Re: [wildfly-dev] Read Elytron security domain from Undertow's ApplicationSecurityDomainService

On Mon, Mar 16, 2020 at 6:07 PM Darran Lofthouse < darran.lofthouse(a)jboss.com&gt; wrote: > I don't know if it will help but the SecurityDomain is associated with > the ClassLoader of the deployment, not sure if that could be an alternative > way for WS to access it. > > I'll try it . Can you please point me some code example or test code? > The thing that is complicating it for now is the dual mode with > PicketBox, once we remove PicketBox a deployment will either have an > Elytron SecurityDomain or it will not. > Yes. Now webservice has to add many PicketBox or Elytron checks to do following actions. We wrap this as much as possible with spi interface. > > > > On Fri, Mar 13, 2020 at 8:20 AM Jim Ma <ema(a)redhat.com&gt; wrote: > >> >> >> On Thu, Mar 12, 2020 at 8:12 PM Darran Lofthouse < >> darran.lofthouse(a)jboss.com&gt; wrote: >> >>> Is it possible to identify the revelevent DeploymentUnitProcessors in >>> this process along with their phase and priority so we can check the >>> ordering. >>> >> >> The "other"'s mapped Elytron security domain service is required to read >> in EndpointServiceDeploymentAspect. It's installed in Phase.INSTALL, >> Phase.INSTALL_WS_DEPLOYMENT_ASPECTS priority. It's running >> before UndertowDeploymentProcessor >> >> >>> >>> What may be more appropriate is for the Undertow DUP to attach >>> something which identifies the SecurityDomain instead of the web services >>> DUP relying on internal API / repeating the same checks already performed >>> within Undertow. >>> >>> In the future we will be removing all of the application security >>> domain resources so coordinating using attachments will hopefully also >>> future proof any fix. >>> >> >> It looks this attachment should be set in some Undertow DUP before >> UndertowDeploymentProcessor. WebService needs a Securitycontext to call >> the ejb ws endpoint method or webservice endpoint method : >> >> https://github.com/wildfly/wildfly/blob/master/webservices/server-integra... >> Is there better api/approach to perform this kind of method invocation ? >> >> Thanks, >> Jim >> >> >> >>> >>> Regards, >>> Darran Lofthouse. >>> >>> >>> On Thu, Mar 12, 2020 at 11:45 AM Jim Ma <ema(a)redhat.com&gt; wrote: >>> >>>> There is ws deployment failure issue[1] which is caused by Webservice >>>> subsystem doesn't correctly get mapped elytron security domain from web >>>> deployment's default "other" >>>> application security domain. I tried to fix this by reading Elytron >>>> security domain from Undertow started services, but it looks now >>>> ApplicationSecurityDomainService is private static and it doesn't provide a >>>> getter which allows to get Elytron security domain. Webservice subsystem >>>> requires an Undertow service like ApplicationSecurityDomainService[2] >>>> started by EJB subsystem to read the Elytron security domain. Is it doable >>>> to change Undertow's ApplicationSecurityDomainService to provide mapped >>>> security domain ? Or any better approach to get the mapped Elytron domain ? >>>> >>>> [1]https://issues.redhat.com/browse/WFLY-12765 >>>> [2] >>>> https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jbo... >>>> >>>> Cheers, >>>> Jim >>>> >>>> >>>> _______________________________________________ >>>> wildfly-dev mailing list >>>> wildfly-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/wildfly-dev >>> >>>