2 Replies Latest reply on Apr 2, 2014 1:58 AM by dward

    Accessing SecurityContext within SY Components

    jorgemoralespou_2

      Hi,

      We have an application that needs access to the user that has logged in, and also to the user's roles, etc., to be able to do auditing based on user and routing based on roles.

      We have found that it is very difficult to get access to SecurityContext, which seems to be an internal API, and we think that there should be a way to provide limited access to a reduced API (if this is for security constraints) where service creators could have access to SecurityContext information.

      So far we have done something like this:

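      import java.util.Set;
      // SwitchYard package names below are assumed; they may differ between versions.
      import org.switchyard.Context;
      import org.switchyard.security.context.SecurityContext;
      import org.switchyard.security.credential.NameCredential;

      // Returns the name of the single authenticated user carried in the exchange context.
      public String getUserName(Context context) throws Exception {
         // The SecurityContext is stored as a context property keyed by its class name.
         SecurityContext securityCtx = context.getPropertyValue(SecurityContext.class.getName());
         Set<NameCredential> s = securityCtx.getCredentials(NameCredential.class);
         if (s.isEmpty()) {
            throw new Exception("No credentials in Context");
         }
         if (s.size() > 1) {
            throw new Exception("Credentials for more than 1 user");
         }
         // Read the only element directly: s.toArray() returns Object[], so casting it
         // to NameCredential[] throws ClassCastException at runtime.
         return s.iterator().next().getName();
      }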

      Which is a trick, but it works. We think that this should be provided out of the box with an injectable SecurityContext (or reduced API). So far we need to copy this code into every service where we need access to the context, and we cannot abstract it to a base class due to some kind of limitation on where to use context.

      I would love to hear what Keith Baboo, David Ward and the rest of the main committers have to say about this :-D

      There are already 2 jiras related to this:

      [SWITCHYARD-2031] Please allow public API access to Lite version of SecurityContext - JBoss Issue Tracker

      [SWITCHYARD-2032] Please add feature to TestKit to allow user to set authentication credentials - JBoss Issue Tracker