[keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
Pedro Igor Silva
psilva at redhat.com
Wed Apr 3 08:50:59 EDT 2019
The undertow subsystem already has the "other" application-security-domain
defined as I mentioned before.
As a last try, try this:
* /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
* Leave the undertow subsystem with the default settings defined by the
elytron adapter CLI scripts
* Remove any reference to "security-domain" from your EJB archives/beans so
that "other" will be the default
What I'm trying to do is to make both web and ejb layers use the same
elytron security domain so that you can access the security identity in
both layers.
If this doesn't work, I'll try to find some code that I think I have
somewhere that is doing this.
On Wed, Apr 3, 2019 at 9:28 AM Ryan Slominski <ryans at jlab.org> wrote:
> I'm not familiar with how the Elytron Keycloak client adapter works.
> How do I change the application-security-domain in both ejb3 and undertow
> subsystems to "other"?
>
> If I try:
>
> /subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
>
> Then I get the following on deploy:
>
> "{\"WFLYCTL0080: Failed services\" =>
> {\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" =>
> \"java.lang.RuntimeException: java.lang.IllegalStateException: The required
> mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT,
> FORM] from the HttpAuthenticationFactory.
> Caused by: java.lang.RuntimeException:
> java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not
> available in mechanisms [BASIC, CLIENT_CERT, FORM] from the
> HttpAuthenticationFactory.
> Caused by: java.lang.IllegalStateException: The required mechanism
> 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from
> the HttpAuthenticationFactory.\"}}"
>
>
> If I try:
>
>
> /subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain)
>
> The command fails with:
>
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0212: Duplicate resource [
> (\"subsystem\" => \"undertow\"),
> (\"application-security-domain\" => \"other\")
> ]",
> "rolled-back" => true
> }
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 8:15 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> This seems to be related to your WAR deployment, though. Did you try to
> change the application-security-domain in both ejb3 and undertow subsystems
> to "other"? That way you don't need to specify a security domain, as "other"
> will be the default. IIRC, when you run the elytron adapter scripts an
> "other" application-security-domain is created in the undertow subsystem.
>
> On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski <ryans at jlab.org> wrote:
>
> Using the command:
>
>
> /subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
>
> Results in different error upon application deploy:
>
> 08:03:35,017 ERROR [org.jboss.as.controller.management-operation]
> (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed -
> address: ([("deployment" => "staff.war")]) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" =>
> ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" =>
> ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService
> is missing [jboss.security.security-domain.KeycloakDomain]"]
> }
>
>
> More log context attached.
>
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 7:53 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> I found an error in the command that I gave to you. Could you try to change
> the name of the application-security-domain to "KeycloakDomain", instead of
> "other"?
>
> If it doesn't work I would prefer to try this out first before opening the
> JIRA. But I'd appreciate it if you can at least try the change above first.
>
> On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski <ryans at jlab.org> wrote:
>
> Thanks for the idea. Unfortunately it didn't work. I still see:
>
> "WFLYCTL0412: Required services that are not installed:" =>
> ["jboss.security.security-domain.KeycloakDomain"]
>
> I am using only local EJBs. I guess I must stick with the legacy Wildfly
> client adapter. Looks like the JIRA to address the EJB propagation issue
> has been closed. Can we re-open it?
>
> See: https://issues.jboss.org/browse/KEYCLOAK-5665
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Tuesday, April 2, 2019 9:07 PM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> Hi,
>
> I guess it is a local EJB? If so, could you try configuring the EJB
> subsystem with an application-security-domain as follows:
>
>
> /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
>
> Regards.
>
> On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski <ryans at jlab.org> wrote:
>
> Has anyone been able to propagate the Keycloak security domain in Wildfly
> Elytron client adapter to EJBs in an application using jboss-ejb3.xml?
> Creating a single file that is bundled with the application war seems like
> a better solution than importing and applying a JBOSS specific annotation
> (@SecurityDomain) to hundreds of EJBs.
>
> I placed the file into WEB-INF with contents:
>
> <?xml version="1.1" encoding="UTF-8"?>
> <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
>                xmlns="http://java.sun.com/xml/ns/javaee"
>                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                xmlns:s="urn:security"
>                xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
>                version="3.1" impl-version="2.0">
>   <assembly-descriptor>
>     <s:security>
>       <ejb-name>*</ejb-name>
>       <s:security-domain>keycloak</s:security-domain>
>     </s:security>
>   </assembly-descriptor>
> </jboss:ejb-jar>
>
> I also tried label "KeycloakDomain" instead of "keycloak". In either case
> I get the following error when I attempt to deploy the war file:
>
> "WFLYCTL0412: Required services that are not installed:" =>
> ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
> "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE
> is missing [jboss.security.security-domain.KeycloakDomain]",
>
> "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService
> is missing [jboss.security.security-domain.KeycloakDomain]",
>
> "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is
> missing [jboss.security.security-domain.KeycloakDomain]"
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
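Every deployment failure quoted in this thread has the same signature: the WAR's EJB components and its Undertow deployment declare a dependency on `jboss.security.security-domain.KeycloakDomain`, which is the service name of the legacy (PicketBox) security subsystem, not of an Elytron domain. That is the tell that the security-domain reference in the archive was not matched against an `application-security-domain` mapping and therefore fell through to the legacy subsystem. The script below is an added example written for this thread (it is not code from the thread, WildFly or Keycloak): it parses a WFLYCTL0412/WFLYCTL0180 failure description, records which layers (EJB, web) are wired to a legacy domain, and turns the result into the ejb3 mapping step Pedro proposed. The sample failure text is constructed from Ryan's messages; the function and field names are the example's own.

```python
"""Triage a WildFly deployment failure that points at a legacy security domain.

Added example for this thread; not code from the thread, WildFly or Keycloak.
The sample below is constructed from the failure description Ryan quoted.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the WFLYCTL0412 / WFLYCTL0180 text from the thread,
# with the \" escapes exactly as the server prints them.
SAMPLE_FAILURE = r'''
"WFLYCTL0412: Required services that are not installed:" =>
["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE
is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService
is missing [jboss.security.security-domain.KeycloakDomain]"
'''

# Service name under which the legacy (PicketBox) subsystem installs a domain.
# An Elytron domain is never installed under this name, so a dependency on it
# means the deployment bypassed the application-security-domain mapping.
LEGACY_SD = re.compile(r'^jboss\.security\.security-domain\.(?P<name>[^\s"\]]+)$')
# The WFLYCTL0412 list of services that are not installed.
MISSING_LIST = re.compile(r'WFLYCTL0412[^\[]*\[(?P<body>[^\]]*)\]', re.S)
# One "<deployment service> is missing [<dependency>]" entry from WFLYCTL0180.
DEPENDENT = re.compile(
    r'jboss\.deployment\.unit\.\\"(?P<unit>[^\\"]+)\\"\.(?P<svc>[^\s"]+)'
    r'\s+is missing \[(?P<dep>[^\]]+)\]', re.S)


@dataclass
class Triage:
    missing: list = field(default_factory=list)       # services not installed
    dependents: dict = field(default_factory=dict)    # "unit:service" -> dependency
    legacy_domains: set = field(default_factory=set)  # domain names resolved via legacy
    layers: set = field(default_factory=set)          # "ejb" and/or "web"


def parse_failure(text: str) -> Triage:
    """Extract missing services and their dependents from a failure description."""
    t = Triage()
    m = MISSING_LIST.search(text)
    if m:
        t.missing = re.findall(r'"([^"]+)"', m.group('body'))
    for name in t.missing:
        sd = LEGACY_SD.match(name)
        if sd:
            t.legacy_domains.add(sd.group('name'))
    for d in DEPENDENT.finditer(text):
        svc = d.group('svc')
        t.dependents[f"{d.group('unit')}:{svc}"] = d.group('dep')
        # EJB components hang off "component.<Bean>"; the web layer off
        # "undertow-deployment".
        if svc.startswith('component.'):
            t.layers.add('ejb')
        elif svc.startswith('undertow-deployment'):
            t.layers.add('web')
    return t


def recommend(t: Triage, elytron_domain: str) -> list:
    """Map the triage onto the steps discussed in the thread.

    `elytron_domain` is the Elytron security domain the adapter scripts created
    (KeycloakDomain in the thread). The undertow side is deliberately left to
    the adapter's own "other" mapping, since a plain security-domain mapping
    there lacks the KEYCLOAK HTTP mechanism (the error Ryan hit).
    """
    steps = []
    for name in sorted(t.legacy_domains):
        if 'ejb' in t.layers:
            steps.append(f"/subsystem=ejb3/application-security-domain={name}"
                         f":add(security-domain={elytron_domain})")
        steps.append(f'drop explicit references to "{name}" (jboss-ejb3.xml or '
                     f'@SecurityDomain) so the "other" mapping is the default')
    return steps


if __name__ == '__main__':
    triage = parse_failure(SAMPLE_FAILURE)
    print('legacy domains:', triage.legacy_domains, 'layers:', triage.layers)
    for step in recommend(triage, 'KeycloakDomain'):
        print(' -', step)
```

Running the script on the constructed sample reports `KeycloakDomain` as a legacy domain referenced from both the EJB and web layers; on a real server the failure description is pasted straight from the `deploy` output or the WFLYCTL0013 log line.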
More information about the keycloak-user mailing list