authenticationjakarta-eewildflyelytron

Wildfly / Elytron - access identity attributes from ejb


I'm migrating an old legacy service to EAP 7.1 It currently authenticates and authorizes users through LDAP and I would like to move this to where it belongs - a security domain on the AS.

I have a working security domain backed by an LDAP realm like so:

/subsystem=elytron/ldap-realm=***censored***:query
{
  "outcome" => "success",
  "result" => {
    "allow-blank-password" => false,
    "dir-context" => "***censored***",
    "direct-verification" => true,
    "identity-mapping" => {
      "rdn-identifier" => "sAMAccountName",
      "use-recursive-search" => true,
      "search-base-dn" => "***censored***",
      "attribute-mapping" => [
        {
          "from" => "cn",
          "to" => "roles",
          "filter" => "(&(objectClass=group)(member={1}))",
          "filter-base-dn" => "***censored***"
        },
        {"from" => "company", "to" => "company"},
        {"from" => "givenName", "to" => "firstName"},
        {"from" => "sn", "to" => "lastName"},
        {"from" => "mail", "to" => "email"}
      ],
      "user-password-mapper" => {"from" => "userPassword"}
    }
  }
}

Authorization is done against the identity attribute "roles" picked up from the LDAP attribute-mapping.

Now that this works I would like to pick up a few more attributes from LDAP (company, firstName, lastName, email and possibly more). Those are already picked up by the config above and Elytron handles them the way I think I should expect:

 <TS> DEBUG [org.wildfly.security] (default task-6) [javax.naming.ldap.InitialLdapContext@5c7e4fb4] successfully created. Connection established to LDAP server.
 <TS> DEBUG [org.wildfly.security] (default task-6) Trying to create identity for principal [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6) Executing search [(sAMAccountName={0})] in context [*****] with arguments [*****]. Returning attributes are [MAIL, SN, GIVENNAME, COMPANY]. Binary attributes are [null].
 <TS> DEBUG [org.wildfly.security] (default task-6) Found entry [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6) Identity for principal [*****] found at [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6) Executing search [(&(objectClass=group)(member={1}))] in context [*****] with arguments [*****, *****]. Returning attributes are [null, CN]. Binary attributes are [null].
 <TS> DEBUG [org.wildfly.security] (default task-6) Found entry [*****].
 .
 . bunch of group memberships
 .
 <TS> DEBUG [org.wildfly.security] (default task-6) Found entry [*****].
 <TS> TRACE [org.wildfly.security] (default task-6) Identity iterating - pagination not supported - end of list
 <TS> DEBUG [org.wildfly.security] (default task-6) Obtaining authorization identity attributes for principal [*****]:
 <TS> DEBUG [org.wildfly.security] (default task-6) Identity [*****] attributes are:
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [lastName] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [firstName] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [roles] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [roles] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [roles] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [roles] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [roles] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [roles] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [roles] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [company] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6)     Attribute [email] value [*****].
 <TS> DEBUG [org.wildfly.security] (default task-6) Context [javax.naming.ldap.InitialLdapContext@5c7e4fb4] was closed. Connection closed or just returned to the pool.

What I would like to do is to get hold of those identity attributes from the code in the secured EJB. It's of course possible to inject the dir-context and lookup the attributes from the code itself but that would be deployment specific. I would very much prefer to let the AS expose these attributes through the SessionContext or equivalent.

I'm at a loss of how to do this. Much of the Elytron material available on the web is of the me-too-kind that just copies the official examples for cred while just being the same Hello World examples rolled over again and again.

So. To summarize. Never mind this being an LDAP realm. The attributes I need are available in the Identity object. The Identity is later transformed into a Principal without those attributes and as far as I know the Principal is the thing I have access to through the EJB session context.

Is there any way I can get hold of the Identity, or at least a view of it, from the EJB? Preferably in an implementation agnostic way?

Best regards!

/Magnus Drougge


Solution

  • To get the current security identity from an EJB, the following code can be used:

    SecurityDomain.getCurrent().getCurrentSecurityIdentity()
    

    More details about SecurityDomain can be found here:

    http://wildfly-security.github.io/wildfly-elytron/master/org/wildfly/security/auth/server/SecurityDomain.html