<div dir="ltr">I am currently gathering together some information regarding how the JCA subsystem handles the requirement of populating a Subject for propagation into a resource adapter; however, there is a general question about what is attempting to be achieved here.<div><br></div>
<div>Once an EJB is secured using WildFly Elytron the associated identity is not accessed as a Subject; instead it is accessed as a SecurityIdentity. The current SecurityIdentity can always be retrieved by calling the current SecurityDomain: -</div><div><br></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div><div><br></div>
<div>The SecurityIdentity has some similarity with the Subject in that, amongst other things, it also contains a collection of public credentials and a collection of private credentials: -</div><div><br></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
<div><a href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div><div><br></div>
<div>So I think the very first question is: has the SecurityIdentity been correctly populated with any delegated credentials? If not, that is going to be a prerequisite for any follow-on steps regardless.</div><div><br></div>
<div>Then secondly, what is it that is making use of this identity? Why can't it be ported to make use of the Elytron authentication client APIs, which amongst other things provide support for delegation from the current identity?</div><div><br></div>
<div>If we need to, we can look at a conversion to a Subject, but we are only doing that where it is really required.</div><div><br></div>
<div>Regards,</div><div>Darran Lofthouse.</div>
<div><br><br><div class="gmail_quote"><div dir="ltr">On Wed, 30 May 2018 at 10:27 Alessio Soldano <<a href="mailto:asoldano@redhat.com">asoldano@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>As suggested by Darran, I'm forwarding the message below to the list on behalf of Jim.<br></div>The classes Jim is referring to are at <a href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security" target="_blank">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a> <br><br><div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Jim Ma</b> <span dir="ltr"><<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>></span><br>Date: Wed, May 30, 2018 at 9:03 AM<br>Subject: Set an authorized identity to Elytron Security Context<br>To: Darran Lofthouse <<a href="mailto:darran.lofthouse@redhat.com" target="_blank">darran.lofthouse@redhat.com</a>><br>Cc: Alessio Soldano <<a href="mailto:asoldano@redhat.com" target="_blank">asoldano@redhat.com</a>><br><br><br>Hi Darran,<br>
<br>
We are helping look at a customer issue which requires propagating the authenticated subject from the webservice subsystem to the ejb subsystem. With the old security domain, we can do this by creating a subject:<br>
<br>
<pre>
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;

// Legacy (PicketBox) path: attach the authenticated Subject to the thread-bound
// SecurityContext so the EJB container can pick it up on the same thread.
// createSecurityContext(), getSecurityDomain() and setSecurityContextOnAssociation()
// are helpers of the enclosing class and are not shown here.
@Override
public void pushSubjectContext(final Subject subject, final Principal principal, final Object credential) {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        public Void run() {
            SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
            if (securityContext == null) {
                // no context bound to this thread yet: create one for the configured domain and bind it
                securityContext = createSecurityContext(getSecurityDomain());
                setSecurityContextOnAssociation(securityContext);
            }
            // record principal, credential and subject for the current request
            securityContext.getUtil().createSubjectInfo(principal, credential, subject);
            return null;
        }
    });
}
</pre>
<br>
<br>
After Elytron, what is the equivalent way to do this so that the ejb can retrieve this security without checking it twice?<br>
<br>
Thanks,<br>
<br>
Jim<br>
<br>
</div></div></div><div dir="ltr"><div><br><br clear="all"><br>-- <br><div class="m_-7102110169809177803gmail_signature"><div dir="ltr"><div>
<p style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span> <span>Soldano</span></p>
<p style="font-weight:normal;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><span>Associate Manager</span><span style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
<p style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:"overpass",sans-serif" href="https://www.redhat.com" target="_blank">Red Hat <span><br><br></span></a></p>
</div></div></div>
</div></div></blockquote></div></div></div>
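An added example of the approach Darran recommends above (not code from this thread, nor from WildFly or Elytron): a helper a JAX-WS handler could use to check whether the current SecurityIdentity actually carries a delegated credential, run the EJB call under that identity instead of converting it to a Subject, and, for a remote client, forward it through the Elytron authentication client API. The class name IdentityPropagation and its method names are hypothetical, and useForwardedIdentity is assumed to be the 1.3.x name of the forwarded-identity option.

```java
import java.util.concurrent.Callable;

import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.credential.PasswordCredential;

/** Hypothetical helper a JAX-WS handler could use instead of building a legacy Subject. */
public final class IdentityPropagation {

    private IdentityPropagation() {}

    /** The identity Elytron bound to the current thread, or null when no domain is current. */
    public static SecurityIdentity currentIdentity() {
        SecurityDomain domain = SecurityDomain.getCurrent();
        return domain == null ? null : domain.getCurrentSecurityIdentity();
    }

    /**
     * Darran's first question: was the identity populated with a delegated credential?
     * Looks for a password in the private credential set; an anonymous identity never qualifies.
     */
    public static boolean hasDelegatedPassword(SecurityIdentity identity) {
        if (identity == null || identity.isAnonymous()) {
            return false;
        }
        return identity.getPrivateCredentials().contains(PasswordCredential.class);
    }

    /** Runs an in-VM EJB call as the current identity; the EJB container sees the same SecurityIdentity. */
    public static <T> T callAsCurrentIdentity(Callable<T> ejbCall) throws Exception {
        SecurityIdentity identity = currentIdentity();
        if (identity == null) {
            throw new IllegalStateException("no Elytron security domain is current on this thread");
        }
        return identity.runAs(ejbCall);
    }

    /** For a remote EJB client: delegate the current identity through the authentication client API. */
    public static AuthenticationContext forwardingContext(SecurityDomain domain) {
        // useForwardedIdentity: assumed 1.3.x name of the forwarded-identity option
        AuthenticationConfiguration forwarded =
                AuthenticationConfiguration.empty().useForwardedIdentity(domain);
        return AuthenticationContext.empty().with(MatchRule.ALL, forwarded);
    }
}
```

If hasDelegatedPassword returns false for the identity a handler sees, the webservice-side authentication never populated a delegable credential, and that needs fixing before any EJB-side propagation can work.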