6 Replies Latest reply on Mar 15, 2018 7:30 AM by stanislav1125

    Webservices - Elytron integration

    stanislav1125

      https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-WebServicesSubsystem

      WebServices Subsystem

      There is an adapter in the webservices subsystem to make authentication work for an Elytron security domain automatically. As when configuring with a legacy security domain, you can configure an Elytron security domain in the deployment descriptor or an annotation to secure a web service endpoint.
      How should I configure WildFly to make authentication work for an Elytron security domain in webservices?
      There is a Maven project in "test.zip" and the WildFly configuration in "standalone.xml".
      Run "mvn clean wildfly:deploy" to deploy the project to WildFly 11.
      Result of deploy:
      15:39:48,345 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final
      15:39:48,587 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
      15:39:48,697 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting
      15:39:49,728 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
      15:39:49,744 INFO  [org.wildfly.security] (ServerService Thread Pool -- 13) ELY00001: WildFly Elytron version 1.1.6.Final
      15:39:49,756 INFO  [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 29) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
      15:39:49,804 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
      15:39:49,815 INFO  [org.xnio] (MSC service thread 1-5) XNIO version 3.5.4.Final
      15:39:49,819 INFO  [org.xnio.nio] (MSC service thread 1-5) XNIO NIO Implementation Version 3.5.4.Final
      15:39:49,838 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 42) WFLYCLINF0001: Activating Infinispan subsystem.
      15:39:49,841 INFO  [org.jboss.as.jaxrs] (ServerService Thread Pool -- 43) WFLYRS0016: RESTEasy version 3.0.24.Final
      15:39:49,841 WARN  [org.jboss.as.txn] (ServerService Thread Pool -- 58) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for environments running multiple servers. Please make sure the attribute value is unique.
      15:39:49,842 INFO  [org.jboss.as.naming] (ServerService Thread Pool -- 50) WFLYNAM0001: Activating Naming Subsystem
      15:39:49,847 INFO  [org.jboss.as.jsf] (ServerService Thread Pool -- 48) WFLYJSF0007: Activated the following JSF Implementations: [main]
      15:39:49,859 INFO  [org.wildfly.extension.io] (ServerService Thread Pool -- 41) WFLYIO001: Worker 'default' has auto-configured to 16 core threads with 128 task threads based on your 8 available processors
      15:39:49,864 INFO  [org.jboss.as.webservices] (ServerService Thread Pool -- 60) WFLYWS0002: Activating WebServices Extension
      15:39:49,867 INFO  [org.jboss.as.security] (ServerService Thread Pool -- 57) WFLYSEC0002: Activating Security Subsystem
      15:39:49,870 INFO  [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=5.0.2.Final
      15:39:49,878 INFO  [org.jboss.as.naming] (MSC service thread 1-1) WFLYNAM0003: Starting Naming Service
      15:39:49,880 INFO  [org.jboss.as.connector] (MSC service thread 1-1) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.4.6.Final)
      15:39:49,882 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0003: Undertow 1.4.18.Final starting
      15:39:49,887 INFO  [org.jboss.as.mail.extension] (MSC service thread 1-7) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
      15:39:49,915 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 36) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.4)
      15:39:49,919 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-7) WFLYJCA0018: Started Driver service with driver-name = h2
      15:39:49,923 INFO  [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 5.0.5.Final
      15:39:50,080 INFO  [org.jboss.as.ejb3] (MSC service thread 1-8) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 32 (per class), which is derived from the number of CPUs on this host.
      15:39:50,082 INFO  [org.jboss.as.ejb3] (MSC service thread 1-2) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 128 (per class), which is derived from thread worker pool sizing.
      15:39:50,091 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 59) WFLYUT0014: Creating file handler for path '/opt/wildfly-11/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']
      15:39:50,095 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0012: Started server default-server.
      15:39:50,096 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0018: Host default-host starting
      15:39:50,166 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080
      15:39:50,173 INFO  [org.jboss.as.ejb3] (MSC service thread 1-4) WFLYEJB0493: EJB subsystem suspension complete
      15:39:50,268 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
      15:39:50,277 INFO  [org.jboss.as.patching] (MSC service thread 1-5) WFLYPAT0050: WildFly Full cumulative patch ID is: base, one-off patches include: none
      15:39:50,287 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-1) WFLYDM0111: Keystore /opt/wildfly-11/standalone-test/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
      15:39:50,442 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-3) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/wildfly-11/standalone-test/deployments
      15:39:50,484 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443
      15:39:50,532 INFO  [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.9.Final (Apache CXF 3.1.12)
      15:39:50,591 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
      15:39:50,593 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
      15:39:50,593 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
      15:39:50,593 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) started in 2586ms - Started 292 of 554 services (348 services are lazy, passive or on-demand)
      15:40:07,421 INFO  [org.jboss.as.repository] (management-handler-thread - 3) WFLYDR0001: Content added at location /opt/wildfly-11/standalone-test/data/content/ef/226b4c177dd0e951a646da25f3d1e92891d3a8/content
      15:40:07,440 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-8) WFLYSRV0027: Starting deployment of "test.war" (runtime-name: "test.war")
      15:40:07,975 INFO  [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-7) ISPN000128: Infinispan version: Infinispan 'Chakra' 8.2.8.Final
      15:40:08,004 INFO  [org.jboss.ws.cxf.metadata] (MSC service thread 1-3) JBWS024061: Adding service endpoint metadata: id=com.test.TestEndpoint
       address=http://localhost:8080/test/TestEndpoint
       implementor=com.test.TestEndpoint
       serviceName={http://test.com/}TestEndpointService
       portName={http://test.com/}TestEndpointPort
       annotationWsdlLocation=null
       wsdlLocationOverride=null
       mtomEnabled=false
      15:40:08,227 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 16) WFLYCLINF0002: Started client-mappings cache from ejb container
      15:40:08,511 INFO  [org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean] (MSC service thread 1-3) Creating Service {http://test.com/}TestEndpointService from class com.test.TestEndpoint
      15:40:08,653 INFO  [org.apache.cxf.endpoint.ServerImpl] (MSC service thread 1-3) Setting the server's publish address to be http://localhost:8080/test/TestEndpoint
      15:40:08,707 INFO  [org.jboss.ws.cxf.deployment] (MSC service thread 1-3) JBWS024074: WSDL published to: file:/opt/wildfly-11/standalone-test/data/wsdl/test.war/TestEndpointService.wsdl
      15:40:08,778 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "test.war")]) - failure description: {
          "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.application-security-domain"],
          "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.ws.endpoint.\"test.war\".\"com.test.TestEndpoint\" is missing [jboss.security.security-domain.application-security-domain]"]
      }
      15:40:08,779 ERROR [org.jboss.as.server] (management-handler-thread - 3) WFLYSRV0021: Deploy of deployment "test.war" was rolled back with the following failure message:
      {
          "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.application-security-domain"],
          "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.ws.endpoint.\"test.war\".\"com.test.TestEndpoint\" is missing [jboss.security.security-domain.application-security-domain]"]
      }
      15:40:08,788 ERROR [org.jboss.ws.common.deployment] (MSC service thread 1-1) JBWS022102: Cannot stop endpoint in state UNDEFINED: jboss.ws:context=test,endpoint=com.test.TestEndpoint
      15:40:08,826 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-7) WFLYSRV0028: Stopped deployment test.war (runtime-name: test.war) in 47ms

        • 1. Re: Webservices - Elytron integration
          fjuma

          Looks like "database-application-security-domain" isn't being treated as an Elytron security domain. Are you able to post more snippets from the server.log file?

          • 2. Re: Webservices - Elytron integration
            stanislav1125

            Added test project, WildFly configuration, server log.

            • 3. Re: Webservices - Elytron integration
              jim.ma

              Can you try the following change to see if this works?

              • Add another application-security-domain in the Undertow subsystem, like: <application-security-domain name="database-security-domain" http-authentication-factory="database-http-authentication-factory"/>
              • Change the security domain in jboss-web.xml to: <security-domain>database-security-domain</security-domain>

              In the current webservice Elytron integration, the security domain specified to secure a webservice endpoint must have the same name as the Elytron security domain. This is not ideal and I am looking at a better solution for this now.
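The following is an added configuration check, written for this thread and not code from any of the posters or from WildFly itself. It encodes the naming rule stated in the reply above (the name in jboss-web.xml must be both an Undertow application-security-domain and an Elytron security domain of the same name) and verifies the chain jboss-web.xml -> undertow application-security-domain -> elytron http-authentication-factory -> elytron security-domain. The standalone.xml fragment and both jboss-web.xml variants are constructed to mirror the thread (the `database-*` names), and the namespace prefixes `urn:wildfly:elytron:` and `urn:jboss:domain:undertow:` are those used by WildFly 11; the function and constant names are the example's own.

```python
"""Lint the security-domain naming chain between jboss-web.xml and standalone.xml."""
import xml.etree.ElementTree as ET

# Namespace prefixes of the two subsystems involved (version suffix left open).
ELYTRON_NS = "{urn:wildfly:elytron:"
UNDERTOW_NS = "{urn:jboss:domain:undertow:"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]


def _subsystem(root, ns_prefix):
    """Return the <subsystem> element whose namespace starts with ns_prefix, or None."""
    for el in root.iter():
        if _local(el.tag) == "subsystem" and el.tag.startswith(ns_prefix):
            return el
    return None


def _named(sub, local_name):
    """Map name attribute -> element for every element with that local tag inside sub."""
    if sub is None:
        return {}
    return {el.get("name"): el for el in sub.iter() if _local(el.tag) == local_name}


def check_ws_security_domain(standalone_xml, jboss_web_xml):
    """Return a list of problems; an empty list means the naming chain is consistent."""
    root = ET.fromstring(standalone_xml)
    web = ET.fromstring(jboss_web_xml)

    sd_el = next((el for el in web.iter() if _local(el.tag) == "security-domain"), None)
    if sd_el is None or not (sd_el.text or "").strip():
        return ["jboss-web.xml has no <security-domain>"]
    wanted = sd_el.text.strip()

    ely_domains = _named(_subsystem(root, ELYTRON_NS), "security-domain")
    ely_factories = _named(_subsystem(root, ELYTRON_NS), "http-authentication-factory")
    app_domains = _named(_subsystem(root, UNDERTOW_NS), "application-security-domain")

    problems = []
    app = app_domains.get(wanted)
    if app is None:
        problems.append(f"undertow has no application-security-domain named {wanted!r}")
    else:
        factory = app.get("http-authentication-factory")
        if factory not in ely_factories:
            problems.append(f"http-authentication-factory {factory!r} is not defined in elytron")
        elif ely_factories[factory].get("security-domain") not in ely_domains:
            problems.append(f"factory {factory!r} references an unknown elytron security-domain")
    # Rule from the thread: the webservices integration resolves the name as an Elytron domain.
    if wanted not in ely_domains:
        problems.append(f"{wanted!r} is not an elytron security-domain name; the webservices "
                        "integration expects jboss-web.xml to name the elytron domain itself")
    return problems


# Constructed standalone.xml fragment modelled on the thread (not the poster's real file).
# It already contains the extra application-security-domain suggested in the reply above.
STANDALONE = """<server xmlns="urn:jboss:domain:5.0"><profile>
  <subsystem xmlns="urn:wildfly:elytron:1.2">
    <security-domains>
      <security-domain name="database-security-domain" default-realm="database-realm"
                       permission-mapper="default-permission-mapper"><realm name="database-realm"/></security-domain>
    </security-domains>
    <http>
      <http-authentication-factory name="database-http-authentication-factory"
                                   security-domain="database-security-domain" http-server-mechanism-factory="global">
        <mechanism-configuration><mechanism mechanism-name="BASIC"/></mechanism-configuration>
      </http-authentication-factory>
    </http>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <application-security-domains>
      <application-security-domain name="database-application-security-domain" http-authentication-factory="database-http-authentication-factory"/>
      <application-security-domain name="database-security-domain" http-authentication-factory="database-http-authentication-factory"/>
    </application-security-domains>
  </subsystem>
</profile></server>"""

# Constructed jboss-web.xml before and after the change suggested in the reply above.
JBOSS_WEB_MISMATCHED = "<jboss-web><security-domain>database-application-security-domain</security-domain></jboss-web>"
JBOSS_WEB_FIXED = "<jboss-web><security-domain>database-security-domain</security-domain></jboss-web>"

if __name__ == "__main__":
    for label, web in (("before", JBOSS_WEB_MISMATCHED), ("after", JBOSS_WEB_FIXED)):
        print(label, check_ws_security_domain(STANDALONE, web) or "OK")
```

Run it before deploying: the "before" case reports that `database-application-security-domain` is not an Elytron domain name, which is the mismatch behind the `WFLYCTL0412 ... jboss.security.security-domain.application-security-domain` failure in the log above, while the "after" case reports nothing.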

              • 4. Re: Webservices - Elytron integration
                stanislav1125

                You can add settings "application-security-domains" to "webservices" subsystem like it's done for "ejb3" subsystem.
                        <subsystem xmlns="urn:jboss:domain:webservices:2.0">
                            <wsdl-host>{jboss.bind.address:127.0.0.1}</wsdl-host>
                            <endpoint-config name="Standard-Endpoint-Config"/>
                            <endpoint-config name="Recording-Endpoint-Config">
                                <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
                                    <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
                                </pre-handler-chain>
                            </endpoint-config>
                            <client-config name="Standard-Client-Config"/>
                            <application-security-domains>
                                <application-security-domain name="database-application-security-domain" security-domain="database-security-domain"/>
                            </application-security-domains>
                        </subsystem>

                • 5. Re: Webservices - Elytron integration
                  j_ri

                  No, unfortunately this does not work ;-(

                  The schema file for the webservices subsystem "jboss-as-webservices_2_0.xsd" doesn't have any attributes or elements for the "security-domain".

                  Nevertheless I tried it, but WildFly doesn't even start.

                  • 6. Re: Webservices - Elytron integration
                    stanislav1125

                    You can add settings "application-security-domains" to "webservices" subsystem like it's done for "ejb3" subsystem.

                    It's a suggestion for further development.