2 Replies Latest reply on Mar 1, 2018 11:49 AM by philippn

    Elytron and AuthenticationContext propagation from one thread to another

    philippn

      Hi folks,

       

      I'm currently in the process of migrating a legacy web application from JBoss 7 to WildFly 11 and there is one thing that is causing me a headache: the application is spawning new threads inside a web request (Don't ask! :-) ), and in the good old JBoss 7 days it propagated the current authentication context to the new thread thanks to the usage of an InheritableThreadLocal (see [AS7-4687] Review the use of InheritableThreadLocal in SecurityContextAssociation - JBoss Issue Tracker).

       

      I understand that Elytron is no longer using this InheritableThreadLocal approach and that is perfectly fine for me. Looking at the API of Elytron I hoped that AuthenticationContext.captureCurrent() or something like that might come to the rescue, but playing around with it I wasn't able to get it to work.

       

      So my question is: Is what I would like to do (propagate the auth context from one thread to another) possible at all using the Elytron API? If so, could you give me any hints on where to start looking?

       

      Thanks in advance and kind regards,

       

      Philipp

        • 1. Re: Elytron and AuthenticationContext propagation from one thread to another
          dmlloyd

          There are two sides to authentication: the current (server) identity, and the captured (client) authentication context.

           

          As you have correctly discovered, the client authentication context should be captured using AuthenticationContext.getCurrent().  In the new thread, the captured context can be restored by putting your task body inside of an authCtxt.run() block.

           

          The server side identity can be captured and restored in a similar way.  First you must acquire your security domain (typically via SecurityDomain#getCurrent()) since each security domain may have different active identities.  Then use domain.getCurrentSecurityIdentity() to return the identity itself, which can be restored by using its runAs() methods.

          • 2. Re: Elytron and AuthenticationContext propagation from one thread to another
            philippn

            Thank you so much! The server side identity did the trick :-)
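
The capture-and-restore pattern from reply 1, written out as an added example (not code from either poster or from the Elytron project). The class and method names `IdentityPropagation`, `withCallerIdentity` and `submit` are hypothetical; the code assumes WildFly Elytron is on the classpath and uses `AuthenticationContext.captureCurrent()` from the original question for the client side.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;

import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;

/** Hypothetical helper (names are assumptions), not part of Elytron. */
public final class IdentityPropagation {

    private IdentityPropagation() {}

    /**
     * Call this on the request thread. It captures both sides described in
     * reply 1 and returns a Runnable that restores them on whichever thread
     * eventually executes it.
     */
    public static Runnable withCallerIdentity(Runnable task) {
        // Client side: the context used for outbound authenticated calls.
        final AuthenticationContext clientCtx = AuthenticationContext.captureCurrent();

        // Server side: look up the domain first, since each security domain
        // may have a different active identity.
        final SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            // Fail closed rather than silently running the task with no
            // caller identity attached.
            throw new IllegalStateException("No current Elytron security domain");
        }
        final SecurityIdentity identity = domain.getCurrentSecurityIdentity();

        // Typed as Runnable so the runAs(Runnable) overload is selected.
        final Runnable withClientCtx = () -> clientCtx.run(task);

        // The identity is bound only for the duration of this one task, so a
        // pooled worker thread does not keep it after the task returns.
        return () -> identity.runAs(withClientCtx);
    }

    /** Wraps the task on the calling (request) thread, then hands it to the pool. */
    public static Future<?> submit(ExecutorService pool, Runnable task) {
        return pool.submit(withCallerIdentity(task));
    }
}
```

The wrapping must happen before the task is handed to the executor: inside the worker thread there is no caller identity left to capture.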