0 Replies Latest reply on Oct 8, 2018 12:24 PM by b69

    Application Roles and Groups

    b69 Newbie

      I have an JEE-7-Application with several modules in an ear, running on WebSphere and Glassfish. Users are assigned to groups and the groups has roles which define authorizations.

      The application shoud be ported to WildFly 14. Several configurations are already done, but the final step to run it standalone on WF is missing. So:

      The security-role to groupe name mapping on WebSphere is done within the META-INF directora of the application module. it looks like:

      <?xml version="1.0" encoding="UTF-8"?>

      <application-bnd

         xmlns="http://websphere.ibm.com/xml/ns/javaee"

         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

         xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_1.xsd"

         version="1.1">

        

         <security-role name="MR_EDITOR">

           <group name="mr_editorsGRP" />

         </security-role>

      :

      :

      For Glassfish the same is achieved within the WEB-INF directory of the Dynamic Web module. (JSF-Module)

      <glassfish-web-app error-url="">

         <context-root>MonteRosa</context-root>

         <security-role-mapping>

            <role-name>MR_EDITOR_ROLE</role-name>

            <group-name>mr_editorsGRP</group-name>

         </security-role-mapping>

      :

      :

      The web.xml in the WEB-INF directory of all 3 servers include a security constarint as:

         <security-constraint>

            <web-resource-collection>

               <web-resource-name>editors</web-resource-name>

               <url-pattern>/pages/edit/*</url-pattern>

            </web-resource-collection>

            <auth-constraint>

               <role-name>MR_EDITOR</role-name>

            </auth-constraint>

            <user-data-constraint>

               <transport-guarantee>INTEGRAL</transport-guarantee>

            </user-data-constraint>

         </security-constraint>

      :

      :

       

      within WEB-INF dir of JSF-Module for the WildFly server we have the jboss-web.xml with the content of:

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE jboss-web>

      <jboss-web>

         <security-domain>MRApp</security-domain>

      </jboss-web>

       

      Further we have within the jboss.server.config.dir the properties files and the standalone.xml

      ./MRApp.properties

      mr_editorsGRP=MR_EDITOR

      i.e. the security-role to group mapping

       

      ./application-roles.properties

      dolly=mr_editorsGRP

      hans=mr_readersGRP

       

      ./application-users.properties

      dolly=hash1e37...

      hans=hash61ea...

       

      The relevant section of the ./standalone.xml looks like:

      :

      :

      <security-realm name="ApplicationRealm">

           <server-identities>

             <ssl>

               <keystore path="application.keystore"

                 relative-to="jboss.server.config.dir"

                 keystore-password="password"

                 alias="server"

                 key-password="password"

                 generate-self-signed-certificate-host="localhost" />

            </ssl>

          </server-identities>

          <authentication>

                <local default-user="$local" allowed-users="dolly,hans" skip-group-loading="false"/>

                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

            </authentication>

            <authorization>

                   <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

              </authorization>

      </security-realm>

      :

      :

      My problem is where exactly to declare the security-domain within the standalone.xml. and

      I'm confused with the terms security-realm and security-domain.

      Is the latter used also in a standalone environment, or only in a domain with more than one server?

      must the declaration be done under authorization within the security-realm, or must it go to a separated section?

      I read a lot, but was not able to find a clear answer.

      It would also be nice to know, if under JEE 8 the principle would remain, or would Wildfly rather step into the direction of WAS or Glassfish?

      SSO for the application would certainly also pop up, so a hint to this would be helpful too.