Hi,

Yep, I had a similar case in STS: the custom claims handler should validate the user
role received in the RST as a claim.
However, the user role is determined in the LoginModule through JAAS (invoked by the
ws-security.ut.validator validator).
Therefore it was necessary to pass the Subject/Principal from the LoginModule to the
ClaimHandler for validation.

We did not find a better solution than introducing a custom SecurityContext with a
ThreadLocal:

import javax.security.auth.Subject;

public final class SecContext {
    // Per-thread hand-off from the validator (LoginModule) to the ClaimsHandler
    private static final ThreadLocal<Subject> subject = new ThreadLocal<Subject>();
    private SecContext() {
    }
    public static void setSubject(Subject subject2) {
        SecContext.subject.set(subject2);
    }
    public static Subject getSubject() {
        return subject.get();
    }
    // Call once the request is finished: on pooled threads a Subject left behind
    // would otherwise still be visible to the next request served by that thread
    public static void clear() {
        subject.remove();
    }
}

Validator:
            // Inside the ws-security.ut.validator: authenticate through JAAS, then
            // publish the resulting Subject for the ClaimsHandler on this thread
            LoginContext lc = new LoginContext(this.contextName, callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            SecContext.setSubject(subject);

Claim Handler:
            // Read the Subject the validator published on this thread and
            // collect the names of the Karaf role principals it carries
            Subject subject = SecContext.getSubject();
            Set<Principal> groups = subject.getPrincipals();
            List<String> roles = new ArrayList<String>();
            for (Principal group : groups) {
                if ("org.apache.karaf.jaas.boot.principal.RolePrincipal".equals(group.getClass().getName())) {
                    roles.add(group.getName());
                }
            }
...

I think it would be nice to provide a possibility to access all custom
Principals in the ClaimsHandler - I will think about that.

Regards,
Andrei.

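As an added example (not Andrei's code and not part of Fediz), the runnable Java sketch below models the hand-off described above on a single pooled thread and shows why the Subject has to be removed from the ThreadLocal at the end of each request: without that, a later request on the same thread that never published a Subject still inherits the previous user's roles. The RolePrincipal stand-in, the demo class and handleRequest are assumptions made so it runs offline, not Fediz or Karaf APIs.

```java
import java.security.Principal;
import java.util.*;
import java.util.concurrent.*;
import javax.security.auth.Subject;
public class ThreadLocalSubjectDemo {
    // Stand-in for org.apache.karaf.jaas.boot.principal.RolePrincipal so this runs without Karaf (hypothetical)
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    // Per-thread hand-off from the validator to the ClaimsHandler, as in the thread, plus the cleanup it needs
    static final class SecContext {
        private static final ThreadLocal<Subject> SUBJECT = new ThreadLocal<>();
        static void setSubject(Subject s) { SUBJECT.set(s); }
        static Subject getSubject() { return SUBJECT.get(); }
        static void clear() { SUBJECT.remove(); }
    }
    // ClaimsHandler side: collect role names from whatever Subject this thread currently holds
    static List<String> rolesFromContext() {
        List<String> roles = new ArrayList<>();
        Subject subject = SecContext.getSubject();
        if (subject == null) return roles; // nothing published on this thread: no roles
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof RolePrincipal) roles.add(p.getName());
        }
        return roles;
    }
    // One STS request on a worker thread; 'cleanup' decides whether the thread is left clean afterwards
    static List<String> handleRequest(Subject loggedIn, boolean cleanup) {
        if (loggedIn != null) SecContext.setSubject(loggedIn); // validator side: publish the JAAS Subject
        try {
            return rolesFromContext();                          // ClaimsHandler side
        } finally {
            if (cleanup) SecContext.clear();                    // remove the Subject before the thread is reused
        }
    }
    public static void main(String[] args) throws Exception {
        Subject admin = new Subject(); // constructed sample of what a successful JAAS login would produce
        admin.getPrincipals().add(new RolePrincipal("admin"));
        ExecutorService worker = Executors.newSingleThreadExecutor(); // one pooled thread serves every request
        for (boolean cleanup : new boolean[] {false, true}) {
            // first request logs in as admin; the second never publishes a Subject on the same thread
            List<String> first = worker.submit(() -> handleRequest(admin, cleanup)).get();
            List<String> second = worker.submit(() -> handleRequest(null, cleanup)).get();
            System.out.println("cleanup=" + cleanup + ": " + first + " then " + second);
        }
        worker.shutdown();
    }
}
```

In the real STS the clear() call belongs in a finally block of the validator or an interceptor that runs after the claims have been collected, so it also executes when login or claim handling throws.
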
> -----Original Message-----
> From: Hoefer, Filip [mailto:[email protected]]
> Sent: Tuesday, 21 January 2014 13:16
> To: [email protected]
> Subject: (Fediz) STS - passing info from LoginModule to ClaimsHandler
> 
> Hello,
> 
> I am implementing a custom LoginModule and a custom ClaimsHandler for
> the Fediz STS. The custom classes are integrated into Fediz via config files,
> no problem. However, I do not know how to pass information from my
> LoginModule to my ClaimsHandler. I create a custom Principal (with custom
> claims) in the LoginModule based on authentication via an external security
> server. The problem is that the ClaimsHandler always only receives a
> SAMLTokenPrincipal, which will not give me access to the custom claims. So
> far, I do not see any alternative to accessing the user account via the identifier
> from SAMLTokenPrincipal.getName(). But that only gives me access to the
> static user account, not to the transient state created during login.
> 
> Please let me know if I am overlooking something; any help is appreciated.
> 
> Kind regards,
> 
>     Filip Hofer