1

We are using UAA's multitenant functionality for our customers. As such, each are given their own identity zone. We'd also like to have an admin identity zone separate from the default UAA identity zone. However, it seems only a user in the default UAA identity zone is able to switch identity zones.

From the IdentiyZoneSwitchingFilter:

if (IdentityZoneHolder.isUaa() && oAuth2Authentication != null && !oAuth2Authentication.getOAuth2Request().getScope().isEmpty()) {
    SecurityContextHolder.getContext().setAuthentication(oAuth2Authentication);
} else {
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not authorized to switch to IdentityZone with id "+identityZoneId);
    return;
}

Obviously IdentityZoneHolder.isUaa() will be false for anything but the UAA identity zone.

In the past we made significant modifications to UAA to support our functionality, including installing our own IdentityZoneSwitchingFilter. We've recently upgraded to 3.3.0 and are trying to pull out all of our code to have a clean separation between our stuff and UAA.

We'd prefer to leave UAA unmodified however it looks like we will still need to configure our own IdentityZoneSwitchingFilter. Is this correct? Is there another way to accomplish this without modifying UAA?

Dave Rager
  • 8,002
  • 3
  • 33
  • 52

1 Answers1

1

UAA only supports zone switching from the default identity zone as this is treated as the zone from which other identity zones are administered.

Could you elaborate further on why do don't want to use the default zone for this purpose.

Sree Tummidi
  • 366
  • 3
  • 3
  • Thanks for your reply. That is what I expected. We need multiple administrative partitions based on subdomain with the ability to create and manage other partitions. I worked around this by using the admin client credentials to perform the operations on behalf of the user. It's not as elegant as I'd like but it will work for now. – Dave Rager May 10 '16 at 19:24