[jboss-jira] [JBoss JIRA] (WFCORE-4407) Cannot configure Elytron security domain using embedded server in admin mode

Yeray Borges (Jira) issues at jboss.org
Mon Apr 8 12:04:02 EDT 2019


Yeray Borges created WFCORE-4407:
------------------------------------

             Summary: Cannot configure Elytron security domain using embedded server in admin mode
                 Key: WFCORE-4407
                 URL: https://issues.jboss.org/browse/WFCORE-4407
             Project: WildFly Core
          Issue Type: Bug
          Components: Embedded
         Environment: 


            Reporter: Yeray Borges
            Assignee: Yeray Borges


Some configurations are impossible to apply using the embedded server. For example, we cannot create a security domain in Elytron that references a security domain in the security subsystem:

{noformat}
embed-server --server-config=standalone-full-ha.xml --std-out=echo

/subsystem=security/security-domain=my-sec-domain:add(cache-type=default)
/subsystem=security/security-domain=my-sec-domain/authentication=classic:add(login-modules=[{code=RealmUsersRoles, flag=required, module=RealmUsersRoles, module-options=[("usersProperties"=>"usersProperties"),("rolesProperties"=>"rolesProperties")]}])

/subsystem=security/elytron-realm=my-sec-domain:add(legacy-jaas-config=my-sec-domain)

/subsystem=elytron/security-domain=my-sec-domain:add(realms=[{realm=my-sec-domain}],default-realm=my-sec-domain,permission-mapper=default-permission-mapper)

stop-embedded-server
{noformat}

The execution of these operations in an embedded server running in admin-mode throws the following error:

{noformat}
[standalone at embedded /] /subsystem=elytron/security-domain=my-sec-domain:add(realms=[{realm=my-sec-domain}],default-realm=my-sec-domain,permission-mapper=default-permission-mapper)
12:30:53,429 ERROR [org.jboss.as.controller.management-operation] (pool-3-thread-1) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("security-domain" => "my-sec-domain")
]) - failure description: {
    "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.security-realm.my-sec-domain"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => ["org.wildfly.security.security-domain.my-sec-domain.initial is missing [org.wildfly.security.security-realm.my-sec-domain]"]
}
{
    "outcome" => "failed",
    "failure-description" => {
        "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.security-realm.my-sec-domain"],
        "WFLYCTL0180: Services with missing/unavailable dependencies" => ["org.wildfly.security.security-domain.my-sec-domain.initial is missing [org.wildfly.security.security-realm.my-sec-domain]"]
    },
    "rolled-back" => true
}
{noformat}

The problem here is that the Elytron security domain services cannot be up because they require the legacy installed realm services, which are not up when we are using the embedded server in admin-only mode.

The SecurityDomain advertises no runtime operation. If no services are installed that would ever depend on the security domain, we may be able to skip installing some of these services entirely and allow their configuration in embedded / admin-only.


