[keycloak-user] @SecurityDomain("keycloak") in EJB

Pedro Igor Silva psilva at redhat.com
Wed Aug 22 16:11:26 EDT 2018


Hi Ryan,

Elytron is the new security framework in WildFly. It is indeed different
from legacy (although compliant with legacy config using JAAS), but with a
lot of capabilities we lack in legacy. One of the main features you have
with Elytron is the possibility to propagate the security context to remote
EJBs/servers.

Ideally, you should start using the Elytron subsystem, given that legacy is
deprecated.

Please take a look at some quickstarts [1] about how to protect EJBs using
the Elytron subsystem. I know it's new stuff, but it is worth giving it some
time and learning how it works.

[1] https://github.com/wildfly/quickstart

On Wed, Aug 22, 2018 at 3:05 PM, Ryan Slominski <ryans at jlab.org> wrote:

> Looks like @SecurityRealm("keycloak") is needed only if you have the
> elytron configuration in your wildfly standalone.xml file.  I noticed that
> one test server had a bunch of extra keycloak elytron configuration while
> the other didn't.  I deleted the extra configuration and now my application
> works as expected (authentication and authorization info is propagated to
> EJBs without any extra annotations).   I guess this is the difference
> between legacy configuration and new elytron configuration.   Seems like
> the new elytron client adapter is not as good as the legacy adapter /
> integration.   Any reason not to stick with the legacy adapter?
>
>
>
>
> ----- Original Message -----
> From: "Ryan Slominski" <ryans at jlab.org>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Wednesday, August 22, 2018 12:26:43 PM
> Subject: @SecurityDomain("keycloak") in EJB
>
> Using the Wildfly adapter I've noticed that the security context is
> propagated to EJBs without the SecurityDomain annotation in some cases, but
> not others.  Does anyone know in what case it is needed?   My only clue so
> far is Windows vs Linux, as I thought I configured both test boxes
> identically, but maybe I missed something. My application currently does
> not use the annotation and on my Windows test box authentication is
> propagated fine.  However, on my Linux test box with the same war file I
> see unauthorized exception in the EJB layer even though the servlet reports
> I'm authenticated with proper roles.   Does it have to do with Wildfly
> client adapter online vs offline install or adapter vs adapter-elytron
> install?
>
> If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain
> that would break platform independence, which container managed security is
> supposed to support.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
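The following is an added example for readers of this thread; it is not code posted by either participant, nor from Keycloak or WildFly. It shows the shape of the setup the thread is about: a stateless EJB bound to a security domain with the WildFly-specific `org.jboss.ejb3.annotation.SecurityDomain` annotation (the domain name `"keycloak"` is taken from the subject line; the bean and servlet names, the role names `user` and `admin`, and the URL pattern are assumptions), plus a servlet that reports what the web layer sees and then calls the bean. If the servlet prints an authenticated principal but the EJB call fails with `EJBAccessException`, the identity was not propagated into the bean's security domain, which is the symptom described above.

```java
// file: AuditedOrderBean.java  (added example; names are assumed)
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
// WildFly-specific: binds the bean to the "keycloak" security domain. Whether this
// is required depends on the server's (legacy vs. Elytron) configuration, as the
// thread discusses; @RolesAllowed below is the portable, container-managed part.
@SecurityDomain("keycloak")
public class AuditedOrderBean {

    @Resource
    private SessionContext ctx;

    // The container enforces the role before the method body runs; a caller
    // without "user" gets javax.ejb.EJBAccessException instead of a result.
    @RolesAllowed("user")
    public String whoAmI() {
        // Returns the caller identity as the EJB layer sees it after propagation.
        return ctx.getCallerPrincipal().getName();
    }

    // Programmatic check in addition to the declarative one, useful when the
    // decision depends on more than the role name.
    @RolesAllowed({"user", "admin"})
    public boolean mayCancelOrders() {
        return ctx.isCallerInRole("admin");
    }
}

// file: WhoAmIServlet.java  (added example; names are assumed)
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    @EJB
    private AuditedOrderBean orders;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // What the web layer (Keycloak adapter) established for this request.
        Principal p = req.getUserPrincipal();
        out.println("servlet principal : " + (p == null ? "<none>" : p.getName()));
        out.println("servlet has 'user': " + req.isUserInRole("user"));

        // What the EJB layer sees. A mismatch here is the thread's problem.
        try {
            out.println("ejb principal     : " + orders.whoAmI());
            out.println("ejb may cancel    : " + orders.mayCancelOrders());
        } catch (EJBAccessException e) {
            // Authenticated in the servlet but rejected by the bean: the security
            // context did not reach the bean's security domain.
            out.println("ejb rejected call : " + e.getMessage());
        }
    }
}
```

This assumes the WAR is already protected by the Keycloak adapter (a `login-config` of type `KEYCLOAK` in `web.xml` and a security constraint covering `/whoami`), so that `getUserPrincipal()` is non-null when the servlet runs; the example only makes the propagation visible, it does not configure the adapter or the Elytron subsystem.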
