[keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
Pedro Igor Silva
psilva at redhat.com
Wed Apr 3 16:22:15 EDT 2019
Yeah, you are right. Maybe this is another argument to consider that issue.
The legacy is using a JAAS LoginModule which is configured automatically
when installing the adapter.
On Wed, Apr 3, 2019 at 5:17 PM Ryan Slominski <ryans at jlab.org> wrote:
> OK, great.
>
> The "legacy" client adapter already automatically propagates the security
> context to EJBs (local ones anyways). So from this user's point-of-view
> switching to the shiny new Elytron system was a step backwards. If
> automatic propagation (to local EJBs) harms no-one then I see it as a good
> enhancement. If rejected, at least I have updated my build notes on how to
> set it up working again 🙂
>
>
>
>
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 4:05 PM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> I meant in Elytron/Wildfly docs. That JIRA will help so I can try to talk
> with people here if we can consider it in some future sprint.
>
> On Wed, Apr 3, 2019 at 4:58 PM Ryan Slominski <ryans at jlab.org> wrote:
>
> I'm not able to find the command in the Keycloak documentation. Please
> link to it if I missed it.
>
> As far as propagating to EJB tier goes I only found two places where it is
> mentioned and they both say use @SecurityDomain annotation:
>
> 1. For OIDC:
> https://www.keycloak.org/docs/latest/securing_apps/index.html#security-domain
> 2. For SAML:
> https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter-2
>
> The SAML document says:
>
> "We hope to improve our integration in the future so that you don’t have
> to specify the @SecurityDomain annotation when you want to propagate a
> keycloak security context to the EJB tier."
>
> I've created a pull request to make this automatic (I don't see why
> not?): https://github.com/keycloak/keycloak/pull/5977
>
> I've added comments to the original JIRA:
> https://issues.jboss.org/browse/KEYCLOAK-5665
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 3:43 PM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> Thanks, Ryan.
>
> I think this specific configuration is covered in Elytron/Wildfly docs
> already. As well as how to propagate identities to remote EJBs (which is a
> bit more complex to set up).
>
> In regards to adding the command to the CLI scripts, although it seems a
> good OOTB config we don't see much demand from the community. However, you
> can still open a JIRA if you like and ask people to rank it.
>
> On Wed, Apr 3, 2019 at 12:04 PM Ryan Slominski <ryans at jlab.org> wrote:
>
> Thanks for your help Pedro.
>
> I can confirm that after installing a fresh instance of Wildfly
> 16.0.0.Final and copying the latest Keycloak Elytron client adapter code
> over the top of the install directory the only extra step needed besides executing
> the "jboss-cli --file=adapter-elytron-install.cli" command was the command
> you originally suggested:
>
> jboss-cli.sh -c
> --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"
>
> We should probably update the documentation to indicate this as an
> alternative option to the @SecurityDomain annotation. In fact, it might
> make sense to actually add this command to the adapter-elytron-install.cli
> file (and offline version too) so that users don't have to do anything
> extra. This assumes setting the EJB other security-domain to
> KeycloakDomain is safe to do in the general case, which I assume it is.
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 10:13 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> Nice. That is what I was expecting. In a nutshell, you are basically
> saying "Please, use the same security domain across these deployments so
> that I can fetch the security identity".
>
> Thanks again for moving this forward.
>
> On Wed, Apr 3, 2019 at 10:56 AM Ryan Slominski <ryans at jlab.org> wrote:
>
> I have it working now. I had an entry in jboss-web.xml that I had added
> when trying various theories and I forgot to remove it, and it was
> preventing deployment:
>
> <security-domain>KeycloakDomain</security-domain>
>
> I'll work on building the server from scratch to confirm but it appears
> the solution to set this up is:
>
>
> 1. Copy Elytron client adapter files into Wildfly
> 2. Execute jboss-cli.sh -c --file=bin/adapter-elytron-install.cli
> 3. Execute jboss-cli.sh -c
> --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 9:16 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> Not sure. I need to check this. I'll look at that later this week.
>
> Thank you for your feedback. Will ping you back once I've something to
> share.
>
> On Wed, Apr 3, 2019 at 10:11 AM Ryan Slominski <ryans at jlab.org> wrote:
>
> Thanks for the guidance, but I'm unable to get this working. Here is what
> I tried:
>
>
> 1. Logged into Wildfly admin console and navigated to Configuration >
>    Subsystems > EJB > Security Domain
>    1. Ensured I only have one entry: "other" and that its own
>       "Security Domain" sub-field is "KeycloakDomain"
> 2. Navigated to Configuration > Subsystems > Web (Undertow) > Settings
>    > Application Security Domain > other
>    1. Ensured "Security Domain" sub-field is blank (actually tried
>       with blank and value "KeycloakDomain"; doesn't make a difference)
> 3. I deleted the jboss-ejb3.xml file from my web application WEB-INF
>    directory
>
> Still seeing the following error on deployment of war file:
>
> "WFLYCTL0412: Required services that are not installed:" =>
> ["jboss.security.security-domain.KeycloakDomain"]
>
> I am using the latest version of Wildfly (16.0.0.Final), so perhaps the
> latest Keycloak Elytron client adapter simply doesn't work with this
> version of Wildfly?
>
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 8:50 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> The undertow subsystem already has the "other" application-security-domain
> defined as I mentioned before.
>
> As a last try, try this:
>
> * /subsystem=ejb3/application-security-domain=other:add(security-
> domain=KeycloakDomain)
> * Leave the undertow subsystem with the default settings defined by the
> elytron adapter CLI scripts
> * Remove any reference to "security-domain" from your EJB archives/beans
> so that "other" will be the default
>
> What I'm trying to do is to make both web and ejb layers use the same
> elytron security domain so that you can access the security identity in
> both layers.
>
> If this doesn't work, I'll try to find some code that I think I have
> somewhere that is doing this.
>
> On Wed, Apr 3, 2019 at 9:28 AM Ryan Slominski <ryans at jlab.org> wrote:
>
> I'm not familiar with how the Elytron Keycloak client adapter works.
> How do I change the application-security-domain in both ejb3 and undertow
> subsystems to "other"?
>
> If I try:
>
> /subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
>
> Then I get the following on deploy:
>
> "{\"WFLYCTL0080: Failed services\" =>
> {\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" =>
> \"java.lang.RuntimeException: java.lang.IllegalStateException: The required
> mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT,
> FORM] from the HttpAuthenticationFactory.
> Caused by: java.lang.RuntimeException:
> java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not
> available in mechanisms [BASIC, CLIENT_CERT, FORM] from the
> HttpAuthenticationFactory.
> Caused by: java.lang.IllegalStateException: The required mechanism
> 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from
> the HttpAuthenticationFactory.\"}}"
>
>
> If I try:
>
>
> /subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain)
>
> The command fails with:
>
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0212: Duplicate resource [
> (\"subsystem\" => \"undertow\"),
> (\"application-security-domain\" => \"other\")
> ]",
> "rolled-back" => true
> }
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 8:15 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> This seems to be related to your WAR deployment, though. Did you try to
> change the application-security-domain in both ejb3 and undertow subsystems
> to "other"? That way you don't need to specify a security domain, as "other"
> will be the default. IIRC, when you run the elytron adapter scripts an
> "other" application-security-domain is created in the undertow subsystem.
>
> On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski <ryans at jlab.org> wrote:
>
> Using the command:
>
>
> /subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
>
> Results in different error upon application deploy:
>
> 08:03:35,017 ERROR [org.jboss.as.controller.management-operation]
> (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed -
> address: ([("deployment" => "staff.war")]) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" =>
> ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" =>
> ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService
> is missing [jboss.security.security-domain.KeycloakDomain]"]
> }
>
>
> More log context attached.
>
>
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Wednesday, April 3, 2019 7:53 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> I found an error in the command that I gave to you. Could you try to change
> the name of the application-security-domain to "KeycloakDomain", instead of
> "other"?
>
> If it doesn't work I would prefer to try this out first before opening the
> JIRA. But I would appreciate it if you could at least try the change above first.
>
> On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski <ryans at jlab.org> wrote:
>
> Thanks for the idea. Unfortunately it didn't work. I still see:
>
> "WFLYCTL0412: Required services that are not installed:" =>
> ["jboss.security.security-domain.KeycloakDomain"]
>
> I am using only local EJBs. I guess I must stick with the legacy Wildfly
> client adapter. Looks like the JIRA to address the EJB propagation issue
> has been closed. Can we re-open it?
>
> See: https://issues.jboss.org/browse/KEYCLOAK-5665
> ------------------------------
> *From:* Pedro Igor Silva <psilva at redhat.com>
> *Sent:* Tuesday, April 2, 2019 9:07 PM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate
> security domain to EJB
>
> Hi,
>
> I guess it is a local EJB? If so, could you try configuring the EJB
> subsystem with an application-security-domain as follows:
>
>
> /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
>
> Regards.
>
> On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski <ryans at jlab.org> wrote:
>
> Has anyone been able to propagate the Keycloak security domain in Wildfly
> Elytron client adapter to EJBs in an application using jboss-ejb3.xml?
> Creating a single file that is bundled with the application war seems like
> a better solution than importing and applying a JBoss-specific annotation
> (@SecurityDomain) to hundreds of EJBs.
>
> I placed the file into WEB-INF with contents:
>
> <?xml version="1.1" encoding="UTF-8"?>
> <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
>                xmlns="http://java.sun.com/xml/ns/javaee"
>                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                xmlns:s="urn:security"
>                xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
>                version="3.1" impl-version="2.0">
>   <assembly-descriptor>
>     <s:security>
>       <ejb-name>*</ejb-name>
>       <s:security-domain>keycloak</s:security-domain>
>     </s:security>
>   </assembly-descriptor>
> </jboss:ejb-jar>
>
> I also tried label "KeycloakDomain" instead of "keycloak". In either case
> I get the following error when I attempt to deploy the war file:
>
> "WFLYCTL0412: Required services that are not installed:" =>
> ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
> "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE
> is missing [jboss.security.security-domain.KeycloakDomain]",
>
> "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService
> is missing [jboss.security.security-domain.KeycloakDomain]",
>
> "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is
> missing [jboss.security.security-domain.KeycloakDomain]"
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
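As an added example that is not part of the thread, the Keycloak project or the Wildfly code base: a local EJB and a servlet in the same WAR that both read the caller identity, with no @SecurityDomain annotation and no jboss-ejb3.xml, relying only on the `/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)` mapping discussed above. The class names, the `/whoami` path and the role name `staff-admin` are assumptions; the `javax.*` packages match Wildfly 16.

```java
// ---- WhoAmIFacade.java (hypothetical bean; local EJB, no @SecurityDomain) ----
package org.example.staff;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;

@Stateless
public class WhoAmIFacade {

    @Resource
    private SessionContext ctx;

    // EJB-standard view of the caller. With the ejb3 "other"
    // application-security-domain mapped to KeycloakDomain this is the
    // Keycloak user; the name is whatever the adapter's principal-attribute
    // setting produces ("sub" unless configured otherwise).
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "anonymous" : p.getName();
    }

    // Container-enforced role check on the propagated identity.
    // "staff-admin" is an assumed role name; it must exist among the
    // realm/client roles the Keycloak adapter maps for this deployment.
    @RolesAllowed("staff-admin")
    public int adminOnlyOperation() {
        return 42;
    }

    // Elytron view of the same call: confirms the EJB layer resolved the
    // identity through an Elytron domain rather than the legacy "other" domain.
    public String elytronSummary() {
        SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            return "no Elytron domain on this thread";
        }
        SecurityIdentity id = domain.getCurrentSecurityIdentity();
        StringBuilder roles = new StringBuilder();
        for (String r : id.getRoles()) {
            roles.append(r).append(' ');
        }
        return id.getPrincipal().getName() + " roles=[" + roles.toString().trim() + "]";
    }
}

// ---- WhoAmIServlet.java (hypothetical; calls the bean and compares both views) ----
package org.example.staff;

import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    @EJB
    private WhoAmIFacade facade;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Web-layer identity established by the KEYCLOAK HTTP mechanism.
        // /whoami must be covered by a security-constraint in web.xml,
        // otherwise getUserPrincipal() is null.
        String webUser = req.getUserPrincipal() == null
                ? "anonymous" : req.getUserPrincipal().getName();
        String ejbUser = facade.callerName();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("web principal : " + webUser);
        out.println("ejb principal : " + ejbUser);
        out.println("elytron       : " + facade.elytronSummary());
        // The check this thread is about: both layers must agree. If the
        // ejb3 application-security-domain mapping is missing, the EJB
        // does not see the Keycloak identity and this prints false.
        out.println("propagated    : " + webUser.equals(ejbUser));
        try {
            out.println("admin op      : " + facade.adminOnlyOperation());
        } catch (EJBAccessException denied) {
            out.println("admin op      : denied (" + denied.getMessage() + ")");
        }
    }
}
```

Log in through Keycloak and request /whoami: "propagated : true" means the servlet and the local EJB resolved the same identity through KeycloakDomain. One caveat on the mapping itself: "other" is the ejb3 subsystem's default security domain, so after the `:add` every EJB in the server that does not name its own domain is now resolved through KeycloakDomain; deployments that authenticate by other means should declare their own application-security-domain rather than inherit this one.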