Re: Wildfly 32.0.1 legacy security domain error even after migrating to elytron


Rebecca Searls

Jun 13, 2024, 10:14:42 AM
to Goren Zicwar, WildFly
Is your application using EJBs?

On Wed, Jun 12, 2024 at 5:21 AM Goren Zicwar <wicza...@gmail.com> wrote:
Hi all,
We are upgrading our webservices from WildFly 18.0.1 to WildFly 32.0.1. We are facing an issue with the migration of an existing picketbox security domain to an elytron security domain. I configured a new security domain in elytron as mentioned in the WildFly documentation: https://docs.wildfly.org/32/WildFly_Elytron_Security.html#Migrate_Legacy_Security_to_Elytron_Security

Still it's giving me an error saying: WFLYEJB0530: The deployment is configured to use a legacy security domain 'application-security' which is no longer supported

jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <context-root><!--our web app context root--></context-root>
    <security-domain>application-security</security-domain>
</jboss-web>

web.xml contents

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>application-properties</realm-name>
</login-config>

standalone.xml contents

<subsystem xmlns="urn:wildfly:elytron:community:18.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    ...
    <security-domains>
        ...
        <security-domain name="application-security" default-realm="application-properties" permission-mapper="default-permission-mapper">
            <realm name="application-properties"/>
        </security-domain>
    </security-domains>
    <security-realms>
        ...
        <properties-realm name="application-properties" groups-attribute="Roles">
            <users-properties path="example-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="Application Security" plain-text="true"/>
            <groups-properties path="example-roles.properties" relative-to="jboss.server.config.dir"/>
        </properties-realm>
    </security-realms>
    ...
    <http>
        ...
        <http-authentication-factory name="application-security-http" http-server-mechanism-factory="global" security-domain="application-security">
            <mechanism-configuration>
                <mechanism mechanism-name="FORM"/>
            </mechanism-configuration>
        </http-authentication-factory>
        ...
    </http>
    ...
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:14.0">
    ...
    <application-security-domains>
        <application-security-domain name="application-security" http-authentication-factory="application-security-http"/>
    </application-security-domains>
    ...
</subsystem>

This is all implemented as per the WildFly documentation, and there is no reference to the old security domain configuration in the entire standalone.xml. I am still unable to understand how it's considering the security domain as legacy. Someone please help out. Thanks


Goren Zicwar

Jun 13, 2024, 11:26:58 PM
to WildFly
Yes there are some EJBs in our web app

Rebecca Searls

Jun 14, 2024, 9:16:50 AM
to Goren Zicwar, WildFly
In ejb3 subsystem change ApplicationDomain to be application-security

<subsystem xmlns="urn:jboss:domain:ejb3:10.0">
    ...
    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
    </application-security-domains>
    ...
</subsystem>


Goren Zicwar

Jun 14, 2024, 11:04:26 AM
to WildFly
I tried this, still got the same error.
WFLYEJB0530: The deployment is configured to use a legacy security domain 'application-security' which is no longer supported."},

An interesting observation, if I give any name of security domain in jboss-web.xml, it gives the same error (i.e. even if no security domain is defined in standalone.xml)
For example, I deployed my web app with following jboss-web.xml


<jboss-web>
    <context-root><!--our web app context root--></context-root>
    <security-domain>AnyFakeName</security-domain>
</jboss-web>

It gave me the same error:
WFLYEJB0530: The deployment is configured to use a legacy security domain 'AnyFakeName' which is no longer supported."},



Does this mean the issue may be in my web app configuration somehow?

Rebecca Searls

Jun 17, 2024, 4:15:21 PM
to Goren Zicwar, WildFly
In ejb3 subsystem the application-security-domain name="other"
should also be the name of your security domain.  So the updated
ejb3 xml should look like this

<subsystem xmlns="urn:jboss:domain:ejb3:10.0">
    ...
    <application-security-domains>
        <application-security-domain name="application-security" security-domain="application-security"/>
    </application-security-domains>
    ...
</subsystem>
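
A check for the mismatch discussed in this thread, as an added example that is not part of the original messages or of WildFly itself: it reads the security domain named in jboss-web.xml and reports when the ejb3 or undertow subsystem has no `application-security-domain` entry with that same name, or when the entry points at an Elytron domain that is not defined. The function names and the sample XML are constructed for illustration; subsystem namespaces are matched without their version suffix.

```python
import xml.etree.ElementTree as ET

def local(el):
    """Element name without its '{namespace}' prefix."""
    return el.tag.rsplit("}", 1)[-1]

def entries(root, marker, container, item):
    """<item> children of <container> in the subsystem whose namespace contains marker."""
    return [i for s in root.iter() if local(s) == "subsystem" and marker in s.tag
            for c in s.iter() if local(c) == container
            for i in c if local(i) == item]

def check_mapping(standalone_xml, jboss_web_xml):
    """List the mapping problems for the security domain named in jboss-web.xml."""
    web = ET.fromstring(jboss_web_xml)
    domain = next(e.text.strip() for e in web.iter() if local(e) == "security-domain")
    root = ET.fromstring(standalone_xml)
    elytron = {d.get("name") for d in entries(root, ":elytron:", "security-domains", "security-domain")}
    problems = []
    for sub in ("ejb3", "undertow"):
        maps = {m.get("name"): m for m in entries(
            root, f":{sub}:", "application-security-domains", "application-security-domain")}
        if domain not in maps:
            problems.append(f"{sub}: no application-security-domain named '{domain}'")
            continue
        target = maps[domain].get("security-domain")  # absent when a factory is referenced
        if target is not None and target not in elytron:
            problems.append(f"{sub}: '{domain}' maps to undefined Elytron domain '{target}'")
    return problems

# Constructed sample modelled on the fragments in this thread; {ejb_name} is filled in below.
SAMPLE = """<server>
 <subsystem xmlns="urn:wildfly:elytron:community:18.0"><security-domains>
  <security-domain name="application-security" default-realm="application-properties"/>
 </security-domains></subsystem>
 <subsystem xmlns="urn:jboss:domain:undertow:14.0"><application-security-domains>
  <application-security-domain name="application-security" http-authentication-factory="application-security-http"/>
 </application-security-domains></subsystem>
 <subsystem xmlns="urn:jboss:domain:ejb3:10.0"><application-security-domains>
  <application-security-domain name="{ejb_name}" security-domain="application-security"/>
 </application-security-domains></subsystem>
</server>"""
JBOSS_WEB = "<jboss-web><security-domain>application-security</security-domain></jboss-web>"

if __name__ == "__main__":
    for name in ("other", "application-security"):
        print(name, "->", check_mapping(SAMPLE.format(ejb_name=name), JBOSS_WEB) or "OK")
```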



Goren Zicwar

Jun 19, 2024, 3:35:45 AM
to WildFly
Hello,
Keeping name and security domain name the same in the ejb3 application-security-domain fixed the issue. Thank you!

I have another question related to the same security domain. WildFly 18 has a separate security domain subsystem <subsystem xmlns="urn:jboss:domain:security:2.0"> in which we have a security domain java:/jaas/other. It was created as an exact copy of the "other" security domain which is pre-existing in the subsystem, with other pre-existing domains like jboss-web-policy, jaspitest and jboss-ejb-policy. There was no separate realm defined for it, nor for the pre-existing domains.

<subsystem xmlns="urn:jboss:domain:security:2.0">
            <security-domains>
                <security-domain name="java:/jaas/other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="jboss-web-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jaspitest" cache-type="default">
                    <authentication-jaspi>
                        <login-module-stack name="dummy">
                            <login-module code="Dummy" flag="optional"/>
                        </login-module-stack>
                        <auth-module code="Dummy"/>
                    </authentication-jaspi>
                </security-domain>
                <security-domain name="jboss-ejb-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
            </security-domains>
</subsystem>

Now in WildFly 32 this subsystem is removed. So do we need to migrate these pre-existing security domains to elytron in WildFly 32? And secondly, to migrate the custom domain java:/jaas/other to WildFly 32, what approach should be followed for these kinds of security domains which have no security realms defined and have some default login modules?

Bartosz Baranowski

Jun 19, 2024, 7:23:52 AM
to WildFly

1. AFAIR Yes
2. I think there is a bit of functional difference between legacy and elytron and you might have to define realms.

Goren Zicwar

Jun 19, 2024, 9:01:59 AM
to WildFly
1. AFAIR Yes
=> Ok. The doubt I have here is that the security domains jboss-web-policy, jaspitest and jboss-ejb-policy were part of the standalone xml provided by WildFly 18 and not custom created, and we never directly referred to or used any of them in any of our WildFly configuration or webservice project. In this case would they still be necessary to be defined in elytron? Also, since these were part of the security domain subsystem provided out of the box by WildFly 18, any idea on why they were not included in recent WildFly updates out of the box?


2. I think there is a bit of functional difference between legacy and elytron and you might have to define realms.
The problem with defining realms is what configuration to mention in them. I am referring to Wildfly 32 Elytron security documentation WildFly Elytron Security 20.4 Composite stores migration. Our old custom security domain java:/jaas/other has nothing other than authentication with <module-option name="password-stacking" value="useFirstPass"/> inside it, so I am finding it hard to relate with the provided documentation.

Any further guidance would be greatly appreciated!