4 Replies Latest reply on Mar 28, 2018 3:08 AM by qkxy

    Why Elytron realms are limited to use NamePrincipal only

    qkxy

      Hi all,

      I found that every realm implementation contains this limitation:

      public RealmIdentity getRealmIdentity(final Principal principal) {
          if (! (principal instanceof NamePrincipal)) {
              return RealmIdentity.NON_EXISTENT;
          }
          // ... realm-specific lookup by name follows ...
      }

      This makes it impossible to use an aggregate realm with a realm that is not implemented by Elytron,

      e.g. I tried to use Keycloak with the properties realm and this constraint makes it impossible.

      I think that it should be modified to check the existence of the principal and whether it has a name, e.g.:

          public RealmIdentity getRealmIdentity(final Principal principal) {
              if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
                  return RealmIdentity.NON_EXISTENT;
              }
              // ... realm-specific lookup by name follows ...
          }

      NamePrincipal is declared as final so it cannot be extended.

      What do you think?

        • 1. Re: Why Elytron realms are limited to use NamePrincipal only
          dlofthouse

          Do you have an example of how you are aggregating the realms so we can check?  Generally the decision within a single realm would be "If I only return a NamePrincipal that is all I expect to see" but that may be an invalid assumption we need to correct.

          • 2. Re: Why Elytron realms are limited to use NamePrincipal only
            qkxy

            I have installed Keycloak as described in the Keycloak documentation and created an aggregate realm and set KeycloakDomain to use this aggregate realm:

             <security-domains>
                 <security-domain
                     name="KeycloakDomain"
                     default-realm="KeycloakSAMLRealm"
                     permission-mapper="default-permission-mapper"
                     security-event-listener="local-audit"
                 >
                     <realm name="KeycloakSAMLRealm" />
                 </security-domain>
             </security-domains>
             <security-realms>
                 <custom-realm
                     name="KeycloakSAMLRealmOrig"
                     module="org.keycloak.keycloak-saml-wildfly-elytron-adapter"
                     class-name="org.keycloak.adapters.saml.elytron.KeycloakSecurityRealm"
                 />
                 <properties-realm name="ApplicationRealm">
                     <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
                     <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                 </properties-realm>
                 <aggregate-realm
                     name="KeycloakSAMLRealm"
                     authentication-realm="KeycloakSAMLRealmOrig"
                     authorization-realm="ApplicationRealm"
                 />
             </security-realms>


            Keycloak authenticates with a SAML claim and calls ApplicationRealm for authorization, but it exits with user not found because Keycloak uses SamlPrincipal.

            • 3. Re: Why Elytron realms are limited to use NamePrincipal only
              mchoma

              In the meantime you can use a custom security realm. [1]

              [1] GitHub - hkalina/custom-elytron-realm: Simple custom Elytron security realm
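The check proposed in the first post and the custom-realm route suggested above can be combined in one delegating realm. The following is an added example, not code from this thread or from Elytron; it assumes the Elytron 1.x SecurityRealm API, a hypothetical class name NameNormalizingRealm, and that the wrapped realm (for example the properties realm) is supplied programmatically by whatever wires the realm into the server:

```java
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;

import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;

/**
 * Added example (not Elytron code): converts any Principal with a non-empty name into
 * the NamePrincipal the wrapped realm expects. Use only as the authorization realm of an
 * aggregate realm: the authentication realm has already verified the user, so only the
 * verified name is forwarded, never the foreign (e.g. SAML) principal object itself.
 */
public final class NameNormalizingRealm implements SecurityRealm {

    private final SecurityRealm delegate; // assumed to be supplied by whoever wires the realm

    public NameNormalizingRealm(SecurityRealm delegate) {
        this.delegate = delegate;
    }

    @Override
    public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
        if (principal == null) return RealmIdentity.NON_EXISTENT;
        if (principal instanceof NamePrincipal) return delegate.getRealmIdentity(principal); // already the expected type
        String name = principal.getName();
        if (name == null || name.trim().isEmpty()) return RealmIdentity.NON_EXISTENT; // unnamed principal cannot be looked up
        // Hand the wrapped realm a plain NamePrincipal built from the verified name only.
        return delegate.getRealmIdentity(new NamePrincipal(name));
    }

    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
            String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
        return delegate.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
            String algorithmName) throws RealmUnavailableException {
        return delegate.getEvidenceVerifySupport(evidenceType, algorithmName);
    }
}
```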

              • 4. Re: Why Elytron realms are limited to use NamePrincipal only
                qkxy

                Thank you, I have done something similar: I modified the properties realm to use it as a custom realm.