4 Replies Latest reply on May 25, 2016 12:55 PM by Carlos Alexandro Becker

    Wildfly 9 security domains won't work

    Carlos Alexandro Becker Newbie

      I'm migrating a big web app from jboss as 6 to wildfly 9, and encountered a few impediments on the way.

       

       

      One of them is the security domain.

       

       

      The relevant part of the `standalone.xml` is as follows:

      
          <subsystem xmlns="urn:jboss:domain:security:1.2">
              <security-domains>
                  <security-domain name="other" cache-type="default">
                      <authentication>
                          <login-module code="Remoting" flag="optional">
                              <module-option name="password-stacking" value="useFirstPass"/>
                          </login-module>
                          <login-module code="RealmDirect" flag="required">
                              <module-option name="password-stacking" value="useFirstPass"/>
                          </login-module>
                      </authentication>
                  </security-domain>
                  <security-domain name="jboss-web-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
                  <security-domain name="jboss-ejb-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
                  <security-domain name="mydomain" cache-type="default">
                      <authentication>
                          <login-module code="foo.token.LoginModule" flag="required">
                              <module-option name="hashAlgorithm" value="SHA-512"/>
                              <module-option name="hashEncoding" value="base64"/>
                              <module-option name="unauthenticatedIdentity" value="guest"/>
                              <module-option name="dsJndiName" value="jdbc/fooDS"/>
                              <module-option name="principalsQuery" value="select ..."/>
                              <module-option name="rolesQuery" value="select o.name, 'Roles' from roles up join ef_usuario ..."/>
                          </login-module>
                      </authentication>
                  </security-domain>
              </security-domains>
          </subsystem>
      

       

      The `foo.token.LoginModule.java` is something like this:

       

          @NoArgsConstructor
          public class FooLoginModule extends DatabaseServerLoginModule {
          
          private Principal principal;
          private String userName;
          
          @Override
          public boolean login() throws LoginException {
          super.loginOk = false;
          super.loginOk = tryLogin();
          return super.loginOk;
          }
          
          protected boolean tryLogin() throws LoginException {
          if (doesSomeAdditionalLoginValidation()) {
          createPrincipal();
          return true;
          }
          return false;
          }
          
          @VisibleForTesting
          protected UserResourceClient createUserResourceClient() {
          return new UserResourceClient( createAuth(), createEndPoint() );
          }
          
          private EndPoint createEndPoint() {
          return new EndPointProvider( ... ).create();
          }
          
          private Auth createAuth() {
          return new AuthProvider( ... ).createAuth();
          }
          
          private void createPrincipal() throws LoginException {
          try {
          principal = createIdentity( userName );
          } catch (Exception e) {
          throw new LoginException( PROCESSING_FAILED + "Failed to create principal: " + e.getMessage() );
          }
          }
          
          @Override
          protected String getUsername() {
          return userName;
          }
          
          @Override
          protected Principal getIdentity() {
          return principal;
          }
          
          }
      

       

       

       

      The app is deployed as an `ear`, so, in `.war` files I have a `jboss-web.xml` and in `.jar` files I have a `jboss-app.xml`. jboss-web:

       

       

       

       

          <jboss-web>
          <security-domain>mydomain</security-domain>
          </jboss-web>
      

       

       

       

      jboss-app:

       

       

      <?xml version="1.0" encoding="UTF-8"?>
          <jboss-app>
          <security-domain>mydomain</security-domain>
          </jboss-app>
      

       

      But, when I try the app tries to use a `Stateless` bean annotated with `@SecurityDomain("mydomain")`, I get access errors:

       

       

      19:35:40,530 ERROR [org.jboss.as.ejb3.invocation] (default task-26)

      WFLYEJB0034: EJB Invocation failed on component FooService for method

      public java.lang.String foo.service.blah.FooService.find():

      javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method:

      public java.lang.String foo.service.blah.FooService.find() of bean:

      FooService is not allowed

       

       

      The FooService's code looks like:

       

      @Stateless
      @SecurityDomain("mydomain")
      public class FooService {
          
          public List<Foo> find() {
                  return ...;
          }
      }
      

       

      I see that the prefix `java:/jaas/` has to be removed from everywhere, and I did it, but still this won't work.

       

       

      Can't find any other thing that seems related to that in migration guides.

       

       

      What am I missing?