Hi!
I'm in the process of porting an enterprise application with a
JSF webapp and EJBs from WildFly 10 to WildFly 26 (JavaEE 8). The
application uses an AuthenticationPlugIn (LoginModule) and its
own security-interceptor that checks for annotations on EJBs.
But only on remote EJB calls. Local EJB calls from the webapp are
always granted by the security-interceptor. The webapp itself
uses Apache Shiro for securing web-pages and backing-beans.
As our application has different mechanisms for authentication
(database, ldap, other custom variations), the login-module currently
handles all of this in a central place.
While porting I have a few goals that I want to achieve:
* get rid of the home-brewed security interceptor and annotations
* use portable mechanisms for authentication and authorization
* stay with Apache Shiro for webapp security
I've a few questions now:
1) I read about IdentityStores, which seem like a nice idea where
to put my code that was earlier located in the
Login-Module. However, it seems IdentityStores are only
intended for HttpAuthenticationMechanism which specifically is
not used for endpoints such as remote EJB beans.
Is that true? Is there some similar functionality that I could
use for remote EJB security as well?
2) I couldn't find anything about integrating Apache Shiro with
WildFly 26. However, I could probably do a programmatic container
login via SecurityContext.authenticate() after a successful shiro
login (or the other way around).
Would this be a valid approach? Any other ideas on integrating
Shiro with WildFly/Elytron?
3) My idea is that I keep the approach to allow all calls from
the webapp (CDI-beans, servlet) to EJBs. I read about
JBOSS-LOCAL-USER, but if I understand it correctly this is not
exactly what I want. How do I configure WildFly to allow all
local calls (where "local" means from the same WildFly
instance or from the same EAR)?
Many thanks in advance!
- martin
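The programmatic bridge proposed in question 2, as an added illustration that is not part of the original post: a JSF backing bean performs the Shiro login and then the container login through Jakarta Security's SecurityContext.authenticate(), and logs the Shiro subject out again if the container refuses, so neither layer is left authenticated on its own. It assumes an HttpAuthenticationMechanism with an IdentityStore is configured for the webapp and that a Shiro realm validates the same user store; the bean name and navigation outcomes are illustrative.

```java
// Added example, not from the original post. Assumes a Jakarta Security
// HttpAuthenticationMechanism/IdentityStore plus a Shiro realm backed by the
// same user store; LoginBean, "login" and "home" are illustrative names.
import javax.enterprise.context.RequestScoped;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

@Named
@RequestScoped
public class LoginBean {
    @Inject
    private SecurityContext securityContext;
    private String username; // bound to the login form
    private String password; // bound to the login form

    public void setUsername(String u) { username = u; }
    public void setPassword(String p) { password = p; }

    public String login() {
        Subject subject = SecurityUtils.getSubject();
        try {
            // Step 1: Shiro layer (web pages and backing beans).
            subject.login(new UsernamePasswordToken(username, password));
        } catch (AuthenticationException e) {
            return "login?faces-redirect=true"; // Shiro rejected the credentials
        }
        FacesContext fc = FacesContext.getCurrentInstance();
        HttpServletRequest req = (HttpServletRequest) fc.getExternalContext().getRequest();
        HttpServletResponse res = (HttpServletResponse) fc.getExternalContext().getResponse();
        // Step 2: container layer with the same credentials, so the caller
        // principal seen by the EJBs matches the Shiro subject.
        AuthenticationStatus status = securityContext.authenticate(req, res,
                AuthenticationParameters.withParams()
                        .credential(new UsernamePasswordCredential(username, password))
                        .newAuthentication(true));
        password = null; // drop the plaintext copy once both logins are done
        if (status != AuthenticationStatus.SUCCESS) {
            subject.logout(); // keep the two layers consistent: no half-logged-in state
            return "login?faces-redirect=true";
        }
        return "home?faces-redirect=true";
    }
}
```

The reverse order (container login first, then Shiro) works the same way; whichever layer authenticates second should undo the first on failure.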