Webservices - Roles


Chege Kĩnũthia

Jul 28, 2025, 10:19:28 AM
to WildFly
Hi,


How do I add roles/groups?

// Principal for the authenticated user
NamePrincipal principal = new NamePrincipal("chege");
// Read-only Subject holding only that principal: no roles/groups yet
javax.security.auth.Subject mySubject = new javax.security.auth.Subject(true, Set.of(principal), Set.of(), Set.of());
securityDomainContext.pushSubjectContext(mySubject, principal, null);


Chege

Bartosz Baranowski

Jul 30, 2025, 4:21:38 AM
to WildFly
Going to copy-paste since by mistake I sent it as DM:


https://www.ibm.com/docs/en/sdk-java-technology/8?topic=jaas-subject  or https://docs.oracle.com/en/java/javase/13/security/java-authentication-and-authorization-service-jaas-reference-guide.html

Subject subject;
Principal principal;
Object credential;
// add a Principal and credential to the Subject
subject.getPrincipals().add(principal);    // <<----- this is the line that matters
subject.getPublicCredentials().add(credential);

If you go into jdoc:
https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/UserPrincipal.html

"After successful authentication, a user Principal can be associated with a particular Subject to augment that Subject with an additional identity. Authorization decisions can then be based upon the Principals that are associated with a Subject. "

Though I'm not 100% sure how this translates into what you are trying to achieve, there are examples of custom JAAS login modules assigning roles, i.e.:
https://blog.frankel.ch/custom-loginmodule-in-tomcat/

or filter

https://stackoverflow.com/questions/4833781/tomcat-securityfilter-and-authorization

or modification of user after login in GF

https://stackoverflow.com/questions/9082208/programmatically-add-roles-after-authentication

refs:
https://forums.oracle.com/ords/apexds/post/jaas-loginpodule-exception-when-adding-principal-to-subject-6531

John Saccoccio

Aug 11, 2025, 12:41:50 PM
to WildFly
Just finished migrating from legacy to Elytron and have the bruises.  Elytron principal/role works off of class name.

Principal should be an instance of import org.wildfly.security.auth.principal.NamePrincipal;
Login success:  this.principal = new NamePrincipal(userName);

Then you need a Roles object:
    /**
     * To assign roles for the identity, we implement a Principal interface with a class named Roles.
     */
    private static class Roles implements Principal {
        private final String name;
        Roles(final String name) {
            this.name = name;
        }
        public String getName() {
            return this.name;
        }
    }

Then for each role name:
subject.getPrincipals().add(new Roles(name));

Chege Kĩnũthia

Aug 12, 2025, 3:32:08 AM
to John Saccoccio, WildFly
I had seen something similar here https://wildfly-security.github.io/wildfly-elytron/blog/using-a-jaas-realm-in-elytron/ and attempted to create class Roles as follows

import java.security.Principal;

// Role marker principal: one instance per role name added to the Subject
public class Roles implements Principal {

    private final String name;

    public Roles(final String name) {
        this.name = name;
    }

    @Override
    public String getName() {
        return this.name;
    }
}

then in my WSS4JInInterceptor

NamePrincipal principal = new NamePrincipal("chege");
Roles admin = new Roles("Admin");

javax.security.auth.Subject mySubject = new javax.security.auth.Subject();
mySubject.getPrincipals().add(principal);
mySubject.getPrincipals().add(admin);
securityDomainContext.pushSubjectContext(mySubject, principal, null);


In my POJO I have this:

import jakarta.xml.ws.WebServiceContext;

public class ServiceImpl implements ServiceIface {

    @jakarta.annotation.Resource
    private WebServiceContext webServiceContext;

    @Override
    public String sayHello(String input) {
        // username is ok
        String name = webServiceContext.getUserPrincipal().getName();
        // this one is still false
        boolean isAdmin = webServiceContext.isUserInRole("Admin");
        System.out.println("*************************************");
        System.out.println("name = " + name);       // OK
        System.out.println("isAdmin = " + isAdmin); // NOT OKAY
        System.out.println("*************************************");
        return "Ok!";
    }
}

What am I missing?



Chege Kĩnũthia

Sep 15, 2025, 4:03:24 AM
to WildFly
Finally it has worked. I have created an ad hoc identity with roles and added the identity to the private credentials.

import java.security.Principal;
import javax.security.auth.Subject;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.jboss.logging.Logger;
import org.jboss.wsf.spi.deployment.Endpoint;
import org.jboss.wsf.spi.security.SecurityDomainContext;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;

/**
 *
 * @author chege
 */
public class PropagateSecurityInterceptor extends WSS4JInInterceptor {

    private static final Logger logger = Logger.getLogger(PropagateSecurityInterceptor.class);

    public PropagateSecurityInterceptor() {
        super();
        // run after the policy-based WSS4J interceptor has processed the security header
        getAfter().add(PolicyBasedWSS4JInInterceptor.class.getName());
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        final Endpoint endpoint = message.getExchange().get(Endpoint.class);
        final SecurityDomainContext securityDomainContext = endpoint.getSecurityDomainContext();
        final SecurityDomain securityDomain = securityDomainContext.getElytronSecurityDomain();
        //TODO: Extract details from soap message / saml token
        // MyPrincipal: a java.security.Principal implementation (not shown in this message)
        Principal p = new MyPrincipal("chege");
        // ad hoc Elytron identity; the role mapper adds "Admin" to the "ejb" role category
        SecurityIdentity identity = securityDomain.createAdHocIdentity(p)
                .withRoleMapper("ejb", r -> r.or(org.wildfly.security.authz.Roles.of("Admin")));

        Subject mySubject = new Subject();
        //identity must be part of private credentials
        mySubject.getPrivateCredentials().add(identity);
        securityDomainContext.pushSubjectContext(mySubject, p, null);
    }
}

If no identity is added, a new one is created by org.jboss.as.webservices.util.SubjectUtil without roles.

I can invoke EJBs annotated with @RolesAllowed:

@Stateless
@RolesAllowed({"Admin"})
public class NewSessionBean {
}

Chege
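An added example, not code from the thread: the same "ejb" role mapper, but built from the role names carried by the verified token instead of a hard-coded "Admin", and limited to the roles the deployment actually declares. It assumes the Elytron `Roles`/`RoleMapper` API is on the classpath; the `KNOWN_ROLES` allow-list and the sample token roles are constructed here.

```java
import java.util.Set;
import java.util.stream.Collectors;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;

/** Builds the role mapper passed to SecurityIdentity.withRoleMapper("ejb", ...). */
public final class TokenRoleMapper {

    // Constructed allow-list: only roles this deployment declares are ever granted.
    static final Set<String> KNOWN_ROLES = Set.of("Admin", "User");

    private TokenRoleMapper() {}

    /**
     * Maps role names taken from the verified token (e.g. SAML attributes) to an
     * Elytron RoleMapper. Names outside KNOWN_ROLES are dropped; roles the identity
     * already has are kept, as in the thread's r.or(...) mapper.
     */
    public static RoleMapper fromTokenRoles(Set<String> tokenRoles) {
        Set<String> granted = tokenRoles.stream()
                .filter(KNOWN_ROLES::contains)
                .collect(Collectors.toUnmodifiableSet());
        Roles extra = granted.isEmpty() ? Roles.NONE : Roles.fromSet(granted);
        return existing -> existing.or(extra);
    }

    public static void main(String[] args) {
        // Constructed sample: what a token might carry, including a name we do not define.
        Set<String> fromToken = Set.of("Admin", "superuser");
        RoleMapper mapper = fromTokenRoles(fromToken);
        Roles mapped = mapper.mapRoles(Roles.NONE);
        System.out.println("Admin granted: " + mapped.contains("Admin"));
        System.out.println("superuser granted: " + mapped.contains("superuser"));
        // In the interceptor: securityDomain.createAdHocIdentity(p).withRoleMapper("ejb", mapper);
    }
}
```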