
We are moving to Wildfly 26 from v.22. Using Keycloak v18 for authentication.

I switched from keycloak adapter to openid-connect/OIDC following http://www.mastertheboss.com/jbossas/jboss-security/secure-wildfly-applications-with-openid-connect/

After login I get org.wildfly.security.http.oidc.OidcSecurityContext as an HTTP request attribute and I can see the authenticated user name and the roles.

But when I inject @Resource SessionContext in a Stateless bean, sessionContext.getCallerPrincipal() returns an org.wildfly.security.auth.principal.AnonymousPrincipal. The Keycloak adapter used to return a KeycloakPrincipal with full info.

Any other configuration needed to propagate security to EJB level?

Might be similar to Wildfly 26.1.0 final + elytron-oidc-client + wont propagate user to EJB + user become anonymous, but I have everything in a single WAR - just a servlet and a Stateless bean.

Thanks

zaerymoghaddam
Andrius

1 Answer


As long as the EJB is part of the same deployment, the identity will be propagated. However, the EJB does need to be secured (i.e., it needs to have a security annotation).

fjuma
  • I did this using @SecurityDomain(value = "other"). Then I get "not allowed". Adding @PermitAll results in the same, having an anonymous principal. Do I need to add something like a "token-realm" to the elytron configuration or should this work out of the box? – Matthias H Aug 04 '22 at 12:26
  • No need to specify the "other" SecurityDomain on the EJB, that's different from the virtual security domain that is used by the elytron-oidc-client subsystem. As long as your EJB is secured (i.e., has a security annotation), the identity propagation should work. – fjuma Aug 08 '22 at 14:25
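The layout the answer describes (secured servlet and secured EJB in one WAR, no @SecurityDomain on the bean), as an added example that is not part of the question or the answer. It assumes the WAR is already configured for elytron-oidc-client as in the linked guide (web.xml `<auth-method>OIDC</auth-method>`, WEB-INF/oidc.json) and that the Keycloak realm has a role named `user`; the class and package names are made up.

```java
// File: WhoAmIBean.java (hypothetical package com.example.whoami)
package com.example.whoami;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// A security annotation on the bean is what makes the container apply the
// propagated OIDC identity. Without any such annotation the bean is unsecured
// and getCallerPrincipal() yields AnonymousPrincipal, as seen in the question.
// No @SecurityDomain("other") is needed: the elytron-oidc-client subsystem
// uses its own virtual security domain for the deployment.
@Stateless
public class WhoAmIBean {
    @Resource
    private SessionContext ctx;

    @RolesAllowed("user")   // "user" is an assumed realm role
    public String callerInfo() {
        Principal caller = ctx.getCallerPrincipal();
        return caller.getName() + " (admin=" + ctx.isCallerInRole("admin") + ")";
    }
}

// File: WhoAmIServlet.java
package com.example.whoami;

import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constraining the servlet to a role forces the OIDC login before doGet runs,
// so the request already carries an authenticated identity when the EJB is called.
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class WhoAmIServlet extends HttpServlet {
    @EJB
    private WhoAmIBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String webUser = req.getUserPrincipal() == null ? "<anonymous>" : req.getUserPrincipal().getName();
        resp.setContentType("text/plain");
        // Both lines should show the same Keycloak user once propagation works.
        resp.getWriter().println("web: " + webUser + "\nejb: " + bean.callerInfo());
    }
}
```

If the "ejb:" line still reports an anonymous principal, check first that the bean method really carries @RolesAllowed/@PermitAll and that the servlet request itself is authenticated; a mismatch between the two lines isolates which layer lost the identity.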