I'm not familiar with how the Elytron Keycloak client adapter works. How do I
change the application-security-domain in both ejb3 and undertow subsystems to
"other"?
If I try:
/subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
Then I get the following on deploy:
"{\"WFLYCTL0080: Failed services\" =>
{\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" =>
\"java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism
'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the
HttpAuthenticationFactory.
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required
mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM]
from the HttpAuthenticationFactory.
Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK'
is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the
HttpAuthenticationFactory.\"}}"
If I try:
/subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain)
The command fails with:
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0212: Duplicate resource [
(\"subsystem\" => \"undertow\"),
(\"application-security-domain\" => \"other\")
]",
"rolled-back" => true
}
________________________________
From: Pedro Igor Silva <psilva(a)redhat.com>
Sent: Wednesday, April 3, 2019 8:15 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to
EJB
This seems to be related to your WAR deployment though. Did you try to change the
application-security-domain in both ejb3 and undertow subsystems to "other"?
That way you don't need to specify a security domain as "other" will be the
default. IIRC, when you run the elytron adapter scripts an "other"
application-security-domain is created in the undertow subsystem.
On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski
<ryans@jlab.org> wrote:
Using the command:
/subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
Results in a different error upon application deploy:
08:03:35,017 ERROR [org.jboss.as.controller.management-operation]
(DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed -
address: ([("deployment" => "staff.war")]) - failure description:
{
"WFLYCTL0412: Required services that are not installed:" =>
["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" =>
["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService
is missing [jboss.security.security-domain.KeycloakDomain]"]
}
More log context attached.
________________________________
From: Pedro Igor Silva <psilva@redhat.com>
Sent: Wednesday, April 3, 2019 7:53 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to
EJB
I found an error in the command that I gave to you. Could you try to change the name of the
application-security-domain to "KeycloakDomain", instead of "other"?
If it doesn't work I would prefer to try this out first before opening the JIRA. But I
would appreciate it if you could at least try the change above first.
On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski
<ryans@jlab.org> wrote:
Thanks for the idea. Unfortunately it didn't work. I still see:
"WFLYCTL0412: Required services that are not installed:" =>
["jboss.security.security-domain.KeycloakDomain"]
I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter.
Looks like the JIRA to address the EJB propagation issue has been closed. Can we
re-open it?
See:
https://issues.jboss.org/browse/KEYCLOAK-5665
________________________________
From: Pedro Igor Silva <psilva@redhat.com>
Sent: Tuesday, April 2, 2019 9:07 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to
EJB
Hi,
I guess it is a local EJB? If so, could you try configuring the EJB subsystem with an
application-security-domain as follows:
/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
Regards.
On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski
<ryans@jlab.org> wrote:
Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client
adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is
bundled with the application war seems like a better solution than importing and applying a
JBOSS specific annotation (@SecurityDomain) to hundreds of EJBs.
I placed the file into WEB-INF with contents:
<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar
    xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:s="urn:security"
    xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee
        http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
    version="3.1" impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>keycloak</s:security-domain>
    </s:security>
  </assembly-descriptor>
</jboss:ejb-jar>
I also tried label "KeycloakDomain" instead of "keycloak". In either
case I get the following error when I attempt to deploy the war file:
"WFLYCTL0412: Required services that are not installed:" =>
["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE
is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService
is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is
missing [jboss.security.security-domain.KeycloakDomain]"
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user