1 Reply Latest reply on Jul 22, 2019 2:15 AM by Olaf Ziems

    WF17 Elytron server side authentication with classes from EAR

    Olaf Ziems Newbie

      We plan to migrate from Picketbox to Elytron and face the following problem:

       

      With Picketbox a custom login module can use functionality of (or even can reside in) a deployment module (e.g. an EAR in wildfly/standalone/deployments) to implement authentication on the server side:

       

      <subsystem xmlns="urn:jboss:domain:security:2.0">

          <security-domains>

              ...

              <security-domain name="MyDomain" cache-type="default">

                  <authentication>

                      <login-module name="MyLoginModule" code="de.example.wildfly.MyLoginModule" flag="required" module="deployment.de.example.wildfly.login"/>

                  </authentication>

              </security-domain>

       

       

      My first try was to use a custom realm in Elytron. But as far as I understand, a custom realm needs to be a "static" module (meaning it is located under wildfly/modules/...) and thus cannot access "dynamically" deployed modules (see Custom login-module functionality using Elytron).

       

      <subsystem xmlns="urn:wildfly:elytron:7.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">

          ...

          <security-domains>

              <security-domain name="MyDomain" default-realm="MyRealm" permission-mapper="default-permission-mapper">

                  <realm name="MyRealm" role-decoder="from-roles-attribute" />

              </security-domain>

          </security-domains>

          <security-realms>

              ...

              <custom-realm name="MyRealm" module="de.example.wildfly.login" class-name="de.example.wildfly.MyCustomRealm" />

       

      (I omitted some more of the security domain configuration)

       

      When I try to load a Spring context (that is located in an EAR in order to access some custom classes from the EAR) in MyCustomRealm, I get the following error:

       

      org.springframework.beans.factory.access.BootstrapException: Unable to initialize group definition. Group resource name [classpath:applicationContext-appServerBase.xml], factory key [applicationContextEjb]; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from class path resource [applicationContext-appServerBase.xml]; nested exception is java.io.FileNotFoundException: class path resource [applicationContext-appServerBase.xml] cannot be opened because it does not exist

       

      Which is no surprise, because my realm does not depend on the ear or any jar from therein, where the application context is located.

       

      How can authentication (specifically for EJB calls) be customized on server side by using classes from a deployment module (EAR) in Elytron?