23 Replies. Latest reply on Dec 22, 2017 7:12 AM by lagoria

    Problems with Wildfly 11 (Database Identity Store)

    samerjamal

      I'm migrating from version 10 to 11.

      This part of the configuration has changed a lot, I'm following this link https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-RealmMappers

      And the following error is occurring when deploying:

      Error:

      09:02:28,630 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "labcontrol.war")]) - failure description: {
          "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.labcontrolRealm"],
          "WFLYCTL0180: Services with missing/unavailable dependencies" => [
              "jboss.deployment.unit.\"labcontrol.war\".component.TamanhoDAO.CREATE is missing [jboss.security.security-domain.labcontrolRealm]",

       

      Configure a datasource:

      standalone.xml

      <datasource jta="true" jndi-name="java:/labcontrolDS" pool-name="labcontrolDS" enabled="true" use-java-context="true" use-ccm="true">
          <connection-url>jdbc:mysql://127.0.0.1:3306/labcontrol</connection-url>
          <driver>mysql</driver>
          <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
          <pool>
              <min-pool-size>10</min-pool-size>
              <max-pool-size>100</max-pool-size>
              <prefill>true</prefill>
          </pool>
          <security>
              <user-name>root</user-name>
          </security>
          <statement>
              <prepared-statement-cache-size>32</prepared-statement-cache-size>
              <share-prepared-statements>true</share-prepared-statements>
          </statement>
      </datasource>

       

      Configure a jdbc-realm in WildFly:

      standalone.xml

      <jdbc-realm name="exampleDbRealm">
          <principal-query sql="SELECT u.senha FROM labcontrol.usuario u INNER JOIN labcontrol.email e ON u.email_id = e.id where e.email=?" data-source="labcontrolDS">
              <clear-password-mapper password-index="1"/>
          </principal-query>
          <principal-query sql="SELECT p.nome, 'Roles' FROM labcontrol.permissao p INNER JOIN labcontrol.gruposistema_permissao gr ON p.id = gr.permissao_id INNER JOIN labcontrol.usuario_gruposistema ug ON gr.gruposistema_id = ug.gruposistema_id INNER JOIN labcontrol.usuario u ON ug.usuario_id = u.id INNER JOIN email e ON u.email_id = e.id WHERE e.email=?" data-source="labcontrolDS">
              <attribute-mapping>
                  <attribute to="groups" index="1"/>
              </attribute-mapping>
          </principal-query>
      </jdbc-realm>

       

      Configure a security-domain:

      standalone.xml

      <security-domain name="exampleDbSD" default-realm="exampleDbRealm" permission-mapper="default-permission-mapper">
          <realm name="exampleDbRealm" role-decoder="groups-to-roles"/>
      </security-domain>

       

      Configure an http-authentication-factory:

      standalone.xml

      <http-authentication-factory name="example-db-http-auth" http-server-mechanism-factory="global" security-domain="exampleDbSD">
          <mechanism-configuration>
              <mechanism mechanism-name="FORM">
                  <mechanism-realm realm-name="exampleDbSD"/>
              </mechanism>
          </mechanism-configuration>
      </http-authentication-factory>

       

      Configure an application-security-domain in the Undertow subsystem:

      standalone.xml

      <application-security-domains>
          <application-security-domain name="labcontrolRealm" http-authentication-factory="example-db-http-auth"/>
      </application-security-domains>

       

      Configure my application jboss-web.xml:

      jboss-web.xml

      <jboss-web>
          <context-root>labcontrol</context-root>
          <security-domain>labcontrolRealm</security-domain>
      </jboss-web>

       

      Configure my application web.xml:

      web.xml

      <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>labcontrolRealm</realm-name>
          <form-login-config>
              <form-login-page>/login.xhtml</form-login-page>
              <form-error-page>/login.xhtml</form-error-page>
          </form-login-config>
      </login-config>

       

      Thanks for the help.

        • 1. Re: Problems with Wildfly 11 (Database Identity Store)
          mchoma

          It seems component.TamanhoDAO.CREATE is missing the legacy security domain labcontrolRealm.

           

          How is legacy security domain referenced there? As some annotation?

          • 2. Re: Problems with Wildfly 11 (Database Identity Store)
            lagoria

            Exact same problem here.

             

            My EJBs are not using any security domain, but still fail showing the error reported by Samer.

            Security domain is used at web layer level instead (activated by jboss-web.xml as reported by Samer again).

            • 3. Re: Problems with Wildfly 11 (Database Identity Store)
              lagoria

              Probably this line is wrong:

                <mechanism-realm realm-name="exampleDbSD"/>

              and should be

                <mechanism-realm realm-name="exampleDbRealm"/>

              at least this is what the attribute name suggests.

              By the way, even after this fix, I still have the same errors.

              Another question would be, how can I debug what's going on? The log, even after enabling DEBUG level, does not really give any clue apart from a bunch of

              ......component.LogService.CREATE is missing [jboss.security.security-domain.....]",

              • 4. Re: Problems with Wildfly 11 (Database Identity Store)
                samerjamal

                My EJBs are not using any security domain either.

                In my attempts I had already changed mechanism-realm to exampleDbRealm.

                For now I gave up and returned to version 10.

                • 5. Re: Problems with Wildfly 11 (Database Identity Store)
                  lagoria

                  I gave it up too, but found out you can still keep WF11. All you have to do is configure the security domain in the old way

                   

                  <subsystem xmlns="urn:jboss:domain:security:2.0">

                   

                  (it's toward the bottom)

                   

                  and ditch all you have done so far.

                   

                  It worked for me.

                  • 6. Re: Problems with Wildfly 11 (Database Identity Store)
                    dlofthouse

                    In general, to log messages related to security with the new Elytron subsystem, enable TRACE logging for the 'org.wildfly.security' category; if this is SASL authentication for Remoting, then also adding 'org.jboss.remoting' at level TRACE can reveal some more information.

                    • 7. Re: Problems with Wildfly 11 (Database Identity Store)
                      dlofthouse

                      +1. The legacy security has not been removed at this stage, so no one is forced into an immediate migration just to use WildFly 11.

                      • 8. Re: Problems with Wildfly 11 (Database Identity Store)
                        samerjamal

                        Alberto,

                        Sorry, but I don't understand what needs to be done.

                        Can you publish your standalone file?

                        • 9. Re: Problems with Wildfly 11 (Database Identity Store)
                          lagoria

                          I can publish my legacy security subsystem.

                           

                          <subsystem xmlns="urn:jboss:domain:security:2.0">
                              <security-domains>
                                  <security-domain name="other" cache-type="default">
                                      <authentication>
                                          <login-module code="Remoting" flag="optional">
                                              <module-option name="password-stacking" value="useFirstPass"/>
                                          </login-module>
                                          <login-module code="RealmDirect" flag="required">
                                              <module-option name="password-stacking" value="useFirstPass"/>
                                          </login-module>
                                      </authentication>
                                  </security-domain>
                                  <security-domain name="jboss-web-policy" cache-type="default">
                                      <authorization>
                                          <policy-module code="Delegating" flag="required"/>
                                      </authorization>
                                  </security-domain>
                                  <security-domain name="jboss-ejb-policy" cache-type="default">
                                      <authorization>
                                          <policy-module code="Delegating" flag="required"/>
                                      </authorization>
                                  </security-domain>
                                  <security-domain name="jaspitest" cache-type="default">
                                      <authentication-jaspi>
                                          <login-module-stack name="dummy">
                                              <login-module code="Dummy" flag="optional"/>
                                          </login-module-stack>
                                          <auth-module code="Dummy"/>
                                      </authentication-jaspi>
                                  </security-domain>
                                  <security-domain name="wmt" cache-type="default">
                                      <authentication>
                                          <login-module code="Database" flag="required">
                                              <module-option name="dsJndiName" value="java:/myappDS"/>
                                              <module-option name="principalsQuery" value="select password from user where email = ?"/>
                                              <module-option name="rolesQuery" value="select role, 'Roles' from user_role_auth where email = ?"/>
                                              <module-option name="hashAlgorithm" value="MD5"/>
                                              <module-option name="hashEncoding" value="hex"/>
                                          </login-module>
                                          <login-module code="RoleMapping" flag="required">
                                              <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>
                                              <module-option name="replaceRole" value="false"/>
                                          </login-module>
                                      </authentication>
                                  </security-domain>
                              </security-domains>
                          </subsystem>

                           

                          and leave the elytron subsystem

                           

                          <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">

                                     

                          as it was before you started to add stuff to it.

                           

                           

                          P.S.

                          When I paste something into the textarea I get pushed to the top of the page every time I hit the spacebar key. Please replace this forum with something decent.

                          • 10. Re: Problems with Wildfly 11 (Database Identity Store)
                            mchoma

                            What are these component.*.CREATE? Are they EJBs? Isn't the legacy security domain referenced in configuration, e.g. http-connector in standalone.xml or jboss-ejb3.xml in the deployment?

                             

                            In [1] there is how to secure EJB with Elytron.

                             

                            [1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients

                            • 11. Re: Problems with Wildfly 11 (Database Identity Store)
                              lagoria

                              They are local EJBs, so I don't think I should add anything else (by the way, I also tried to add the jboss-ejb3.xml entry, but it didn't work).
                              I am just interested in securing the web layer, not the EJB one.

                              • 12. Re: Problems with Wildfly 11 (Database Identity Store)
                                jaikiran

                                lagoria wrote:

                                 

                                Exact same problem here.

                                 

                                My EJBs are not using any security domain, but still fail showing the error reported by Samer.

                                Security domain is used at web layer level instead (activated by jboss-web.xml as reported by Samer again).

                                Are you packaging your EJBs as part of the war? If yes, then the security domain in jboss-web.xml gets applied to both the EJBs as well as the web components.

                                • 13. Re: Problems with Wildfly 11 (Database Identity Store)
                                  lagoria

                                  Yes, it is a simple war.

                                  • 14. Re: Problems with Wildfly 11 (Database Identity Store)
                                    jaikiran

                                    lagoria wrote:

                                    Exact same problem here.

                                    My EJBs are not using any security domain, but still fail showing the error reported by Samer.

                                    Security domain is used at web layer level instead (activated by jboss-web.xml as reported by Samer again).

                                    Are you packaging your EJBs as part of the war? If yes, then the security domain in jboss-web.xml gets applied to both the EJBs as well as the web components.

                                    lagoria wrote:

                                     

                                    yes, it is a simple war.

                                    In that case, like Martin noted in one of his replies, you seem to be missing one step in the configuration of your server (standalone.xml). You seem to have added an "application-security-domain" in the undertow subsystem (for web components) but haven't added one in the ejb3 subsystem (for EJB components). You need them both. How to add it to the EJB3 subsystem is explained in the link that Martin pointed to in his reply Re: Problems with Wildfly 11 (Database Identity Store)
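The missing step jaikiran describes, as an added configuration example constructed for this thread (not posted by anyone in it and not copied from the WildFly docs): every place the name labcontrolRealm has to be registered for a WAR that bundles local EJBs. The Elytron and Undertow entries are samerjamal's with lagoria's mechanism-realm correction applied; the subsystem namespace versions are assumed for WildFly 11.

```xml
<!-- Constructed example: the names that must agree for a WAR that bundles
     local EJBs. Subsystem namespace versions are assumed for WildFly 11. -->

<!-- 1. Elytron subsystem: mechanism-realm names the jdbc-realm (lagoria's
        correction), while security-domain names the Elytron security domain. -->
<http-authentication-factory name="example-db-http-auth"
                             http-server-mechanism-factory="global"
                             security-domain="exampleDbSD">
    <mechanism-configuration>
        <mechanism mechanism-name="FORM">
            <mechanism-realm realm-name="exampleDbRealm"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>

<!-- 2. Undertow subsystem: maps the deployment's security-domain name to the
        HTTP authentication factory for the servlet/JSF side of the WAR. -->
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <!-- other undertow settings unchanged -->
    <application-security-domains>
        <application-security-domain name="labcontrolRealm"
                                     http-authentication-factory="example-db-http-auth"/>
    </application-security-domains>
</subsystem>

<!-- 3. EJB3 subsystem: EJBs packaged inside the WAR inherit the same
        security-domain name from jboss-web.xml, so it must be registered
        here as well. This entry references the Elytron security domain
        directly; there is no HTTP mechanism on the EJB side.
        CLI equivalent:
        /subsystem=ejb3/application-security-domain=labcontrolRealm:add(security-domain=exampleDbSD) -->
<subsystem xmlns="urn:jboss:domain:ejb3:5.0">
    <!-- other ejb3 settings unchanged -->
    <application-security-domains>
        <application-security-domain name="labcontrolRealm"
                                     security-domain="exampleDbSD"/>
    </application-security-domains>
</subsystem>

<!-- 4. jboss-web.xml in the WAR: the single name both subsystems resolve.
        Without step 3 the EJB components fall back to looking for the legacy
        jboss.security.security-domain.labcontrolRealm service, and the
        deployment fails with WFLYCTL0412 exactly as in the first post. -->
<jboss-web>
    <context-root>labcontrol</context-root>
    <security-domain>labcontrolRealm</security-domain>
</jboss-web>
```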
