3 Replies Latest reply on Jan 18, 2016 6:16 PM by Rahul Daga

    Meaning of 'realm' and 'security-domain' ?

    Ralph Soika Apprentice



      I have a question about the right understanding of the security configuration in WildFly.

      I succeeded in configuring my EAR with a security-domain using a Database Login Module. It works great! And I am again impressed how easy it is to configure WildFly. But I have a problem with the meaning of 'realms' and 'security-domains' in WildFly.


      In my standalone.xml file I added the following configuration for a new Database Login Module:


      <security-domain name="imixsrealm">
          <authentication>
              <login-module code="Database" flag="required">
                  <module-option name="dsJndiName" value="java:/jdbc/imixs_office"/>
                  <module-option name="principalsQuery" value="select PASSWORD from USERID where ID=?"/>
                  <module-option name="rolesQuery" value="select GROUP_ID,'Roles' from USERID_USERGROUP where ID=?"/>
                  <module-option name="hashAlgorithm" value="SHA-256"/>
                  <module-option name="hashEncoding" value="hex"/>
                  <module-option name="unauthenticatedIdentity" value="anonymous"/>
              </login-module>
          </authentication>
      </security-domain>





      Next I added into the WEB-INF folder of my war module a 'jboss-web.xml' file with the following content:


      <?xml version="1.0" encoding="UTF-8"?>





      and into the EJB module a 'jboss-ejb3.xml' file with this content:


      <?xml version="1.1" encoding="UTF-8"?>
      <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
        xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
        version="3.1" impl-version="2.0">

        <!-- other imixsrealm -->








      But what I am wondering about is that in the web.xml file I need the following login-config entry











      My question is: Why must the realm-name in web.xml be set to 'ApplicationRealm'? Here I expected that I could set 'imixsrealm'.

      It looks to me that in WildFly the realm-name used in web.xml must always be 'ApplicationRealm' and cannot be changed?

      Or is there a way to change the realm-name in web.xml - maybe I have only misunderstood something?

      But the database login module works excellently - so I am fine with my current configuration ;-)
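The lookup that the posted module options describe, as an added example that is not part of the original post and not WildFly's own code. It assumes the digest is taken over the UTF-8 password with no salt and stored as lowercase hex; the user, password and role names are constructed sample data in an in-memory SQLite database.

```python
import hashlib
import hmac
import sqlite3

# Queries copied from the security-domain in the post above.
PRINCIPALS_QUERY = "select PASSWORD from USERID where ID=?"
ROLES_QUERY = "select GROUP_ID,'Roles' from USERID_USERGROUP where ID=?"


def stored_hash(password: str) -> str:
    """Value expected in USERID.PASSWORD for hashAlgorithm=SHA-256, hashEncoding=hex.
    Assumption: UTF-8 input, lowercase hex output, no salt (the posted options name none)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; table and column names follow the two queries."""
    db = sqlite3.connect(":memory:")
    db.execute("create table USERID (ID text primary key, PASSWORD text)")
    db.execute("create table USERID_USERGROUP (ID text, GROUP_ID text)")
    db.execute("insert into USERID values (?, ?)",
               ("anna", stored_hash("s3cret-Example")))
    db.executemany("insert into USERID_USERGROUP values (?, ?)",
                   [("anna", "reader"), ("anna", "author")])
    return db


def login(db: sqlite3.Connection, user_id: str, password: str):
    """Return the sorted role names on success, None when authentication fails."""
    row = db.execute(PRINCIPALS_QUERY, (user_id,)).fetchone()
    if row is None:
        return None  # no row for this ID
    supplied = stored_hash(password).encode("ascii")
    expected = str(row[0]).encode("utf-8")
    if not hmac.compare_digest(supplied, expected):
        return None  # digest mismatch
    # rolesQuery returns (role name, role group); 'Roles' is the group
    # that the container consults for role checks.
    rows = db.execute(ROLES_QUERY, (user_id,)).fetchall()
    return sorted(role for role, group in rows if group == "Roles")


if __name__ == "__main__":
    sample = build_sample_db()
    print(login(sample, "anna", "s3cret-Example"))
    print(login(sample, "anna", "wrong-password"))
```

A plaintext or differently encoded value in the PASSWORD column fails the comparison, which is a common reason a Database login module rejects a correct password.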



        • 1. Re: Meaning of 'realm' and 'security-domain' ?
          xiang yingbing Master

          My opinions (maybe I am wrong):


          1. You had better change <security-domain name="imixsrealm"> to <security-domain name="imixs-security-domain">.


          2. wildfly-8.0.0.CR1\docs\schema\jboss-as-config_2_0.xsd is a good place to find the answer. Its comments are meaningful!


          3. (a) Security Domain: ONLY supports the JAAS function.

              (b) SecurityRealm combines JAAS (security-domain) and SSL.


                 Currently, <security-realm name="ManagementRealm"> is for JBoss management applications:

              <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
              <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
              <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>


                While <security-realm name="ApplicationRealm"> is for all applications deployed in JBoss AS by developers. For example:

                        EJB applications' SSL and JAAS functions.

                As for a WAR application, you can configure a security-domain (JAAS) for it in jboss-web.xml, and you can configure SSL for Undertow (the web server) like this:

                       <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>

                       NOTE: sometimes the SSL function is configured in a front-end Apache.



          4. Why must the realm-name in web.xml be set to 'ApplicationRealm'?

              (a) You can ignore <realm-name>ApplicationRealm</realm-name>.

              (b) And you can configure your security domain in WEB-INF/jboss-web.xml, like this:

                         <?xml version="1.0" encoding="UTF-8"?>



                              <!-- encoding for login servlet 'j_security_check' -->

                              <!-- for jboss as 7.2.0 and lower version -->









                              <!-- for wildfly-8.0.0.CR1 and higher version






                I did not try <realm-name>ApplicationRealm</realm-name>  in WEB-INF/web.xml.

          • 2. Re: Meaning of 'realm' and 'security-domain' ?
            xiang yingbing Master

            I have the same question: How to add a custom realm to WildFly?

            It seems that <security-realm name="ManagementRealm"> and <security-realm name="ApplicationRealm"> are enough.


            There are fewer people in the WildFly forum than in the JBoss AS 7 forum (JBoss AS 7).

            If your problem exists in JBoss AS 7 too (not a WildFly-specific problem), you had better post it in the JBoss AS 7 forum (JBoss AS 7).

            • 3. Re: Meaning of 'realm' and 'security-domain' ?
              Rahul Daga Newbie

              Is it possible to set a maximum number of retries and then lock the account out via an update SQL? Or attach a listener and do the same?