2 Replies Latest reply on Jun 1, 2018 11:46 AM by Thomas Jodes

    Wildfly Elytron programmatic local login

    Thomas Jodes Newbie

      Hi community,


      I'd like to auto-login soon after a scheduled method of session bean is invoked. Assume session bean A with a method m enriched with a @Scheduled annotation starts. It will invoke a method n  of session bean B, that is annotated with a custom Annotation "AutoLogin" that is managed by an interceptor using "@AroundInvoke" . Before method n is invoked, I'd like to do inside that interceptor method a programmatic, local login behind the scenes, so that any subsequent actions are running in an authenticated security context with a special user, i.e. "importer". I managed to do so when between method invocations is a JMS message that delegates to the target method n. But when doing so locally, stateless session bean A to stateless session bean B, it won't throw an exception but the security context is still "anonymous".

      Any thoughts or hints are appreciated, thanks in advance.

        • 1. Re: Wildfly Elytron programmatic local login
          Darran Lofthouse Master

          Very quickly the steps to follow for in container authentication and identity switching are: -


          1. Obtain the SecurityDomain associated with the deployment SecurityDomain (WildFly Elytron 1.3.2.Final API)
          2. Authenticate which will give you a SecurityIdentity SecurityDomain (WildFly Elytron 1.3.2.Final API)
          3. Use one of the runAs methods on the resulting SecurityIdentity SecurityIdentity (WildFly Elytron 1.3.2.Final API)
          • 2. Re: Wildfly Elytron programmatic local login
            Thomas Jodes Newbie

            Hi Darran,

            thank you for your answer, I've found the time to forge your solution draw, thanks so far:


            public Object invokeMethodLoggedIn(final InvocationContext context) throws Exception {
                    // Check if the invocation context is method-driven
                    Method method = context.getMethod();
                    if (method != null) {
                        ContainerAutoLogin runWith = method.getAnnotation(ContainerAutoLogin.class);
                        // Do the programmatic login only if it is required/necessary
                        if (shouldLogin(runWith)) {
                            SecurityDomain currentSecurityDomain = SecurityDomain.getCurrent();
                            Evidence evidence = new PasswordGuessEvidence(runWith.password().toCharArray());
                            SecurityIdentity identity = currentSecurityDomain.authenticate(runWith.username(), evidence);
                            return identity.runAs(new Callable(){
                                public Object call() throws Exception {
                                    LOG.warn("This should be runWith#username()? " + sessionCtx.getCallerPrincipal().getName());
                                    return context.proceed();
                    return context.proceed();


            Unfortunately, the username still is "anonymous".

            What is the correct way to propagate the authenticated elytron user to the container's EJBContext  (authentication it succeeds, changing password to an invalid one throws the appropriate exception).?


            I'd like to rely on EJBContext or SessionContext's getCallerPrincipal() in order to get the current authenticated, logged-in technical user behind the scenes.


            Thanks in advance for your hints and knowledge!