I want to implement custom authorization in Glassfish 4. So I must implement a Realm class and a LoginModule class that extends AppservPasswordLoginModule. But I need to store in the principal class not only the name of the principal but also the id from the database. How can I use my own implementation of the Principal class?
I have two custom authentication methods on Keycloak.
One of them is a custom-implemented user federation. I configured it for the X realm. The system uses this implementation for login with the username / password method. This implementation calls my federation service and it validates the sent user. It works successfully and authenticates federated users.
The second one is identity brokering (OpenID Connect). I configured a custom OpenID provider for the Y realm. It works successfully and validates the provider's users.
I configured both of them for the same realm. When I try to log in with the custom identity provider, the authentication flow works correctly. At the end of the flow, the configured user federation (custom-implemented user federation) triggers with the username that comes from the identity brokering (custom identity provider) login process, and it calls my federation service again.
When I try to log in with identity providers, I do not want the user federation (custom-implemented user federation) to run. It must run only when I try to log in with username / password login.
How can I block the user federation from running in this scenario?
Please share your experience.
Thanks
I had the same issue of the identity provider and custom user federation not both working at the same time. My solution wasn't to block user federation but to change my custom user federation code. The implementation of the method that returns the user from the UserLookupProvider interface (getUserByEmail/Username/Id) must be coded to return an AbstractUserAdapterFederatedStorage. This implementation of UserModel provides implementations for the methods Keycloak needs to internalize users from identity providers. Additionally, I implemented the UserQueryProvider interface along with UserStorageProvider, UserLookupProvider and CredentialInputValidator to be able to see these users from the Keycloak admin console.
From their documentation:
Keycloak comes with a helper class org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage that will delegate every single UserModel method except get/set of username to user federated storage.
...interface UserQueryProvider. If you do not implement this interface, then users will not be viewable in the admin console. You’ll still be able to login though.
Ref: https://www.keycloak.org/docs/latest/server_development/#_user-storage-spi
Code:
Note: a custom Keycloak user storage should have at least two classes: one main class that does the heavy lifting and must implement at least UserStorageProvider, and another that is a factory that calls this class. More on this in their Server Development guide. The following code goes in the main class (not the factory):
```java
@Override
public UserModel getUserByUsername(String username, RealmModel realm) {
    // [...] look the user up through the federation service
    userModel = createUserModel(username, realm);
    // [...]
    return userModel;
}

protected UserModel createUserModel(String username, RealmModel realm) {
    // session and model are the KeycloakSession and ComponentModel handed to the
    // provider by its factory; everything except the username is delegated to
    // Keycloak's federated storage, which is what lets brokered users be internalized.
    return new AbstractUserAdapterFederatedStorage(session, realm, model) {
        @Override
        public String getUsername() {
            return username;
        }

        @Override
        public void setUsername(String username) {
            // retrieves user through repository and sets the keycloak user to its username. (Seems redundant but works!)
            usersService.getUserDetails(username).setUsername(username);
        }
    };
}
```
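To show how the pieces named in this answer fit together (the provider returning an AbstractUserAdapterFederatedStorage, plus CredentialInputValidator so the username/password flow can use it, plus the factory), here is an added, self-contained example. It is not the answerer's code or Keycloak's own sample. It assumes the Keycloak 3.x/4.x API generation the answer uses (UserLookupProvider methods take the username before the RealmModel, and the password arrives as UserCredentialModel.getValue(); newer releases reverse the parameter order and use CredentialInput.getChallengeResponse()). The package name, provider id and the in-memory user map standing in for the federation service are all constructed for the example.

```java
package example.federation; // hypothetical package; added example, not code from the answer

import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Users live in an external system; everything Keycloak needs to attach to them
 * (attributes, federated identities from brokered IdPs, required actions, ...)
 * is delegated to Keycloak's federated storage by AbstractUserAdapterFederatedStorage.
 */
public class ExternalUserStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    // Constructed sample directory (username -> password) standing in for the
    // federation service. A real provider calls the service instead.
    static final Map<String, String> EXTERNAL_USERS = new ConcurrentHashMap<>();
    static { EXTERNAL_USERS.put("alice", "correct horse battery staple"); }

    private final KeycloakSession session;
    private final ComponentModel model;

    public ExternalUserStorageProvider(KeycloakSession session, ComponentModel model) {
        this.session = session;
        this.model = model;
    }

    // --- UserLookupProvider ---
    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        // null means "not mine": Keycloak moves on to the next provider instead of failing.
        return EXTERNAL_USERS.containsKey(username) ? adapt(realm, username) : null;
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return null; // the sample directory has no e-mail column
    }

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        // Ids minted by the adapter are "f:<componentId>:<externalId>"; strip the prefix.
        return getUserByUsername(StorageId.externalId(id), realm);
    }

    private UserModel adapt(RealmModel realm, String username) {
        return new AbstractUserAdapterFederatedStorage(session, realm, model) {
            @Override public String getUsername() { return username; }
            @Override public void setUsername(String name) {
                // Renames belong to the external system; ignored here.
            }
        };
    }

    // --- CredentialInputValidator: lets the username/password flow use this provider ---
    @Override
    public boolean supportsCredentialType(String credentialType) {
        return "password".equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType) && EXTERNAL_USERS.containsKey(user.getUsername());
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        String expected = EXTERNAL_USERS.get(user.getUsername());
        String supplied = ((UserCredentialModel) input).getValue();
        // Constant-time comparison; a real provider delegates the check to the federation service.
        return expected != null && supplied != null
                && MessageDigest.isEqual(expected.getBytes(), supplied.getBytes());
    }

    @Override public void close() { }
    @Override public void preRemove(RealmModel realm) { }
    @Override public void preRemove(RealmModel realm, GroupModel group) { }
    @Override public void preRemove(RealmModel realm, RoleModel role) { }

    /** Registered in META-INF/services/org.keycloak.storage.UserStorageProviderFactory. */
    public static class Factory implements UserStorageProviderFactory<ExternalUserStorageProvider> {
        @Override public ExternalUserStorageProvider create(KeycloakSession session, ComponentModel model) {
            return new ExternalUserStorageProvider(session, model);
        }
        @Override public String getId() { return "external-user-storage"; }
    }
}
```

Because the adapter delegates everything but the username to Keycloak's federated storage, a user who first arrives through the brokered identity provider gets a Keycloak-side record (federated identity link, attributes) without the provider having to invent one, which is the behaviour the answer relies on. The validator is what a username/password login hits; the brokered flow never calls isValid, so nothing extra is needed to keep the two paths apart.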
I'm looking for help with a custom Principal used in a custom LoginModule on WildFly 10/JBoss 7.
I would like to put some additional data into my custom principal connected with authorization, as well as audit data such as the sessionId gathered from the HttpRequest in my custom LoginModule.
In the EJB implementation I'm getting my custom principal object from sessionContext.getCallerPrincipal(), and it works pretty well when the user is authenticated by my LoginModule (where I produce the desired principal object).
The problem starts when I turn off BASIC authentication on any web service or when I'm using the @RunAs implementation in my EJB call stack.
In the case with authentication turned off I'm getting an "anonymous" SimplePrincipal object from getCallerPrincipal(), and a SimplePrincipal with one role in the case with @RunAs.
Is there any way to force JBoss to use my custom LoginModule or any other module
where I can produce my custom principal and put it into the sessionContext caller principal?
I am using IBM MobileFirst Studio Plugin 7.0 and was following the tutorials for adapter-based authentication in the documentation.
I see that isInternalUserID is not used to create the userIdentity object, unlike in the form-based authenticator documentation. Can it be used? Or is it specifically so that the code to create the userIdentity needs to be done in the adapter?
There are two parts to the answer:
a) When using a custom security test, "isInternalUserID" is used to identify a particular realm as the one that will be used for creating user identity. If a realm is marked with "isInternalUserID" it means that only this realm is used for user identification.
There must be exactly one such realm for every security configuration that is applied to a mobile or web resource.
b) Adapter-based authentication allows the flexibility to develop custom authentication logic within a MobileFirst adapter. This is why you see that userIdentity is created and assigned with adapter logic (unlike the form-based sample).
However, you will note that the generated identity is still assigned to the realm that is marked "isInternalUserId" in the security test.
More details:
Understanding predefined Worklight authentication realms and security tests
Security Tests
Implementing adapter-based authenticators
How can I access the HTTP session and request/response from an OpenAM custom authentication module? Anyone have an idea?
I am trying the OpenAM sample auth module, but nowhere have I found a way to access HttpServletRequest etc.
I have a requirement to access the HttpSession as I am working on challenge/signature authentication. I store the challenge in the session on Login.jsp and the client signs it. Now inside the custom auth module, I need access to that challenge in the session to verify it.
Is it passed somewhere in init?
```java
public void init(Subject subject, Map sharedState, Map options)
```
Every custom auth module extends from AMLoginModule, which has the HttpServletRequest :)
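Putting the answer to use for the challenge/signature flow the question describes: an added example module, not the questioner's code or OpenAM's sample module. It relies on AMLoginModule's getHttpServletRequest(), process(Callback[], int) and getPrincipal() as I know them from the OpenAM auth SPI; the session attribute name, the request parameter names, the signature algorithm (SHA256withRSA) and the in-memory map of enrolled public keys are all assumptions constructed for the example.

```java
package example.openam; // hypothetical package; added example, not the poster's module or OpenAM's sample

import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.ISAuthConstants;

/** Auth module that verifies a client signature over a challenge parked in the HTTP session. */
public class ChallengeSignatureModule extends AMLoginModule {

    /** Session attribute under which Login.jsp is assumed to store the random challenge bytes. */
    static final String CHALLENGE_ATTR = "auth.challenge";

    /** Constructed stand-in for the user store (username -> enrolled public key); empty, so it fails closed. */
    static final Map<String, PublicKey> ENROLLED_KEYS = new HashMap<>();

    private String userName;

    @Override
    public void init(Subject subject, Map sharedState, Map options) { }

    @Override
    public int process(Callback[] callbacks, int state) throws LoginException {
        HttpServletRequest request = getHttpServletRequest(); // inherited from AMLoginModule
        HttpSession session = request == null ? null : request.getSession(false);
        if (session == null) {
            throw new AuthLoginException("no session, so no challenge was issued");
        }
        // Remove the challenge before checking anything: one challenge, one attempt,
        // so a signature captured in transit cannot be resubmitted against this session.
        byte[] challenge = (byte[]) session.getAttribute(CHALLENGE_ATTR);
        session.removeAttribute(CHALLENGE_ATTR);
        if (challenge == null) {
            throw new AuthLoginException("no pending challenge");
        }
        // Assumed parameter names; the client submits them after signing the challenge.
        String user = request.getParameter("username");
        String signatureB64 = request.getParameter("signature");
        if (user == null || signatureB64 == null
                || !verify(challenge, signatureB64, ENROLLED_KEYS.get(user))) {
            throw new AuthLoginException("signature does not verify against the pending challenge");
        }
        userName = user;
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    @Override
    public Principal getPrincipal() {
        return userName == null ? null : new NamePrincipal(userName);
    }

    /** SHA-256 with RSA PKCS#1 v1.5; a malformed signature or unusable key is simply a failure. */
    static boolean verify(byte[] challenge, String signatureB64, PublicKey key) {
        if (key == null) return false;
        try {
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update(challenge);
            return sig.verify(Base64.getDecoder().decode(signatureB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;
        }
    }

    static final class NamePrincipal implements Principal, java.io.Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
}
```

The part that matters beyond "get the request": the challenge must be unpredictable (Login.jsp should draw it from SecureRandom), it must be bound to the same session that later presents the signature, and it must be consumed on the first verification attempt, which is why the module removes it before the checks rather than after a success.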
I already have an existing user base (user, roles, user_roles tables in a database). How could I create a custom authentication and authorization module that uses this to interact with a Jackrabbit repository, which is a file-system transient repository?
I can create a custom login module extending AbstractLoginModule, but how will I get the principal, usermanager, userimpl etc.?
Users, Roles etc. are nodes in the repository, so how can I use my user base from the database to create access control based nodes and files?
Will I be able to achieve this at all?
This is JAAS authentication and authorization.
You can take a look at https://github.com/ehsavoie/Silverpeas-Core/tree/master/lib-core/src/main/java/com/stratelia/webactiv/jaas where we did our own implementation.
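The common thread of the Glassfish question at the top of the page (a Principal that carries the database id), the WildFly/JBoss question (a custom principal produced by a LoginModule and read back via getCallerPrincipal()) and this Jackrabbit question is the JAAS LoginModule contract. Here is an added example of that contract with a Principal that carries the database row id: it is not code from any of the posts or from the Silverpeas repository linked above, and it uses the standard javax.security.auth.spi.LoginModule interface rather than a container base class such as AppservPasswordLoginModule. The package name and the in-memory user table (with PBKDF2 hashes computed at class load from a constructed password) are constructed for the example.

```java
package example.jaas; // hypothetical package; added example, not code from any of the posts

import java.io.IOException;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.OptionalLong;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** JAAS LoginModule whose Principal carries the database user id as well as the user name. */
public class DbLoginModule implements LoginModule {

    /** Serializable: containers propagate the caller principal across EJB and remote calls. */
    public static final class DbPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final long userId;
        public DbPrincipal(String name, long userId) { this.name = Objects.requireNonNull(name); this.userId = userId; }
        @Override public String getName() { return name; }
        public long getUserId() { return userId; }
        @Override public boolean equals(Object o) {
            return o instanceof DbPrincipal && ((DbPrincipal) o).userId == userId && ((DbPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(name, userId); }
        @Override public String toString() { return name + "#" + userId; }
    }

    /** One row of the constructed users table standing in for the posters' database. */
    static final class UserRow {
        final long id; final byte[] salt; final byte[] hash;
        UserRow(long id, byte[] salt, byte[] hash) { this.id = id; this.salt = salt; this.hash = hash; }
    }
    static final Map<String, UserRow> USERS = new HashMap<>();
    static {
        byte[] salt = "constructed-salt".getBytes(); // a real store draws a random salt per user
        USERS.put("alice", new UserRow(42L, salt, pbkdf2("correct horse battery staple".toCharArray(), salt)));
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private Subject subject;
    private CallbackHandler handler;
    private DbPrincipal pending; // built in login(), attached to the Subject in commit()

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username");
        PasswordCallback passCb = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handler failed: " + e.getMessage());
        }
        char[] password = passCb.getPassword() == null ? new char[0] : passCb.getPassword();
        try {
            UserRow row = USERS.get(nameCb.getName());
            // Always run the hash so an unknown user costs the same time as a wrong password.
            byte[] candidate = pbkdf2(password, row == null ? new byte[16] : row.salt);
            if (row == null || !MessageDigest.isEqual(row.hash, candidate)) {
                throw new FailedLoginException("bad username or password");
            }
            pending = new DbPrincipal(nameCb.getName(), row.id);
            return true;
        } finally {
            Arrays.fill(password, '\0');
            passCb.clearPassword();
        }
    }

    @Override
    public boolean commit() {
        if (pending == null) return false;
        subject.getPrincipals().add(pending);
        return true;
    }

    @Override public boolean abort()  { pending = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof DbPrincipal); return true; }

    /** Call-site check: the caller is a DbPrincipal only when this module authenticated it. */
    public static OptionalLong userIdOf(Principal caller) {
        return caller instanceof DbPrincipal ? OptionalLong.of(((DbPrincipal) caller).getUserId()) : OptionalLong.empty();
    }
}
```

The userIdOf helper is the defensive half of the WildFly question: on an unauthenticated web service call or under @RunAs the container hands the EJB its own SimplePrincipal, so code that casts getCallerPrincipal() to the custom type unconditionally will fail there; checking the type and treating "no id" as a distinct case keeps audit and authorization logic honest about which identity it is looking at.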