I am trying to configure authentication and authorization in an EAR application. I think I nailed the authentication part but am missing something for the authorization. What I have done so far is the following:
- Created a new custom security-realm named MyRealm with two custom plugins to load users and roles from a custom database.
- Configured the subsystem urn:jboss:domain:remoting:2.0 to use MyRealm instead of ApplicationRealm.
- Annotated my Stateless EJB bean with @DeclareRoles("administrator") and one of its methods with @RolesAllowed("administrator")
- Finally, I added a file at META-INF/jboss-ejb3.xml with the following content (I guess it is the default and may not be needed):

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss:jboss xmlns="http://java.sun.com/xml/ns/javaee"
                 xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:s="urn:security:1.1"
                 version="3.1" impl-version="2.0">
        <assembly-descriptor>
            <s:security>
                <ejb-name>*</ejb-name>
                <s:security-domain>other</s:security-domain>
            </s:security>
        </assembly-descriptor>
    </jboss:jboss>
- When I remotely invoke an EJB method annotated with, e.g., @PermitAll, it gets invoked correctly, and if I check the caller identity I see the correct username as configured in jboss-ejb-client.properties.
- If I try to invoke the same EJB method with a username/password not created in my database I get a connection error (authentication fails).
- I put some logs in my authentication/authorization plugins, and I see in the logs that the method loadRoles returns the roles array correctly: [administrator]
What does not work:
- If I invoke a method that requires a specific role using the annotation @RolesAllowed("administrator"), the invocation fails and I get an error saying "Invocation on method: .... is not allowed".
- If I remove the @RolesAllowed and check isCallerInRole("administrator"), it returns FALSE. Keep in mind that, as required by the Java EE specification, I have added @DeclareRoles("administrator") on my EJB.
My understanding is that to secure EJBs you need a security domain, and that if you don't specify a security domain then the default one used is "other". But how can I tell the "other" security domain to use my custom realm MyRealm? And if I need a security domain, then why do I have to specify MyRealm in the urn:jboss:domain:remoting:2.0 subsystem? What is the connection between the urn:jboss:domain:remoting:2.0 subsystem and the "other" security domain?
Reading the documentation (Security Realms - WildFly 8 - Project Documentation Editor), I found this passage about authentication that I don't totally understand and that may have something to do with my problem:
    "The actual security realms are not involved in any authorization decisions; however, they can be configured to load a user's roles, which will subsequently be used to make authorization decisions. When references to authorization are seen in the context of security realms, it is this loading of roles that is being referred to.
    For the loading of roles, the process is split out to occur after the authentication step, so after a user has been authenticated a second step will occur to load the roles based on the username they used to authenticate with."
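As an added illustration of the wiring the question is asking about (this is editor-supplied configuration, not something from the poster or from the WildFly project's own examples), the following standalone.xml fragment for the WildFly 8 security subsystem defines a security domain that delegates to the custom realm. In WildFly 8 the EJB container consults a security domain, not a realm; the shipped "other" domain reaches the realm through the RealmDirect login module, whose "realm" module option defaults to ApplicationRealm, so a domain that does not set it never sees the roles a custom realm's plugin returns. The domain name MyDomain is assumed here; MyRealm is the poster's realm name.

```xml
<!-- Added example, not the poster's configuration. Fragment of standalone.xml,
     WildFly 8 security subsystem. "MyDomain" is an assumed name; "MyRealm" is
     the custom realm from the question. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <!-- The shipped "other" domain is left untouched; a dedicated domain
             keeps the realm binding explicit and reviewable. -->
        <security-domain name="MyDomain" cache-type="default">
            <authentication>
                <!-- Reuses the identity already authenticated on the remoting
                     connection (the connect-time check MyRealm performed). -->
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <!-- Delegates authentication and role loading to a security
                     realm. Without the "realm" option this module talks to
                     ApplicationRealm, and the roles loaded by MyRealm's plugin
                     never reach the EJB authorization check. -->
                <login-module code="RealmDirect" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                    <module-option name="realm" value="MyRealm"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
```

With this in place the deployment has to reference the new domain: the `<s:security-domain>` element in jboss-ejb3.xml would name MyDomain instead of other. Setting the "realm" option directly on the RealmDirect module of the existing "other" domain works too, but it silently changes every deployment that relies on the default, so a dedicated domain is the safer change. After redeploying, isCallerInRole("administrator") on a @DeclareRoles("administrator") bean is the quickest check that the roles returned by loadRoles are actually reaching the container.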