2 Replies Latest reply on Jun 1, 2018 11:46 AM by jenskreidler

    Wildfly Elytron programmatic local login

    jenskreidler

      Hi community,

       

I'd like to auto-login soon after a scheduled method of a session bean is invoked. Assume session bean A with a method m, enriched with a @Scheduled annotation, starts. It will invoke a method n of session bean B that is annotated with a custom annotation "AutoLogin", which is managed by an interceptor using "@AroundInvoke". Before method n is invoked, I'd like to do, inside that interceptor method, a programmatic local login behind the scenes, so that any subsequent actions run in an authenticated security context with a special user, i.e. "importer". I managed to do so when there is a JMS message between the method invocations that delegates to the target method n. But when doing so locally, stateless session bean A to stateless session bean B, it won't throw an exception but the security context is still "anonymous".

      Any thoughts or hints are appreciated, thanks in advance.

        • 1. Re: Wildfly Elytron programmatic local login
          dlofthouse

Very quickly, the steps to follow for in-container authentication and identity switching are:

 

1. Obtain the SecurityDomain associated with the deployment (see SecurityDomain in the WildFly Elytron 1.3.2.Final API)
2. Authenticate, which will give you a SecurityIdentity (see SecurityDomain#authenticate in the WildFly Elytron 1.3.2.Final API)
3. Use one of the runAs methods on the resulting SecurityIdentity (see SecurityIdentity in the WildFly Elytron 1.3.2.Final API)
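The three steps above, written out as an added, self-contained helper (example code, not code from this thread or from WildFly itself). It assumes the calling code runs inside a deployment that has an Elytron security domain attached (so that SecurityDomain.getCurrent() is non-null) and that the technical user and password exist in one of that domain's realms; the class name TechnicalUserRunner is invented for the example. Besides the three calls, it adds the check a practitioner wants when the switch appears not to work: inside runAs it compares the domain's current identity with the name that was authenticated, so a failed switch is reported as an exception rather than silently running the work as anonymous.

```java
import java.util.concurrent.Callable;

import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.PasswordGuessEvidence;

/**
 * Runs a unit of work as a named technical user inside the container:
 * step 1 obtains the deployment's SecurityDomain, step 2 authenticates to
 * get a SecurityIdentity, step 3 runs the work with runAs.
 * (Illustrative helper; the class name is an assumption of this example.)
 */
public final class TechnicalUserRunner {

    private TechnicalUserRunner() {
    }

    public static <T> T runAs(final String username, final char[] password, final Callable<T> work)
            throws Exception {
        // Step 1: the SecurityDomain associated with the current deployment.
        // getCurrent() returns null when no Elytron domain is attached to the
        // calling deployment; fail loudly instead of hitting a NullPointerException later.
        final SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            throw new IllegalStateException("no Elytron SecurityDomain is associated with this deployment");
        }

        // Step 2: authenticate. A wrong password surfaces as a SecurityException,
        // an unreachable realm as a RealmUnavailableException; both propagate.
        final PasswordGuessEvidence evidence = new PasswordGuessEvidence(password);
        final SecurityIdentity identity;
        try {
            identity = domain.authenticate(username, evidence);
        } finally {
            // Wipe the clear-text guess as soon as the realm has seen it.
            evidence.destroy();
        }

        // Step 3: run the work with the authenticated identity as the current identity.
        return identity.runAs(() -> {
            // Verify the switch took effect from Elytron's point of view before doing any work.
            final SecurityIdentity current = domain.getCurrentSecurityIdentity();
            if (!username.equals(current.getPrincipal().getName())) {
                throw new IllegalStateException("identity switch did not take effect, current principal is "
                        + current.getPrincipal().getName());
            }
            return work.call();
        });
    }
}
```

From an @AroundInvoke interceptor the call is `TechnicalUserRunner.runAs(name, password, context::proceed)`. The check inside runAs only tells you what Elytron sees; if it passes but the bean's SessionContext#getCallerPrincipal() still reports anonymous, the EJB container is not deriving its caller principal from the domain you authenticated against, which narrows the search to the deployment's security-domain configuration rather than to the authentication code.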
          • 2. Re: Wildfly Elytron programmatic local login
            jenskreidler

            Hi Darran,

thank you for your answer, I've found the time to implement your solution draft; thanks so far:

             

import java.lang.reflect.Method;
import java.util.concurrent.Callable;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.jboss.logging.Logger;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;

public class ContainerAutoLoginInterceptor {

    private static final Logger LOG = Logger.getLogger(ContainerAutoLoginInterceptor.class);

    // EJB context of the intercepted bean, used to read the caller principal
    @Resource
    private SessionContext sessionCtx;

    @AroundInvoke
    public Object invokeMethodLoggedIn(final InvocationContext context) throws Exception {
        // Check if the invocation context is method-driven
        Method method = context.getMethod();

        if (method != null) {
            ContainerAutoLogin runWith = method.getAnnotation(ContainerAutoLogin.class);
            // Do the programmatic login only if it is required/necessary
            if (shouldLogin(runWith)) {
                SecurityDomain currentSecurityDomain = SecurityDomain.getCurrent();
                Evidence evidence = new PasswordGuessEvidence(runWith.password().toCharArray());
                SecurityIdentity identity = currentSecurityDomain.authenticate(runWith.username(), evidence);
                return identity.runAs(new Callable<Object>() {
                    @Override
                    public Object call() throws Exception {
                        LOG.warn("This should be runWith#username()? " + sessionCtx.getCallerPrincipal().getName());
                        return context.proceed();
                    }
                });
            }
        }
        return context.proceed();
    }

    // Login is required only when the target method carries the annotation
    private boolean shouldLogin(ContainerAutoLogin runWith) {
        return runWith != null;
    }
}

             

            Unfortunately, the username still is "anonymous".

What is the correct way to propagate the authenticated Elytron user to the container's EJBContext (authentication succeeds; changing the password to an invalid one throws the appropriate exception)?

             

I'd like to rely on EJBContext's or SessionContext's getCallerPrincipal() in order to get the currently authenticated, logged-in technical user behind the scenes.

             

            Thanks in advance for your hints and knowledge!