1. Re: EAP 7.1.0 and Elytron migration help...
mchoma Feb 20, 2018 4:06 AM (in response to johnnuy)
To get the java.security.Principal, this should help: SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal().
What happens when you throw a custom error message from CustomSecurityRealm?
2. Re: EAP 7.1.0 and Elytron migration help...
johnnuy Feb 20, 2018 10:50 AM (in response to mchoma)
Hi Martin,
Thanks for the quick response. Using the SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal() is a good starting point for me; however, this is returning a NamePrincipal. Within the Security Domain I have configured a PrincipalTransformer which is used to transform the NamePrincipal into a custom Principal which contains additional information such as the internal user identifier and the type of user (external, internal, system, etc.), when the user exists.
The getRealmIdentity method of my security realm is being passed my custom Principal, so I know the transformer is being invoked. How would I ensure that the transformed Principal is the one that is set on CurrentSecurityIdentity?
The Elytron subsystem is configured as follows:
    <security-domains>
        <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
            <realm name="ApplicationRealm" principal-transformer="MyPrincipalTransformer" role-decoder="groups-to-roles"/>
        </security-domain>
        <!-- default properties based management realm -->
    </security-domains>
    <security-realms>
        <custom-realm name="ApplicationRealm" module="my.module.elytron-extensions:2.0.0" class-name="my.SecurityRealm"/>
        <!-- management realm based on properties config -->
    </security-realms>
    <mappers>
        <!-- default simple permission mapper -->
        <custom-principal-transformer name="MyPrincipalTransformer" module="my.module.elytron-extensions:2.0.0" class-name="my.PrincipalTransformer"/>
        <!-- role mappers, etc -->
    </mappers>
If I throw a custom exception from within the SecurityRealm's verifyEvidence() method, I get a server error which is returned via Undertow as a stack trace to the browser... I will get the stack trace and append it shortly.
3. Re: EAP 7.1.0 and Elytron migration help...
johnnuy Feb 20, 2018 11:04 AM (in response to johnnuy)
For some reason I can't paste the contents into this text area... so I've attached the stack trace as a file.
stacktrace.txt.zip 1.1 KB
4. Re: EAP 7.1.0 and Elytron migration help...
mchoma Feb 21, 2018 2:09 AM (in response to johnnuy)
Please look at Darran's WildFly Blog: WildFly Elytron - Principal Transformers, Realm Mappings, and Principal Decoders. It will help you understand the lifecycle of transformers and can help you find a solution for your specific use case.
5. Re: EAP 7.1.0 and Elytron migration help...
johnnuy Feb 22, 2018 12:16 PM (in response to mchoma)
For anyone else with similar issues, switching the transformer over to a "pre-realm-principal-transformer" on the security-domain, rather than on the security realm itself, has solved the issue of having my custom principal attached to the currentSecurityIdentity.
Still working on the custom login failure messages... but so far I'm liking Elytron vs the legacy JAAS implementations in previous EAP releases.
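
The change described in reply 5, shown against the configuration posted in reply 2. This is an added example, not configuration posted by anyone in the thread; the "after" fragment is a reconstruction that assumes the domain, realm and transformer names from reply 2 stay the same and only the attribute placement changes.

```xml
<!-- Before (as posted in reply 2): the transformer is attached to the realm
     reference inside the security domain. The poster reported that the realm's
     getRealmIdentity() received the custom principal, while
     getCurrentSecurityIdentity().getPrincipal() still returned a NamePrincipal. -->
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm"
                 permission-mapper="default-permission-mapper">
    <realm name="ApplicationRealm" principal-transformer="MyPrincipalTransformer"
           role-decoder="groups-to-roles"/>
</security-domain>

<!-- After (reconstructed from reply 5): the same transformer is referenced from
     the security domain as pre-realm-principal-transformer and removed from the
     realm reference. The custom-principal-transformer definition under
     <mappers> is unchanged. -->
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm"
                 permission-mapper="default-permission-mapper"
                 pre-realm-principal-transformer="MyPrincipalTransformer">
    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
</security-domain>
```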