[keycloak-user] @SecurityDomain("keycloak") in EJB

Ryan Slominski ryans at jlab.org
Wed Aug 22 14:05:26 EDT 2018


Looks like @SecurityRealm("keycloak") is needed only if you have the Elytron configuration in your WildFly standalone.xml file. I noticed that one test server had a bunch of extra Keycloak Elytron configuration while the other didn't. I deleted the extra configuration and now my application works as expected (authentication and authorization info is propagated to EJBs without any extra annotations). I guess this is the difference between legacy configuration and new Elytron configuration. Seems like the new Elytron client adapter is not as good as the legacy adapter / integration. Any reason not to stick with the legacy adapter?




----- Original Message -----
From: "Ryan Slominski" <ryans at jlab.org>
To: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Wednesday, August 22, 2018 12:26:43 PM
Subject: @SecurityDomain("keycloak") in EJB

Using the WildFly adapter I've noticed that the security context is propagated to EJBs without the SecurityDomain annotation in some cases, but not others. Does anyone know in what case it is needed? My only clue so far is Windows vs Linux, as I thought I configured both test boxes identically, but maybe I missed something. My application currently does not use the annotation and on my Windows test box authentication is propagated fine. However, on my Linux test box with the same war file I see an unauthorized exception in the EJB layer even though the servlet reports I'm authenticated with proper roles. Does it have to do with WildFly client adapter online vs offline install or adapter vs adapter-elytron install?

If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain that would break platform independence, which container-managed security is supposed to support.
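
Added example, not part of the original messages or of the Keycloak project's code: a small check for comparing two servers' standalone.xml files, reporting which subsystems reference Keycloak so that a legacy-only box can be told apart from one that also carries Elytron wiring. The embedded sample XML, including its domain and realm names and schema versions, is constructed for illustration and may not match what a given adapter install produces.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a trimmed standalone.xml that
# carries both a legacy security-domain and Elytron wiring for Keycloak.
SAMPLE = """<server xmlns="urn:jboss:domain:8.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:2.0">
      <security-domains>
        <security-domain name="keycloak">
          <authentication>
            <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
    <subsystem xmlns="urn:wildfly:elytron:4.0">
      <security-domains>
        <security-domain name="KeycloakDomain" default-realm="KeycloakOIDCRealm"/>
      </security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:ejb3:5.0">
      <application-security-domains>
        <application-security-domain name="other" security-domain="KeycloakDomain"/>
      </application-security-domains>
    </subsystem>
  </profile>
</server>"""

def keycloak_refs(xml_text):
    """Return {subsystem: [(element, attribute, value), ...]} for every
    attribute value mentioning 'keycloak' inside a <subsystem>."""
    refs = {}
    for sub in ET.fromstring(xml_text).iter():
        ns, _, local = sub.tag[1:].partition("}")
        if local != "subsystem":
            continue
        name = ns.split(":")[-2]  # urn:wildfly:elytron:4.0 -> elytron
        for el in sub.iter():
            for attr, val in el.attrib.items():
                if "keycloak" in val.lower():
                    refs.setdefault(name, []).append((el.tag.split("}")[-1], attr, val))
    return refs

def wiring(xml_text):
    """Classify a config as 'legacy', 'elytron', 'both' or 'none'."""
    refs = keycloak_refs(xml_text)
    legacy, elytron = "security" in refs, "elytron" in refs
    return "both" if legacy and elytron else "legacy" if legacy else "elytron" if elytron else "none"

if __name__ == "__main__":
    print(wiring(SAMPLE), keycloak_refs(SAMPLE))
```

Running it against each server's own standalone.xml (read from disk in place of `SAMPLE`) shows whether the two boxes really are configured identically; an `ejb3` entry indicates that EJB deployments are mapped to an Elytron security domain.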

