Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JEE Security Integration #46

Open
redmitry opened this issue Mar 1, 2021 · 7 comments
Open

JEE Security Integration #46

redmitry opened this issue Mar 1, 2021 · 7 comments

Comments

@redmitry
Copy link

redmitry commented Mar 1, 2021

Hello,

Having the GraphQL endpoint annotated with @GraphQLAPI and @RequestScoped I cant inject SecurityContext in the CDI.
I can inject Principal, but because this is a WELD proxy, I can not cast it to get an access to the roles. graphql-java provides the DataFetchingEnvironment, which in my understanding contains security context (?), but it doesn't work in Wildfly.
I see that the problem is that the CDI is called from another thread (Callable) and loose the context.
What is the correct way to provide programmatic security?

Kind regards,

Dmitry
@jmartisk
Copy link
Collaborator

jmartisk commented Mar 2, 2021

Hey @redmitry , thanks for reporting this.I'll experiment with your use case and report back with my findings.
I'm not aware of any security context support in DataFetchingEnvironment, and it would certainly need some integration to get it working, which we don't have.

@jmartisk
Copy link
Collaborator

jmartisk commented Mar 3, 2021

I managed to retrieve the user's name and roles using Elytron API:

pom.xml:

 <dependency>
            <groupId>org.wildfly.security</groupId>
            <artifactId>wildfly-elytron</artifactId>
            <version>1.13.1.Final</version>
            <scope>provided</scope>
       </dependency>

code:

import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
(...)
SecurityIdentity identity = SecurityDomain.getCurrent().getCurrentSecurityIdentity();
System.out.println("Name: " + identity.getPrincipal().getName());
System.out.println("Roles:");
identity.getRoles().forEach(System.out::println);

I'm not sure about the state of support of Jakarta EE security in WF right now, maybe it could be supported (I think it works only in EJBs and servlets right now) but I'll have to dig more.
Would this solution be sufficient for you for the time being?

@redmitry
Copy link
Author

redmitry commented Mar 3, 2021

It doesn't work :-(. I get org.wildfly.security.auth.principal.AnonymousPrincipal

@jmartisk
Copy link
Collaborator

jmartisk commented Mar 3, 2021

Does your deployment have security configured properly? I basically described my findings in this document https://github.com/wildfly-extras/wildfly-graphql-feature-pack/wiki/Server-side-security-guide if you don't need the declarative security I think you can leave out the web.xml file, but I think you still need jboss-web.xml

@redmitry
Copy link
Author

redmitry commented Mar 3, 2021

I use usual JAX-RS endpoints along to the GraphQL an have no problems injecting SecurityContext.

I use Keycloak filter:

    <filter>
        <filter-name>Keycloak Filter</filter-name>
        <filter-class>org.keycloak.adapters.servlet.KeycloakOIDCFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Keycloak Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

P.S. Here is the endpoint:
https://gitlab.bsc.es/inb/elixir/openebench/openebench-rest-api/-/blob/master/src/main/java/es/bsc/inb/elixir/openebench/graphql/OEBGraphQLService.java

@jmartisk
Copy link
Collaborator

jmartisk commented Mar 4, 2021

Looking at the REST classes in your repo, I suppose you're referring to javax.ws.rs.core.SecurityContext rather than javax.security.enterprise.SecurityContext which I assumed earlier. It's no wonder that you can't inject a JAX-RS specific object in a GraphQL endpoint.

After some more experiments I found out I can actually inject javax.security.enterprise.SecurityContext in a GraphQL endpoint (I had to make my application explicitly depend on the org.glassfish.soteria module to make it work)

But if you're getting an anonymous principal, I think that switching from Elytron to javax.security.enterprise.SecurityContext might not help. I see your jboss-web.xml does not declare any security domain, so it could be something with using Keycloak instead of built-in WildFly security domains. I must admit I'm not familiar with Keycloak though.

@redmitry
Copy link
Author

redmitry commented Mar 4, 2021

I have to admit that integrating KEYCLOAK "normal" way - via web.xml

    <login-config>
        <auth-method>KEYCLOAK</auth-method>
    </login-config>

the solution with SecurityDomain works.
I am using the KC filter to be able to make a call without any security (injecting "BASIC" authorization when no specified).
Thank you very much for pointing to the javax.ws.rs.core.SecurityContext in REST, I definitely should pass to the JEE8 SecurityContext to unify GraphQL with JAX-RS.

I hope, in some moment GraphQL integration solves the SecurityContext integration though.

Kind regards,

Dmitry

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmartisk @redmitry