Looks like @SecurityRealm("keycloak") is needed only if you have the Elytron
configuration in your WildFly standalone.xml file. I noticed that one test server had a
bunch of extra Keycloak Elytron configuration while the other didn't. I deleted the
extra configuration and now my application works as expected (authentication and
authorization info is propagated to EJBs without any extra annotations). I guess this is
the difference between legacy configuration and new Elytron configuration. Seems like
the new Elytron client adapter is not as good as the legacy adapter / integration. Any
reason not to stick with the legacy adapter?

----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, August 22, 2018 12:26:43 PM
Subject: @SecurityDomain("keycloak") in EJB

Using the WildFly adapter I've noticed that the security context is propagated to EJBs
without the SecurityDomain annotation in some cases, but not others. Does anyone know in
what case it is needed? My only clue so far is Windows vs Linux, as I thought I
configured both test boxes identically, but maybe I missed something. My application
currently does not use the annotation and on my Windows test box authentication is
propagated fine. However, on my Linux test box with the same war file I see an unauthorized
exception in the EJB layer even though the servlet reports I'm authenticated with
proper roles. Does it have to do with WildFly client adapter online vs offline install
or adapter vs adapter-elytron install?

If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain that would break
platform independence, which container-managed security is supposed to support.