<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 05/31/2018 05:37 PM, Darran
      Lofthouse wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAMxVf4OjZQwqND3Q0rbMtORuatdMS1sR057JZ3_Y4D2Opjo=9A@mail.gmail.com">
      <div dir="ltr">So the validation is within Apache CXF - is there
        an end result to this validation where you have access to
        everything you need where we could perform some additional
        steps?
        <div><br>
        </div>
      </div>
    </blockquote>
    <br>
     After Apache CXF validation, we can get a LoginContext from CXF's
    exchange message:
<a class="moz-txt-link-freetext" href="https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java">https://github.com/apache/cxf/blob/master/core/src/main/java/org/apache/cxf/security/LoginSecurityContext.java</a><br>
     Can we do something to convert it to an Elytron authenticated
    identity?<br>
     Or do we have to hook/replace something with Elytron in CXF's
    validation to make this work?<br>
    <br>
    <blockquote type="cite"
cite="mid:CAMxVf4OjZQwqND3Q0rbMtORuatdMS1sR057JZ3_Y4D2Opjo=9A@mail.gmail.com"><br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, 31 May 2018 at 10:34 Jim Ma &lt;<a
            href="mailto:ema@redhat.com" moz-do-not-send="true">ema@redhat.com</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div text="#000000" bgcolor="#FFFFFF">
            <div class="m_399130190808493830moz-cite-prefix">The SAML
              validation is now Apache CXF's SAML functionality. We
              can't port CXF's security to rely on <br>
              our Elytron.<br>
            </div>
          </div>
          <div text="#000000" bgcolor="#FFFFFF">
            <div class="m_399130190808493830moz-cite-prefix"> <br>
              On 05/31/2018 05:07 PM, Darran Lofthouse wrote:<br>
            </div>
          </div>
          <div text="#000000" bgcolor="#FFFFFF">
            <blockquote type="cite">
              <div dir="ltr">It sounds to me then that the place to
                start is within the SAML validation; this is effectively
                an authentication step, so it should be ported over to an
                Elytron based authentication. The end result of the
                authentication would then be the required
                SecurityIdentity to propagate from container to
                container.
                <div><br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr">On Thu, 31 May 2018 at 03:57 Jim Ma &lt;<a
                    href="mailto:ema@redhat.com" target="_blank"
                    moz-do-not-send="true">ema@redhat.com</a>&gt; wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div text="#000000" bgcolor="#FFFFFF">
                    <div
                      class="m_399130190808493830m_5946244944197837763moz-cite-prefix">On
                      05/30/2018 09:47 PM, Darran Lofthouse wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">I am currently gathering together
                        some information regarding how the JCA subsystem
                        handles the requirement of populating a Subject
                        for propagation into a resource adapter, however
                        there is a general question about what is
                        attempting to be achieved here.
                        <div><br>
                        </div>
                        <div>Once an EJB is secured using WildFly
                          Elytron, the associated identity is not
                          accessed as a Subject; instead it is accessed as a
                          SecurityIdentity. The current SecurityIdentity
                          can always be retrieved by calling the current
                          SecurityDomain: -</div>
                        <div><br>
                        </div>
                        <div><a
href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--"
                            target="_blank" moz-do-not-send="true">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent--</a></div>
                        <div><a
href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--"
                            target="_blank" moz-do-not-send="true">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityDomain.html#getCurrentSecurityIdentity--</a></div>
                        <div><br>
                        </div>
                        <div>The SecurityIdentity has some similarity
                          with the Subject in that amongst other things
                          it also contains a collection of public
                          credentials and a collection of private
                          credentials: -</div>
                        <div><br>
                        </div>
                        <div><a
href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--"
                            target="_blank" moz-do-not-send="true">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPublicCredentials--</a></div>
                        <div><a
href="http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--"
                            target="_blank" moz-do-not-send="true">http://wildfly-security.github.io/wildfly-elytron/1.3.x/api-javadoc/org/wildfly/security/auth/server/SecurityIdentity.html#getPrivateCredentials--</a></div>
                        <div><br>
                        </div>
                        <div>So I think the very first question is has
                          the SecurityIdentity been correctly populated
                          with any delegated credentials?  If not that
                          is going to be a pre-requisite for any follow
                          on steps regardless.</div>
                        <div><br>
                        </div>
                        <div>Then secondly, what is it that is making use
                          of this identity?  Why can't it be ported to
                          make use of the Elytron authentication client
                          APIs, which amongst other things provide
                          support for delegation from the current
                          identity?</div>
                      </div>
                    </blockquote>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div><br>
                        </div>
                        <div>If we need to we can look at a conversion
                          to a Subject but we are only doing that where
                          it is really required.</div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                  <div text="#000000" bgcolor="#FFFFFF">   We don't have
                    the SecurityIdentity populated; there are only the
                    principal and subject created by jbossws/CXF's SAML
                    validator. <br>
                      We need to convert the subject/principal to
                    Elytron's SecurityIdentity or something else, so that
                    later on the EJB subsystem with Elytron <br>
                      security can retrieve this authenticated info
                    without checking it twice. So we'd like to know how
                    we can convert a subject/principal <br>
                      to Elytron's SecurityIdentity and let Elytron know
                    this is already authenticated and authorized. <br>
                    <br>
                    Thanks,<br>
                    Jim   <br>
                  </div>
                  <div text="#000000" bgcolor="#FFFFFF"> <br>
                    <br>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div><br>
                        </div>
                        <div>Regards,</div>
                        <div>Darran Lofthouse.</div>
                        <div><br>
                          <br>
                          <div class="gmail_quote">
                            <div dir="ltr">On Wed, 30 May 2018 at 10:27
                              Alessio Soldano &lt;<a
                                href="mailto:asoldano@redhat.com"
                                target="_blank" moz-do-not-send="true">asoldano@redhat.com</a>&gt;
                              wrote:<br>
                            </div>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <div dir="ltr">
                                <div>As suggested by Darran, I'm
                                  forwarding the message below to the
                                  list on behalf of Jim.<br>
                                </div>
                                The classes Jim is referring to are at <a
href="https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security"
                                  target="_blank" moz-do-not-send="true">https://github.com/wildfly/wildfly/tree/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/security</a>
                                <br>
                                <br>
                                <div><br>
                                  <div class="gmail_quote">----------
                                    Forwarded message ----------<br>
                                    From: <b class="gmail_sendername">Jim
                                      Ma</b> <span dir="ltr">&lt;<a
                                        href="mailto:ema@redhat.com"
                                        target="_blank"
                                        moz-do-not-send="true">ema@redhat.com</a>&gt;</span><br>
                                    Date: Wed, May 30, 2018 at 9:03 AM<br>
                                    Subject: Set an authorized identity
                                    to Elytron Security Context<br>
                                    To: Darran Lofthouse &lt;<a
                                      href="mailto:darran.lofthouse@redhat.com"
                                      target="_blank"
                                      moz-do-not-send="true">darran.lofthouse@redhat.com</a>&gt;<br>
                                    Cc: Alessio Soldano &lt;<a
                                      href="mailto:asoldano@redhat.com"
                                      target="_blank"
                                      moz-do-not-send="true">asoldano@redhat.com</a>&gt;<br>
                                    <br>
                                    <br>
                                    Hi Darran,<br>
                                    <br>
                                    We are helping look at a customer
                                    issue which requires propagating the
                                    authenticated subject from the
                                    webservice subsystem to<br>
                                    <br>
                                    the ejb subsystem. With the old security
                                    domain, we can do this by
                                    creating a subject:<br>
                                    <br>
<pre>// Imports for the snippet (added for completeness; the quoted message omitted them).
// SecurityContext / SecurityContextAssociation are the legacy PicketBox API.
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;

// Method of the legacy (PicketBox) security-domain integration; the enclosing
// class and its createSecurityContext()/getSecurityDomain()/
// setSecurityContextOnAssociation() helpers are not shown in the thread.
@Override
public void pushSubjectContext(final Subject subject, final Principal principal, final Object credential) {
    AccessController.doPrivileged(new PrivilegedAction&lt;Void&gt;() {
        public Void run() {
            // Reuse the SecurityContext associated with the thread, or create one for the domain.
            SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
            if (securityContext == null) {
                securityContext = createSecurityContext(getSecurityDomain());
                setSecurityContextOnAssociation(securityContext);
            }
            // Attach the already-authenticated principal/credential/subject so that
            // downstream containers (e.g. EJB) see it without re-authenticating.
            securityContext.getUtil().createSubjectInfo(principal, credential, subject);
            return null;
        }
    });
}</pre>
                                    <br>
                                    <br>
                                    After Elytron, what is the
                                    equivalent thing to do, so that the
                                    EJB side can retrieve this security
                                    without checking this twice?<br>
                                    <br>
                                    Thanks,<br>
                                    <br>
                                    Jim<br>
                                    <br>
                                  </div>
                                </div>
                              </div>
                              <div dir="ltr">
                                <div><br>
                                  <br clear="all">
                                  <br>
                                  -- <br>
                                  <div
class="m_399130190808493830m_5946244944197837763m_-7102110169809177803gmail_signature">
                                    <div dir="ltr">
                                      <div>
                                        <p
style="font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><span>Alessio</span>
                                          <span>Soldano</span></p>
                                        <p
                                          style="font-weight:normal;font-size:10px;margin:0px
                                          0px
                                          4px;text-transform:uppercase"><span>Associate
                                            Manager</span><span
                                            style="font-weight:normal;color:rgb(170,170,170);margin:0px"></span></p>
                                        <p
style="font-weight:normal;margin:0px;font-size:10px;color:rgb(153,153,153)"><a
style="color:rgb(0,136,206);font-size:10px;margin:0px;text-decoration:none;font-family:&quot;overpass&quot;,sans-serif"
href="https://www.redhat.com" target="_blank" moz-do-not-send="true">Red
                                            Hat <span><br>
                                              <br>
                                            </span></a></p>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                    <p><br>
                    </p>
                  </div>
                </blockquote>
              </div>
            </blockquote>
            <p><br>
            </p>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
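    <p>Added example, not code from this thread or from WildFly/Elytron itself: an Elytron-side counterpart to the PicketBox pushSubjectContext() quoted above. It assumes the CXF SAML validation has already succeeded (the principal passed in is trusted only because of that) and that SecurityDomain.createAdHocIdentity() plus SecurityIdentity.runAs() are the right mechanism to establish a pre-validated principal, which the thread leaves open; the class and method names are hypothetical.</p>

```java
import java.security.Principal;
import java.util.concurrent.Callable;

import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.credential.Credential;

/**
 * Hypothetical helper: establish an Elytron SecurityIdentity for a principal
 * that an external validator (here CXF's SAML validation) has already checked,
 * and run the downstream work (e.g. the EJB invocation) inside that identity.
 * Assumption of this example: createAdHocIdentity()/runAs() are the mechanism
 * to use; the thread itself does not settle that.
 */
public final class ElytronIdentityPropagation {

    private ElytronIdentityPropagation() {
    }

    /**
     * Must only be called after the SAML validation succeeded: nothing here
     * re-validates the principal, so calling it earlier would mint an identity
     * for an unverified name.
     */
    public static <T> T runAsValidated(SecurityDomain domain, Principal principal,
                                       Credential delegated, Callable<T> work) throws Exception {
        if (domain == null || principal == null) {
            throw new IllegalArgumentException("security domain and validated principal required");
        }
        SecurityIdentity identity = domain.createAdHocIdentity(principal);
        if (delegated != null) {
            // Keep the credential the validator produced as a private credential,
            // the Elytron analogue of the Subject's private credentials, so the
            // EJB side can delegate with it instead of re-authenticating.
            identity = identity.withPrivateCredential(delegated);
        }
        // Everything executed by work sees this identity as the current one.
        return identity.runAs(work);
    }

    /** What a downstream container observes inside the runAs() scope. */
    public static String currentIdentityName() {
        SecurityDomain current = SecurityDomain.getCurrent();
        if (current == null) {
            return null; // no Elytron domain associated with this thread
        }
        SecurityIdentity identity = current.getCurrentSecurityIdentity();
        return identity.isAnonymous() ? "anonymous" : identity.getPrincipal().getName();
    }
}
```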
  </body>
</html>