WildFly issue WFLY-14976

Security Domain Configuration elytron:14.0


Details

    • Enhancement
    • Resolution: Unresolved
    • Major
    • None
    • 24.0.0.Final
    • Security
    • None
    • Undefined

    Description

      I wonder if I did something totally wrong, or if the Elytron security configuration bears a conceptual issue.

      I am migrating from Jakarta EE8 to Jakarta EE9 (WildFly 21 to preview-24). My application uses a web security realm named 'imixsrealm'. The project also contains EJBs with @RolesAllowed and @RunAs annotations. It took me several days to figure out the correct configuration in the standalone.xml file (in previous versions of WildFly I used the legacy security-domain configuration).

      Normally you would expect that if you want to use a custom realm configuration, it should be enough to configure a security-realm in the standalone.xml and reference it from the ApplicationDomain.

      For example like this:

       <security-domains>
           <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
               <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
               <realm name="local"/>
               <realm name="imixsrealm"/>
           </security-domain>
           <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
               <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
               <realm name="local" role-mapper="super-user-mapper"/>
           </security-domain>
       </security-domains>
       <security-realms>
           <identity-realm name="local" identity="$local"/>
           <properties-realm name="ApplicationRealm">
               <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
               <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
           </properties-realm>
           <properties-realm name="ManagementRealm">
               <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
               <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
           </properties-realm>
           <properties-realm name="imixsrealm" groups-attribute="Roles">
               <users-properties path="sampleapp-users.properties" relative-to="jboss.server.config.dir"
                                 digest-realm-name="Application Security" plain-text="true"/>
               <groups-properties path="sampleapp-roles.properties" relative-to="jboss.server.config.dir"/>
           </properties-realm>
       </security-realms>

      Here I add the new security realm 'imixsrealm' to the ApplicationDomain.

      But this did not work. Instead it is necessary to define a separate security domain referring to the security realm, and also to add the new references to the application-security-domains section of the EJB and Undertow subsystems.

      I have written a blog post about how to secure a Jakarta EE9 application here:

      https://ralph.blog.imixs.com/2021/07/03/jakarata-ee9-wildfly-elytron-securitydomains/


      Please correct me if I am wrong, but it looks very strange to me how complex the configuration becomes in Elytron. I have played around with it for several days now and found no other solution.
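The configuration the reporter describes as the one that actually works (a dedicated Elytron security domain wrapping the realm, plus mappings in the Undertow and EJB3 subsystems) is shown below as an added illustration; it is not the reporter's own file and not WildFly project documentation. The names imixsDomain and imixs-http-auth, the FORM mechanism, and the undertow/ejb3 subsystem namespace versions are assumptions: keep whatever version attributes your standalone.xml already carries, and the properties-realm named imixsrealm is the one from the description above.

```xml
<!-- Elytron subsystem: the realm is wrapped in its own security domain
     instead of being added as an extra realm of ApplicationDomain.
     Domain/factory names are assumptions for this example. -->
<subsystem xmlns="urn:wildfly:elytron:14.0" final-providers="combined-providers" disallowed-providers="OPENSSL">
    <security-domains>
        <!-- ApplicationDomain and ManagementDomain stay as shipped -->
        <security-domain name="imixsDomain" default-realm="imixsrealm"
                         permission-mapper="default-permission-mapper">
            <!-- groups-to-roles turns the "Roles" attribute of the
                 properties realm into the roles seen by @RolesAllowed -->
            <realm name="imixsrealm" role-decoder="groups-to-roles"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <!-- the properties-realm "imixsrealm" from the description goes here -->
    </security-realms>
    <http>
        <!-- authentication factory binding the web mechanism to the domain;
             FORM is assumed, BASIC/DIGEST would use the same structure -->
        <http-authentication-factory name="imixs-http-auth"
                                     security-domain="imixsDomain"
                                     http-server-mechanism-factory="global">
            <mechanism-configuration>
                <mechanism mechanism-name="FORM"/>
            </mechanism-configuration>
        </http-authentication-factory>
    </http>
</subsystem>

<!-- Undertow subsystem: maps the name the web deployment references
     (jboss-web.xml <security-domain>) to the authentication factory.
     Namespace version is an assumption. -->
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server"
           default-virtual-host="default-host" default-servlet-container="default">
    <application-security-domains>
        <application-security-domain name="imixsrealm"
                                     http-authentication-factory="imixs-http-auth"/>
    </application-security-domains>
</subsystem>

<!-- EJB3 subsystem: the same deployment-facing name, so @RolesAllowed and
     @RunAs on EJBs evaluate against the identity established by Undertow.
     Namespace version is an assumption. -->
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
    <application-security-domains>
        <application-security-domain name="imixsrealm" security-domain="imixsDomain"/>
    </application-security-domains>
</subsystem>
```

Two points worth checking when adapting this: the application-security-domain name must match exactly what the deployment references (jboss-web.xml and jboss-ejb3.xml, or the realm-name used in web.xml), and if a realm name is also used for the HTTP challenge (as with DIGEST and the digest-realm-name on the users-properties element), that name must agree with what the clients were configured for, otherwise authentication silently fails at the mechanism layer rather than at role checking.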


      Assignee: Unassigned
      Reporter: rsoika (Ralph Soika, Inactive)