4 Replies Latest reply on Nov 8, 2017 12:34 AM by Stanislav Grushevskiy

    Webservices - Elytron integration

    Stanislav Grushevskiy Newbie

      https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-WebServicesSubsystem

      WebServices Subsystem

      There is adapter in webservices subsystem to make authentication works for elytron security domain automatically. Like configure with legacy security domain, you can configure elytron security domain in deployment descriptor or annotation to secure webservice endpoint.

       

      How should I config WildFly to make authentication works for elytron security domain in webservices?

       

      There is maven project in "test.zip" and WildFly configuration in "standalone.xml".
      Run "mvn clean wildfly:deploy" to deploy project to WildFly 11.

       

      Result of deploy:

       

      15:39:48,345 INFO  [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final

      15:39:48,587 INFO  [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1

      15:39:48,697 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) starting

      15:39:49,728 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

      15:39:49,744 INFO  [org.wildfly.security] (ServerService Thread Pool -- 13) ELY00001: WildFly Elytron version 1.1.6.Final

      15:39:49,756 INFO  [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 29) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

      15:39:49,804 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)

      15:39:49,815 INFO  [org.xnio] (MSC service thread 1-5) XNIO version 3.5.4.Final

      15:39:49,819 INFO  [org.xnio.nio] (MSC service thread 1-5) XNIO NIO Implementation Version 3.5.4.Final

      15:39:49,838 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 42) WFLYCLINF0001: Activating Infinispan subsystem.

      15:39:49,841 INFO  [org.jboss.as.jaxrs] (ServerService Thread Pool -- 43) WFLYRS0016: RESTEasy version 3.0.24.Final

      15:39:49,841 WARN  [org.jboss.as.txn] (ServerService Thread Pool -- 58) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for environments running multiple servers. Please make sure the attribute value is unique.

      15:39:49,842 INFO  [org.jboss.as.naming] (ServerService Thread Pool -- 50) WFLYNAM0001: Activating Naming Subsystem

      15:39:49,847 INFO  [org.jboss.as.jsf] (ServerService Thread Pool -- 48) WFLYJSF0007: Activated the following JSF Implementations: [main]

      15:39:49,859 INFO  [org.wildfly.extension.io] (ServerService Thread Pool -- 41) WFLYIO001: Worker 'default' has auto-configured to 16 core threads with 128 task threads based on your 8 available processors

      15:39:49,864 INFO  [org.jboss.as.webservices] (ServerService Thread Pool -- 60) WFLYWS0002: Activating WebServices Extension

      15:39:49,867 INFO  [org.jboss.as.security] (ServerService Thread Pool -- 57) WFLYSEC0002: Activating Security Subsystem

      15:39:49,870 INFO  [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=5.0.2.Final

      15:39:49,878 INFO  [org.jboss.as.naming] (MSC service thread 1-1) WFLYNAM0003: Starting Naming Service

      15:39:49,880 INFO  [org.jboss.as.connector] (MSC service thread 1-1) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.4.6.Final)

      15:39:49,882 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0003: Undertow 1.4.18.Final starting

      15:39:49,887 INFO  [org.jboss.as.mail.extension] (MSC service thread 1-7) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]

      15:39:49,915 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 36) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.4)

      15:39:49,919 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-7) WFLYJCA0018: Started Driver service with driver-name = h2

      15:39:49,923 INFO  [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 5.0.5.Final

      15:39:50,080 INFO  [org.jboss.as.ejb3] (MSC service thread 1-8) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 32 (per class), which is derived from the number of CPUs on this host.

      15:39:50,082 INFO  [org.jboss.as.ejb3] (MSC service thread 1-2) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 128 (per class), which is derived from thread worker pool sizing.

      15:39:50,091 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 59) WFLYUT0014: Creating file handler for path '/opt/wildfly-11/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']

      15:39:50,095 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0012: Started server default-server.

      15:39:50,096 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0018: Host default-host starting

      15:39:50,166 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080

      15:39:50,173 INFO  [org.jboss.as.ejb3] (MSC service thread 1-4) WFLYEJB0493: EJB subsystem suspension complete

      15:39:50,268 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]

      15:39:50,277 INFO  [org.jboss.as.patching] (MSC service thread 1-5) WFLYPAT0050: WildFly Full cumulative patch ID is: base, one-off patches include: none

      15:39:50,287 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-1) WFLYDM0111: Keystore /opt/wildfly-11/standalone-test/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost

      15:39:50,442 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-3) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/wildfly-11/standalone-test/deployments

      15:39:50,484 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:8443

      15:39:50,532 INFO  [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBossWS 5.1.9.Final (Apache CXF 3.1.12)

