James Perkins updated WFCORE-4407:
----------------------------------
Fix Version/s: 10.0.0.Beta7
(was: 10.0.0.Beta6)
Cannot configure Elytron security domain using embedded server in admin mode
----------------------------------------------------------------------------
Key: WFCORE-4407
URL: https://issues.jboss.org/browse/WFCORE-4407
Project: WildFly Core
Issue Type: Bug
Components: Embedded
Environment:
Reporter: Yeray Borges
Assignee: Yeray Borges
Priority: Major
Fix For: 10.0.0.Beta7
There are some configurations that are impossible to do using the embedded server. For
example, we cannot create a security domain in Elytron that references a security domain
in the security subsystem:
{noformat}
embed-server --server-config=standalone-full-ha.xml --std-out=echo
/subsystem=security/security-domain=my-sec-domain:add(cache-type=default)
/subsystem=security/security-domain=my-sec-domain/authentication=classic:add(login-modules=[{code=RealmUsersRoles, flag=required, module=RealmUsersRoles, module-options=[("usersProperties"=>"usersProperties"),("rolesProperties"=>"rolesProperties")]}])
/subsystem=security/elytron-realm=my-sec-domain:add(legacy-jaas-config=my-sec-domain)
/subsystem=elytron/security-domain=my-sec-domain:add(realms=[{realm=my-sec-domain}],default-realm=my-sec-domain,permission-mapper=default-permission-mapper)
stop-embedded-server
{noformat}
The execution of these operations in an embedded server running in admin-mode throws the
following error:
{noformat}
[standalone@embedded /] /subsystem=elytron/security-domain=my-sec-domain:add(realms=[{realm=my-sec-domain}],default-realm=my-sec-domain,permission-mapper=default-permission-mapper)
12:30:53,429 ERROR [org.jboss.as.controller.management-operation] (pool-3-thread-1) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("security-domain" => "my-sec-domain")
]) - failure description: {
"WFLYCTL0412: Required services that are not installed:" =>
["org.wildfly.security.security-realm.my-sec-domain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" =>
["org.wildfly.security.security-domain.my-sec-domain.initial is missing
[org.wildfly.security.security-realm.my-sec-domain]"]
}
{
"outcome" => "failed",
"failure-description" => {
"WFLYCTL0412: Required services that are not installed:" =>
["org.wildfly.security.security-realm.my-sec-domain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" =>
["org.wildfly.security.security-domain.my-sec-domain.initial is missing
[org.wildfly.security.security-realm.my-sec-domain]"]
},
"rolled-back" => true
}
{noformat}
The problem here is that the Elytron security domain services cannot be up because they require
the legacy installed realm services, which are not up when we are using embedded in
admin-only mode.
The SecurityDomain advertises no runtime operation; if no services are installed that
would ever depend on the security domain, we may be able to skip installing some of these
services entirely and allow their configuration in embedded / admin-only.
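
As an added illustration (not part of the original report and not WildFly code), the following Python example parses the failure description shown above and separates the service that is actually absent from the services that are only blocked by it. The function names are hypothetical, and the "X is missing [A, B]" shape of the WFLYCTL0180 items is assumed from the output above.

```python
import re

# Failure output copied from the report above, wrapped as in the e-mail.
SAMPLE = '''{
"outcome" => "failed",
"failure-description" => {
"WFLYCTL0412: Required services that are not installed:" =>
["org.wildfly.security.security-realm.my-sec-domain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" =>
["org.wildfly.security.security-domain.my-sec-domain.initial is missing
[org.wildfly.security.security-realm.my-sec-domain]"]
},
"rolled-back" => true
}'''

# "WFLYCTLnnnn: text" => ["item", ...]; items may contain [ ] but no quotes.
_ENTRY = re.compile(r'"(WFLYCTL\d{4}):[^"]*"\s*=>\s*\[((?:\s*"[^"]*"\s*,?)*)\s*\]')
_DEP = re.compile(r'^(\S+) is missing \[(.*)\]$')

def parse_failure(text):
    """Return (missing, blocked) from a failure-description block."""
    missing, blocked = set(), {}
    for code, body in _ENTRY.findall(text):
        for item in re.findall(r'"([^"]*)"', body):
            item = " ".join(item.split())  # undo e-mail line wrapping
            if code == "WFLYCTL0412":
                missing.add(item)
            elif code == "WFLYCTL0180":
                m = _DEP.match(item)
                if m:
                    deps = [d.strip() for d in m.group(2).split(",")]
                    blocked[m.group(1)] = deps
    return missing, blocked

def root_causes(missing, blocked):
    """Services that are absent but not themselves waiting on something."""
    wanted = set(missing)
    for deps in blocked.values():
        wanted.update(deps)
    return sorted(wanted - set(blocked))

if __name__ == "__main__":
    missing, blocked = parse_failure(SAMPLE)
    for svc, deps in blocked.items():
        print(f"{svc} waits on {', '.join(deps)}")
    print("not installed:", root_causes(missing, blocked))
```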