How to set security context information like principal manually in wildfly 26?


Arulkumar Ponnusamy

Jan 13, 2022, 10:36:42 AM
to WildFly
Hi all,
We are in the process of migrating our legacy security subsystem (WildFly 24) to the Elytron security subsystem (WildFly 26).

We have certain daemon threads which require EJB access. So, we set the security principal (default) programmatically using the PicketBox "SecurityContextAssociation" class.

Is there any similar way of setting the principal without the PicketBox library in the latest WildFly?

Any reference/guide would be a great help!!

Thanks
Arulkumar Ponnusamy!!

Darran Lofthouse

Jan 15, 2022, 6:29:56 AM
to WildFly
Where WildFly Elytron is in use, once you have a reference to a SecurityIdentity you will see it has a set of runAs methods which take some form of action or runnable:


This is how threads associate the identity to be used for the task being executed.

Elsewhere in your code the APIs on the SecurityDomain can be used to obtain the SecurityIdentity:


Depending on your requirements you can either authenticate against the SecurityDomain or create an adHoc identity.

Within a deployment, code can obtain the SecurityIdentity using the getCurrent() method:
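
The pattern described in the reply above, for the daemon-thread case from the question, as an added example that is not part of the original thread or of WildFly's own code. The class and method names (`DaemonIdentityRunner`, `runAsService`, `runAuthenticated`, `currentPrincipalName`) are hypothetical, and it assumes the deployment is already mapped to an Elytron security domain and that the helper is constructed from deployment code rather than from the daemon thread itself.

```java
import java.util.concurrent.Callable;

import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.PasswordGuessEvidence;

/** Hypothetical helper: runs background work under an Elytron identity. */
public final class DaemonIdentityRunner {

    private final SecurityDomain domain;

    /** Construct from deployment code (assumption: e.g. a startup listener). */
    public DaemonIdentityRunner() {
        SecurityDomain current = SecurityDomain.getCurrent();
        if (current == null) {
            // No Elytron domain is associated with this deployment. Fix the
            // deployment-to-domain mapping rather than building a private
            // domain whose identities the container will not recognise.
            throw new IllegalStateException("No SecurityDomain for this deployment");
        }
        this.domain = current;
    }

    /** Ad hoc identity: no credential check, so pass only a fixed service principal. */
    public <T> T runAsService(String servicePrincipal, Callable<T> task) throws Exception {
        SecurityIdentity identity = domain.createAdHocIdentity(servicePrincipal);
        return identity.runAs(task); // identity is associated only while task runs
    }

    /** Authenticated identity: the domain's realm verifies the password first. */
    public <T> T runAuthenticated(String user, char[] password, Callable<T> task) throws Exception {
        PasswordGuessEvidence evidence = new PasswordGuessEvidence(password);
        try {
            SecurityIdentity identity = domain.authenticate(user, evidence);
            return identity.runAs(task);
        } finally {
            evidence.destroy(); // wipe the password characters after use
        }
    }

    /** Name of the identity currently associated with the calling thread. */
    public String currentPrincipalName() {
        return domain.getCurrentSecurityIdentity().getPrincipal().getName();
    }
}
```

Calling `currentPrincipalName()` inside the task passed to `runAsService` is a quick way to confirm the identity took effect before the EJB call is made.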

Arulkumar Ponnusamy

Jan 17, 2022, 11:06:55 AM
to WildFly
Thanks Darran for the pointer. However, I am always getting SecurityDomain as null when I use SecurityDomain.getCurrent(). About my deployment: I am using "Jaas-realm" and am trying to access this securityDomain from a war which is deployed under the ear.

Any input on why I am not able to get the current securityDomain?

Arulkumar Ponnusamy

Jan 20, 2022, 12:36:49 PM
to WildFly
Can someone provide some insight on my issue of the Security.getCurrent() method returning null? Whereas, I am able to get the principal using the legacy security system.

My Elytron configuration:
            <security-domains>
                <security-domain name="testingmigration" default-realm="migrationRealm" permission-mapper="default-permission-mapper">
                    <realm name="testingjaasRealm"/>
                </security-domain>
            </security-domains>
            <security-realms>
                <identity-realm name="local" identity="$local"/>
                <jaas-realm name=" testingjaasRealm " entry="test" module="path">
                    <file path="path tojaaslogin.conf"/>
                </jaas-realm>
            </security-realms>

Any input on this would be a great help!!

Diana Krepinska

Jan 20, 2022, 12:51:57 PM
to WildFly
Hello, it should not matter which security realm you are using for the Security.getCurrent() method. If the class where you are calling this method is in the web deployment, then it sounds more like the security domain is not associated with said web deployment. Maybe your EJB deployment is secured but your web deployment is not.

Arulkumar Ponnusamy

Jan 20, 2022, 1:15:07 PM
to WildFly
Hi Diana,
Thanks for the quick reply. However, it is secured and my web.xml configuration is:
<login-config>
<realm-name> testingjaasRealm </realm-name>
</login-config>

and jboss-web.xml also
<security-domain flushOnSessionInvalidation="true"> testingmigration</security-domain>

Anything wrong with this?

Arulkumar Ponnusamy

Jan 20, 2022, 1:49:52 PM
to WildFly
Hi All,
I am able to get the SecurityDomain using the SecurityDomain.getCurrent() method. Seems there was some misconfiguration in my standalone.xml.

However, now I am seeing that getCurrent() always returns the anonymous user even after I log in to the application. Seems I am still missing some configuration. Any input on what the reason for this would be?

Diana Krepinska

Jan 21, 2022, 5:03:48 AM
to WildFly
You can try to look at this example for EJB security https://github.com/wildfly-security-incubator/elytron-examples/tree/master/ejb-security to see whether something is missing in your configuration. There is also a corresponding blog post: https://wildfly-security.github.io/wildfly-elytron/blog/advanced-ejb-security/

Arulkumar Ponnusamy

Jan 31, 2022, 11:12:14 AM
to WildFly
Thanks Darran for your quick reply on my new thread. As you suggested, I am continuing on this one.

Our application flow is:
User launches the application URL -> servletFilter -> check for session validation -> if invalid -> redirect to login screen -> invoke the login module -> authenticate -> set the principal -> continue to access the application.
Both our EJB and web application are configured to use the default security domain.

The current problems are:
1. SecurityDomain.getCurrent() returns a null object when I call it from either the war or the sar. As per my understanding, this is happening because our web.xml does not contain security domains. I can't get the securityIdentity since the securitycontext is empty, and I don't see any other way to get the securityIdentity.

2. I get the SecurityDomain object when it is accessed from the EJB. However, the principal comes as anonymous. I am accessing it using the below code.
            @Resource
            private SessionContext

The only way I am seeing is to create a new securityDomain if it is null and try to create the adhocIdentity. However, this is also throwing an error saying unable to authenticate, the reason for which I need to investigate further. Also, I am not sure this is the correct way of doing it.

Thanks
Arulkumar P

Arulkumar Ponnusamy

Feb 3, 2022, 5:24:04 AM
to WildFly
Any other suggestions?
The below code sets the principal; however, the principal is not getting propagated to the application level. So, I am unable to get the logged-in user info.

    SecurityDomain securityDomain = SecurityDomain.builder()
            .setDefaultRealmName("default")
            .addRealm("default", new JaasSecurityRealm("testlogin")).build()
            .setPermissionMapper(((permissionMappable, roles) -> LoginPermission.getInstance()))
            .build();
    identity = securityDomain.createAdHocIdentity(tp);
    identity = identity.createRunAsIdentity(tp, false);

I need to create a new SecurityDomain every time since SecurityDomain.getCurrent() returns null when called from the war.

Diana Krepinska

Feb 21, 2022, 6:54:06 AM
to WildFly
Hello, do you have an application-security-domain in the ejb3 subsystem associated with Elytron's security domain? But it is difficult to know why the security information is not getting propagated to the application without a reproducer or specific configuration. You can create an ELY Jira issue at https://issues.redhat.com/projects/ELY with a reproducer as well if you prefer.