  1. JBoss Enterprise Application Platform
  2. JBEAP-11450

Adding application-security-domain in EJB subsystem requires server reload


    • Bug
    • Resolution: Cannot Reproduce
    • Critical
    • None
    • 7.1.0.DR19
    • EJB
    • None

      Use https://github.com/jmartisk/mock-artifacts/tree/master/ejbclient/eap7.1-httpclient and its steps in README with some modifications:

      1) Omit step 3. Instead of it run:

      /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:remove()
      reload
      /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:add(http-authentication-factory=application-http-authentication)
      /subsystem=security/security-domain=other/authentication=classic/login-module=RealmDirect:write-attribute(name=module-options,value={password-stacking=useFirstPass,realm=ManagementRealm})
      reload
      

      2) Deploy application and try to run client side - it will fail because it tries to authorize through legacy ManagementRealm

      3) Call CLI command /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain) (and do NOT reload server) and try to run client side again - it will still fail because it still uses legacy ManagementRealm

      4) reload server and run client side again - it will pass because it starts to use Elytron ApplicationDomain


      When application-security-domain is added in the EJB subsystem, it is not used until the server is reloaded. However, the CLI command does not set the server to reload-required state, see:

      /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
      {"outcome" => "success"}
      

              rhn-support-iweiss Ingo Weiss
              olukas Ondrej Lukas (Inactive)
              Michal Jurc Michal Jurc
              Michal Jurc Michal Jurc

                  Estimated: 4h
                  Remaining: 1h
                  Logged: 3h
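
The report above turns on a success response that carries no reload flag. As an added example (not part of the original report or of the EAP code base), this Python sketch parses jboss-cli response text and classifies a security-domain mapping change, so that a bare success is never recorded as "enforced". The function names and the FLAGGED sample are assumptions constructed for illustration.

```python
import re

# Tokens of the DMR text that jboss-cli prints: "=>", braces, commas, strings, bare words.
_TOKEN = re.compile(r'\s*(=>|[{}\[\],]|"(?:[^"\\]|\\.)*"|[^\s{}\[\],=]+)')
_BARE = {"true": True, "false": False, "undefined": None}
RELOAD_STATES = {"reload-required", "restart-required"}

# Response quoted in the report above.
REPORTED = '{"outcome" => "success"}'
# Constructed sample: a response in which the server does flag a reload.
FLAGGED = '''{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}'''

def _value(tok, i):
    """Parse one value starting at tok[i]; return (value, next index)."""
    t = tok[i]
    if t == "{":
        obj, i = {}, i + 1
        while tok[i] != "}":
            key = tok[i].strip('"')
            obj[key], i = _value(tok, i + 2)  # tok[i + 1] is the "=>" token
            i += tok[i] == ","                # step over a separating comma
        return obj, i + 1
    if t == "[":
        items, i = [], i + 1
        while tok[i] != "]":
            item, i = _value(tok, i)
            items.append(item)
            i += tok[i] == ","
        return items, i + 1
    if t.startswith('"'):
        return t[1:-1], i + 1
    return _BARE.get(t, t), i + 1

def parse_dmr(text):
    return _value(_TOKEN.findall(text), 0)[0]

def enforcement_status(response_text):
    """Classify the response to a security-domain mapping change."""
    resp = parse_dmr(response_text)
    if resp.get("outcome") != "success":
        return "failed"
    headers = resp.get("response-headers") or {}
    if headers.get("process-state") in RELOAD_STATES:
        return "pending-reload"
    # Success without a reload flag: not proof the new domain is in use.
    return "unverified"
```

An "unverified" result is the case described in the report: confirm with an authenticated client call, or reload explicitly, before relying on the new mapping.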