The security domain still needs to be defined. You can either define the security domain directly in jboss-web.xml or you can define a default one in the Undertow subsystem (`/subsystem=undertow:write-attribute(name=default-security-domain, value=@NAME_OF_YOUR_SECURITY_DOMAIN@)`). Note that in the case of Elytron you need to have an application-security-domain defined in Undertow with the given name.
+1 to the comment from Radim - this blog post shows a web application migrated to Elytron security using the default security domain on the Undertow subsystem combined with an application-security-domain definition: Darran's WildFly Blog: WildFly Elytron - Add Kerberos Authentication To Existing Web Application
The original question is: Do you need to modify BOTH web.xml and jboss-web.xml to get Elytron working? In my case, I only need to modify jboss-web.xml. My jboss-web.xml has the following line:
My web.xml has nothing in regards to security, except for the <security-constraint> and <security-role> tags.
If I remove the security line in jboss-web.xml and enter the following in web.xml:
, this does NOT work (basic authentication always fails).
Therefore, I conclude that only jboss-web.xml is needed (assuming all the required realms, domain, http-authentication-factory, and http-authentication are set up in standalone-full.xml).
I'm not sure if I like this. I like to keep as much as possible in standard/well-known files. If I was new to a project, a logical place to look would be "web.xml". But on the other hand, since Elytron is so ingrained in WildFly/EAP 7.1, I guess it makes sense to put the configuration inside a JBoss-specific file.
I'm curious if anyone has this working only using web.xml.
The official documentation implies web.xml needs to be modified: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_identity_management/elytron_secure_apps#elytron_apps_DBAuth
The exact quote is:
> jboss-web.xml must be updated to use the application-security-domain you configured in JBoss EAP.
The official configuration document says the same thing: Chapter 2. Elytron Subsystem - Red Hat Customer Portal
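
The name mapping discussed in this thread, as an added configuration sketch that is not taken from any poster's files or from the Red Hat documentation. The names `exampleAppDomain` and `example-http-auth` are placeholders, and the sketch assumes an Elytron http-authentication-factory with that name already exists in the server configuration.

```xml
<!-- WEB-INF/jboss-web.xml: names the security domain the deployment asks for.
     "exampleAppDomain" is a placeholder. -->
<jboss-web>
    <security-domain>exampleAppDomain</security-domain>
</jboss-web>

<!-- Fragment of the Undertow subsystem in standalone-full.xml (namespace
     attribute omitted, other children elided). The application-security-domain
     name must equal the name used in jboss-web.xml; it routes the deployment
     to the Elytron http-authentication-factory instead of legacy security.
     "example-http-auth" is a placeholder for a factory defined in the
     Elytron subsystem. -->
<subsystem>
    <application-security-domains>
        <application-security-domain
            name="exampleAppDomain"
            http-authentication-factory="example-http-auth"/>
    </application-security-domains>
</subsystem>

<!-- Alternative raised earlier in the thread: leave <security-domain> out of
     jboss-web.xml and set default-security-domain="exampleAppDomain" on the
     Undertow subsystem. The application-security-domain entry above is still
     required under that name. -->
```

If the two names differ, Undertow has no application-security-domain to match against the deployment's security domain, so Elytron is not used for that application.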