4 Replies Latest reply on May 25, 2016 12:55 PM by caarlos0

    Wildfly 9 security domains won't work

    caarlos0

      I'm migrating a big web app from jboss as 6 to wildfly 9, and encountered a few impediments on the way.

      One of them is the security domain.

      The relevant part of the `standalone.xml` is as follows:

      
          <subsystem xmlns="urn:jboss:domain:security:1.2">
              <security-domains>
                  <security-domain name="other" cache-type="default">
                      <authentication>
                          <login-module code="Remoting" flag="optional">
                              <module-option name="password-stacking" value="useFirstPass"/>
                          </login-module>
                          <login-module code="RealmDirect" flag="required">
                              <module-option name="password-stacking" value="useFirstPass"/>
                          </login-module>
                      </authentication>
                  </security-domain>
                  <security-domain name="jboss-web-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
                  <security-domain name="jboss-ejb-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
                  <security-domain name="mydomain" cache-type="default">
                      <authentication>
                          <login-module code="foo.token.LoginModule" flag="required">
                              <module-option name="hashAlgorithm" value="SHA-512"/>
                              <module-option name="hashEncoding" value="base64"/>
                              <module-option name="unauthenticatedIdentity" value="guest"/>
                              <module-option name="dsJndiName" value="jdbc/fooDS"/>
                              <module-option name="principalsQuery" value="select ..."/>
                              <module-option name="rolesQuery" value="select o.name, 'Roles' from roles up join ef_usuario ..."/>
                          </login-module>
                      </authentication>
                  </security-domain>
              </security-domains>
          </subsystem>
      

      The `foo.token.LoginModule.java` is something like this:

          import java.security.Principal;
          import javax.security.auth.login.LoginException;
          import org.jboss.security.auth.spi.DatabaseServerLoginModule;

          @NoArgsConstructor
          public class FooLoginModule extends DatabaseServerLoginModule {

              private Principal principal;
              private String userName;

              // login() does not call super.login(); loginOk comes only from the custom validation
              @Override
              public boolean login() throws LoginException {
                  super.loginOk = false;
                  super.loginOk = tryLogin();
                  return super.loginOk;
              }

              protected boolean tryLogin() throws LoginException {
                  if (doesSomeAdditionalLoginValidation()) {
                      createPrincipal();
                      return true;
                  }
                  return false;
              }

              @VisibleForTesting
              protected UserResourceClient createUserResourceClient() {
                  return new UserResourceClient( createAuth(), createEndPoint() );
              }

              private EndPoint createEndPoint() {
                  return new EndPointProvider( ... ).create();
              }

              private Auth createAuth() {
                  return new AuthProvider( ... ).createAuth();
              }

              private void createPrincipal() throws LoginException {
                  try {
                      principal = createIdentity( userName );
                  } catch (Exception e) {
                      throw new LoginException( PROCESSING_FAILED + "Failed to create principal: " + e.getMessage() );
                  }
              }

              @Override
              protected String getUsername() {
                  return userName;
              }

              @Override
              protected Principal getIdentity() {
                  return principal;
              }

              // Role lookup is not overridden, so the inherited getRoleSets() and the rolesQuery option apply.
          }

      The app is deployed as an `ear`, so, in `.war` files I have a `jboss-web.xml` and in `.jar` files I have a `jboss-app.xml`. jboss-web:

          <jboss-web>
              <security-domain>mydomain</security-domain>
          </jboss-web>

      jboss-app:

          <?xml version="1.0" encoding="UTF-8"?>
          <jboss-app>
              <security-domain>mydomain</security-domain>
          </jboss-app>

      But when the app tries to use a `Stateless` bean annotated with `@SecurityDomain("mydomain")`, I get access errors:

          19:35:40,530 ERROR [org.jboss.as.ejb3.invocation] (default task-26)
          WFLYEJB0034: EJB Invocation failed on component FooService for method
          public java.lang.String foo.service.blah.FooService.find():
          javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method:
          public java.lang.String foo.service.blah.FooService.find() of bean:
          FooService is not allowed
       
      The FooService's code looks like:

          import java.util.List;
          import javax.ejb.Stateless;
          import org.jboss.ejb3.annotation.SecurityDomain;

          @Stateless
          @SecurityDomain("mydomain")
          public class FooService {

              public List<Foo> find() {
                  return ...;
              }
          }

      I see that the prefix `java:/jaas/` has to be removed from everywhere, and I did it, but still this won't work.

      Can't find any other thing that seems related to that in migration guides.

      What am I missing?
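A small consistency check for the migration described in this post, added here as an example and not part of the original post or of WildFly: it parses a constructed `standalone.xml` security subsystem and a few constructed `jboss-web.xml` / `jboss-app.xml` descriptors (hypothetical paths), flags any `<security-domain>` reference that still carries the `java:/jaas/` prefix the post says must go, and flags references to domains the subsystem never defines.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a WildFly 9 security subsystem, shaped like the post's standalone.xml.
STANDALONE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication><login-module code="RealmDirect" flag="required"/></authentication>
    </security-domain>
    <security-domain name="mydomain" cache-type="default">
      <authentication><login-module code="foo.token.LoginModule" flag="required"/></authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

# Constructed deployment descriptors (hypothetical paths); one still carries the JBoss AS 6 prefix.
DESCRIPTORS = {
    "web.war/WEB-INF/jboss-web.xml": "<jboss-web><security-domain>java:/jaas/mydomain</security-domain></jboss-web>",
    "ejb.jar/META-INF/jboss-app.xml": "<jboss-app><security-domain>mydomain</security-domain></jboss-app>",
    "other.jar/META-INF/jboss-app.xml": "<jboss-app><security-domain>legacydomain</security-domain></jboss-app>",
}

LEGACY_PREFIX = "java:/jaas/"

def defined_domains(standalone_xml):
    """Names of every <security-domain> declared in the security subsystem."""
    ns = {"s": "urn:jboss:domain:security:1.2"}
    root = ET.fromstring(standalone_xml)
    return {d.get("name") for d in root.findall(".//s:security-domain", ns)}

def check_descriptors(standalone_xml, descriptors):
    """Return (path, problem) pairs; an empty list means every descriptor is consistent."""
    domains = defined_domains(standalone_xml)
    problems = []
    for path, xml in descriptors.items():
        el = ET.fromstring(xml).find("security-domain")
        name = (el.text or "").strip() if el is not None else ""
        if not name:
            problems.append((path, "no <security-domain> element"))
            continue
        if name.startswith(LEGACY_PREFIX):
            problems.append((path, f"legacy prefix {LEGACY_PREFIX!r} must be dropped"))
            name = name[len(LEGACY_PREFIX):]
        if name not in domains:
            problems.append((path, f"security domain {name!r} is not defined in standalone.xml"))
    return problems

if __name__ == "__main__":
    for path, problem in check_descriptors(STANDALONE_XML, DESCRIPTORS):
        print(f"{path}: {problem}")
```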