[keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
Ryan Slominski
ryans at jlab.org
Wed Apr 3 16:17:19 EDT 2019
OK, great.
The "legacy" client adapter already automatically propagates the security context to EJBs (local ones anyways). So from this user's point-of-view switching to the shiny new Elytron system was a step backwards. If automatic propagation (to local EJBs) harms no-one then I see it as a good enhancement. If rejected, at least I have updated my build notes on how to set it up working again ??
________________________________
From: Pedro Igor Silva <psilva at redhat.com>
Sent: Wednesday, April 3, 2019 4:05 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
I meant in Elytron/Wildfly docs. That JIRA will help so I can try to talk with people here if we can consider it in the some future sprint.
On Wed, Apr 3, 2019 at 4:58 PM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
I'm not able to find the command in the Keycloak documentation. Please link to it if I missed it.
As far as propagating to EJB tier goes I only found two places where it is mentioned and they both say use @SecurityDomain annotation:
1. For OIDC: https://www.keycloak.org/docs/latest/securing_apps/index.html#security-domain<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fsecuring_apps%2Findex.html%23security-domain&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464312552&sdata=0UBiXoXV%2FOU3hthsI624v3wk5fcl4u8sXLZ00ka2NGs%3D&reserved=0>
2. For SAML: https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter-2<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2Flatest%2Fsecuring_apps%2Findex.html%23jboss-eap-wildfly-adapter-2&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464322561&sdata=pCKWZeB%2B1Qph%2FW9pmH0DkIHXbBj2DC9nsRaTyFG3BIA%3D&reserved=0>
The SAML document says:
"We hope to improve our integration in the future so that you don’t have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier."
I've created a pull request to make this automatic (I don't see why not?): https://github.com/keycloak/keycloak/pull/5977<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkeycloak%2Fkeycloak%2Fpull%2F5977&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464322561&sdata=qzA1SQFRnAL05%2Fw6MHNWKRUl0FpnyhpkKzw9U4srjmQ%3D&reserved=0>
I've added comments to the original JIRA: https://issues.jboss.org/browse/KEYCLOAK-5665<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKEYCLOAK-5665&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464332566&sdata=oZzK7MjMb0sTqVVFcRf72xKCr5ZFCO%2BbqKBaUAYW9Dg%3D&reserved=0>
________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Wednesday, April 3, 2019 3:43 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
Thanks, Ryan.
I think this specific configuration is covered in Elytron/Wildfly docs already. As well as how to propagate identities to remote EJBs (which is a bit more complex to set up).
In regards to adding the command to the CLI scripts, although it seems a good OOTB config we don't see much demand from the community. However, you can still open a JIRA if you like and ask people to rank it.
On Wed, Apr 3, 2019 at 12:04 PM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
Thanks for your help Pedro.
I can confirm that after installing a fresh instance of Wildfly 16.0.0.Final and copying the latest Keycloak Elytron client adapter code over top the install directory the only extra step needed besides executing the "jboss-cli --file=adapter-elytron-install.cli" command was the command you originally suggested:
jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"
We should probably update the documentation to indicate this as an alternative option to the @SecurityDomain annotation. In fact, it might make sense to actually add this command to the adapter-elytron-install.cli file (and offline version too) so that users don't have to do anything extra. This assumes setting the EJB other security-domain to KeycloakDomain is safe to do in the general case, which I assume it is.
________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Wednesday, April 3, 2019 10:13 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
Nice. That is what I was expecting. In a nutshell, you are basically saying "Please, use the same security domain across these deployments so that I can fetch the security identity".
Thanks again for moving this forward.
On Wed, Apr 3, 2019 at 10:56 AM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
I have it working now. I had an entry in jboss-web.xml that I had added when trying various theories and I forgot to remove it, and it was preventing deployment:
<security-domain>KeycloakDomain</security-domain>
I'll work on building the server from scratch to confirm but it appears the solution to set this up is:
1. Copy Eltyron client adapter files into Wildfly
2. Execute jboss-cli.sh -c --file=bin/adapter-elytron-install.cli
3. Execute jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"
________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Wednesday, April 3, 2019 9:16 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
Not sure. I need to check this. I'll look at the that later this week.
Thank you for your feedbacks. Will ping you back once I've something to share.
On Wed, Apr 3, 2019 at 10:11 AM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
Thanks for the guidance, but I'm unable to get this working. Here is what I tried:
1. Logged into Wildfly admin console and navigated to Configuration > Subsystems > EJB > Security Domain
* Ensured I only have one entry: "other" and that it's own "Security Domain" sub-field is "KeycloakDomain"
2. Navigated to Configuration > Subsystems > Web (Undertow) > Settings > Application Security Domain > other
* Ensured "Security Domain" sub-field is blank (actually tried with blank and value "KeycloakDomain"; doesn't make a difference)
3. I deleted the jboss-ejb3.xml file from my web application WEB-INF directory
Still seeing the following error on deployment of war file:
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]
I am using the latest version of Wildfly (16.0.0.Final), so perhaps the latest Keycloak Elytron client adapter simply doesn't work with this version of Wildfly?
