Load configured Elytron domain \ realm in code


Elia Zaides

Apr 3, 2023, 11:49:49 PM
to WildFly
Is it possible to load a configured Elytron security domain in code, and then do something like

For example if I have configured two Security domains:

<security-domain name=domain1 .... 
<security-domain name=domain2 .... 

// Some code that eventually will get us domain2 into securityDomain2 variable.

And then do
securityDomain2.authenticate(....) ?


Thanks a lot, Elia

Darran Lofthouse

Apr 6, 2023, 5:38:55 AM
to WildFly
At the moment no, the security domain would need to be assembled using the APIs - I do think however it could be interesting to have the option to configure the security domain outside of the management model but it doesn't exist today.

If you are running within WildFly one option may be to deploy an EJB where its deployment is associated with a configured SecurityDomain, the EJB can then call SecurityDomain.getCurrent() and return it to the caller.

Elia Zaides

Apr 10, 2023, 2:28:22 AM
to WildFly
Thanks Darran!

I was able to assemble the security domain by code, and then did the authentication, using:

SecurityDomain securityDomain = SecurityDomain.builder() ... .build();
SecurityIdentity securityIdentity = securityDomain.authenticate(...);

Is there a way to set the received security identity \ or the newly created security domain as the current security domain \ identity, so that it will be returned using
SecurityDomain.getCurrent() \ SecurityDomain.getCurrent().getCurrentSecurityIdentity() ?

Elia Zaides

Apr 10, 2023, 3:06:03 AM
to WildFly
Adding a little bit of context to the previous question, as to why I am asking the question in the post above.

What we have currently in our application that we are migrating from an older security system to Elytron is something like the following:

* User is connected as user X, having role R1.
* At some point, we check whether this user can have role R2 by authenticating as user X+.
* If successful, some set of actions are being executed under the elevated permissions (including EJB invocation, which needs security identity propagation)
* Throughout the code the expectation is that SecurityDomain.getCurrent().getCurrentSecurityIdentity() will return the elevated user X+.
* After the block of code that needed higher permissions is completed, return back to the regular user X, meaning that SecurityDomain.getCurrent().getCurrentSecurityIdentity() will return user X, and it will have only the role R1.
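
The builder-assembled domain and the elevate-then-drop flow described above, as an added example that is not part of the original thread or of anyone's application code: it goes one step past the thread by scoping the elevated identity with SecurityIdentity.runAs(), so the elevation ends when the block returns. The in-memory realm, the realm name "users", the passwords and the class name are constructed assumptions; the check uses getCurrentSecurityIdentity() on the domain instance itself and does not depend on what SecurityDomain.getCurrent() returns.

```java
import java.security.Security;
import java.util.List;
import java.util.Map;

import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.permission.PermissionVerifier;

public class ScopedElevationExample {
    // Constructed sample entry: the password and role values are placeholders.
    static SimpleRealmEntry entry(String password, String role) {
        MapAttributes attrs = new MapAttributes();
        attrs.addFirst("Roles", role); // "Roles" is the attribute the default role decoder reads
        return new SimpleRealmEntry(List.of(new PasswordCredential(
                ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password.toCharArray()))), attrs);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(WildFlyElytronPasswordProvider.getInstance()); // needed to verify passwords
        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        realm.setIdentityMap(Map.of("X", entry("x-secret", "R1"), "X+", entry("xplus-secret", "R2")));

        SecurityDomain.Builder builder = SecurityDomain.builder();
        builder.addRealm("users", realm).build();
        builder.setDefaultRealmName("users");
        // authenticate() fails authorization unless the identity is granted LoginPermission.
        builder.setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()));
        SecurityDomain domain = builder.build();

        // Elevation requires X+'s own evidence; the elevated identity is bound only inside runAs().
        SecurityIdentity elevated = domain.authenticate("X+", new PasswordGuessEvidence("xplus-secret".toCharArray()));
        elevated.runAs((Runnable) () -> {
            SecurityIdentity current = domain.getCurrentSecurityIdentity();
            System.out.println(current.getPrincipal().getName() + " has R2: " + current.getRoles().contains("R2"));
        });
        // Outside runAs() the elevated identity is no longer the domain's current identity.
        System.out.println("after block: " + domain.getCurrentSecurityIdentity().getPrincipal().getName());
    }
}
```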




Shawn White

Apr 25, 2023, 6:06:01 PM
to WildFly
Were there any thoughts about Elia's follow-on question? Namely can the current SecurityDomain be reconfigured or changed?

If a security domain is created programmatically via the builder APIs can it be set as active?