1 2 Previous Next 23 Replies Latest reply on Dec 22, 2017 7:12 AM by Alberto Gori

    Problems with Wildfly 11 (Database Identity Store)

    Samer Jamal Newbie

      Im migrating from version 10 to 11.

      This part of the configuration has changed a lot, I'm following this link https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-RealmMappers

      And the following error is occurring when deploying:

       

      Error:

      09:02:28,630 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "labcontrol.war")]) - failure description: {

          "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.labcontrolRealm"],

          "WFLYCTL0180: Services with missing/unavailable dependencies" => [

              "jboss.deployment.unit.\"labcontrol.war\".component.TamanhoDAO.CREATE is missing [jboss.security.security-domain.labcontrolRealm]",

       

      Configure a datasource:

      standalone.xml

       

      <datasource jta="true" jndi-name="java:/labcontrolDS" pool-name="labcontrolDS" enabled="true" use-java-context="true" use-ccm="true">

           <connection-url>jdbc:mysql://127.0.0.1:3306/labcontrol</connection-url>

           <driver>mysql</driver>

           <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>

           <pool>

                <min-pool-size>10</min-pool-size>

                <max-pool-size>100</max-pool-size>

                <prefill>true</prefill>

           </pool>

           <security>

                <user-name>root</user-name>

           </security>

           <statement>

                <prepared-statement-cache-size>32</prepared-statement-cache-size>

                <share-prepared-statements>true</share-prepared-statements>

                </statement>

      </datasource>

       

      Configure a jdbc-realm in WildFly:

      standalone.xml

       

      <jdbc-realm name="exampleDbRealm">

           <principal-query sql="SELECT u.senha FROM labcontrol.usuario u INNER JOIN labcontrol.email e ON u.email_id = e.id where e.email=?" data-source="labcontrolDS">

                <clear-password-mapper password-index="1"/>

           </principal-query>

           <principal-query sql="SELECT p.nome, 'Roles' FROM labcontrol.permissao p INNER JOIN labcontrol.gruposistema_permissao gr ON p.id = gr.permissao_id INNER JOIN labcontrol.usuario_gruposistema ug ON gr.gruposistema_id =           ug.gruposistema_id INNER JOIN labcontrol.usuario u ON ug.usuario_id = u.id INNER JOIN email e ON u.email_id = e.id WHERE e.email=?" data-source="labcontrolDS">

                <attribute-mapping>

                     <attribute to="groups" index="1"/>

                </attribute-mapping>

           </principal-query>

      </jdbc-realm>

       

      Configure a security-domain:

      standalone.xml

       

      <security-domain name="exampleDbSD" default-realm="exampleDbRealm" permission-mapper="default-permission-mapper">

           <realm name="exampleDbRealm" role-decoder="groups-to-roles"/>

      </security-domain>

       

      Configure an http-authentication-factory:

      standalone.xml

       

      <http-authentication-factory name="example-db-http-auth" http-server-mechanism-factory="global" security-domain="exampleDbSD">

           <mechanism-configuration>

                <mechanism mechanism-name="FORM">

                     <mechanism-realm realm-name="exampleDbSD"/>

                </mechanism>

           </mechanism-configuration>

      </http-authentication-factory>

       

      Configure an application-security-domain in the Undertow subsystem:

      standalone.xml

       

      <application-security-domains>

           <application-security-domain name="labcontrolRealm" http-authentication-factory="example-db-http-auth"/>

      </application-security-domains>

       

      Configure my application jboss-web.xml:

      jboss-web.xml

       

      <jboss-web>

          <context-root>labcontrol</context-root>

          <security-domain>labcontrolRealm</security-domain>

      </jboss-web>

       

      Configure my application web.xml

      web.xml

       

      <login-config>

           <auth-method>FORM</auth-method>

           <realm-name>labcontrolRealm</realm-name>

           <form-login-config>

                <form-login-page>/login.xhtml</form-login-page>

                <form-error-page>/login.xhtml</form-error-page>

           </form-login-config>

      </login-config> 

       

      Tks for help

        • 1. Re: Problems with Wildfly 11 (Database Identity Store)
          Martin Choma Master

          Seems component.TamanhoDAO.CREATE is missing legacy security domain labcontrolRealm.

           

          How is legacy security domain referenced there? As some annotation?

          • 2. Re: Problems with Wildfly 11 (Database Identity Store)
            Alberto Gori Newbie

            Exact same problem here.

             

            My EJBs are not using any security domain, but still fail showing the error reported by Samer.

            Security domain is used at web layer level instead (activated by jboss-web.xml as reported by Samer again).

            • 3. Re: Problems with Wildfly 11 (Database Identity Store)
              Alberto Gori Newbie

              Probably this line is wrong:

               

                <mechanism-realm realm-name="exampleDbSD"/>

               

              and should be

               

                <mechanism-realm realm-name="exampleDbRealm"/>

               

              at least this is what the attribute name suggests.

               

              By the way even after this fix, I still have the same errors.

               

              Another question would be, how can I debug what's going on? The log, even after enabling DEBUG level, does not really give any clue a part from a bunch of

              ......component.LogService.CREATE is missing [jboss.security.security-domain.....]",

              • 4. Re: Problems with Wildfly 11 (Database Identity Store)
                Samer Jamal Newbie

                My EJBs are not using any security domain too

                 

                In my attempts I had already altered mechanism-realm for exampleDbRealm

                 

                For now I gave up and returned to version 10

                • 5. Re: Problems with Wildfly 11 (Database Identity Store)
                  Alberto Gori Newbie

                  I gave it up too, but found out you can still keep WF11. All you have to do is to configure security domain in the old way

                   

                  <subsystem xmlns="urn:jboss:domain:security:2.0">

                   

                  (it's toward the bottom)

                   

                  and ditch all you have done so far.

