How to create an ad-hoc/runas SecurityIdentity with role association


kumaran L

Jul 14, 2023, 6:08:11 AM7/14/23
to WildFly
I am wondering how to create an ad-hoc/runas SecurityIdentity with a role. The only way I could get it created is by using the API SecurityDomain.getCurrent().authenticate(Principal, Evidence). The other available options, SecurityDomain.getCurrent().createAdHocIdentity() and SecurityDomain.getCurrent().getCurrentSecurityIdentity().createRunAsIdentity(), take only the user principal as argument. I don't see any API like SecurityDomain.getCurrent().createAdHocIdentity(Principal principal, String role). Is there a way to create a SecurityIdentity with role association? This will enable us to migrate from Picketbox to Elytron. Here's an example of how we use the Picketbox lib:

RunAsIdentity identity = new RunAsIdentity(role, principal);

SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();

securityContext.setOutgoingRunAs(identity);
securityContext.setIncomingRunAs(identity);

Regards,
Kumaran

Sayantan Ganguly

Jul 17, 2023, 3:56:45 AM7/17/23
to WildFly
Same question, facing exactly the same issue with Picketbox to Elytron migration. 
Any pointer is highly appreciated!

Thanks,
Sayantan

Darran Lofthouse

Jul 17, 2023, 6:33:56 AM7/17/23
to WildFly
I think we might need a feature request raising to consider this further.

At the outset the architecture was very much for the underlying security realm to be the definitive source of the identity but we have also ourselves had cases where we have needed more and more dynamic security identities.

One strategy we have been using within WildFly is to use a RoleMapper on the new SecurityIdentity and configure this with a constant role mapper which has a pre-defined set of roles. This does cover a lot of cases, but it still doesn't take these roles into account for permission mapping, which is an area we also needed recently.

However, one other challenge is that being able to create ad-hoc security identities is quite sensitive; the methods we already make available are protected by security manager permission checks. An ideal solution could be a more complete API to define the identity, all backed by security manager permission checks, but as the security manager is deprecated any API we provide would be open to all, so we may want to see if we can find an alternative approach to restrict how these APIs can be used.

eng.dan...@gmail.com

Oct 30, 2023, 8:05:30 AM10/30/23
to WildFly
Hi Darran,

Can you give an example of how to create the identity with a constant role mapper?

SecurityIdentity identity = currentSecurityDomain.createAdHocIdentity("MyAdHocUser");

Probably I should use the method withDefaultRoleMapper passing my constant role mapper? But how can I get the role mapper?

identity.withDefaultRoleMapper()


Thanks

Daniel Novo

Oct 31, 2023, 5:03:05 AM10/31/23
to WildFly
Hi,

I think I found the solution:

SecurityIdentity identity = currentSecurityDomain.createAdHocIdentity("MyUser");
RoleMapper roleMapper = RoleMapper.constant(Roles.of("MyRole"));
identity = identity.withDefaultRoleMapper(roleMapper);

Not sure if it is the right way but it's working.

Thanks

--
--------------
Daniel Novo
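Putting the thread's pieces together: the snippet below is an added example (not code from the WildFly/Elytron project or from any poster) that builds an ad-hoc Elytron identity with a constant role mapper as Daniel describes, checks that the role is actually visible on the identity, and then runs a unit of work as that identity. It assumes a SecurityDomain is already associated with the calling thread (so SecurityDomain.getCurrent() returns it), and the names "MyUser" and "MyRole" are constructed. As Darran notes above, roles attached this way are reported by getRoles() but are not consulted by the domain's permission mapper, and createAdHocIdentity is subject to a permission check when a security manager is active.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Callable;

import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;

/**
 * Added example: create an ad-hoc Elytron identity carrying a fixed set of
 * roles and execute work as that identity. Not project code; the domain
 * lookup and the user/role names are assumptions for illustration.
 */
public final class AdHocRunAsExample {

    private AdHocRunAsExample() {
    }

    /**
     * Creates an ad-hoc identity in the given domain and attaches a constant
     * role mapper so that identity.getRoles() reports exactly roleNames.
     */
    public static SecurityIdentity createAdHocIdentityWithRoles(SecurityDomain domain,
                                                                String userName,
                                                                String... roleNames) {
        // Guarded by an ElytronPermission check when a security manager is
        // present; without one, any caller with a reference to the domain
        // can do this, which is the concern raised in the thread.
        SecurityIdentity identity = domain.createAdHocIdentity(userName);

        // Constant mapper: ignores whatever the realm would have supplied and
        // always yields the fixed set below.
        Set<String> roleSet = new HashSet<>(Arrays.asList(roleNames));
        RoleMapper constantRoles = RoleMapper.constant(Roles.fromSet(roleSet));

        // Note: this affects getRoles(), not the domain's permission mapping.
        return identity.withDefaultRoleMapper(constantRoles);
    }

    /**
     * Runs the work with the given identity associated for the duration of
     * the call, mirroring the Picketbox incoming/outgoing run-as usage.
     */
    public static <T> T runAs(SecurityIdentity identity, Callable<T> work) throws Exception {
        return identity.runAs(work);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a security domain is associated with this thread.
        SecurityDomain domain = SecurityDomain.getCurrent();

        SecurityIdentity runAsIdentity = createAdHocIdentityWithRoles(domain, "MyUser", "MyRole");

        // Defensive check before relying on the role for any authorisation decision.
        if (!runAsIdentity.getRoles().contains("MyRole")) {
            throw new IllegalStateException("constant role mapper was not applied");
        }

        // Inside the callable, the current identity of the domain is the run-as one.
        String name = runAs(runAsIdentity,
                () -> SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal().getName());
        System.out.println("Work ran as: " + name);
    }
}
```

If the code running inside runAs is itself protected by Elytron permission mapping rather than by plain role checks, the constant role mapper alone will not satisfy it; that is the gap Darran describes, and it is worth verifying with a test that exercises the real permission check rather than only getRoles().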