it does allow our customer service team to authenticate and access any SAML service providers with the identity of the customer having issues.

I'm not sure if this is the same sort of functionality you're looking for, but I'd be happy to describe how we did it if you're interested.

-mike cirioli


On 7/10/15 8:27 AM, Pedro Igor Silva wrote:
> Hey Sean,
>
> You are right, PL is missing that feature. It was planned but now the PL and KC are merging I'm not sure if we are going to implement it in PL.
>
> Regarding your question, there is no easy way to specify your own Identity implementation. However, I'm wondering if you can use a custom CDI scope for that. PicketLink allows you to define a specific scope for the Identity bean.
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Sean Flanigan"
> To: security-dev at lists.jboss.org
> Sent: Friday, July 10, 2015 5:37:51 AM
> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
>
> I was hoping I had missed an impersonation feature[1], but now I'm
> thinking there isn't one in PicketLink.
> Assuming I have to subclass and
> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
> about convincing PicketLink to use my implementation?
>
> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
> implementation. Is there some way of telling (or overriding)
> IdentityBeanDefinition to use my Identity bean class?
>
> [1] https://developer.jboss.org/thread/260993
>
> Regards,
>
> Sean.
>

From sflaniga at redhat.com Sun Jul 12 20:21:11 2015
From: sflaniga at redhat.com (Sean Flanigan)
Date: Mon, 13 Jul 2015 10:21:11 +1000
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
In-Reply-To: <559FC37E.5000707@redhat.com>
References: <559F845F.6040105@redhat.com> <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com> <559FC37E.5000707@redhat.com>
Message-ID: <55A30477.6000302@redhat.com>

Hi Mike,

If the solution is completely SAML-specific, I don't think it will do me
any good, but if you think the general approach could work for other
types, then yes, I'm certainly interested, thanks!

Sean.


On 2015-07-10 23:07, Mike Cirioli wrote:
> Sean -
> I have implemented a user impersonation functionality with PL for the redhat.com's customer facing IdP using picketlink. It's not what I would call pretty, but it does allow our customer service team to authenticate and access any SAML service providers with the identity of the customer having issues.
>
> I'm not sure if this is the same sort of functionality you're looking for, but I'd be happy to describe how we did it if you're interested.
>
> -mike cirioli
>
>
> On 7/10/15 8:27 AM, Pedro Igor Silva wrote:
>> Hey Sean,
>>
>> You are right, PL is missing that feature. It was planned but now the PL and KC are merging I'm not sure if we are going to implement it in PL.
>>
>> Regarding your question, there is no easy way to specify your own Identity implementation. However, I'm wondering if you can use a custom CDI scope for that.
>> PicketLink allows you to define a specific scope for the Identity bean.
>>
>> Regards.
>> Pedro Igor
>>
>> ----- Original Message -----
>> From: "Sean Flanigan"
>> To: security-dev at lists.jboss.org
>> Sent: Friday, July 10, 2015 5:37:51 AM
>> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
>>
>> I was hoping I had missed an impersonation feature[1], but now I'm
>> thinking there isn't one in PicketLink. Assuming I have to subclass and
>> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
>> about convincing PicketLink to use my implementation?
>>
>> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
>> implementation. Is there some way of telling (or overriding)
>> IdentityBeanDefinition to use my Identity bean class?
>>
>> [1] https://developer.jboss.org/thread/260993
>>
>> Regards,
>>
>> Sean.
>>


--
Sean Flanigan

Principal Software Engineer
Globalisation Tools Engineering
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/security-dev/attachments/20150713/b08bb416/attachment.bin

From mcirioli at redhat.com Sun Jul 12 22:48:30 2015
From: mcirioli at redhat.com (Michael Cirioli)
Date: Sun, 12 Jul 2015 22:48:30 -0400 (EDT)
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
Message-ID: <1793074558.67084681.1436755710400.JavaMail.zimbra@zmail09.collab.prod.int.phx2.redhat.com>

I am on PTO this week, but if you want to set up some time on my calendar the following week I'd be happy to talk about options with you.

-mike

On Jul 12, 2015 8:21 PM, Sean Flanigan wrote:
>
> Hi Mike,
>
> If the solution is completely SAML-specific, I don't think it will do me
> any good, but if you think the general approach could work for other
> types, then yes, I'm certainly interested, thanks!
>
> Sean.
>
>
> On 2015-07-10 23:07, Mike Cirioli wrote:
> > Sean -
> > I have implemented a user impersonation functionality with PL for the redhat.com's customer facing IdP using picketlink. It's not what I would call pretty, but it does allow our customer service team to authenticate and access any SAML service providers with the identity of the customer having issues.
> >
> > I'm not sure if this is the same sort of functionality you're looking for, but I'd be happy to describe how we did it if you're interested.
> >
> > -mike cirioli
> >
> >
> > On 7/10/15 8:27 AM, Pedro Igor Silva wrote:
> >> Hey Sean,
> >>
> >> You are right, PL is missing that feature. It was planned but now the PL and KC are merging I'm not sure if we are going to implement it in PL.
> >>
> >> Regarding your question, there is no easy way to specify your own Identity implementation. However, I'm wondering if you can use a custom CDI scope for that. PicketLink allows you to define a specific scope for the Identity bean.
> >>
> >> Regards.
> >> Pedro Igor
> >>
> >> ----- Original Message -----
> >> From: "Sean Flanigan"
> >> To: security-dev at lists.jboss.org
> >> Sent: Friday, July 10, 2015 5:37:51 AM
> >> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
> >>
> >> I was hoping I had missed an impersonation feature[1], but now I'm
> >> thinking there isn't one in PicketLink. Assuming I have to subclass and
> >> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
> >> about convincing PicketLink to use my implementation?
> >>
> >> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
> >> implementation. Is there some way of telling (or overriding)
> >> IdentityBeanDefinition to use my Identity bean class?
> >>
> >> [1] https://developer.jboss.org/thread/260993
> >>
> >> Regards,
> >>
> >> Sean.
> >>
>
>
> --
> Sean Flanigan
>
> Principal Software Engineer
> Globalisation Tools Engineering
> Red Hat
>

From sflaniga at redhat.com Mon Jul 13 01:31:36 2015
From: sflaniga at redhat.com (Sean Flanigan)
Date: Mon, 13 Jul 2015 15:31:36 +1000
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
In-Reply-To: <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com>
References: <559F845F.6040105@redhat.com> <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com>
Message-ID: <55A34D38.7030400@redhat.com>

On 2015-07-10 22:27, Pedro Igor Silva wrote:
> Hey Sean,
>
> You are right, PL is missing that feature. It was planned but now the
> PL and KC are merging I'm not sure if we are going to implement it in
> PL.

Ah yes, thanks for reminding me about the Keycloak merger. Sounds like
that might make it all moot. I don't suppose it has an impersonation
feature similar to the one in Seam?

> Regarding your question, there is no easy way to specify your own
> Identity implementation. However, I'm wondering if you can use a
> custom CDI scope for that. PicketLink allows you to define a specific
> scope for the Identity bean.

So, some sort of short-lived scope for Identity, plus login via a dummy
Authenticator? That might work, although it sounds more complex than
what I had in mind for modifying Identity.getAccount() to use a
ThreadLocal (ugly though it sounds).

But how does one configure the Identity bean's scope? I found slides 6
and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014. Is there
a compiled example anywhere?

Would it be possible to change IdentityBeanDefinition to allow more
customisation, eg for getBeanClass()?

Also, is there some way I can disable PicketLinkExtension, so that I can
replace it with one which uses a modified IdentityBeanDefinition?

>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Sean Flanigan"
> To: security-dev at lists.jboss.org
> Sent: Friday, July 10, 2015 5:37:51 AM
> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
>
> I was hoping I had missed an impersonation feature[1], but now I'm
> thinking there isn't one in PicketLink. Assuming I have to subclass and
> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
> about convincing PicketLink to use my implementation?
>
> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
> implementation. Is there some way of telling (or overriding)
> IdentityBeanDefinition to use my Identity bean class?
>
> [1] https://developer.jboss.org/thread/260993
>
> Regards,
>
> Sean.
>


--
Sean Flanigan

Principal Software Engineer
Globalisation Tools Engineering
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/security-dev/attachments/20150713/6aa3cb71/attachment.bin

From psilva at redhat.com Tue Jul 14 08:48:17 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 14 Jul 2015 08:48:17 -0400 (EDT)
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
In-Reply-To: <55A34D38.7030400@redhat.com>
References: <559F845F.6040105@redhat.com> <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com> <55A34D38.7030400@redhat.com>
Message-ID: <420135826.38112775.1436878097485.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Sean Flanigan"
> To: "Pedro Igor Silva"
> Cc: security-dev at lists.jboss.org
> Sent: Monday, July 13, 2015 2:31:36 AM
> Subject: Re: [security-dev] Replacing Seam RunAsOperation (impersonate)
>
> On 2015-07-10 22:27, Pedro Igor Silva wrote:
> > Hey Sean,
> >
> > You are right, PL is missing that feature.
> > It was planned but now the
> > PL and KC are merging I'm not sure if we are going to implement it in
> > PL.
>
> Ah yes, thanks for reminding me about the Keycloak merger. Sounds like
> that might make it all moot. I don't suppose it has an impersonation
> feature similar to the one in Seam?
>
> > Regarding your question, there is no easy way to specify your own
> > Identity implementation. However, I'm wondering if you can use a
> > custom CDI scope for that. PicketLink allows you to define a specific
> > scope for the Identity bean.
>
> So, some sort of short-lived scope for Identity, plus login via a dummy
> Authenticator? That might work, although it sounds more complex than
> what I had in mind for modifying Identity.getAccount() to use a
> ThreadLocal (ugly though it sounds).

I'm wondering if you can try the window scope from Apache DeltaSpike. I remember a user doing something similar a long time ago using this scope.

>
> But how does one configure the Identity bean's scope? I found slides 6
> and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014. Is there
> a compiled example anywhere?

http://docs.jboss.org/picketlink/2/latest/reference/html-single/#Defining_a_Custom_Scope

>
> Would it be possible to change IdentityBeanDefinition to allow more
> customisation, eg for getBeanClass()?
>
> Also, is there some way I can disable PicketLinkExtension, so that I can
> replace it with one which uses a modified IdentityBeanDefinition?
>

I don't think CDI allows to disable an extension defined in a jar, like in our case. I believe this JIRA [1] is related with that.

[1] https://issues.jboss.org/browse/CDI-157

>
> >
> > Regards.
> > Pedro Igor
> >
> > ----- Original Message -----
> > From: "Sean Flanigan"
> > To: security-dev at lists.jboss.org
> > Sent: Friday, July 10, 2015 5:37:51 AM
> > Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
> >
> > I was hoping I had missed an impersonation feature[1], but now I'm
> > thinking there isn't one in PicketLink. Assuming I have to subclass and
> > @Specialize org.picketlink.internal.DefaultIdentity, how would I go
> > about convincing PicketLink to use my implementation?
> >
> > org.picketlink.extension.PicketLinkExtension seems to be vetoing my
> > implementation. Is there some way of telling (or overriding)
> > IdentityBeanDefinition to use my Identity bean class?
> >
> > [1] https://developer.jboss.org/thread/260993
> >
> > Regards,
> >
> > Sean.
> >
>
>
> --
> Sean Flanigan
>
> Principal Software Engineer
> Globalisation Tools Engineering
> Red Hat
>
>

From sflaniga at redhat.com Tue Jul 14 21:18:20 2015
From: sflaniga at redhat.com (Sean Flanigan)
Date: Wed, 15 Jul 2015 11:18:20 +1000
Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
In-Reply-To: <420135826.38112775.1436878097485.JavaMail.zimbra@redhat.com>
References: <559F845F.6040105@redhat.com> <1968274549.35654577.1436531247901.JavaMail.zimbra@redhat.com> <55A34D38.7030400@redhat.com> <420135826.38112775.1436878097485.JavaMail.zimbra@redhat.com>
Message-ID: <55A5B4DC.1020408@redhat.com>

Thanks, Pedro.

On 2015-07-14 22:48, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Sean Flanigan"
>> To: "Pedro Igor Silva"
>> Cc: security-dev at lists.jboss.org
>> Sent: Monday, July 13, 2015 2:31:36 AM
>> Subject: Re: [security-dev] Replacing Seam RunAsOperation (impersonate)
>>
>> On 2015-07-10 22:27, Pedro Igor Silva wrote:
>>> Hey Sean,
>>>
>>> You are right, PL is missing that feature. It was planned but now the
>>> PL and KC are merging I'm not sure if we are going to implement it in
>>> PL.
>>
>> Ah yes, thanks for reminding me about the Keycloak merger. Sounds like
>> that might make it all moot. I don't suppose it has an impersonation
>> feature similar to the one in Seam?
>>
>>> Regarding your question, there is no easy way to specify your own
>>> Identity implementation. However, I'm wondering if you can use a
>>> custom CDI scope for that. PicketLink allows you to define a specific
>>> scope for the Identity bean.
>>
>> So, some sort of short-lived scope for Identity, plus login via a dummy
>> Authenticator? That might work, although it sounds more complex than
>> what I had in mind for modifying Identity.getAccount() to use a
>> ThreadLocal (ugly though it sounds).
>
> I'm wondering if you can try the window scope from Apache DeltaSpike. I remember a user doing something similar a long time ago using this scope.
>
>>
>> But how does one configure the Identity bean's scope? I found slides 6
>> and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014. Is there
>> a compiled example anywhere?
>
> http://docs.jboss.org/picketlink/2/latest/reference/html-single/#Defining_a_Custom_Scope
>
>>
>> Would it be possible to change IdentityBeanDefinition to allow more
>> customisation, eg for getBeanClass()?
>>
>> Also, is there some way I can disable PicketLinkExtension, so that I can
>> replace it with one which uses a modified IdentityBeanDefinition?
>>
>
> I don't think CDI allows to disable an extension defined in a jar, like in our case. I believe this JIRA [1] is related with that.
>
> [1] https://issues.jboss.org/browse/CDI-157
>
>>
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> ----- Original Message -----
>>> From: "Sean Flanigan"
>>> To: security-dev at lists.jboss.org
>>> Sent: Friday, July 10, 2015 5:37:51 AM
>>> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
>>>
>>> I was hoping I had missed an impersonation feature[1], but now I'm
>>> thinking there isn't one in PicketLink.
>>> Assuming I have to subclass and
>>> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
>>> about convincing PicketLink to use my implementation?
>>>
>>> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
>>> implementation. Is there some way of telling (or overriding)
>>> IdentityBeanDefinition to use my Identity bean class?
>>>
>>> [1] https://developer.jboss.org/thread/260993
>>>
>>> Regards,
>>>
>>> Sean.
>>>
>>
>>
>> --
>> Sean Flanigan
>>
>> Principal Software Engineer
>> Globalisation Tools Engineering
>> Red Hat
>>
>>


--
Sean Flanigan

Principal Software Engineer
Globalisation Tools Engineering
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/security-dev/attachments/20150715/5ae20c60/attachment.bin
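
The ThreadLocal approach to getAccount() raised earlier in this thread, sketched as an added example that is not from any participant and is not PicketLink code: it is plain Java, and Account, RunAsContext and RunAsDemo are hypothetical names. It shows the parts that decide whether such an override is safe: the override is per thread, it is removed in a finally block even when the operation fails, and each switch is recorded against the real actor.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.Callable;
import java.util.concurrent.CopyOnWriteArrayList;

public class RunAsDemo {
    public static void main(String[] args) throws Exception {
        Account admin = new Account("admin");          // constructed sample accounts
        Account customer = new Account("customer42");

        String seen = RunAsContext.runAs(admin, customer,
                () -> RunAsContext.effective(admin).loginName);
        System.out.println("inside run-as: " + seen);
        System.out.println("after run-as:  " + RunAsContext.effective(admin).loginName);

        try {
            RunAsContext.runAs(admin, customer, () -> {
                throw new IllegalStateException("operation failed");
            });
        } catch (IllegalStateException expected) {
            // runAs has already dropped the override in its finally block.
            System.out.println("after failure: " + RunAsContext.effective(admin).loginName);
        }
        RunAsContext.AUDIT.forEach(System.out::println);
    }
}

/** Hypothetical stand-in for the account object an Identity bean returns. */
final class Account {
    final String loginName;
    Account(String loginName) { this.loginName = Objects.requireNonNull(loginName); }
}

/** Hypothetical holder that an overridden getAccount() could consult first. */
final class RunAsContext {
    // One stack per thread, so nested run-as calls unwind in order. Work handed
    // to another thread does not see the override, which is the safe default.
    private static final ThreadLocal<Deque<Account>> STACK =
            ThreadLocal.withInitial(ArrayDeque::new);

    // In-memory audit trail for the demo; a real system would use its audit log.
    static final List<String> AUDIT = new CopyOnWriteArrayList<>();

    private RunAsContext() {}

    /** The override on this thread if one is active, otherwise the real account. */
    static Account effective(Account authenticated) {
        Account override = STACK.get().peek();
        return override != null ? override : authenticated;
    }

    /** Runs the operation with target as the effective account on this thread only. */
    static <T> T runAs(Account actor, Account target, Callable<T> operation) throws Exception {
        Objects.requireNonNull(actor, "actor");
        Objects.requireNonNull(target, "target");
        // A permission check on the actor belongs here, before the switch.
        Deque<Account> stack = STACK.get();
        AUDIT.add("BEGIN actor=" + actor.loginName + " as=" + target.loginName);
        stack.push(target);
        try {
            return operation.call();
        } finally {
            stack.pop();
            if (stack.isEmpty()) {
                STACK.remove();   // pooled threads must not keep a stale override
            }
            AUDIT.add("END actor=" + actor.loginName + " as=" + target.loginName);
        }
    }
}
```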