      15:39:50,591 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server

      15:39:50,593 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management

      15:39:50,593 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990

      15:39:50,593 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 11.0.0.Final (WildFly Core 3.0.8.Final) started in 2586ms - Started 292 of 554 services (348 services are lazy, passive or on-demand)

      15:40:07,421 INFO  [org.jboss.as.repository] (management-handler-thread - 3) WFLYDR0001: Content added at location /opt/wildfly-11/standalone-test/data/content/ef/226b4c177dd0e951a646da25f3d1e92891d3a8/content

      15:40:07,440 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-8) WFLYSRV0027: Starting deployment of "test.war" (runtime-name: "test.war")

      15:40:07,975 INFO  [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-7) ISPN000128: Infinispan version: Infinispan 'Chakra' 8.2.8.Final

      15:40:08,004 INFO  [org.jboss.ws.cxf.metadata] (MSC service thread 1-3) JBWS024061: Adding service endpoint metadata: id=com.test.TestEndpoint

      address=http://localhost:8080/test/TestEndpoint

      implementor=com.test.TestEndpoint

      serviceName={http://test.com/}TestEndpointService

      portName={http://test.com/}TestEndpointPort

      annotationWsdlLocation=null

      wsdlLocationOverride=null

      mtomEnabled=false

      15:40:08,227 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 16) WFLYCLINF0002: Started client-mappings cache from ejb container

      15:40:08,511 INFO  [org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean] (MSC service thread 1-3) Creating Service {http://test.com/}TestEndpointService from class com.test.TestEndpoint

      15:40:08,653 INFO  [org.apache.cxf.endpoint.ServerImpl] (MSC service thread 1-3) Setting the server's publish address to be http://localhost:8080/test/TestEndpoint

      15:40:08,707 INFO  [org.jboss.ws.cxf.deployment] (MSC service thread 1-3) JBWS024074: WSDL published to: file:/opt/wildfly-11/standalone-test/data/wsdl/test.war/TestEndpointService.wsdl

      15:40:08,778 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "test.war")]) - failure description: {

          "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.application-security-domain"],

          "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.ws.endpoint.\"test.war\".\"com.test.TestEndpoint\" is missing [jboss.security.security-domain.application-security-domain]"]

      }

      15:40:08,779 ERROR [org.jboss.as.server] (management-handler-thread - 3) WFLYSRV0021: Deploy of deployment "test.war" was rolled back with the following failure message:

      {

          "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.application-security-domain"],

          "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.ws.endpoint.\"test.war\".\"com.test.TestEndpoint\" is missing [jboss.security.security-domain.application-security-domain]"]

      }

      15:40:08,788 ERROR [org.jboss.ws.common.deployment] (MSC service thread 1-1) JBWS022102: Cannot stop endpoint in state UNDEFINED: jboss.ws:context=test,endpoint=com.test.TestEndpoint

      15:40:08,826 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-7) WFLYSRV0028: Stopped deployment test.war (runtime-name: test.war) in 47ms

        • 1. Re: Webservices - Elytron integration
          Farah Juma Apprentice

          Looks like "database-application-security-domain" isn't being treated as an Elytron security domain. Are you able to post more snippets from the server.log file?

          • 2. Re: Webservices - Elytron integration
            Stanislav Grushevskiy Newbie

            Added test project, WildFly configuration, server log.

            • 3. Re: Webservices - Elytron integration
              Jim Ma Apprentice

              Can you try the following change to see if this works ?

              • Add another application-security-domain in undertow subystem like : <application-security-domain name="database-security-domain" http-authentication-factory="database-http-authentication-factory"/>
              • Change security domain in jboss-web.xml to : <security-domain>database-security-domain</security-domain>

              In current webservice elytron integration,  the security domain specified to secure webservice endpoint must be the same name with elytron security domain name . This is not ideal and  I am looking at

              a better solution for this now.

              • 4. Re: Webservices - Elytron integration
                Stanislav Grushevskiy Newbie

                You can add settings "application-security-domains" to "webservices" subsystem like it's done for "ejb3" subsystem.

                 

                        <subsystem xmlns="urn:jboss:domain:webservices:2.0">

                            <wsdl-host>{jboss.bind.address:127.0.0.1}</wsdl-host>

                            <endpoint-config name="Standard-Endpoint-Config"/>

                            <endpoint-config name="Recording-Endpoint-Config">

                                <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">

                                    <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>

                                </pre-handler-chain>

                            </endpoint-config>

                            <client-config name="Standard-Client-Config"/>

                            <application-security-domains>

                                <application-security-domain name="database-application-security-domain" security-domain="database-security-domain"/>

                            </application-security-domains>

                        </subsystem>