[wildfly-dev] Read Elytron security domain from Undertow's ApplicationSecurityDomainService

Jim Ma ema at redhat.com
Wed May 6 03:09:44 EDT 2020


Hi Darran,
Did you get time to look at this reproducer? Any findings?
Thanks,
Jim

On Thu, Apr 2, 2020 at 2:00 PM Jim Ma <ema at redhat.com> wrote:

> Thanks Darran.  I uploaded the war deployment and reproduce steps readme
> to https://github.com/jimma/elytron-null-securitydomain.
> Let me know if this helps to debug why the SecurityDomain is not
> associated.
>
> On Thu, Apr 2, 2020 at 12:33 AM Darran Lofthouse <
> darran.lofthouse at jboss.com> wrote:
>
>> TBH Jim, I think I would need to dig into the code with a debugger to
>> double check what is happening there.
>>
>> SecurityDomain.getCurrent() will return null when no SecurityDomain is
>> associated with the deployment, the DeploymentUnitProcessor added for the
>> Elytron integration essentially checks what SecurityDomain name Undertow
>> was going to use and then checks if it should swap in an Elytron
>> SecurityDomain instead.
>>
>> If SecurityDomain association is being skipped due to the lack of a
>> security-constraint we should probably revisit that as there are plenty of
>> scenarios where association of a SecurityDomain would make sense even if
>> the constraints are not defined in the web.xml.
>>
>>
>> On Wed, Apr 1, 2020 at 11:29 AM Jim Ma <ema at redhat.com> wrote:
>>
>>> Hi Darran,
>>>
>>> SecurityDomain.getCurrent() returns null when there is an "other"
>>> security domain in jboss-web.xml and no "security-constraint" defined
>>> in web.xml, like:
>>>
>>> -------------jboss-web.xml---------------------
>>> <jboss-web>
>>>    <security-domain>other</security-domain>
>>> </jboss-web>
>>> --------------web.xml------------------------------
>>> <web-app
>>>    version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
>>>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>> http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
>>>    <servlet>
>>>       <servlet-name>TestService</servlet-name>
>>>       <servlet-class>org.jboss.test.ws.jaxws.samples.wsse.policy.jaas.ServiceImpl</servlet-class>
>>>    </servlet>
>>>    <servlet-mapping>
>>>       <servlet-name>TestService</servlet-name>
>>>       <url-pattern>/*</url-pattern>
>>>    </servlet-mapping>
>>> </web-app>
>>>
>>> Does this mean the Elytron security domain mapped by Undertow's "other"
>>> application domain is only enforced/set for a web deployment which contains a
>>> <security-constraint> deployment descriptor?
>>> When does SecurityDomain.getCurrent() return a null value?
>>>
>>> Thanks,
>>> Jim
>>>
>>> On Mon, Mar 16, 2020 at 6:35 PM Darran Lofthouse <
>>> darran.lofthouse at jboss.com> wrote:
>>>
>>>> Yes there should be no difference at runtime, if we identified the
>>>> Elytron domain via the default security domain it should still be
>>>> associated with the deployment in the same way.
>>>>
>>>> On Mon, Mar 16, 2020 at 10:33 AM Jim Ma <ema at redhat.com> wrote:
>>>>
>>>>> Will this work for the Elytron SecurityDomain referenced by Undertow's
>>>>> default "other" application security domain?
>>>>>
>>>>> On Mon, Mar 16, 2020 at 6:26 PM Darran Lofthouse <
>>>>> darran.lofthouse at jboss.com> wrote:
>>>>>
>>>>>> Overall it is the SecurityDomain.getCurrent method you need:
>>>>>>
>>>>>>
>>>>>> https://wildfly-security.github.io/wildfly-elytron/master-public/org/wildfly/security/auth/server/SecurityDomain.html#getCurrent()
>>>>>>
>>>>>> If a SecurityDomain is associated with the Thread's context class
>>>>>> loader it will be returned.
>>>>>>
>>>>>> On Mon, Mar 16, 2020 at 10:22 AM Jim Ma <ema at redhat.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Mar 16, 2020 at 6:07 PM Darran Lofthouse <
>>>>>>> darran.lofthouse at jboss.com> wrote:
>>>>>>>
>>>>>>>> I don't know if it will help but the SecurityDomain is associated
>>>>>>>> with the ClassLoader of the deployment, not sure if that could be an
>>>>>>>> alternative way for WS to access it.
>>>>>>>>
>>>>>>> I'll try it. Can you please point me to some code example or test
>>>>>>> code?
>>>>>>>
>>>>>>>
>>>>>>>> The thing that is complicating it for now is the dual mode with
>>>>>>>> PicketBox, once we remove PicketBox a deployment will either have an
>>>>>>>> Elytron SecurityDomain or it will not.
>>>>>>>>
>>>>>>> Yes. Now webservice has to add many PicketBox or Elytron checks to
>>>>>>> do the following actions. We wrap this as much as possible with an SPI
>>>>>>> interface.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 13, 2020 at 8:20 AM Jim Ma <ema at redhat.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Thu, Mar 12, 2020 at 8:12 PM Darran Lofthouse <
>>>>>>>>> darran.lofthouse at jboss.com> wrote:
>>>>>>>>>
>>>>>>>>>> Is it possible to identify the relevant
>>>>>>>>>> DeploymentUnitProcessors in this process along with their phase and
>>>>>>>>>> priority so we can check the ordering?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The Elytron security domain service mapped by "other" is
>>>>>>>>> required to be read in EndpointServiceDeploymentAspect. It's installed
>>>>>>>>> in Phase.INSTALL with Phase.INSTALL_WS_DEPLOYMENT_ASPECTS priority. It
>>>>>>>>> runs before UndertowDeploymentProcessor.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> What may be more appropriate is for the Undertow DUP to attach
>>>>>>>>>> something which identifies the SecurityDomain instead of the web services
>>>>>>>>>> DUP relying on internal API / repeating the same checks already performed
>>>>>>>>>> within Undertow.
>>>>>>>>>>
>>>>>>>>>> In the future we will be removing all of the application security
>>>>>>>>>> domain resources so coordinating using attachments will hopefully also
>>>>>>>>>> future proof any fix.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It looks like this attachment should be set in some Undertow DUP
>>>>>>>>> before UndertowDeploymentProcessor. WebService needs a SecurityContext to
>>>>>>>>> call the EJB ws endpoint method or webservice endpoint method:
>>>>>>>>>
>>>>>>>>> https://github.com/wildfly/wildfly/blob/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/invocation/AbstractInvocationHandler.java#L114
>>>>>>>>> Is there a better API/approach to perform this kind of method
>>>>>>>>> invocation?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Jim
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Darran Lofthouse.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Thu, Mar 12, 2020 at 11:45 AM Jim Ma <ema at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> There is a ws deployment failure issue [1] which is caused by the
>>>>>>>>>>> Webservice subsystem not correctly getting the mapped Elytron security domain
>>>>>>>>>>> from the web deployment's default "other"
>>>>>>>>>>> application security domain. I tried to fix this by reading the
>>>>>>>>>>> Elytron security domain from Undertow's started services, but it looks like
>>>>>>>>>>> ApplicationSecurityDomainService is now private static and it doesn't provide a
>>>>>>>>>>> getter that allows getting the Elytron security domain. The Webservice subsystem
>>>>>>>>>>> requires an Undertow service like the ApplicationSecurityDomainService [2]
>>>>>>>>>>> started by the EJB subsystem to read the Elytron security domain. Is it doable
>>>>>>>>>>> to change Undertow's ApplicationSecurityDomainService to provide the mapped
>>>>>>>>>>> security domain? Or is there any better approach to get the mapped Elytron domain?
>>>>>>>>>>>
>>>>>>>>>>> [1] https://issues.redhat.com/browse/WFLY-12765
>>>>>>>>>>> [2] https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jboss/as/ejb3/subsystem/ApplicationSecurityDomainService.java
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Jim
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> wildfly-dev mailing list
>>>>>>>>>>> wildfly-dev at lists.jboss.org
>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>>>>>>>>>
>>>>>>>>>>
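The thread above notes that SecurityDomain.getCurrent() resolves the Elytron domain through the thread's context class loader and returns null when no domain is associated with the deployment. The following is an added illustration, not code from the thread or from WildFly, of how a caller such as a WS invocation handler can fail closed on that null instead of treating it as "no security"; the class and method names are hypothetical, and it assumes the standard org.wildfly.security.auth.server API on the classpath.

```java
import java.security.Principal;
import java.util.function.Supplier;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;

/** Hypothetical helper: resolves the caller for an endpoint invocation, failing closed. */
public final class EndpointCallerResolver {

    private EndpointCallerResolver() {}

    /**
     * Returns the Elytron SecurityDomain associated with the current thread's
     * context class loader, or throws. A null here means the deployment was
     * never associated with a domain, which must not be mistaken for
     * "unsecured": refuse the invocation rather than proceed without an identity.
     */
    public static SecurityDomain requireDomain() {
        SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            throw new SecurityException(
                "No Elytron SecurityDomain associated with deployment class loader "
                + Thread.currentThread().getContextClassLoader());
        }
        return domain;
    }

    /** Returns the authenticated caller principal, rejecting anonymous callers. */
    public static Principal requireCallerPrincipal() {
        SecurityIdentity identity = requireDomain().getCurrentSecurityIdentity();
        if (identity == null || identity.isAnonymous()) {
            throw new SecurityException("Endpoint invoked without an authenticated identity");
        }
        return identity.getPrincipal();
    }

    /**
     * Because getCurrent() keys on the context class loader, work dispatched on
     * another thread must run with the deployment's class loader set as TCCL.
     * The previous loader is always restored so the thread is not left polluted.
     */
    public static <T> T withDeploymentClassLoader(ClassLoader deploymentLoader, Supplier<T> action) {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(deploymentLoader);
        try {
            return action.get();
        } finally {
            current.setContextClassLoader(previous);
        }
    }
}
```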