[keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Ryan Slominski ryans at jlab.org
Wed Apr 3 08:28:35 EDT 2019


I'm not familiar with how the Elytron Keycloak client adapter works. How do I change the application-security-domain in both ejb3 and undertow subsystems to "other"?

If I try:
/subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)

Then I get the following on deploy:

"{\"WFLYCTL0080: Failed services\" => {\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" => \"java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.\"}}"


If I try:

/subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain)

The command fails with:

{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0212: Duplicate resource [
    (\"subsystem\" => \"undertow\"),
    (\"application-security-domain\" => \"other\")
]",
    "rolled-back" => true
}
________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Wednesday, April 3, 2019 8:15 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

This seems to be related to your WAR deployment though. Did you try to change the application-security-domain in both ejb3 and undertow subsystems to "other"? That way you don't need to specify a security domain, as "other" will be the default. IIRC, when you run the elytron adapter scripts an "other" application-security-domain is created in the undertow subsystem.

On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski <ryans at jlab.org> wrote:
Using the command:

/subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)

Results in different error upon application deploy:

08:03:35,017 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "staff.war")]) - failure description: {
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]"]
}


More log context attached.


________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Wednesday, April 3, 2019 7:53 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

I found an error in the command that I gave to you. Could you try to change the name of the application-security-domain to "KeycloakDomain", instead of "other"?

If it doesn't work, I would prefer to try this out first before opening the JIRA. But I would appreciate it if you can at least try the change above first.

On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski <ryans at jlab.org> wrote:
Thanks for the idea. Unfortunately it didn't work. I still see:

"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]

I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to address the EJB propagation issue has been closed. Can we re-open it?

See: https://issues.jboss.org/browse/KEYCLOAK-5665
________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Tuesday, April 2, 2019 9:07 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Hi,

I guess it is a local EJB? If so, could you try configuring the EJB subsystem with an application-security-domain as follows:

/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)

Regards.

On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski <ryans at jlab.org> wrote:
Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and applying a JBoss-specific annotation (@SecurityDomain) to hundreds of EJBs.

I placed the file into WEB-INF with contents:

<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:s="urn:security"
    xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
    version="3.1" impl-version="2.0">
    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>keycloak</s:security-domain>
        </s:security>
    </assembly-descriptor>
</jboss:ejb-jar>

I also tried the label "KeycloakDomain" instead of "keycloak". In either case I get the following error when I attempt to deploy the war file:

    "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => [
        "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
        "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
        "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
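An added example, not code from the thread, the Keycloak project or WildFly: a POSIX shell script that emits an idempotent WildFly CLI script mapping one application-security-domain to an Elytron security domain in both the ejb3 and undertow subsystems, which is the change Pedro asks for above. The plain `:add` on an already-present "other" resource is what produced the WFLYCTL0212 "Duplicate resource" failure in the thread; the CLI's `if`/`else`/`end-if` flow control avoids that by using `write-attribute` when the resource exists and `add` otherwise. The domain name KeycloakDomain comes from the thread; that the deployment resolves its security domain through the default "other" mapping is Pedro's suggestion, not something the thread confirms; the function names `gen_asd_mapping` and `gen_mapping_script` and the file name map-asd.cli are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): generate an idempotent WildFly CLI
# script that maps an application-security-domain to an Elytron security
# domain in both the ejb3 and undertow subsystems.
#
# Assumptions: the Elytron security domain created by the Keycloak adapter
# scripts is named KeycloakDomain, and the deployment resolves its domain
# through the default "other" mapping. Both are passed as arguments, so
# adjust them if your server uses different names.

# gen_asd_mapping SUBSYSTEM ASD_NAME ELYTRON_DOMAIN
# Prints CLI commands for one subsystem. The CLI evaluates the read-resource
# operation in the "if" header: write-attribute when the
# application-security-domain already exists (avoids WFLYCTL0212 Duplicate
# resource), add when it does not.
gen_asd_mapping() {
  subsystem=$1
  asd=$2
  domain=$3
  addr="/subsystem=$subsystem/application-security-domain=$asd"
  printf '%s\n' \
    "if (outcome == success) of $addr:read-resource" \
    "    $addr:write-attribute(name=security-domain,value=$domain)" \
    "else" \
    "    $addr:add(security-domain=$domain)" \
    "end-if"
}

# gen_mapping_script ASD_NAME ELYTRON_DOMAIN
# Full script: both subsystems, a read-back of each mapping so the operator
# can confirm the result in the CLI output, then a server reload.
gen_mapping_script() {
  asd=$1
  domain=$2
  gen_asd_mapping ejb3 "$asd" "$domain"
  gen_asd_mapping undertow "$asd" "$domain"
  printf '%s\n' \
    "/subsystem=ejb3/application-security-domain=$asd:read-resource" \
    "/subsystem=undertow/application-security-domain=$asd:read-resource" \
    ":reload"
}

# When invoked directly with two arguments, print the CLI script to stdout:
#   sh gen-asd.sh other KeycloakDomain > map-asd.cli
#   $JBOSS_HOME/bin/jboss-cli.sh --connect --file=map-asd.cli
if [ $# -eq 2 ]; then
  gen_mapping_script "$1" "$2"
fi
```

After the reload, redeploy and check the deploy log again. The service name the errors above say is missing, jboss.security.security-domain.KeycloakDomain, belongs to the legacy security subsystem; if a deployment still requires it after the mapping is in place, the deployment is still being resolved against a legacy security domain rather than the Elytron application-security-domain, which is the situation the thread leaves open.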
