Migrating from picketbox to elytron


Rodrigo Ferrari

Nov 4, 2021, 10:20:06 AM
to WildFly
Hello friends,

First of all, thanks for the help.

I have a legacy application using PicketBox, and now it's working with the new domain and everything is really nice.

I just have one problem: I have code that uses the PicketBox RunAsIdentity, which changes the identity in the security context. I need to do the same using Elytron; I just need to change the name of the principal. Is there some option to do it using Elytron?

BR
Rodrigo Ferrari

Diana Krepinska

Nov 4, 2021, 12:42:02 PM
to WildFly
Hello,

Not sure if this is what you are looking for, but if you are using EJBs and want to switch the identity for the outgoing call, you can use the org.jboss.ejb3.annotation.RunAsPrincipal annotation.

There are also principal transformers, which take the name of the principal and map it to another name. You can configure e.g. regex-principal-transformer, case-principal-transformer, etc. The following blog post https://wildfly-security.github.io/wildfly-elytron/blog/case-principal-transformer/ uses the case principal transformer as an example.

Rodrigo Ferrari

Nov 4, 2021, 5:35:46 PM
to WildFly
Diana,

Thanks for your reply.

My problem is that I can authenticate with a user and password, but at runtime I want to change this authenticated principal to another principal and use this new principal in my SecurityContext.

My application receives a CSV file and uses a default user to authenticate, but during the program flow I need to change the Principal based on data provided in this CSV file.

With PicketBox I was able to do something like this:
// PicketBox (org.jboss.security): runAsIdentity is an org.jboss.security.RunAsIdentity
SecurityContextAssociation.getSecurityContext().setOutgoingRunAs(runAsIdentity);

I need to know if it's possible to do this with Elytron. I tried doing it:
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;

SecurityDomain securityDomain = SecurityDomain.getCurrent();
MembershipPrincipal membership = new MembershipPrincipal("ANYUSER_ID"); // application Principal type, as posted
SecurityIdentity si = securityDomain.getCurrentSecurityIdentity();
// createRunAsIdentity does not modify si; it returns a new identity, or throws SecurityException
SecurityIdentity runAs = si.createRunAsIdentity(membership, true);

But this throws an unauthorized exception.

BR
Rodrigo

Farah Juma

Nov 5, 2021, 11:56:25 AM
to WildFly
That's the correct approach.

Note that createRunAsIdentity will check whether the current identity is authorized to run as a user with the given principal. This means that the current identity needs to have the RunAsPrincipal permission for this to succeed.

There are some examples here on how to add the RunAsPrincipal permission for a user:

Rodrigo Ferrari

Nov 8, 2021, 11:20:36 AM
to WildFly

Hello Farah,

Thanks for the answer. It's working partially now: I added the configuration to my active profile, and now I receive this message in response:

ElytronSecurityEventListener as SecurityAuthenticationFailedEvent. I don't know why it is failing to run as the other principal. I tried to search for how to get the reason but did not find anything.

I also don't know how to check whether my current user is authorized to do this change of principal.

BR
Rodrigo.

Farah Juma

Nov 9, 2021, 4:22:47 PM
to WildFly
You could try to enable TRACE logging for org.wildfly.security to see if that provides more details on what's happening.

Rodrigo Ferrari

Nov 9, 2021, 7:20:46 PM
to Farah Juma, WildFly
Farah, thanks for your reply.

Now it's working and changes the user if I runAs some command with the new security identity.

My question is, how can I change my EJBContext to have this new security identity propagated through the EJBs?

If I execute this createRunAsIdentity call before an EJBContext getPrincipal, the principal does not change and keeps the original principal.

BR
Rodrigo


Farah Juma

Nov 10, 2021, 1:18:05 PM
to WildFly
Have you configured an application-security-domain mapping in the EJB subsystem that maps the security domain name referenced in the deployment to your Elytron security domain? (More details on how to configure that can be found here.)

Rodrigo Ferrari

Nov 11, 2021, 4:01:28 AM
to WildFly
Hello Farah,

Yes, it's configured. I added this instruction and my logged-in user, which I authenticated with a FORM, is working, but if I change the user with createRunAsIdentity, this newly created user is not being reproduced in the EJBContext, only the user logged in the first time.

BR
Rodrigo
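One worked example that covers both Farah's note about RunAsPrincipalPermission above and the last question in the thread (the run-as identity not showing up in the EJBContext). It is added here and is not code from the thread, from WildFly or from Elytron itself: it builds an in-process Elytron SecurityDomain instead of using the server's configured one, so it runs as a plain main() with wildfly-elytron on the classpath. The realm name "batch", the user names csv-importer, alice and ANYUSER_ID, and the passwords are constructed for the demo.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.permission.RunAsPrincipalPermission;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.PermissionMapper;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.permission.PermissionVerifier;

// Added example, not code from the thread or from WildFly. All names and passwords are constructed.
public class RunAsDemo {

    static final String IMPORTER = "csv-importer";  // assumed service account that reads the CSV
    static final String BATCH_USER = "ANYUSER_ID";  // assumed user name taken from a CSV row
    static final String PLAIN_USER = "alice";       // assumed ordinary user without run-as rights

    static SimpleRealmEntry entry(String password) {
        return new SimpleRealmEntry(List.of(new PasswordCredential(
                ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password.toCharArray()))));
    }

    // Permission mapper: everyone gets LoginPermission (a run-as target needs it too);
    // only the importer also gets RunAsPrincipalPermission. "*" is the wildcard target name;
    // a production mapper would list the allowed target names instead.
    static final PermissionMapper MAPPER = (mappable, roles) -> {
        PermissionVerifier login = PermissionVerifier.from(LoginPermission.getInstance());
        if (IMPORTER.equals(mappable.getPrincipal().getName())) {
            return login.or(PermissionVerifier.from(new RunAsPrincipalPermission("*")));
        }
        return login;
    };

    static SecurityDomain buildDomain() {
        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        Map<String, SimpleRealmEntry> users = new HashMap<>();
        users.put(IMPORTER, entry("importer-secret"));
        users.put(PLAIN_USER, entry("alice-secret"));
        users.put(BATCH_USER, entry("unused"));  // a run-as target must exist in a realm
        realm.setIdentityMap(users);
        return SecurityDomain.builder()
                .addRealm("batch", realm).build()
                .setDefaultRealmName("batch")
                .setPermissionMapper(MAPPER)
                // Print every security event the domain emits, with the identity it concerns
                .setSecurityEventListener(ev -> System.out.println("event: "
                        + ev.getClass().getSimpleName() + " for " + ev.getSecurityIdentity().getPrincipal()))
                .build();
    }

    // Name of whichever identity is current on this thread (anonymous if none was established)
    static String currentName(SecurityDomain domain) {
        return domain.getCurrentSecurityIdentity().getPrincipal().getName();
    }

    public static void main(String[] args) throws Exception {
        SecurityDomain domain = buildDomain();
        SecurityIdentity importer = domain.authenticate(IMPORTER,
                new PasswordGuessEvidence("importer-secret".toCharArray()));
        SecurityIdentity alice = domain.authenticate(PLAIN_USER,
                new PasswordGuessEvidence("alice-secret".toCharArray()));

        // The same check createRunAsIdentity performs internally, asked explicitly up front
        System.out.println("importer may run as " + BATCH_USER + ": "
                + importer.implies(new RunAsPrincipalPermission(BATCH_USER)));
        System.out.println("alice may run as " + BATCH_USER + ": "
                + alice.implies(new RunAsPrincipalPermission(BATCH_USER)));

        // Authorized switch: returns a NEW identity; 'importer' and the thread are untouched
        SecurityIdentity asBatchUser = importer.createRunAsIdentity(BATCH_USER, true);

        // Only code run inside runAs(...) sees the new identity. An EJB invoked from inside
        // that block sees BATCH_USER; one invoked after the block returns sees the original caller.
        importer.runAs(() -> {
            System.out.println("before switch: " + currentName(domain));
            String inside = asBatchUser.runAsSupplier(() -> currentName(domain));
            System.out.println("inside runAs:  " + inside);
            System.out.println("after switch:  " + currentName(domain));
        });

        // Unauthorized switch: alice has no RunAsPrincipalPermission, so the domain refuses
        try {
            alice.createRunAsIdentity(BATCH_USER, true);
        } catch (SecurityException e) {
            System.out.println("alice refused: " + e.getMessage());
        }
    }
}
```

The point for the last post: createRunAsIdentity never changes the thread's current identity, so the EJB container, which reads the current identity when the invocation enters it, keeps seeing the FORM-authenticated user unless the EJB call itself is made inside `asBatchUser.runAs(...)`. On a server the same grant lives on the elytron subsystem's `simple-permission-mapper` (a `permission-mappings` entry for the service principal whose `permissions` list contains `org.wildfly.security.auth.permission.RunAsPrincipalPermission` with `target-name` set to the allowed user, or `*`), the EJB side needs `/subsystem=ejb3/application-security-domain=<name>:add(security-domain=<elytron-domain>)` as described above, and the refusal reason shows up with `/subsystem=logging/logger=org.wildfly.security:add(level=TRACE)`.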