                   

                  It worked for me.

                  • 6. Re: Problems with Wildfly 11 (Database Identity Store)
                    Darran Lofthouse Master

                    In general to log messages related to security with the new Elytron subsystem enable TRACE logging for the 'org.wildfly.security' category, if this is SASL authentication for Remoting then also adding 'org.jboss.remoting' at level TRACE can reveal some more information.

                    • 7. Re: Problems with Wildfly 11 (Database Identity Store)
                      Darran Lofthouse Master

                      +1 the legacy security has not been removed at this stage so no one is forced into an immediate migration just to use WildFly 11.

                      • 8. Re: Problems with Wildfly 11 (Database Identity Store)
                        Samer Jamal Newbie

                        Alberto,

                        Sorry but I dont understand what needs to be done

                        Can you publish your standalone file?

                        • 9. Re: Problems with Wildfly 11 (Database Identity Store)
                          Alberto Gori Newbie

                          I can publish my legacy security subsystem.

                           

                                  <subsystem xmlns="urn:jboss:domain:security:2.0">

                                      <security-domains>

                                          <security-domain name="other" cache-type="default">

                                              <authentication>

                                                  <login-module code="Remoting" flag="optional">

                                                      <module-option name="password-stacking" value="useFirstPass"/>

                                                  </login-module>

                                                  <login-module code="RealmDirect" flag="required">

                                                      <module-option name="password-stacking" value="useFirstPass"/>

                                                  </login-module>

                                              </authentication>

                                          </security-domain>

                                          <security-domain name="jboss-web-policy" cache-type="default">

                                              <authorization>

                                                  <policy-module code="Delegating" flag="required"/>

                                              </authorization>

                                          </security-domain>

                                          <security-domain name="jboss-ejb-policy" cache-type="default">

                                              <authorization>

                                                  <policy-module code="Delegating" flag="required"/>

                                              </authorization>

                                          </security-domain>

                                          <security-domain name="jaspitest" cache-type="default">

                                              <authentication-jaspi>

                                                  <login-module-stack name="dummy">

                                                      <login-module code="Dummy" flag="optional"/>

                                                  </login-module-stack>

                                                  <auth-module code="Dummy"/>

                                              </authentication-jaspi>

                                          </security-domain>

                                          <security-domain name="wmt" cache-type="default">

                                              <authentication>

                                                  <login-module code="Database" flag="required">

                                                      <module-option name="dsJndiName" value="java:/myappDS"/>

                                                      <module-option name="principalsQuery" value="select password from user where email = ?"/>

                                                      <module-option name="rolesQuery" value="select role, 'Roles' from user_role_auth where email = ?"/>

                                                      <module-option name="hashAlgorithm" value="MD5"/>

                                                      <module-option name="hashEncoding" value="hex"/>

                                                  </login-module>

                                                  <login-module code="RoleMapping" flag="required">

                                                      <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>

                                                      <module-option name="replaceRole" value="false"/>

                                                  </login-module>

                                              </authentication>

                                          </security-domain>

                                      </security-domains>

                                  </subsystem>

                           

                          and leave the elytron subsystem

                           

                          <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">

                                     

                          as it was before you started to add stuff to it.

                           

                           

                          P.S.

                          when I paste something into the textarea then I get pushed to the top of the page everytime I hit the spacebar key. Please replace this forum with something decent

                          • 10. Re: Problems with Wildfly 11 (Database Identity Store)
                            Martin Choma Master

                            What are these component.*.CREATE? They are EJB? Isn't legacy security domain referenced in configuration, e.g. http-connector in standalone.xml or jboss-ejb3.xml in deployment?

                             

                            In [1] there is how to secure EJB with Elytron.

                             

                            [1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients

                            • 11. Re: Problems with Wildfly 11 (Database Identity Store)
                              Alberto Gori Newbie

                              They are local EJBs, so I don't think I should add anything else (by the way, I also tried to add the jboss-ejb3.xml entry, but didn't work).
                              I am just interested in securing the web layer, not the ejb one.

                              • 12. Re: Problems with Wildfly 11 (Database Identity Store)
                                jaikiran pai Master

                                lagoria  wrote:

                                 

                                Exact same problem here.

                                 

                                My EJBs are not using any security domain, but still fail showing the error reported by Samer.

                                Security domain is used at web layer level instead (activated by jboss-web.xml as reported by Samer again).

                                Are you packaging your EJBs as part of the war? If yes, then the security domain in jboss-web.xml gets applied to both the EJBs as well as the web components.

                                • 14. Re: Problems with Wildfly 11 (Database Identity Store)
                                  jaikiran pai Master

                                  lagoria  wrote:

                                  Exact same problem here.

                                  My EJBs are not using any security domain, but still fail showing the error reported by Samer.

                                  Security domain is used at web layer level instead (activated by jboss-web.xml as reported by Samer again).

                                  Are you packaging your EJBs as part of the war? If yes, then the security domain in jboss-web.xml gets applied to both the EJBs as well as the web components.

                                  lagoria  wrote:

                                   

                                  yes, it is a simple war.

                                  In that case, like Martin noted in one of his replies, you seem to be missing one step in the configuration of your server (standalone.xml). You seem to have added a "application-security-domain" in the undertow subsystem (for web components) but haven't added one in the ejb3 subsystem (for EJB components). You need them both. How to add it to EJB3 subsystem is explained in the link that Martin pointed to in his reply Re: Problems with Wildfly 11 (Database Identity Store)

                                  1 2 Previous Next