SecurityContext not being propagated with remote EJB calls


Miha Štemberger

Mar 9, 2023, 10:43:56 AM
to WildFly
Hello everyone!

We have run into an issue that has been giving us a hard time.

We are currently using the Keycloak Adapter subsystem to work with our application security. While trying to migrate to WildFly 26.1.3, we switched to the out-of-the-box WildFly Elytron system with OIDC. We are not sure if we are missing some configuration for this to work as needed, but at this time we are unable to propagate the already resolved security context over remote EJB calls (from one WAR deployment to another WAR deployment). When we reintroduced the Keycloak Adapter, this did not seem to be an issue.

The full example with both (Keycloak Adapter and OIDC) configurations can be found at: https://github.com/MihaStemberger/elytron-security-context-propagation-to-remote-ejb

It is also a bit confusing to read that the adapter is deprecated while the documentation still mentions it (https://docs.wildfly.org/26.1/WildFly_Elytron_Security.html#Keycloak_Integration).

When executing the test, it is visible that there is an anonymous principal:
-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running com.mihas.security.tests.ServletTest
Sending request to: http://localhost:8080/service-one/
HTTP Status: 200
HTTP principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.wildfly.security.http.oidc.OidcPrincipal
Local EJB principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.wildfly.security.http.oidc.OidcPrincipal
Remote EJB principal: Name: anonymous, Type: org.wildfly.security.auth.principal.AnonymousPrincipal

Sending request to: http://localhost:8081/service-one/
HTTP Status: 200
HTTP principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.keycloak.KeycloakPrincipal
Local EJB principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.keycloak.KeycloakPrincipal
Remote EJB principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.keycloak.KeycloakPrincipal


Best regards,
Miha
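The test output above shows the symptom directly: the HTTP and local EJB principals carry the OIDC identity, but the remote EJB principal on the Elytron OIDC deployment (port 8080) is anonymous, while the Keycloak Adapter deployment (port 8081) keeps the same identity across all three layers. The following added example (my own illustration, not code from the post or from the linked repository) parses that output shape and flags every layer where an authenticated HTTP identity is dropped to anonymous, goes missing, or changes name. The sample output block and the regular expressions are constructed to match the lines quoted above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the test output quoted in the post.
SAMPLE_OUTPUT = """\
Sending request to: http://localhost:8080/service-one/
HTTP Status: 200
HTTP principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.wildfly.security.http.oidc.OidcPrincipal
Local EJB principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.wildfly.security.http.oidc.OidcPrincipal
Remote EJB principal: Name: anonymous, Type: org.wildfly.security.auth.principal.AnonymousPrincipal

Sending request to: http://localhost:8081/service-one/
HTTP Status: 200
HTTP principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.keycloak.KeycloakPrincipal
Local EJB principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.keycloak.KeycloakPrincipal
Remote EJB principal: Name: 9302f4a1-5f37-4699-9971-ca6ff56bebc6, Type: org.keycloak.KeycloakPrincipal
"""

# Principal type WildFly Elytron uses for an unauthenticated caller (seen in the post).
ANONYMOUS_TYPES = {"org.wildfly.security.auth.principal.AnonymousPrincipal"}

# Assumed line formats, taken from the quoted output.
REQUEST_RE = re.compile(r"^Sending request to: (\S+)$")
PRINCIPAL_RE = re.compile(
    r"^(HTTP|Local EJB|Remote EJB) principal: Name: (.+?), Type: (\S+)$"
)


@dataclass
class Run:
    """One request to one deployment and the principal seen at each layer."""
    url: str
    principals: dict = field(default_factory=dict)  # layer -> (name, type)


def parse_runs(text):
    """Group the test output into one Run per 'Sending request to:' block."""
    runs, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = Run(m.group(1))
            runs.append(current)
            continue
        m = PRINCIPAL_RE.match(line)
        if m and current is not None:
            current.principals[m.group(1)] = (m.group(2), m.group(3))
    return runs


def is_anonymous(principal):
    name, ptype = principal
    return ptype in ANONYMOUS_TYPES or name == "anonymous"


def propagation_findings(runs):
    """Return (url, layer, problem) for every layer that lost the HTTP identity."""
    findings = []
    for run in runs:
        http = run.principals.get("HTTP")
        if http is None or is_anonymous(http):
            continue  # nothing authenticated at the web layer, so nothing to propagate
        for layer in ("Local EJB", "Remote EJB"):
            p = run.principals.get(layer)
            if p is None:
                findings.append((run.url, layer, "missing"))
            elif is_anonymous(p):
                findings.append((run.url, layer, "dropped to anonymous"))
            elif p[0] != http[0]:
                findings.append((run.url, layer, f"identity changed to {p[0]}"))
    return findings


if __name__ == "__main__":
    for url, layer, problem in propagation_findings(parse_runs(SAMPLE_OUTPUT)):
        print(f"{url}: {layer} principal {problem}")
```

Run against the constructed sample, the only finding is the remote EJB on port 8080, which is exactly the anonymous principal the post reports; the Keycloak Adapter deployment produces no findings because all three names match.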

Farah Juma

Mar 9, 2023, 3:21:00 PM
to WildFly
Currently, with the elytron-oidc-client subsystem, it's only possible to propagate the identity from the web layer to the EJB layer when the EJB is contained in the same WAR. If the EJB is located outside the WAR, the identity won't be propagated.

However, the ability to propagate the identity when the EJB is located in another deployment is something that we are in the process of adding. Please keep an eye on WFLY-16793 (and https://github.com/wildfly/wildfly/pull/16552) for updates.

We have also just recently updated the documentation to remove the section you mentioned about the Keycloak adapter:

Miha Štemberger

Mar 9, 2023, 4:01:21 PM
to WildFly
Thank you for the quick reply, Farah Juma. I see that the pull request (https://github.com/wildfly/wildfly/pull/16552) is set to the main branch. Are there any intentions of these additions being present in new releases of the 26.x version?

Best regards,
Miha
On Thursday, 9 March 2023 at 21:21:00 UTC+1, Farah Juma wrote:

Farah Juma

Mar 9, 2023, 4:13:19 PM
to WildFly
This will only be added to the main branch.

Best regards,
Farah