Wildfly custom JAAS LoginModule with custom Principal in RunAs and unauthenticated - jboss7.x

I'm looking for help with a custom Principal used in a custom LoginModule on WildFly 10/JBoss 7.
I would like to put some additional data into my custom principal, connected with authorization as well as audit data such as the sessionId gathered from the HttpRequest in my custom LoginModule.
In my EJB implementation I'm getting my custom principal object from sessionContext.getCallerPrincipal(), and it works pretty well when the user is authenticated by my LoginModule (where I produce the desired principal object).
The problem starts when I turn off BASIC authentication on any web service or when I'm using a @RunAs implementation in my EJB call stack.
In the case with authentication turned off I'm getting an "anonymous" SimplePrincipal object from getCallerPrincipal(), and a SimplePrincipal with one role in the @RunAs case.
Is there any way to force JBoss to use my custom LoginModule, or any other module where I can produce my custom principal and put it into the sessionContext caller principal?
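As an added illustration of the setup the question describes (not the asker's code), a minimal JAAS LoginModule that commits a custom Principal carrying roles and the HTTP session id into the Subject; the in-memory user store, user names and roles are constructed placeholders. It does not by itself change what getCallerPrincipal() returns for unauthenticated or @RunAs calls, which is the open question.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
public class AuditLoginModule implements LoginModule {
    // Custom principal: roles for authorization plus the HTTP session id for the audit trail.
    public static final class AuditPrincipal implements Principal {
        private final String name, sessionId; private final Set<String> roles;
        AuditPrincipal(String name, String sessionId, Set<String> roles) {
            this.name = name; this.sessionId = sessionId; this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
        public String getName() { return name; }
        public String getSessionId() { return sessionId; }
        public Set<String> getRoles() { return roles; }
    }
    // Constructed in-memory user store standing in for the real one (placeholder credentials).
    private static final Map<String, String> PASSWORDS = Collections.singletonMap("alice", "s3cret");
    private static final Map<String, Set<String>> ROLES = Collections.singletonMap("alice", new HashSet<>(Arrays.asList("user", "admin")));
    private Subject subject; private CallbackHandler handler; private AuditPrincipal principal;
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[]{nc, pc}); } catch (Exception e) { throw new LoginException("callback failed"); }
        char[] pw = pc.getPassword();
        String expected = PASSWORDS.get(nc.getName());
        boolean ok = expected != null && pw != null && MessageDigest.isEqual(   // constant-time comparison
                expected.getBytes(StandardCharsets.UTF_8), new String(pw).getBytes(StandardCharsets.UTF_8));
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("bad credentials");
        principal = new AuditPrincipal(nc.getName(), currentSessionId(), ROLES.get(nc.getName()));
        return true;
    }
    // Only commit() touches the Subject, so a login that fails in another module leaves nothing behind.
    @Override public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
    @Override public boolean abort() { principal = null; return true; }
    @Override public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
    private static String currentSessionId() {
        try { // JACC handler key for the request that triggered the login; null outside a servlet request (e.g. remote EJB client)
            HttpServletRequest req = (HttpServletRequest) PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
            return req == null || req.getSession(false) == null ? "no-session" : req.getSession(false).getId();
        } catch (Exception e) { return "no-session"; }
    }
}
```

The container's own role checks read roles from the Subject (on WildFly's legacy PicketBox layer, from a Group named "Roles"), not from the fields of this principal, so role membership still has to be published the way the security domain expects.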

Related

WSO2 IS: OpenID Connect custom claims in 5.2.0?

I have installed WSO2 IS 5.2.0 and I have a problem retrieving custom-created claims.
I've added new claims to the dialect http://wso2.org/claims and I also added new claims that map the same attribute to the dialect http://wso2.org/oidc/claim, which worked with version 5.1.0 but is not working in version 5.2.0.
All fields are present in the database attribute table. I am using the OAuth2 OpenID Connect userInfo endpoint for fetching user data.
Here is the claims configuration for my Service Provider:
With this configuration in 5.1.0 I got all requested claims from the image, but in 5.2.0 I get only the claims that are not custom, i.e. those that were already present in both dialects by default.
The reason for this behaviour is the introduction of OpenID Connect claim scopes in 5.2.0. So basically when you are requesting an OIDC token you can specify a scope value that is bound to a set of claims. So when you send that OIDC token to the userinfo endpoint, only those claims which are common to both the OIDC scope config and the SP claim configuration (i.e. the intersection of the claims in both configs) will be returned.
Let's take an example: consider the default scope required to get an OIDC token, which is 'openid'.
The openid scope is bound to the following claims:
sub, email, email_verified, name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at, phone_number, phone_number_verified, address, street
(you can configure this using the 'oidc' file found in the registry at /_system/config/oidc)
So in your case please add the custom claims slotCentreURL, role and slotCentre to the mapped claims for this scope by editing the oidc file.
Alternatively you can add a new scope, say 'customSPScope1', with the claims that you need, and send it when getting the OIDC token in addition to the mandatory openid scope.
You also need to configure the required claims in the Service Provider configuration. The logic here is that only the intersection of the claims configured at the OIDC scope level and the claims configured at the SP level is returned.
The reason could be the mapped attribute. You need to configure the same mapped attribute in both the OIDC dialect and the wso2 dialect for custom claims.

Use of isInternalUserID for Adapter-Based Authentication

I am using the IBM MobileFirst Studio Plugin 7.0 and was following the tutorials for adapter-based authentication here: Documentation.
I see that isInternalUserID is not used to create the userIdentity object, unlike in the form-based authenticator documentation. Can it be used? Or is it specifically so that the code to create the userIdentity needs to be done in the adapter?
There are two parts to the answer:
a) When using a custom security test, "isInternalUserID" is used to identify a particular realm as the one that will be used for creating the user identity. If a realm is marked with "isInternalUserID", it means that only this realm is used for user identification.
There must be exactly one such realm for every security configuration that is applied to a mobile or web resource.
b) Adapter-based authentication allows the flexibility to develop custom authentication logic within a MobileFirst adapter. This is why you see that the userIdentity is created and assigned in adapter logic (unlike the form-based sample).
However, you will note that the generated identity is still assigned to the realm that is marked "isInternalUserID" in the security test.
More details:
Understanding predefined Worklight authentication realms and security tests
Security Tests
Implementing adapter-based authenticators

How to authorize a user using EJB interceptors?

We are planning to use EJBs for our service layer. We have HTTP clients and EJB clients.
We want to authorise a user action based on his roles. There are two kinds of users, admins and non-admins.
We configured a realm in the server, and in the web tier the SecurityContext is populated by the server.
We basically want to write an interceptor and add it to the service methods. Whenever an EJB method is called, irrespective of which client layer the method is called from, the interceptor should be able to get the user name/id so that it can check for authorization.
Can anyone help me solve this?
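One way to implement the check described in the question (added example, not the asker's code): an EJB interceptor that reads the caller from the container-populated EJBContext and compares it with the roles listed by a hypothetical @RequiresRole annotation; the annotation and the role names are assumptions.

```java
import java.lang.annotation.*;
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Hypothetical annotation naming the roles that may call a method (any one of them suffices).
@Retention(RetentionPolicy.RUNTIME) @Target({ElementType.METHOD, ElementType.TYPE})
@interface RequiresRole { String[] value(); }

public class RoleCheckInterceptor {
    // Populated by the container for every invocation, regardless of the client (HTTP or remote EJB).
    @Resource private EJBContext ctx;

    @AroundInvoke
    public Object authorize(InvocationContext ic) throws Exception {
        RequiresRole required = ic.getMethod().getAnnotation(RequiresRole.class);
        if (required == null) required = ic.getTarget().getClass().getAnnotation(RequiresRole.class);
        if (required == null) return ic.proceed();   // no constraint declared on this method or bean
        Principal caller = ctx.getCallerPrincipal();  // "anonymous" for unauthenticated callers
        for (String role : required.value()) {
            if (ctx.isCallerInRole(role)) return ic.proceed();
        }
        // Fail closed. Keep the message to caller and method: it is for the server log, and may reach the client.
        String who = caller == null ? "unauthenticated" : caller.getName();
        throw new EJBAccessException("caller '" + who + "' is not allowed to call " + ic.getMethod().getName());
    }
}
```

Attach it with @Interceptors(RoleCheckInterceptor.class) on the service bean (or as a default interceptor in ejb-jar.xml) and mark methods with @RequiresRole("admin"). For plain role membership the container's declarative @RolesAllowed gives the same result without custom code; the interceptor earns its keep when the decision needs more than the role, such as the audit data from the first question.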

Programmatic login (authentication) in WebLogic (JAAS)

We have an existing Java EE application running under WebLogic and I want to authenticate a user programmatically as though the user had logged in via the existing web login process. That is to say, in the end, I want to have a valid session (cookie) that can be returned to the caller and later returned to the server without re-authentication. (This is to enable JAX-WS stateful Web Service calls.)
We have a custom LoginModule that, when the user logs in via Forms Authentication, is eventually called via j_security_check. I guess what I'd like to do is to somehow get WebLogic to invoke that LoginModule on my behalf, ask me for the credentials, and yield an authenticated session and a valid subject etc. (i.e. all the JAAS goodness).
Is this a JAAS thing? Is there a WebLogic call?
You can do this using the HttpServletRequest#login method. This will trigger the same kind of login chain that would otherwise be executed if your user accessed a protected resource.
WebLogic security uses a security service plug-in (SSPI) architecture that allows you to implement security providers. Container (such as servlet) authentication is handled by authentication providers that use the SSPI. An authentication provider wraps a JAAS login module.
Writing and configuring security providers is extensively documented.
If you implement an authentication provider to wrap your login module and configure it for the WebLogic domain, it will be called automatically by the WebLogic security framework for all container authentication.

Tomcat authentication using SPNEGO/Kerberos and delegation

Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?
I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.
EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.
WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.
It provides a ServletFilter that uses native Windows APIs to authenticate the user, using either Basic or Negotiate authentication. The user can then be impersonated, and native API calls will be performed with the access token of the impersonated user.
How about using the JAAS realm together with the Kerberos 5 JAAS module?
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
Looks like it might require a little coding, but the pieces should be there.
Here's a tutorial: http://spnego.sourceforge.net/credential_delegation.html. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.