TBH Jim, I think I would need to dig into the code with a debugger to
double check what is happening there.
SecurityDomain.getCurrent() will return null when no SecurityDomain is
associated with the deployment, the DeploymentUnitProcessor added for the
Elytron integration essentially checks what SecurityDomain name Undertow
was going to use and then checks if it should swap in an Elytron
SecurityDomain instead.
If SecurityDomain association is being skipped due to the lack of a
security-constraint we should probably revisit that as there are plenty of
scenarios where association of a SecurityDomain would make sense even if
the constraints are not defined in the web.xml.
On Wed, Apr 1, 2020 at 11:29 AM Jim Ma <ema(a)redhat.com> wrote:
Hi Darran,
The SecurityDomain.getCurrent() returns null when there is "other"
security domain in jboss-web.xml and no “security-constraint” defined in
web.xml like:
-------------jboss-web.xml---------------------
<jboss-web>
<security-domain>other</security-domain>
</jboss-web>
--------------web.xml------------------------------
<web-app
version="2.5"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>TestService</servlet-name>
<servlet-class>org.jboss.test.ws.jaxws.samples.wsse.policy.jaas.ServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TestService</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
Does this mean Elytron security domain mapped by undertow "other"
application domain only is enforced/set for web deployment which contains <
security-constraint>deployment descriptor ?
When does SecurityDomain.getCurrent() return null value ?
Thanks,
Jim
On Mon, Mar 16, 2020 at 6:35 PM Darran Lofthouse <
darran.lofthouse(a)jboss.com> wrote:
> Yes there should be no difference at runtime, if we identified the
> Elytron domain via the default security domain it should still be
> associated with the deployment in the same way.
>
> On Mon, Mar 16, 2020 at 10:33 AM Jim Ma <ema(a)redhat.com> wrote:
>
>> Will this work for Undertow default "other" application security
>> domain's reference Elytron SecurityDomain ?
>>
>> On Mon, Mar 16, 2020 at 6:26 PM Darran Lofthouse <
>> darran.lofthouse(a)jboss.com> wrote:
>>
>>> Overall it is the SecurityDomain.getCurrent method you need: -
>>>
>>>
>>>
https://wildfly-security.github.io/wildfly-elytron/master-public/org/wild...
>>>
>>> If a SecurityDomain is associated with the Thread's context class
>>> loader it will be returned.
>>>
>>> On Mon, Mar 16, 2020 at 10:22 AM Jim Ma <ema(a)redhat.com> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Mar 16, 2020 at 6:07 PM Darran Lofthouse <
>>>> darran.lofthouse(a)jboss.com> wrote:
>>>>
>>>>> I don't know if it will help but the SecurityDomain is
associated
>>>>> with the ClassLoader of the deployment, not sure if that could be an
>>>>> alternative way for WS to access it.
>>>>>
>>>>> I'll try it . Can you please point me some code example or test
code?
>>>>
>>>>
>>>>> The thing that is complicating it for now is the dual mode with
>>>>> PicketBox, once we remove PicketBox a deployment will either have an
>>>>> Elytron SecurityDomain or it will not.
>>>>>
>>>> Yes. Now webservice has to add many PicketBox or Elytron checks to do
>>>> following actions. We wrap this as much as possible with spi
interface.
>>>>
>>>>
>>>>>
>>>>>
>>>>
>>>>>
>>>>> On Fri, Mar 13, 2020 at 8:20 AM Jim Ma <ema(a)redhat.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, Mar 12, 2020 at 8:12 PM Darran Lofthouse <
>>>>>> darran.lofthouse(a)jboss.com> wrote:
>>>>>>
>>>>>>> Is it possible to identify the revelevent
DeploymentUnitProcessors
>>>>>>> in this process along with their phase and priority so we can
check the
>>>>>>> ordering.
>>>>>>>
>>>>>>
>>>>>> The "other"'s mapped Elytron security domain
service is required to
>>>>>> read in EndpointServiceDeploymentAspect. It's installed in
Phase.INSTALL,
>>>>>> Phase.INSTALL_WS_DEPLOYMENT_ASPECTS priority. It's running
>>>>>> before UndertowDeploymentProcessor
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> What may be more appropriate is for the Undertow DUP to
attach
>>>>>>> something which identifies the SecurityDomain instead of the
web services
>>>>>>> DUP relying on internal API / repeating the same checks
already performed
>>>>>>> within Undertow.
>>>>>>>
>>>>>>> In the future we will be removing all of the application
security
>>>>>>> domain resources so coordinating using attachments will
hopefully also
>>>>>>> future proof any fix.
>>>>>>>
>>>>>>
>>>>>> It looks this attachment should be set in some Undertow DUP
before
>>>>>> UndertowDeploymentProcessor. WebService needs a Securitycontext
to call
>>>>>> the ejb ws endpoint method or webservice endpoint method :
>>>>>>
>>>>>>
https://github.com/wildfly/wildfly/blob/master/webservices/server-integra...
>>>>>> Is there better api/approach to perform this kind of method
>>>>>> invocation ?
>>>>>>
>>>>>> Thanks,
>>>>>> Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Darran Lofthouse.
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Mar 12, 2020 at 11:45 AM Jim Ma
<ema(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> There is ws deployment failure issue[1] which is caused
by
>>>>>>>> Webservice subsystem doesn't correctly get mapped
elytron security domain
>>>>>>>> from web deployment's default "other"
>>>>>>>> application security domain. I tried to fix this by
reading
>>>>>>>> Elytron security domain from Undertow started services,
but it looks now
>>>>>>>> ApplicationSecurityDomainService is private static and it
doesn't provide a
>>>>>>>> getter which allows to get Elytron security domain.
Webservice subsystem
>>>>>>>> requires an Undertow service like
ApplicationSecurityDomainService[2]
>>>>>>>> started by EJB subsystem to read the Elytron security
domain. Is it doable
>>>>>>>> to change Undertow's ApplicationSecurityDomainService
to provide mapped
>>>>>>>> security domain ? Or any better approach to get the
mapped Elytron domain ?
>>>>>>>>
>>>>>>>> [
1]https://issues.redhat.com/browse/WFLY-12765
>>>>>>>> [2]
>>>>>>>>
https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jbo...
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Jim
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> wildfly-dev mailing list
>>>>>>>> wildfly-dev(a)lists.jboss.org
>>>>>>>>
https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>>>>>>
>>>>>>>