Wildfly 26.1.1 + keycloak 18 + OIDC sessionContext.getCallerPrincipal() returns anonymous - keycloak

We are moving to Wildfly 26 from v.22. Using Keycloak v18 for authentication.
I switched from keycloak adapter to openid-connect/OIDC following
http://www.mastertheboss.com/jbossas/jboss-security/secure-wildfly-applications-with-openid-connect/
After login I get org.wildfly.security.http.oidc.OidcSecurityContext as http request attribute and I can see an authenticated user name and the roles.
But when I inject @Resource SessionContext in a Stateless bean, sessionContext.getCallerPrincipal() returns an org.wildfly.security.auth.principal.AnonymousPrincipal. The Keycloak adapter used to return a KeycloakPrincipal with full info.
Any other configuration needed to propagate security to EJB level?
It might be similar to Wildfly 26.1.0 final + elytron-oidc-client + wont propagate user to EJB + user become anonymous, but I have everything in a single WAR - just a servlet and a Stateless bean.
Thanks

As long as the EJB is part of the same deployment, the identity will be propagated. However, the EJB does need to be secured (i.e., it needs to have a security annotation).
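A minimal secured bean plus the servlet that calls it, as an added example (not code from the question or the answer): the bean carries @RolesAllowed, which is what makes WildFly run it with the identity established by the web layer instead of the anonymous one. It assumes a role named "user" that the OIDC adapter maps from the token, and a deployment whose web.xml already has the OIDC login-config.

```java
import java.io.IOException;
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Role name "user" is an assumption: it must be present in the token the
// OIDC adapter receives (realm role, or client role depending on the config).
@Stateless
@DeclareRoles("user")
public class WhoAmIBean {

    @Resource
    private SessionContext ctx;

    // Without any security annotation the bean is unsecured and the caller
    // shows up as AnonymousPrincipal; @RolesAllowed makes the container
    // propagate the web caller's identity into the EJB.
    @RolesAllowed("user")
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName() + " inRole(user)=" + ctx.isCallerInRole("user");
    }
}

// Package-private so both classes fit in one source file (WhoAmIBean.java).
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
class WhoAmIServlet extends HttpServlet {
    @EJB
    private WhoAmIBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // With the bean secured, the web and EJB principals name the same user.
        resp.getWriter().println("web: " + req.getUserPrincipal().getName());
        resp.getWriter().println("ejb: " + bean.whoAmI());
    }
}
```

If the EJB method is left unannotated, the "ejb:" line is where the anonymous principal from the question appears.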

Related

Configuration Of EAP 7.4.7 With Web Application Using Spring Security

We are moving to JDK 17 and it is now supported by Redhat in EAP 7.4.7. In EAP 7.4.7, Redhat has disabled the legacy security approach to utilize Elytron. I have migrated my configurations to 7.4.7 with the supplied elytron migration scripts and the server starts without problems.
Access to parts of the web application is managed by Spring Security and HTTP basic authentication. If I disable Spring Security, the application can be accessed and works as expected. However, when I enable Spring Security I see the browser dialog for user id and password. The validation of the user id and password appears to be intercepted by Elytron, because I see this in the logs and my breakpoint in our password validation does not get called.
2022-11-09 09:10:47,202 DEBUG [org.wildfly.security.http.password] (default task-2) Username authentication. Realm: [null], Username: [admin].
2022-11-09 09:10:47,202 DEBUG [org.wildfly.security.http.basic] (default task-2) User admin authentication failed.
The identical war file deploys and works as expected with Wildfly 26.12. I have tried making the configuration as much as possible with no differences. So there must be some differences between EAP 7.4.7 configuration that is causing the problem.
Any suggestions?

Authenticate Alfresco API with a multi realm Keycloak instance

I'm integrating the Alfresco REST API with an external application, using the latest version of Alfresco configured with Keycloak as an identity server via the open-source module provided by alfresco-keycloak.
Keycloak has been configured with 2 different realms each one with its user provider and roles and Alfresco has been configured with 2 Authentication subsystems and different Keycloak adapters:
-Dauthentication.chain=keycloak1:keycloak,keycloak2:keycloak
-Dsynchronization.import.cron=\"0 0 0/4 ? * * *\"
-Dsynchronization.allowDeletions=true"
This configuration works well when logging in through Alfresco Share, chaining across each subsystem until the user logs in successfully.
But the same configuration won't work with the Alfresco public API. When my external application calls an endpoint with a valid Bearer token Alfresco uses just the first of two adapters configured so if my token has been released by the last keycloak realm it always fails and a 401 error is returned.
I can't find any solution to this problem or any documentation about that. I can't understand if the authorization mechanism used to authorize for rest-API doesn't use the same security chain as Alfresco Share.
Does anybody else have the same problem and found a solution to fix it?
Thanks in advance.
Stefano

Keycloak server embedded in a Spring Boot application with custom User Storage SPI

I have managed to set up a Keycloak server embedded in a Spring Boot Application successfully, following this tutorial:
Keycloak Embedded in a Spring Boot Application
in order to avoid setting it up manually.
Since I am dealing with an old implementation that already has its own DB, I decided to use Keycloak's User Storage SPI to connect to an external PostgreSQL DB and use this for authentication instead of the Keycloak DB.
To do this, I followed the tutorial in the Keycloak documentation, but it involves a standalone Keycloak server, creating a .jar with the custom provider and injecting it into <pathToKeycloak>/standalone/deployments/.
I have created an implementation that works with a standalone Keycloak server, but now I want to include it to the embedded one. Is it possible to use a Keycloak server Embedded in a Spring Boot Application and also have an embedded custom User Storage Provider, to avoid setting up manually?
If you have already implemented the provider and the provider factory, you only need to declare the provider factory class in the resources/META-INF/services/org.keycloak.storage.UserStorageProviderFactory file.
Then you can log in to the administration console and enable user storage provider on the User Federation page.

How do I override per-instance settings in Spring Boot Admin when using Kubernetes discovery

I'm running a Spring Boot Admin server (2.2.2) and using Spring Cloud Kubernetes discovery (with specific service labels to filter) to detect my client apps. None of my client apps are using the explicit Spring Boot Admin Client dependency mechanism.
One of my client apps has a non-standard actuator URL and uses different security credentials to access those endpoints. I understand that I could use static spring cloud discovery with instance metadata to achieve this, but I'd rather use the kubernetes discovery process for all my client apps.
I think by using a custom ServiceInstanceConverter I might be able to override the management context path, but I couldn't see a way to inject custom security credentials via that route.
Is there a better way to customise this kubernetes-driven discovery process? (e.g. can I declare instance metadata somewhere in the client app so that it's picked up even though I'm using Kubernetes discovery - I got the sense from the Spring Boot Admin docs that setting admin properties in clients applied only to the "push registration from client to server" case rather than the "server discovers" case.)
As a related general question, Spring Boot Admin is presumably using some default credential values for accessing actuator endpoints - where are they set up?
Thanks in advance
Alan
I think I figured this out for myself, but in case it's useful to anyone else here is what I did:
Declared custom values for the instance metadata management.context-path, user.name and user.password under the annotations section of the Kubernetes service for my client application.
e.g.
kind: Service
apiVersion: v1
metadata:
  name: foo-service
  annotations:
    # The following are used to support monitoring and administration
    user.name: mySpecialUsername
    user.password: mySpecialPassword
    management.context-path: /foo/manage
From observation it seems that the default credentials assumed by a Spring Boot Administration server are admin/admin.
I don't think it is advisable to put passwords into a service manifest.
The SBA refdoc documents some properties to configure default or per service usernames/passwords.
If this is not an option, you can always add some custom headers to the requests that are sent to the clients:
@Bean
public HttpHeadersProvider customHttpHeadersProvider() {
    return (instance) -> {
        HttpHeaders httpHeaders = new HttpHeaders();
        // Base64 of "mySpecialUsername:mySpecialPassword"
        httpHeaders.add("Authorization", "Basic bXlTcGVjaWFsVXNlcm5hbWU6bXlTcGVjaWFsUGFzc3dvcmQ=");
        return httpHeaders;
    };
}
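An added example (not code from the answer above) of the same HttpHeadersProvider approach without a credential embedded in source or in the Service manifest: the username and password are looked up per registered service name from Spring properties, which can be fed from a Kubernetes Secret, and services with no configured override get no header so SBA's defaults still apply. The property names monitoring.credentials.<service>.username and .password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import de.codecentric.boot.admin.server.domain.entities.Instance;
import de.codecentric.boot.admin.server.web.client.HttpHeadersProvider;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpHeaders;

@Configuration
public class InstanceAuthHeadersConfig {

    // Assumed property layout (e.g. set from a mounted Secret, not from the
    // Service annotations): monitoring.credentials.<service>.username/.password
    @Bean
    public HttpHeadersProvider perInstanceBasicAuth(Environment env) {
        return (Instance instance) -> {
            HttpHeaders headers = new HttpHeaders();
            // Service name as registered by the Kubernetes discovery client
            String service = instance.getRegistration().getName();
            String user = env.getProperty("monitoring.credentials." + service + ".username");
            String password = env.getProperty("monitoring.credentials." + service + ".password");
            if (user == null || password == null) {
                // No override for this service: leave SBA's default credentials in place
                return headers;
            }
            String token = Base64.getEncoder()
                    .encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
            headers.add(HttpHeaders.AUTHORIZATION, "Basic " + token);
            return headers;
        };
    }
}
```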

Weblogic 12 - Changing Scoped Role to Group mapping in the deployed application

Our current application uses JSF/JPA technology and is deployed on Weblogic 12.1.2 and does the following:
Authenticates a user through an IDP
The IDP after authenticating the user sends back the Groups the user belong to
Using Web.xml and WebLogic.xml we map the Groups to Roles
Our Application Scoped roles are very granular and it helps us do the following:
Hide UI pages or components on UI
use RolesAllowed annotation on methods
Since Group to Role mapping is in Weblogic.xml, our application users can't change the groups to roles mapping and this is the problem that I have to solve.
My goal is to do the following:
Authenticate a user through our IDP
The IDP will send us the Groups user belongs to
Define the roles in web.xml
Define tables that our application will read to find Group to Role mapping
Use Weblogic API to do Group to Role Mapping
Create a UI to allow our users to change the Group to Role mapping
The problem that I am running into is that I can't find how to do Group to Role mapping dynamically using WebLogic, since I can't get access to a WebLogic API that would allow me to change the Group to Role mapping in my deployed application. Has anyone done this before?
I have looked at creating a custom Role mapper, but I am not sure how to get the handle to this custom Role Mapper in our deployed application.
As of Java EE 7, this is not possible based on this thread
dynamic roles on a Java EE server
If someone does want this feature added to Java EE 8 then please vote for the following two open feature requests in Java EE 8
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8
https://java.net/jira/browse/JASPIC_SPEC-22
Not really a concrete answer, but it can be done using a Weblogic specific solution.
See examples in:
https://docs.oracle.com/cd/E13212_01/wles/docs42/dvspisec/examples.html
You have to implement the getRoles method:
import java.util.Map;
import javax.security.auth.Subject;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;

public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
{
    // Returns the roles granted to the subject for the requested resource
    public Map getRoles(Subject subject, Resource resource, ContextHandler handler)
    {
        ...
    }
}
You can generate an MBean for it as well to establish automatic loading:
https://docs.oracle.com/middleware/1213/wls/DEVSP/generate_mbeantype.htm#DEVSP617
java -DMDF=xmlfile -Dfiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker
The result can be added as a jar to the server classpath and the implementation is available on server startup.