Re: [wildfly-dev] Read Elytron security domain from Undertow's ApplicationSecurityDomainService

Will this work for Undertow default "other" application security domain's reference Elytron SecurityDomain ? On Mon, Mar 16, 2020 at 6:26 PM Darran Lofthouse < darran.lofthouse(a)jboss.com&gt; wrote: > Overall it is the SecurityDomain.getCurrent method you need: - > > > https://wildfly-security.github.io/wildfly-elytron/master-public/org/wild... > > If a SecurityDomain is associated with the Thread's context class loader > it will be returned. > > On Mon, Mar 16, 2020 at 10:22 AM Jim Ma <ema(a)redhat.com&gt; wrote: > >> >> >> On Mon, Mar 16, 2020 at 6:07 PM Darran Lofthouse < >> darran.lofthouse(a)jboss.com&gt; wrote: >> >>> I don't know if it will help but the SecurityDomain is associated with >>> the ClassLoader of the deployment, not sure if that could be an alternative >>> way for WS to access it. >>> >>> I'll try it . Can you please point me some code example or test code? >> >> >>> The thing that is complicating it for now is the dual mode with >>> PicketBox, once we remove PicketBox a deployment will either have an >>> Elytron SecurityDomain or it will not. >>> >> Yes. Now webservice has to add many PicketBox or Elytron checks to do >> following actions. We wrap this as much as possible with spi interface. >> >> >>> >>> >> >>> >>> On Fri, Mar 13, 2020 at 8:20 AM Jim Ma <ema(a)redhat.com&gt; wrote: >>> >>>> >>>> >>>> On Thu, Mar 12, 2020 at 8:12 PM Darran Lofthouse < >>>> darran.lofthouse(a)jboss.com&gt; wrote: >>>> >>>>> Is it possible to identify the revelevent DeploymentUnitProcessors in >>>>> this process along with their phase and priority so we can check the >>>>> ordering. >>>>> >>>> >>>> The "other"'s mapped Elytron security domain service is required to >>>> read in EndpointServiceDeploymentAspect. It's installed in Phase.INSTALL, >>>> Phase.INSTALL_WS_DEPLOYMENT_ASPECTS priority. It's running >>>> before UndertowDeploymentProcessor >>>> >>>> >>>>> >>>>> What may be more appropriate is for the Undertow DUP to attach >>>>> something which identifies the SecurityDomain instead of the web services >>>>> DUP relying on internal API / repeating the same checks already performed >>>>> within Undertow. >>>>> >>>>> In the future we will be removing all of the application security >>>>> domain resources so coordinating using attachments will hopefully also >>>>> future proof any fix. >>>>> >>>> >>>> It looks this attachment should be set in some Undertow DUP before >>>> UndertowDeploymentProcessor. WebService needs a Securitycontext to call >>>> the ejb ws endpoint method or webservice endpoint method : >>>> >>>> https://github.com/wildfly/wildfly/blob/master/webservices/server-integra... >>>> Is there better api/approach to perform this kind of method invocation >>>> ? >>>> >>>> Thanks, >>>> Jim >>>> >>>> >>>> >>>>> >>>>> Regards, >>>>> Darran Lofthouse. >>>>> >>>>> >>>>> On Thu, Mar 12, 2020 at 11:45 AM Jim Ma <ema(a)redhat.com&gt; wrote: >>>>> >>>>>> There is ws deployment failure issue[1] which is caused by >>>>>> Webservice subsystem doesn't correctly get mapped elytron security domain >>>>>> from web deployment's default "other" >>>>>> application security domain. I tried to fix this by reading Elytron >>>>>> security domain from Undertow started services, but it looks now >>>>>> ApplicationSecurityDomainService is private static and it doesn't provide a >>>>>> getter which allows to get Elytron security domain. Webservice subsystem >>>>>> requires an Undertow service like ApplicationSecurityDomainService[2] >>>>>> started by EJB subsystem to read the Elytron security domain. Is it doable >>>>>> to change Undertow's ApplicationSecurityDomainService to provide mapped >>>>>> security domain ? Or any better approach to get the mapped Elytron domain ? >>>>>> >>>>>> [1]https://issues.redhat.com/browse/WFLY-12765 >>>>>> [2] >>>>>> https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jbo... >>>>>> >>>>>> Cheers, >>>>>> Jim >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> wildfly-dev mailing list >>>>>> wildfly-dev(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/wildfly-dev >>>>> >>>>>