[wildfly-dev] How to set an authorized identity to EltyronSecurity Context

Jim Ma ema at redhat.com
Thu May 31 05:34:41 EDT 2018


The saml validation is now Apache CXF's SAML functionality. We can't 
port the CXF's security to rely on
our Elytron.

On 05/31/2018 05:07 PM, Darran Lofthouse wrote:
> It sounds to me then that the place to start is within the SAML 
> validation, this is effectively an authentication step so should be 
> ported over to an Elytron based authentication - the end result of the 
> authentication would then be the required SecurityIdentity to 
> propagate from container to container.
>
>
> On Thu, 31 May 2018 at 03:57 Jim Ma <ema at redhat.com 
> <mailto:ema at redhat.com>> wrote:
>
>     On 05/30/2018 09:47 PM, Darran Lofthouse wrote:
>>     I am currently gathering together some information regarding how
>>     the JCA subsystem handles the requirement of populating a Subject
>>     for propagation into a resource adapter, however there is a
>>     general question about what is attempting to be achieved here.
>>
>>     Once an EJB is secured using WildFly Elytron the associated
>>     identity is not accessed as a Subject instead it is accessed a
>>     SecurityIdentity the current SecurityIdentity can always be
>>     retrieved by calling the current SecurityDomain: -
>>
>>     http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--
>>     http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--
>>
>>     The SecurityIdentity has some similarity with the Subject in that
>>     amongst other things it also contains a collection of public
>>     credentials and a collection of private credentials: -
>>
>>     http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--
>>     http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--
>>
>>     So I think the very first question is has the SecurityIdentity
>>     been correctly populated with any delegated credentials?  If not
>>     that is going to be a pre-requisite for any follow on steps
>>     regardless.
>>
>>     Then secondly what is it that is making use of this identity? 
>>     Why can't it be ported to make use of the Elytron authentication
>>     client APIs which amongst other things provide support for
>>     delegation from the current identity.
>>
>>     If we need to we can look at a conversion to a Subject but we are
>>     only doing that where it is really required.
>
>       We don't have the SecurityIdentity populated, there is only
>     principal and subject created by jbossws/CXF's saml validator.
>       We need to convert the subject/principal to Elytron's
>     SecurityIdentity or something else, then later on EJB subystem
>     with Elytron
>       security can retrieve this authenticated info without check it
>     twice. So we'd like to know how can we convert a subject/principal
>       to Elytron's SecurityIdentity and let Elytron know this is
>     already authenticated and authorized.
>
>     Thanks,
>     Jim
>
>
>>
>>     Regards,
>>     Darran Lofthouse.
>>
>>
>>     On Wed, 30 May 2018 at 10:27 Alessio Soldano <asoldano at redhat.com
>>     <mailto:asoldano at redhat.com>> wrote:
>>
>>         As suggested by Darran, I'm forwarding the message below to
>>         the list on behalf of Jim.
>>         The classes Jim is referring to are at
>>         https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security
>>
>>
>>
>>         ---------- Forwarded message ----------
>>         From: *Jim Ma* <ema at redhat.com <mailto:ema at redhat.com>>
>>         Date: Wed, May 30, 2018 at 9:03 AM
>>         Subject: Set an authorized identity to EltyronSecurity Context
>>         To: Darran Lofthouse <darran.lofthouse at redhat.com
>>         <mailto:darran.lofthouse at redhat.com>>
>>         Cc: Alessio Soldano <asoldano at redhat.com
>>         <mailto:asoldano at redhat.com>>
>>
>>
>>         Hi Darran,
>>
>>         We are helping look at a customer issue which requires
>>         propagate the authenticated subject from webservice subsystem to
>>
>>         ejb subystem. With old security domain , we can do this with
>>         creating a subject :
>>
>>             @Override
>>             public void pushSubjectContext(final Subject subject,
>>         final Principal principal, final Object credential) {
>>                 AccessController.doPrivileged(new
>>         PrivilegedAction<Void>() {
>>
>>                     public Void run() {
>>                         SecurityContext securityContext =
>>         SecurityContextAssociation.getSecurityContext();
>>                         if (securityContext == null) {
>>                             securityContext =
>>         createSecurityContext(getSecurityDomain());
>>         setSecurityContextOnAssociation(securityContext);
>>                         }
>>         securityContext.getUtil().createSubjectInfo(principal,
>>         credential, subject);
>>                         return null;
>>                     }
>>                 });
>>             }
>>
>>
>>         After Elytron,  what is the equivalent thing to do this  then
>>         ejb can retrieve this security without check this twice ?
>>
>>         Thanks,
>>
>>         Jim
>>
>>
>>
>>
>>         -- 
>>
>>         Alessio Soldano
>>
>>         Associate Manager
>>
>>         Red Hat
>>
>>         <https://www.redhat.com>
>>
>>         <https://red.ht/sig>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20180531/f752184a/attachment.html 


More information about the wildfly-dev mailing list