Get role list to update directly from the security context rather than from previously created subject info.

Roles within groups must be unpacked added separately in order to contain all roles.

adapters/oidc/wildfly/wildfly-adapter/src/main/java/org/keycloak/adapters/wildfly/WildflyRequestAuthenticator.java

@@ -17,8 +17,15 @@
 
 package org.keycloak.adapters.wildfly;
 
-import io.undertow.security.api.SecurityContext;
-import io.undertow.server.HttpServerExchange;
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
 import org.jboss.logging.Logger;
 import org.jboss.security.NestableGroup;
 import org.jboss.security.SecurityConstants;
@@ -35,19 +42,15 @@ import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.undertow.KeycloakUndertowAccount;
 import org.keycloak.adapters.undertow.ServletRequestAuthenticator;
 
-import javax.security.auth.Subject;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.Collection;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.Set;
+import io.undertow.security.api.SecurityContext;
+import io.undertow.server.HttpServerExchange;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
  */
-public class WildflyRequestAuthenticator extends ServletRequestAuthenticator {
+public class WildflyRequestAuthenticator extends ServletRequestAuthenticator
+{
     protected static Logger log = Logger.getLogger(WildflyRequestAuthenticator.class);
 
     public WildflyRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment, int sslRedirectPort,
@@ -97,7 +100,7 @@ public class WildflyRequestAuthenticator extends ServletRequestAuthenticator {
         //   .createIdentity(Principal [=userPrincipal], Object [=account], Role [=null]).
         // Therefore the roles are only contained in the authenticatedSubject (member of subjectInfo)
         // and subsequent logics do only access subjectInfo#roles instead of authenticatedSubject#roles.
-        mapGroupMembersOfAuthenticatedSubjectIntoSubjectInfo(sc.getSubjectInfo());
+        mapGroupMembersOfAuthenticatedSubjectIntoSecurityContext(sc);
     }
 
     /**
@@ -161,7 +164,8 @@ public class WildflyRequestAuthenticator extends ServletRequestAuthenticator {
         return roleSets;
     }
 
-	private static void mapGroupMembersOfAuthenticatedSubjectIntoSubjectInfo(SubjectInfo subjectInfo) {
+    private static void mapGroupMembersOfAuthenticatedSubjectIntoSecurityContext(org.jboss.security.SecurityContext sc) {
+        SubjectInfo subjectInfo = sc.getSubjectInfo();
         if (subjectInfo == null) {
             return;
         }
@@ -171,14 +175,14 @@ public class WildflyRequestAuthenticator extends ServletRequestAuthenticator {
             return;
         }
 
-        // Get role group of subjectInfo in order to add roles of authenticatedSubject.
-        RoleGroup scRoles = subjectInfo.getRoles();
+        // Get role group of security context in order to add roles of authenticatedSubject.
+        RoleGroup scRoles = sc.getUtil().getRoles();
         if (scRoles == null) {
             scRoles = new SimpleRoleGroup("Roles");
-            subjectInfo.setRoles(scRoles);
+            sc.getUtil().setRoles(scRoles);
         }
 
-        // Get group roles of authenticatedSubject and add them into subjectInfo
+        // Get group roles of authenticatedSubject and add each role of the group into security context
         Iterator<Principal> principalItr = authenticatedSubject.getPrincipals().iterator();
         while (principalItr.hasNext()) {
             Principal principal = principalItr.next();