Propagate authenticated subject in ElytronSecurityDomainContextImpl
Overview
Where an application is deployed using WildFly Elytron security components the Apache CXF integration for the verification of SAML messages is handling this independently of the underlying security infrastructure in use by the application server. This obviously has the issue that WildFly Elytron is not involved in the actual processing but this also leads to the following issues:
-
No WildFly Elytron SecurityIdentity is established for the current request based on the authentication.
-
Without a SecurityIdentity there is no identity to associate any SAML token as a delegated credential.
-
Without the SecurityIdentity as the request propagates to other containers within the application server there is no identity propagated to nothing to hold the SAML token.
With the RFE here we should fill in the gap with the existing Apache CXF / WebServices subsystem and the legacy security system; that means allowing propagating the subject authenticated in the WS/application layer to the Elytron security system in the ElytronSecurityDomainContextImpl. That way an EJB belonging to the same application that processed the SAML message can e.g. access to the proper principal through the SessionContext.
Issue Metadata
Issue:
Related Issues:
Dev Contacts:
QE Contacts:
Affected Projects or Components:
-
WildFly
Requirements
-
Convert CXF’s SAMLTokenPrincial to WildFly Elytron SecurityIdentity
-
Propagate authenticated object to EJB subsystem
Non Requirements
-
New Realm or SAML token support in Elytron could be a long term plan
-
At the moment only SAML token type/integration is required.
Community documentation
Design Details
Wildfly Elytron SecurityDomain provides createAdHocIdentity(pincipal) to create a SecurityIdentity from principal. Public/private principals can be converted to Elytron’s identityCredentials and attach to SecurityIdentity. The group or roles from Subject will be mapped to securityIdentity with SecurityIdentity.withRoleMapper(). To propagate this SecurityIdentity to EJB subystem, the jaxws ejb invocation handler and ejb interceptor chains should be executed under SecurityIdentity.runAs() block.
To make all these works, convert JAAS subject to Elytron SecurityIdentity in ElytronSecurityDomainContextImpl and set this new created securityIdentity to ThreadLocal currentIdentity to allow the runAs be called in EJB webservice invocation handler.
Test Plan
Add test to WildFly testsuite with the scenario that brought to discovering the issue.