3 Replies Latest reply on Mar 21, 2018 5:46 PM by davidj

Is jboss-web.xml still needed for Elytron Security Domains ?

mylos78 Oct 1, 2017 8:56 AM

Hi all,

I've configured a simple web application using a FileSystem Realm and Security Domain as described in: Using the Elytron Subsystem - Latest WildFly Documentation - Project Documentation Editor

From what I understand from the doc, when using Elytron Security Domain just adding into web.xml the realm-name and role-name would be sufficient:

<web-app> 
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>The role that is required to log in to /secure/*</description>
    <role-name>Admin</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>exampleApplicationDomain</realm-name>
  </login-config>
</web-app>
 
However with just web.xml in place I'm not able to login. On the other hand, I'm able to login when adding jboss-web.xml:
 
<jboss-web> 
  <security-domain>exampleApplicationDomain</security-domain>
</jboss-web>
So it seems jboss-web.xml is still needed also when using Elytron ? am I correct ?
Thanks
Mylos

1. Re: Is jboss-web.xml still needed for Elytron Security Domains ?

rhatlapa Oct 5, 2017 6:52 AM (in response to mylos78)

The security domain still needs to be defined. You can either define security domain directly in jboss-web.xml or you can define default one in Undertow subsystem (/subsystem=undertow:write-attribute(name=default-security-domain, value=`@NAME_OF_YOUR_SECURITY_DOMAN@`). Note in case of elytron you need to have defined application-security-domain in undertow with the given name.
1 of 1 people found this helpful
Actions
2. Re: Is jboss-web.xml still needed for Elytron Security Domains ?

dlofthouse Oct 5, 2017 6:56 AM (in response to rhatlapa)

+1 to the comment from Radim - this blog post shows a web application migrated to Elytron security using the default security domain on the Undertow subsystem combined with an application-security-domain definition Darran's WildFly Blog: WildFly Elytron - Add Kerberos Authentication To Existing Web Application
Actions
3. Re: Is jboss-web.xml still needed for Elytron Security Domains ?

davidj Mar 21, 2018 5:46 PM (in response to dlofthouse)

The original question is: Do you need to modify BOTH web.xml and jboss-web.xml to get Elytron working. In my case, I only need to modify jboss-web.xml. My jboss-web.xml has the following line:

     <security-domain>vcr-application-domain</security-domain>

My web.xml has nothing in-regards to security, except for the <security-constraint> and <security-role> tags.

If I remove the security line in jboss-web.xml and enter the following in web.xml:

     <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>vcr-application-domain</realm-name>
     </login-config>

, this does NOT work (basic authentication always fails).

Therefore, I conclude that only jboss-web.xml is needed (assuming all the required realms, domain, http-authentication-factory, and http-authentication are setup in standalone-full.xml).

I'm not sure if I like this. I like to keep as much as possible is standard/well-known files. If I was new to a project, a logical place to look would be "web.xml". But on the other hand, since Elytron is so ingrained in Wildfly/EAP 7.1, I guess it makes sense to put the configuration inside a JBoss specific file.

I'm curious if anyone has this working only using web.xml.

The official documentation implies web.xml needs to be modified: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_identity_management/elytron_secure_apps#elytron_apps_DBAuth

The exact quote is:

     Your application’s web.xml and jboss-web.xml must be updated to use the application-security-domain you configured in JBoss EAP.

The official configuration document says the same this:: Chapter 2. Elytron Subsystem - Red Hat Customer Portal

Thoughts?
Actions

Go to original post