[security-dev] Replacing Seam RunAsOperation (impersonate)

Sean Flanigan sflaniga at redhat.com
Tue Jul 14 21:18:20 EDT 2015


Thanks, Pedro.

On 2015-07-14 22:48, Pedro Igor Silva wrote:
> ----- Original Message -----
>> From: "Sean Flanigan" <sflaniga at redhat.com>
>> To: "Pedro Igor Silva" <psilva at redhat.com>
>> Cc: security-dev at lists.jboss.org
>> Sent: Monday, July 13, 2015 2:31:36 AM
>> Subject: Re: [security-dev] Replacing Seam RunAsOperation (impersonate)
>>
>> On 2015-07-10 22:27, Pedro Igor Silva wrote:
>>> Hey Sean,
>>>
>>> You are right, PL is missing that feature. It was planned, but now that
>>> PL and KC are merging I'm not sure if we are going to implement it in
>>> PL.
>>
>> Ah yes, thanks for reminding me about the Keycloak merger.  Sounds like
>> that might make it all moot.  I don't suppose it has an impersonation
>> feature similar to the one in Seam?
>>
>>> Regarding your question, there is no easy way to specify your own
>>> Identity implementation. However, I'm wondering if you can use a
>>> custom CDI scope for that. PicketLink allows you to define a specific
>>> scope for the Identity bean.
>>
>> So, some sort of short-lived scope for Identity, plus login via a dummy
>> Authenticator?  That might work, although it sounds more complex than
>> what I had in mind for modifying Identity.getAccount() to use a
>> ThreadLocal (ugly though it sounds).
> 
> I'm wondering if you can try the window scope from Apache DeltaSpike. I remember a user doing something similar a long time ago using this scope.
> 
>>
>> But how does one configure the Identity bean's scope?  I found slides 6
>> and 9 of http://www.slideshare.net/pigorcraveiro/jud-con-2014.  Is there
>> a compiled example anywhere?
> 
> http://docs.jboss.org/picketlink/2/latest/reference/html-single/#Defining_a_Custom_Scope
> 
>>
>> Would it be possible to change IdentityBeanDefinition to allow more
>> customisation, eg for getBeanClass()?
>>
>> Also, is there some way I can disable PicketLinkExtension, so that I can
>> replace it with one which uses a modified IdentityBeanDefinition?
>>
> 
> I don't think CDI allows disabling an extension defined in a jar, like in our case. I believe this JIRA [1] is related to that.
> 
> [1] https://issues.jboss.org/browse/CDI-157
> 
>>
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> ----- Original Message -----
>>> From: "Sean Flanigan" <sflaniga at redhat.com>
>>> To: security-dev at lists.jboss.org
>>> Sent: Friday, July 10, 2015 5:37:51 AM
>>> Subject: [security-dev] Replacing Seam RunAsOperation (impersonate)
>>>
>>> I was hoping I had missed an impersonation feature[1], but now I'm
>>> thinking there isn't one in PicketLink.  Assuming I have to subclass and
>>> @Specialize org.picketlink.internal.DefaultIdentity, how would I go
>>> about convincing PicketLink to use my implementation?
>>>
>>> org.picketlink.extension.PicketLinkExtension seems to be vetoing my
>>> implementation.  Is there some way of telling (or overriding)
>>> IdentityBeanDefinition to use my Identity bean class?
>>>
>>> [1] https://developer.jboss.org/thread/260993
>>>
>>> Regards,
>>>
>>> Sean.
>>>
>>
>>
>> --
>> Sean Flanigan
>>
>> Principal Software Engineer
>> Globalisation Tools Engineering
>> Red Hat
>>
>>


-- 
Sean Flanigan

Principal Software Engineer
Globalisation Tools Engineering
Red Hat
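
The ThreadLocal approach mentioned in this thread, as an added example (not code from either poster, and not PicketLink or Seam API): a thread-bound run-as override that is always cleared in `finally`, so an impersonated account cannot stay attached to a pooled thread. The `RunAs` class, its methods, and the string account ids are hypothetical; a customised `Identity.getAccount()` is assumed to call `effectiveAccount`.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.Supplier;

/** Hypothetical sketch: thread-bound "run as" override, not PicketLink or Seam API. */
public final class RunAs {
    // Per-thread stack so nested run-as calls unwind in the right order.
    private static final ThreadLocal<Deque<String>> OVERRIDE =
            ThreadLocal.withInitial(ArrayDeque::new);

    private RunAs() {}

    /** What a customised Identity.getAccount() would consult first (assumption). */
    public static String effectiveAccount(String authenticatedAccount) {
        String top = OVERRIDE.get().peek();
        return top != null ? top : authenticatedAccount;
    }

    /** Runs work as the given account; the override is removed even on failure. */
    public static <T> T call(String account, Supplier<T> work) {
        if (account == null || account.isEmpty()) {
            throw new IllegalArgumentException("account required");
        }
        Deque<String> stack = OVERRIDE.get();
        stack.push(account);
        try {
            return work.get();
        } finally {
            stack.pop();
            if (stack.isEmpty()) {
                OVERRIDE.remove(); // leave no identity state on pooled threads
            }
        }
    }

    public static void main(String[] args) {
        String user = "alice"; // constructed sample account ids
        System.out.println(effectiveAccount(user));
        System.out.println(call("system", () -> effectiveAccount(user)));
        try {
            call("system", () -> { throw new IllegalStateException("boom"); });
        } catch (IllegalStateException expected) {
            // the override must be gone even though the work failed
        }
        System.out.println(effectiveAccount(user));
    }
}
```

The override is visible only on the calling thread, so work handed to an executor or an asynchronous method runs with the authenticated account unless the override is passed along explicitly.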
