Hi Ryan,
Elytron is the new security framework in Wildfly. It is indeed different
from legacy (although compliant with legacy config using JAAS) but with a
lot of capabilities we lack in legacy. One of the main features you have
with elytron is the possibility to propagate the security context to remote
EJBs/servers.
Ideally, you should start using elytron subsystem given that legacy is
deprecated.
Please, take a look at some quickstarts [1] about how to protect EJBs using
elytron subsystem. I know it's new stuff, but it is worth giving it some
time and learning how it works.
[1] https://github.com/wildfly/quickstart
On Wed, Aug 22, 2018 at 3:05 PM, Ryan Slominski <ryans(a)jlab.org> wrote:
Looks like @SecurityRealm("keycloak") is needed only if you have the
elytron configuration in your wildfly standalone.xml file. I noticed that
one test server had a bunch of extra keycloak elytron configuration while
the other didn't. I deleted the extra configuration and now my application
works as expected (authentication and authorization info is propagated to
EJBs without any extra annotations). I guess this is the difference
between legacy configuration and new elytron configuration. Seems like
the new elytron client adapter is not as good as the legacy adapter /
integration. Any reason not to stick with the legacy adapter?
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, August 22, 2018 12:26:43 PM
Subject: @SecurityDomain("keycloak") in EJB
Using the Wildfly adapter I've noticed that the security context is
propagated to EJBs without the SecurityDomain annotation in some cases, but
not others. Does anyone know in what case it is needed? My only clue so
far is Windows vs Linux, as I thought I configured both test boxes
identically, but maybe I missed something. My application currently does
not use the annotation and on my Windows test box authentication is
propagated fine. However, on my Linux test box with the same war file I
see an unauthorized exception in the EJB layer even though the servlet reports
I'm authenticated with proper roles. Does it have to do with Wildfly
client adapter online vs offline install or adapter vs adapter-elytron
install?
If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain
that would break platform independence, which container managed security is
supposed to support.
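As an added illustration of the annotation discussed in this thread and of the "protect EJBs" setup the reply points to (example code, not from the thread or from the Keycloak/WildFly projects), the bean below is bound to a security domain named "keycloak" and uses container-managed, default-deny authorization; the class, method and role names are hypothetical.

```java
// Added example, not from the thread or the Keycloak/WildFly projects.
// Assumes a WildFly deployment whose Keycloak adapter is registered under the
// security domain name "keycloak" (the name used in the thread). The class,
// method and role names below are hypothetical.
package org.example.secure;

import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// The WildFly-specific annotation binds this bean to the "keycloak" security
// domain, so the container authorizes calls against the identity the Keycloak
// adapter established in the web layer. Without it, the bean falls under the
// server's default EJB security domain, which may not carry that identity
// (the symptom in the thread: servlet authenticated, EJB call unauthorized).
@Stateless
@SecurityDomain("keycloak")
@DenyAll // default-deny: every business method must opt in with @RolesAllowed
public class ReportService {

    @Resource
    private SessionContext ctx;

    // Only callers carrying the hypothetical "report-viewer" role may call this;
    // the container rejects everyone else before the method body runs.
    @RolesAllowed("report-viewer")
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }

    // Coarse role gate via the annotation, finer ownership check in code.
    @RolesAllowed({"report-viewer", "report-admin"})
    public boolean canDelete(String reportOwner) {
        String caller = ctx.getCallerPrincipal().getName();
        return ctx.isCallerInRole("report-admin") || caller.equals(reportOwner);
    }
}
```

If the web layer reports the caller as authenticated but whoAmI() is rejected, the bean is being evaluated in a different security domain than the one the adapter populated, which is the mismatch the thread describes.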
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user