]
David Lloyd resolved WFLY-959.
------------------------------
Fix Version/s: 11.0.0.Final
Resolution: Done
This issue is resolved with the integration of the new security layer (Elytron). Now it
is possible to flow and switch identities in a number of ways.
Allow more flexibility in the way EJB authentication is handled with
regards to remoting and security-realms
------------------------------------------------------------------------------------------------------------
Key: WFLY-959
URL:
https://issues.jboss.org/browse/WFLY-959
Project: WildFly
Issue Type: Bug
Components: EJB
Reporter: Derek Horton
Fix For: 11.0.0.Final
My confusion is around the remoting/security-realm setup in the use case
where multiple EJBs are deployed that use different security-domains and
the EJBs will be invoked by remote standalone clients. For example,
ejbX needs to be in the sec-domain-X security-domain, while ejbY needs to
be in the sec-domain-Y security-domain.
In this situation, the authentication checks are going to be handled by
the security-realm that is associated with the remote connector that is
configured to be used by the EJB subsystem.
It looks like the security-realm can either handle the authentication
checks directly (properties file, ldap, etc) or it can defer to the
jaas security-domain. In both of those situations, it seems that the
EJBs are limited to a single authentication point. The EJB
authentication is either going to be handled by a single security-realm
or the security-realm will defer to a single security-domain.
I could configure the security-domain to have multiple login modules. I
assume the same thing could be done with the security-realm.
Basically the problem that I am trying to solve boils down to this: the
authentication checks for remote EJBs appear to be checked by either a
single security-realm or a single security-domain. Is there a way to
change this?
One idea I had was to add another remote connector to the EJB subsystem.
Unfortunately, this does not appear to be possible.