Details
- Enhancement
- Resolution: Unresolved
- Major
- None
- 24.0.0.Final
- None
- Undefined
Description
I wonder if I did something totally wrong, or if the Elytron security configuration bears a conceptual issue.
I am migrating from Jakarta EE8 to Jakarta EE9 (WildFly 21 to preview-24). My application uses a web security realm named 'imixsrealm'. The project also contains EJBs with @RolesAllowed and @RunAs annotations. It took me several days to figure out the correct configuration in the standalone.xml file. (In previous versions of WildFly I used the legacy security-domain configuration.)
Normally you would expect that if you want to use a custom realm configuration, it should be enough to configure a security-realm in the standalone.xml and make a reference to the ApplicationDomain.
For example like this:
<security-domains>
    <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
        <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
        <realm name="local"/>
        <realm name="imixsrealm"/>
    </security-domain>
    <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
        <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
        <realm name="local" role-mapper="super-user-mapper"/>
    </security-domain>
</security-domains>
<security-realms>
    <identity-realm name="local" identity="$local"/>
    <properties-realm name="ApplicationRealm">
        <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
        <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </properties-realm>
    <properties-realm name="ManagementRealm">
        <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
        <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </properties-realm>
    <properties-realm name="imixsrealm" groups-attribute="Roles">
        <users-properties path="sampleapp-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="Application Security" plain-text="true"/>
        <groups-properties path="sampleapp-roles.properties" relative-to="jboss.server.config.dir"/>
    </properties-realm>
</security-realms>
Here I add the new security realm 'imixsrealm' to the ApplicationDomain.
But this did not work. Instead it is necessary to define a separate security domain referring to the security realm and also add the new refs into the application-security-domains section of the EJB and Undertow subsystems.
I have written a blog about how to secure a Jakarta EE9 Application here:
https://ralph.blog.imixs.com/2021/07/03/jakarata-ee9-wildfly-elytron-securitydomains/
Please correct me if I am wrong, but it looks very strange to me how complex the configuration becomes in Elytron. I have played around for several days now and found no other solution.
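The arrangement the description says was necessary, sketched as standalone.xml fragments. This is an added example, not the reporter's configuration or text from the linked blog post. Using 'imixsrealm' as the name of the new security domain and of the application-security-domain entries is an assumption (it is the name the deployment is assumed to reference, for example in jboss-web.xml); subsystem namespaces are omitted because they depend on the server version.

```xml
<!-- Elytron subsystem, inside <security-domains>:
     a dedicated domain whose default-realm is the custom realm.
     A realm that is only listed in ApplicationDomain is not consulted
     unless a realm-mapper selects it, because authentication falls
     back to that domain's default-realm (ApplicationRealm). -->
<security-domain name="imixsrealm"
                 default-realm="imixsrealm"
                 permission-mapper="default-permission-mapper">
    <!-- No role-decoder here: the properties-realm on this page sets
         groups-attribute="Roles", the attribute Elytron decodes
         into roles by default. -->
    <realm name="imixsrealm"/>
</security-domain>

<!-- Elytron subsystem, inside <security-realms>:
     the properties-realm from the description, unchanged. -->
<properties-realm name="imixsrealm" groups-attribute="Roles">
    <users-properties path="sampleapp-users.properties"
                      relative-to="jboss.server.config.dir"
                      digest-realm-name="Application Security"
                      plain-text="true"/>
    <groups-properties path="sampleapp-roles.properties"
                       relative-to="jboss.server.config.dir"/>
</properties-realm>

<!-- EJB3 subsystem: maps the security domain name used by the
     deployment's EJBs (@RolesAllowed, @RunAs) to the Elytron domain. -->
<application-security-domains>
    <application-security-domain name="imixsrealm"
                                 security-domain="imixsrealm"/>
</application-security-domains>

<!-- Undertow subsystem: the same mapping for the web tier, so servlet
     authentication and EJB authorization share one identity. -->
<application-security-domains>
    <application-security-domain name="imixsrealm"
                                 security-domain="imixsrealm"/>
</application-security-domains>
```

The users file above keeps plain-text="true" as on the page; that setting stores passwords unhashed, so the properties file needs restrictive file permissions or a hashed format outside of test setups.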