[security-dev] Replacing Seam RunAsOperation (impersonate)

Sean Flanigan sflaniga at redhat.com
Mon Jul 13 01:31:36 EDT 2015


On 2015-07-10 22:27, Pedro Igor Silva wrote:
> Hey Sean,
> 
> You are right, PL is missing that feature. It was planned, but now that
> PL and KC are merging I'm not sure if we are going to implement it in
> PL.

Ah yes, thanks for reminding me about the Keycloak merger.  Sounds like
that might make it all moot.  I don't suppose it has an impersonation
feature similar to the one in Seam?

> Regarding your question, there is no easy way to specify your own
> Identity implementation. However, I'm wondering if you can use a
> custom CDI scope for that. PicketLink allows you to define a specific
> scope for the Identity bean.

So, some sort of short-lived scope for Identity, plus login via a dummy
Authenticator?  That might work, although it sounds more complex than
what I had in mind for modifying Identity.getAccount() to use a
ThreadLocal (ugly though it sounds).

But how does one configure the Identity bean's scope?  I found slides 6
and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014.  Is there
a compiled example anywhere?

Would it be possible to change IdentityBeanDefinition to allow more
customisation, e.g. for getBeanClass()?

Also, is there some way I can disable PicketLinkExtension, so that I can
replace it with one which uses a modified IdentityBeanDefinition?


> 
> Regards.
> Pedro Igor
> 
> ----- Original Message -----
> From: "Sean Flanigan" <sflaniga at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Friday, July 10, 2015 5:37:51 AM
> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
> 
> I was hoping I had missed an impersonation feature[1], but now I'm
> thinking there isn't one in PicketLink.  Assuming I have to subclass and
> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
> about convincing PicketLink to use my implementation?
> 
> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
> implementation.  Is there some way of telling (or overriding)
> IdentityBeanDefinition to use my Identity bean class?
> 
> [1] https://developer.jboss.org/thread/260993
> 
> Regards,
> 
> Sean.
> 


-- 
Sean Flanigan

Principal Software Engineer
Globalisation Tools Engineering
Red Hat
