WFLYCTL0013: Operation ("deploy") failed - EJBs cannot find security domain


Laura Schanno

Aug 12, 2025, 11:28:13 AM
to WildFly

Hello,


I’m running into errors when trying to secure my EJB services with a security domain named “datawave”. Some background: we’re migrating from WildFly 17 to WildFly 26 and have a need to use a custom security realm that will authenticate clients using certificates. After running my setup cli script and deploying our EAR to a standalone WildFly, I’m seeing the following errors:

2025-08-12 15:10:01,408 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread)  WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "datawave-ws-deploy-application-7.27.0-SNAPSHOT-dev.ear")]) - failure description: {
   "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.datawave"],
   "WFLYCTL0180: Services with missing/unavailable dependencies" => [
       "jboss.deployment.subunit.\"datawave-ws-deploy-application-7.27.0-SNAPSHOT-dev.ear\".\"gov.nsa.datawave.webservices-datawave-ws-query-7.27.0-SNAPSHOT.jar\".component.DashboardBean.CREATE is missing [jboss.security.security-domain.datawave]",
       "jboss.deployment.subunit.\"datawave-ws-deploy-application-7.27.0-SNAPSHOT-dev.ear\".\"gov.nsa.datawave.webservices-datawave-ws-common-7.27.0-SNAPSHOT.jar\".component.ConfigurationBean.CREATE is missing [jboss.security.security-domain.datawave]",
       "jboss.deployment.subunit.\"datawave-ws-deploy-application-7.27.0-SNAPSHOT-dev.ear\".\"gov.nsa.datawave.webservices-datawave-ws-accumulo-7.27.0-SNAPSHOT.jar\".component.ListUserAuthorizationsBean.CREATE is missing [jboss.security.security-domain.datawave]",
       "jboss.deployment.subunit.\"datawave-ws-deploy-application-7.27.0-SNAPSHOT-dev.ear\".\"gov.nsa.datawave.webservices-datawave-ws-model-7.27.0-SNAPSHOT.jar\".component.ModelBean.CREATE is missing [jboss.security.security-domain.datawave]",
...


I did not see any other errors in the logs other than this warning that seems unrelated:

2025-08-12 15:09:56,902 WARN  [org.jboss.as.server.deployment] (MSC service thread 1-6)  WFLYSRV0003: Could not index class module-info.class at /content/datawave-ws-deploy-application-7.27.0-SNAPSHOT-dev.ear/lib/si.uom-si-units-2.0.1.jar: java.lang.NullPointerException
 at org.jbos...@2.4.2.Final//org.jboss.jandex.Indexer.processModulePackages(Indexer.java:561)
 at org.jbos...@2.4.2.Final//org.jboss.jandex.Indexer.processAttributes(Indexer.java:434)
 at org.jbos...@2.4.2.Final//org.jboss.jandex.Indexer.index(Indexer.java:1985)
 at org.jboss...@18.1.2.Final//org.jboss.as.server.deployment.annotation.ResourceRootIndexer.indexResourceRoot(ResourceRootIndexer.java:99)
 at org.jboss...@18.1.2.Final//org.jboss.as.server.deployment.annotation.AnnotationIndexProcessor.deploy(AnnotationIndexProcessor.java:51)
 at org.jboss...@18.1.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:182)
 at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
 at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
 at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
 at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
 at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
 at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
 at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
 at java.base/java.lang.Thread.run(Thread.java:829)


The following are snippets from my configuration.cli script, run before the EAR is deployed, that focus on the security and EJB aspects, but I can provide the full cli if need be.


#
# Configure SSL (Elytron)
#

# Create the server key store.
/subsystem=elytron/key-store=serverKeyStore:add( \
 path=${KEYSTORE}, \
 credential-reference={clear-text="${KEYSTORE_PASSWORD}"}, \
 type=${KEYSTORE_TYPE})

# Create the server key manager.
/subsystem=elytron/key-manager=serverKeyManager:add( \
 key-store=serverKeyStore, \
 credential-reference={clear-text="${KEYSTORE_PASSWORD}"})

# Create the server trust store.
/subsystem=elytron/key-store=serverTrustStore:add( \
 path=${TRUSTSTORE}, \
 credential-reference={clear-text="${TRUSTSTORE_PASSWORD}"}, \
 type=${TRUSTSTORE_TYPE})

# Create the server trust manager.
/subsystem=elytron/trust-manager=serverTrustManager:add( \
 key-store=serverTrustStore)

# Create the server SSL context. The protocols "TLSv1.1" and "TLSv1.2" will be supported, a client certificate will be required on an SSL handshake, and the
# security-domain 'datawave' will be used for authentication during the SSL session establishment.
/subsystem=elytron/server-ssl-context=serverSSLContext:add( \
 key-manager=serverKeyManager, \
 trust-manager=serverTrustManager, \
 protocols=["TLSv1.1","TLSv1.2"], \
 want-client-auth=true, \
 security-domain=datawave)

#
# Configure datawave security domain (elytron)
#

# Create a custom realm that handles preparing the DatawavePrincipal during authentication.
# Options:
# - verifier=STRING (optional, default=null)
#       The class name of an org.jboss.security.auths.certs.X509CertificateVerifier that will be
# - ocspLevel=STRING (optional, default=null)
#       Sets the oscp level of the verifier. Required when the verifier is datawave.security.realm.DatawaveCertVerifier.
# - trustedHeaderLogin=BOOLEAN (optional, default=false)
#       When set to true, the client certificate will not be validated, and will be treated as a valid certificate.
# - jwtHeaderLogin=BOOLEAN (optional, default=false)
#       When set to true, the client certificate will not be validated, and the datawave principal will be created from the credential's jwt token.
# - requiredRoles=LIST (optional, default="AuthorizedUser:AuthorizedServer:AuthorizedQueryServer:AuthorizedProxiedServer:)
#       ':' delimited list of roles that either all entities in the call chain must contain at least one of, or else the required roles will not be retained for the final identity.
# - directRoles=LIST (optional, default="AuthorizedServer:AuthorizedQueryServer")
#       ':' delimited list of roles that must be present if the client is a terminal server
/subsystem=elytron/custom-realm=datawaveRealm:add( \
   class-name=datawave.security.realm.DatawavePrincipalSecurityRealm, \
   module="datawave.security.elytron", \
   configuration={ \
       verifier="datawave.security.realm.DatawaveCertVerifier", \
       ocspLevel="off", \
       allowUserProxying="false", \
       trustedHeaderLogin="${trusted.header.login}"})
/subsystem=elytron/security-domain=datawave:add(default-realm=datawaveRealm,realms=[{realm=datawaveRealm}])

# Add the security domain mapping to the EJB3 subsystem
/subsystem=ejb3/application-security-domain=datawaveApp:add(security-domain=datawave)

# Configure the HTTP/HTTPS listener for undertow
/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=record-request-start-time,value=true)
/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=record-request-start-time,value=true)

# Switch https-listener from the legacy security-realm to the Elytron server ssl context.
/subsystem=undertow/server=default-server/https-listener=https/:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=ssl-context,value=serverSSLContext)

# Add the SASL authentication factory to use SCRAM-SHA-512-PLUS for channel binding, and the security domain
/subsystem=elytron/sasl-authentication-factory=datawaveSASLFactory:add(sasl-server-factory=configured,security-domain=datawave,mechanism-configurations=[{mechanism-name=SCRAM-SHA-512-PLUS}])

# Add the remote HTTP connector using the HTTPS listener and SASL authentication factory
/subsystem=remoting/http-connector=datawaveHttpConnector:add(connector-ref=https,sasl-authentication-factory=datawaveSASLFactory)

# Add the remote HTTPS connector to the ejb3 subsystem
/subsystem=ejb3/service=remote:write-attribute(name=connectors,value=[datawaveConnector])



I was trying to follow this example. All of the EJB jars inside the EAR have the following /META-INF/jboss-ejb3.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<jboss:jboss
     xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:s="urn:security:1.1"
     version="3.1" impl-version="2.0">

<assembly-descriptor>
     <!-- Configure all beans in this EJB jar to use the "datawave" security domain -->
     <s:security>
         <ejb-name>*</ejb-name>
         <s:security-domain>datawave</s:security-domain>
     </s:security>
</assembly-descriptor>

</jboss:jboss>

At this point I’m uncertain where to start debugging this or if I’ve missed a step when configuring my EJBs to use the datawave domain. Any suggestions would be appreciated.


Bartosz Baranowski

Aug 18, 2025, 5:41:04 AM
to WildFly
I might be wrong but this does look sus:
/subsystem=ejb3/application-security-domain=datawaveApp:add(security-domain=datawave)
vs
<s:security-domain>datawave</s:security-domain>

Laura Schanno

Aug 18, 2025, 1:48:58 PM
to WildFly
Bartosz,

You pointed me in the right direction. It was indeed an issue with the application-security-domain configuration; I needed to use the name 'datawave' instead for the mapped EJB security domain, as shown below.

/subsystem=ejb3/application-security-domain=datawave:add(security-domain=datawave)

The EJBs are now able to correctly discover the mapped datawave security domain. Thank you!
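The root cause in this thread is a name mismatch: the EJB container resolves the `<s:security-domain>` name from jboss-ejb3.xml against the name of an `application-security-domain` in the ejb3 subsystem, not against the Elytron domain it maps to. The following pre-deployment check is an added example, not code from the thread or from WildFly; it parses a CLI script and one or more jboss-ejb3.xml descriptors (constructed samples modelled on the posts, with `datawaveApp` vs `datawave`) and reports any descriptor domain that no ejb3 mapping provides.

```python
import re
import xml.etree.ElementTree as ET

# Matches the ejb3 mapping line of a WildFly CLI script and captures both names, e.g.
# /subsystem=ejb3/application-security-domain=datawaveApp:add(security-domain=datawave)
APP_DOMAIN_RE = re.compile(
    r"^/subsystem=ejb3/application-security-domain=(?P<app>[\w.-]+):add\("
    r"[^)]*?security-domain=(?P<elytron>[\w.-]+)"
)
JBOSS_EJB3_NS = {"s": "urn:security:1.1"}  # namespace used by <s:security-domain>

# Constructed sample inputs: the mismatched line from the first post, the corrected
# line from the last post, and a minimal jboss-ejb3.xml like the one in the EAR.
BROKEN_CLI = "/subsystem=ejb3/application-security-domain=datawaveApp:add(security-domain=datawave)\n"
FIXED_CLI = "/subsystem=ejb3/application-security-domain=datawave:add(security-domain=datawave)\n"
SAMPLE_EJB3_XML = """<jboss:jboss xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:jboss="http://www.jboss.com/xml/ns/javaee" xmlns:s="urn:security:1.1"
    version="3.1" impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>datawave</s:security-domain>
    </s:security>
  </assembly-descriptor>
</jboss:jboss>
"""


def cli_app_domains(cli_text):
    """Map each application-security-domain name to the Elytron domain it points at."""
    mapping = {}
    for line in cli_text.splitlines():
        m = APP_DOMAIN_RE.match(line.strip())
        if m:
            mapping[m.group("app")] = m.group("elytron")
    return mapping


def ejb3_xml_domains(xml_text):
    """Collect every <s:security-domain> name referenced by a jboss-ejb3.xml."""
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iterfind(".//s:security-domain", JBOSS_EJB3_NS) if el.text}


def unmapped_domains(cli_text, xml_texts):
    """Descriptor domain names with no ejb3 application-security-domain of that name.
    A non-empty result is the condition behind the WFLYCTL0412 failure in this thread."""
    referenced = set().union(*(ejb3_xml_domains(x) for x in xml_texts))
    return referenced - set(cli_app_domains(cli_text))


if __name__ == "__main__":
    print("broken config, unmapped:", unmapped_domains(BROKEN_CLI, [SAMPLE_EJB3_XML]))
    print("fixed config, unmapped: ", unmapped_domains(FIXED_CLI, [SAMPLE_EJB3_XML]))
```

Run it against the real configuration.cli and the jboss-ejb3.xml of every EJB jar in the EAR before deploying; an empty result for every descriptor means each referenced domain has a matching ejb3 mapping.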