[jboss-jira] [JBoss JIRA] (WFCORE-2503) Legacy security domain used as Elytron security realm does not work in authorization part of aggregate-realm

[ https://issues.jboss.org/browse/WFCORE-2503?page=com.atlassian.jira.plugi... ] Ondrej Lukas updated WFCORE-2503: --------------------------------- Steps to Reproduce: 1) create property files /tmp/users.properties and /tmp/roles.properties /tmp/users.properties: {code} admin=admin {code} /roles.properties: {code} admin=JBossAdmin {code} 2) Through add-user.sh add user admin with some password and role Admin for ApplicationRealm 3) add legacy configuration to application server {code} <security-domain name="legacyDomain" cache-type="default"> <authentication> <login-module code="UsersRoles" flag="required"> <module-option name="usersProperties" value="/tmp/users.properties"/> <module-option name="rolesProperties" value="/tmp/roles.properties"/> </login-module> </authentication> <mapping> <mapping-module code="SimpleRoles" type="role"> <module-option name="admin" value="User"/> </mapping-module> </mapping> </security-domain> ... <elytron-integration> <security-realms> <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/> </security-realms> </elytron-integration> {code} 4) setup Elytron part: {code} /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles) /subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain) /subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}]) /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth) {code} 5) Deploy application for printing roles (see attachments) 6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role... and login with admin/admin - no roles are assigned (HTTP status cod 403 is returned) was: 1) create property files /tmp/users.properties and /tmp/roles.properties /tmp/users.properties: {code} admin=admin {code} /roles.properties: {code} admin=JBossAdmin {code} 2) Through add-user.sh add user admin with some password and role Admin 3) add legacy configuration to application server {code} <security-domain name="legacyDomain" cache-type="default"> <authentication> <login-module code="UsersRoles" flag="required"> <module-option name="usersProperties" value="/tmp/users.properties"/> <module-option name="rolesProperties" value="/tmp/roles.properties"/> </login-module> </authentication> <mapping> <mapping-module code="SimpleRoles" type="role"> <module-option name="admin" value="User"/> </mapping-module> </mapping> </security-domain> ... <elytron-integration> <security-realms> <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/> </security-realms> </elytron-integration> {code} 4) setup Elytron part: {code} /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles) /subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain) /subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}]) /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth) {code} 5) Deploy application for printing roles (see attachments) 6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role... and login with admin/admin - no roles are assigned (HTTP status cod 403 is returned) -- This message was sent by Atlassian JIRA (v7.2.3#72005)