<div dir="ltr">Yes there should be no difference at runtime, if we identified the Elytron domain via the default security domain it should still be associated with the deployment in the same way.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 16, 2020 at 10:33 AM Jim Ma <<a href="mailto:ema@redhat.com">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Will this work for Undertow default "other" application security domain's reference Elytron SecurityDomain ? </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 16, 2020 at 6:26 PM Darran Lofthouse <<a href="mailto:darran.lofthouse@jboss.com" target="_blank">darran.lofthouse@jboss.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Overall it is the SecurityDomain.getCurrent method you need: -<div><br></div><div><a href="https://wildfly-security.github.io/wildfly-elytron/master-public/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent()" target="_blank">https://wildfly-security.github.io/wildfly-elytron/master-public/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent()</a><br></div><div><br></div><div>If a SecurityDomain is associated with the Thread's context class loader it will be returned.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 16, 2020 at 10:22 AM Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 16, 2020 at 6:07 PM Darran Lofthouse <<a href="mailto:darran.lofthouse@jboss.com" target="_blank">darran.lofthouse@jboss.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I don't know if it will help but the SecurityDomain is associated with the ClassLoader of the deployment, not sure if that could be an alternative way for WS to access it.<div><br></div></div></blockquote><div>I'll try it . Can you please point me some code example or test code?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>The thing that is complicating it for now is the dual mode with PicketBox, once we remove PicketBox a deployment will either have an Elytron SecurityDomain or it will not.</div></div></blockquote><div>Yes. Now webservice has to add many PicketBox or Elytron checks to do following actions. We wrap this as much as possible with spi interface. </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div> </div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 13, 2020 at 8:20 AM Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 12, 2020 at 8:12 PM Darran Lofthouse <<a href="mailto:darran.lofthouse@jboss.com" target="_blank">darran.lofthouse@jboss.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Is it possible to identify the revelevent DeploymentUnitProcessors in this process along with their phase and priority so we can check the ordering.</div></blockquote><div><br></div><div>The "other"'s mapped Elytron security domain service is required to read in EndpointServiceDeploymentAspect. It's installed in Phase.INSTALL, Phase.INSTALL_WS_DEPLOYMENT_ASPECTS priority. It's running before UndertowDeploymentProcessor</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>What may be more appropriate is for the Undertow DUP to attach something which identifies the SecurityDomain instead of the web services DUP relying on internal API / repeating the same checks already performed within Undertow.</div><div><br></div><div>In the future we will be removing all of the application security domain resources so coordinating using attachments will hopefully also future proof any fix.</div></div></blockquote><div><br></div><div>It looks this attachment should be set in some Undertow DUP before UndertowDeploymentProcessor. WebService needs a Securitycontext to call the ejb ws endpoint method or webservice endpoint method :</div><div><a href="https://github.com/wildfly/wildfly/blob/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/invocation/AbstractInvocationHandler.java#L114" target="_blank">https://github.com/wildfly/wildfly/blob/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/invocation/AbstractInvocationHandler.java#L114</a><br></div><div>Is there better api/approach to perform this kind of method invocation ?</div><div><br></div><div>Thanks,</div><div>Jim</div><div> </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Regards,</div><div>Darran Lofthouse.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 12, 2020 at 11:45 AM Jim Ma <<a href="mailto:ema@redhat.com" target="_blank">ema@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">There is ws deployment failure issue[1] which is caused by Webservice subsystem doesn't correctly get mapped elytron security domain from web deployment's default "other"<div>application security domain. I tried to fix this by reading Elytron security domain from Undertow started services, but it looks now ApplicationSecurityDomainService is private static and it doesn't provide a getter which allows to get Elytron security domain. Webservice subsystem requires an Undertow service like ApplicationSecurityDomainService[2] started by EJB subsystem to read the Elytron security domain. Is it doable to change Undertow's ApplicationSecurityDomainService to provide mapped security domain ? Or any better approach to get the mapped Elytron domain ?</div><div><br></div><div>[1]<a href="https://issues.redhat.com/browse/WFLY-12765" target="_blank">https://issues.redhat.com/browse/WFLY-12765</a> </div><div>[2] <a href="https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jboss/as/ejb3/subsystem/ApplicationSecurityDomainService.java" target="_blank">https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jboss/as/ejb3/subsystem/ApplicationSecurityDomainService.java</a></div><div><br></div><div>Cheers,</div><div>Jim</div><div><br></div><div><br></div></div>
_______________________________________________<br>
wildfly-dev mailing list<br>
<a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/wildfly-dev</a></blockquote></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>