Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-712

Elytron GSSCredential propagation

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • None
    • Authentication Mechanisms
    • None

      User can't achieve identity propagation scenario with elytron, so far:

      1. Client authenticate to web application using SPNEGO
      2. Web application calls another service (database, another web application, ... ) on behalf of user.
      3. Web applications wants to use provided gss credential, but there is no way to get associated credentials in elytron, so far

      Basically use case tested in AS TS with legacy security [1]

      Legacy approach using DelegationCredentialContext.getDelegCredential() return null in elytron.

      Actually there exists pull request the delegated credential will be associated with the SecurityIdentity [2] . This JIRA is created mainly for tracking purpose to process it properly once pending commit gets to EAP.

      [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L280 testIdentityPropagation
      [2] https://github.com/wildfly-security/wildfly-elytron/pull/434/commits/9b5aba5ca03824f0b42f786e5663cb7c3a1524f2

            jkalina@redhat.com Jan Kalina (Inactive)
            jkalina@redhat.com Jan Kalina (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: