Elytron question regarding security domains


Aljaž Koželj

Nov 3, 2022, 1:10:03 PM11/3/22
to WildFly
Hi,

we are currently migrating from WildFly 10.1.0 to WildFly 26.1.2. It worked perfectly on WF 24, but now I have to remove the legacy security modules.

Our legacy security:

In our WF10 app, we had a custom legacy security domain "my-domain" that used a few login modules. The only place it was used was in the management configuration:

<management>
     <security-realms>
         <security-realm name="ManagementRealm">
             ...
         </security-realm>
         <security-realm name="ApplicationRealm">
             ...
             <authentication>
                 <jaas name="my-security"/>
             </authentication>
         </security-realm>
     </security-realms>
     ...
</management>

Additionally, we used a security domain in our EJBs by annotating them with @SecurityDomain("my-domain"). jboss-web.xml has this configured.

WF26 Defaults

By default WF26 comes with ApplicationDomain and ManagementDomain security domains, but they are not. Each have a properties-realm configured, ApplicationRealm and ManagementRealm respectively.

I see that ApplicationDomain is used in multiple locations. The most interesting for me are:

In EJB subsystem:
<default-security-domain value="other"/>
<application-security-domains>
     <application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>

In Undertow subsystem:
<subsystem xmlns="urn:jboss:domain:undertow:12.0" ... default-security-domain="other" ...>
     ...
    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
    </application-security-domains>
</subsystem>

I write about these so I can formulate my questions better.

Current migration
In the Elytron subsystem I created a new security domain called my-domain and configured a new JDBC realm for it. Additionally, I added the ApplicationRealm realm, since we also use a user from the application-users.properties file. I also created an http-authentication-factory and a sasl-authentication-factory, basically mimicking what ApplicationDomain had.

Then I replaced "ApplicationDomain" with "my-domain" in the EJB and Undertow subsystems and it seems to work?

Questions:
  1. Can I just replace all usages of ApplicationDomain with my-domain in standalone-full.xml? Is there any benefit to having ApplicationDomain if we never use it (at least I think we don't)?
  2. What exactly are application-security-domains in the context of the Undertow and EJB subsystems? In the EJB one I think it made @SecurityDomain("my-domain") work, but I have no clue what Undertow gets from it.
  3. I see that the default domain in both the EJB and Undertow subsystems is "other". If "other" is not configured, does it do anything?
  4. How can I configure HTTP remoting to use an http-authentication-factory? I only seem to be able to configure it for a sasl-authentication-factory.

Thanks!
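A worked Elytron configuration for the migration described in the post, added here as an editor's example; it is not the poster's actual configuration or stock WildFly output. It defines my-domain backed by both a JDBC realm and the properties-based ApplicationRealm, gives it an HTTP and a SASL authentication factory, and wires the domain into the EJB, Undertow and Remoting subsystems. The realm names my-jdbc-realm and my-combined-realm, the datasource MyDS, the users table and its SQL, SHA-256 digest password storage, the factory names my-http-authentication and my-sasl-authentication, and the subsystem namespace versions are all assumptions to adjust for a real deployment.

```xml
<!-- Added example, not the poster's configuration. Namespace versions, realm and factory
     names, the MyDS datasource and the users table layout are assumptions. -->
<subsystem xmlns="urn:wildfly:elytron:15.1" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <security-domains>
        <!-- A domain with several <realm> entries authenticates against default-realm only,
             unless a realm-mapper selects another one. To consult both the database and
             application-users.properties, make default-realm a distributed-realm that
             tries each backing realm in turn until the identity is found. -->
        <security-domain name="my-domain" default-realm="my-combined-realm" permission-mapper="default-permission-mapper">
            <realm name="my-combined-realm" role-decoder="groups-to-roles"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <!-- Passwords stored as Base64 SHA-256 digests in column 1, group name in column 2.
             Prefer a digest mapper over clear-password-mapper, which needs plaintext
             passwords in the database. -->
        <jdbc-realm name="my-jdbc-realm">
            <principal-query sql="SELECT password, role FROM users WHERE username = ?" data-source="MyDS">
                <simple-digest-mapper algorithm="simple-digest-sha-256" password-index="1"/>
                <attribute-mapping>
                    <attribute to="groups" index="2"/>
                </attribute-mapping>
            </principal-query>
        </jdbc-realm>
        <!-- Same properties-realm the stock ApplicationDomain uses (add-user.sh maintains these files) -->
        <properties-realm name="ApplicationRealm">
            <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
            <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </properties-realm>
        <!-- Order matters: the first realm in which the user exists answers -->
        <distributed-realm name="my-combined-realm" realms="my-jdbc-realm ApplicationRealm"/>
    </security-realms>
    <http>
        <http-authentication-factory name="my-http-authentication" security-domain="my-domain" http-server-mechanism-factory="global">
            <mechanism-configuration>
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="my-domain"/>
                </mechanism>
                <mechanism mechanism-name="FORM"/>
            </mechanism-configuration>
        </http-authentication-factory>
    </http>
    <sasl>
        <sasl-authentication-factory name="my-sasl-authentication" sasl-server-factory="configured" security-domain="my-domain">
            <mechanism-configuration>
                <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                <!-- DIGEST-MD5 needs a realm that can supply digest-compatible credentials,
                     which the properties realm does; SHA-256 digests from the JDBC realm do not.
                     PLAIN verifies against either realm, so only offer it over TLS. -->
                <mechanism mechanism-name="DIGEST-MD5">
                    <mechanism-realm realm-name="ApplicationRealm"/>
                </mechanism>
                <mechanism mechanism-name="PLAIN"/>
            </mechanism-configuration>
        </sasl-authentication-factory>
    </sasl>
</subsystem>

<!-- ejb3 subsystem (xmlns omitted; other elements unchanged): maps the "other" application
     security domain, which @SecurityDomain("other") and the default refer to, onto my-domain -->
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
    <default-security-domain value="other"/>
    <application-security-domains>
        <application-security-domain name="other" security-domain="my-domain"/>
    </application-security-domains>
</subsystem>

<!-- undertow subsystem (other elements unchanged) -->
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-security-domain="other">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <!-- EJB invocation over plain HTTP (/wildfly-services) is authenticated by an
                 http-authentication-factory, not a SASL factory -->
            <http-invoker http-authentication-factory="my-http-authentication"/>
        </host>
    </server>
    <application-security-domains>
        <!-- security-domain= uses the mechanisms declared in web.xml; use
             http-authentication-factory= here instead to force the factory's mechanisms -->
        <application-security-domain name="other" security-domain="my-domain"/>
    </application-security-domains>
</subsystem>

<!-- remoting subsystem (xmlns omitted): the HTTP-upgrade remoting connector used by
     remote EJB clients is SASL-authenticated after the upgrade handshake -->
<subsystem xmlns="urn:jboss:domain:remoting:5.0">
    <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="my-sasl-authentication"/>
</subsystem>
```

Before switching the application over, check which realm actually answers for a given user with the CLI operation /subsystem=elytron/security-domain=my-domain:read-identity(name=alice) (alice is a placeholder); the returned attributes show whether the database or application-users.properties supplied the identity and which groups the role decoder will see.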

