4 Replies Latest reply on Nov 24, 2013 7:47 AM by omar al kababji

    Connection between security-domains and security-realms

    omar al kababji Newbie

      I am trying to configure authentication and authorization in an EAR application, I think I nailed the Authentication part but missing something for the Authorization. What I have done so far is the following:


      1. Created a new custom security-realm named MyRealm with two custom plugins to load users and roles from a custom database.
      2. Configured the subsystem urn:jboss:domain:remoting:2.0 to use MyRealm instead of ApplicationRealm.
      3. Annotated my Stateless EJB bean with @DeclareRoles("administrator") and one of its methods with @RolesAllowed("administrator")
      4. Finally I added a file under META-INF/jboss-ejb3.xml with the following content (I guess it is the default and may not be needed)
      <?xml version="1.0" encoding="UTF-8"?>
      <jboss:jboss xmlns="http://java.sun.com/xml/ns/javaee" xmlns:jboss="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:s="urn:security:1.1" version="3.1" impl-version="2.0">


      What works:

      1. When I invoke remotely an EJB method annotated with (i.e. @PermitAll) it gets invoked correctly, and if I check the caller identity I see the correct username as configured in jboss-ejb-client.properties.
      2. If I try to invoke the same EJB method with a username/password not created in my database I get a connection error (authentication fails).
      3. I put some logs in my Auhtentication/Authorization plugins, and I see in the logs that the method loadRoles returns the roles correctly array: [administrator]

      What does not work:

      1. If I invoke a method that requires a specific role using the annotation @RolesAllowed("administrator") then the invocation fails and I get an error saying Invocation on method:.... is not allowed
      2. If I remove the @RolesAllowed and check the isCallerInRole("administrator") it returns FALSE, keep in mind that as requested from the JEE specification I have added the @DeclareRoles("administrator") on my EJB.

      My understanding is that to secure EJB's you need a security domain, and that if you don't specify a security domain then the default one used is "other" but how I can tell the "other" security domain to use my custom realm MyRealm? and if I need a security domain then why I have to specify MyRealm to the urn:jboss:domain:remoting:2.0 subsystem? and what is the connection between the urn:jboss:domain:remoting:2.0 and the other security domain?


      Reading the documentation of: Security Realms - WildFly 8 - Project Documentation Editor I read this phrase related to Authentication that I don't totally understand and may have something to do with my problem:


      The actual security realms are not involved in any authorization decisions however they can be configured to load a users roles which will subsequently be used to make authorization decisions - when references to authorization are seen in the context of security realms it is this loading of roles that is being referred to.

      For the loading of roles the process is split out to occur after the authentication step so after a user has been authenticated a second step will occur to load the roles based on the username they used to authenticate with.



        • 1. Re: Connection between security-domains and security-realms
          Philippe Marschall Master

          You need a domain as well. Here's what we do:

          We have a domain with a custom login module (in your case the default database login module may work as well). Then have a JAAS realm that delegates to the domain instead of using plugins.

          • 2. Re: Re: Connection between security-domains and security-realms
            omar al kababji Newbie

            You mean that the plugins are useless and I should do everything using the security-domain tag? if yes does this also mean that I don't have to modify this line in the XML configuration? but then the remoting subsystem will use the ApplicationRealm which is something I am trying to avoid!


            <subsystem xmlns="urn:jboss:domain:remoting:2.0">
              <http-connector name="http-remoting-connector" connector-ref="default" security-realm="MyRealm"/>


            I would appreciate if you could share some snippets of the configuration.

            • 3. Re: Re: Re: Connection between security-domains and security-realms
              Philippe Marschall Master

              This is the (simplified) configuration we go with:


                <security-realm name="AcmeRealm">
                <jaas name="acme"/>
              <subsystem xmlns="urn:jboss:domain:security:1.2">
                <security-domain name="acme" cache-type="default">
                <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
                <login-module code="com.acme.jboss.security.loginmodule.AcmeLoginModule" flag="required" module="com.acme.jboss.security">
                <module-option name="dsJndiName" value="java:/global/datasources/OracleAcmeDS"/>
                <module-option name="hashAlgorithm" value="acmeHash2"/>
                <!-- for whatever reason users without a role are only allowed if this is set -->
                <module-option name="unauthenticatedIdentity" value="guest"/>
              <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                <connector name="remoting-connector" socket-binding="remoting" security-realm="AcmeRealm"/>


              It may well be that the default database login module works for you. Check out http://sahirzm.blogspot.ch/2011/12/configure-database-server-loginmodule.html


              Don't forget the domain

              public void AcmeBean {

              And a security annotation like @PermitAll or @RolesAllowed

              • 4. Re: Re: Re: Connection between security-domains and security-realms
                omar al kababji Newbie

                Thanks Philippe, your answer helped me configure the server correctly. The only small different was in the remoting subsystem in WildFly it is urn:jboss:domain:demoting:2.0 and uses an http-connector but the configuration is the same and it works!