________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Wednesday, April 3, 2019 8:50 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
The undertow subsystem already has the "other" application-security-domain defined as I mentioned before.
As a last try, try this:
* /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
* Leave the undertow subsystem with the default settings defined by the elytron adapter CLI scripts
* Remove any reference to "security-domain" from your EJB archives/beans so that "other" will be the default
What I'm trying to do is to make both web and ejb layers to use the same elytron security domain so that you can access the security identity in both layers.
If this doesn't work, I'll try to find some code that I think I have somewhere that is doing this.
On Wed, Apr 3, 2019 at 9:28 AM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
I'm not familiar with how the Elytron Keycloak client adapter works. How do I change the application-security-domain in both ejb3 and undertow subsystems to "other"?
If I try:
/subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
Then I get the following on deploy:
"{\"WFLYCTL0080: Failed services\" => {\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" => \"java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.
Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.\"}}"
If I try:
/subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain)
The command fails with:
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0212: Duplicate resource [
(\"subsystem\" => \"undertow\"),
(\"application-security-domain\" => \"other\")
]",
"rolled-back" => true
}
________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Wednesday, April 3, 2019 8:15 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
This seem to be related with your WAR deployment though. Did you try to change the application-security-domain in both ejb3 and undertow subsystems to "other". That way you don't need to specify a security domain as "other" will be the default. IIRC, when you run the elytron adapter scripts an "other" application-security-domain is created in the undertow subsystem.
On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
Using the command:
/subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
Results in different error upon application deploy:
08:03:35,017 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "staff.war")]) - failure description: {
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]"]
}
More log context attached.
________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Wednesday, April 3, 2019 7:53 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
I found an error in the command that I gave to you. Could try to change the name of the application-security-domain to "KeycloakDomain", instead of "other".
If it doesn't work I would prefer to try this out first before opening the JIRA. But I appreciate if you can at least try the change above first.
On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
Thanks for the idea. Unfortunately it didn't work. I still see:
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]
I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to addresss the EJB propagation issue has been closed. Can we re-open it?
See: https://issues.jboss.org/browse/KEYCLOAK-5665<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.jboss.org%2Fbrowse%2FKEYCLOAK-5665&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464332566&sdata=oZzK7MjMb0sTqVVFcRf72xKCr5ZFCO%2BbqKBaUAYW9Dg%3D&reserved=0>
________________________________
From: Pedro Igor Silva <psilva at redhat.com<mailto:psilva at redhat.com>>
Sent: Tuesday, April 2, 2019 9:07 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
Hi,
I guess it is a local EJB ? If so, could you try configuring the EJB subsystem with an application-security-domain as follows:
/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
Regards.
On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski <ryans at jlab.org<mailto:ryans at jlab.org>> wrote:
Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and apply a JBOSS specific annotation (@SecurityDomain) to hundreds of EJBs.
I placed the file into WEB-INF with contents:
<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee<https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.jboss.com%2Fxml%2Fns%2Fjavaee&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464342575&sdata=as%2BksxrwH7ZKN%2Fka3qHinjoQ2hQC90sa%2F8x8vfHbFlU%3D&reserved=0>"
xmlns="http://java.sun.com/xml/ns/javaee<https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fjava.sun.com%2Fxml%2Fns%2Fjavaee&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464352580&sdata=qvZZuFFg5vn3xgykc1cxV0AxQA5xuPJwakPy6%2FQZTVA%3D&reserved=0>"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance<https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema-instance&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464352580&sdata=qxUqEgm4UzNcwk5wORR5HU%2BzIxSag1S4d8ul3tVUrfA%3D&reserved=0>"
xmlns:s="urn:security"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee<https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.jboss.com%2Fxml%2Fns%2Fjavaee&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464362589&sdata=PyKAqVzld26c6CbZjwh6XyaZnfdjMxQDYGj869yHya0%3D&reserved=0> http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd<https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.jboss.org%2Fj2ee%2Fschema%2Fjboss-ejb3-2_0.xsd&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464362589&sdata=S2mx2tkxKv1Gi2%2B6APaXqbH7rqPnCFE%2BN6DzDfmGIGM%3D&reserved=0>"
version="3.1" impl-version="2.0">
<assembly-descriptor>
<s:security>
<ejb-name>*</ejb-name>
<s:security-domain>keycloak</s:security-domain>
</s:security>
</assembly-descriptor>
</jboss:ejb-jar>
I also tried label "KeycloakDomain" instead of "keycloak". In either case I get the following error when I attempt to deploy the war file:
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&data=02%7C01%7Cryans%40jlab.org%7Ca6cc5353df824f19799508d6b86fc15e%7Cb4d7ee1f4fb34f0690372b5b522042ab%7C1%7C0%7C636899187464372598&sdata=Ra4IIclmql7hfIleGChRdZC0FNU1BTiDJRs7DFZ4FaQ%3D&reserved=0>
More information about the keycloak-user
mailing list