
Wildfly 9 security domains won't work


I'm migrating a big web app from jboss as 6 to wildfly 9, and encountered a few impediments on the way.

One of them is the security domain.

The relevant part of the standalone.xml is as follows:

<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="jboss-web-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
        <security-domain name="jboss-ejb-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
        <security-domain name="mydomain" cache-type="default">
            <authentication>
                <login-module code="foo.token.LoginModule" flag="required">
                    <module-option name="hashAlgorithm" value="SHA-512"/>
                    <module-option name="hashEncoding" value="base64"/>
                    <module-option name="unauthenticatedIdentity" value="guest"/>
                    <module-option name="dsJndiName" value="jdbc/fooDS"/>
                    <module-option name="principalsQuery" value="select ..."/>
                    <module-option name="rolesQuery" value="select o.name, 'Roles' from roles up join ef_usuario ..."/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

The foo.token.LoginModule.java is something like this:

import java.security.Principal;

import javax.security.auth.login.LoginException;

import org.jboss.security.auth.spi.DatabaseServerLoginModule;

import lombok.NoArgsConstructor;                        // Lombok, assumed from the annotation
import com.google.common.annotations.VisibleForTesting; // Guava, assumed from the annotation

@NoArgsConstructor
public class FooLoginModule extends DatabaseServerLoginModule {

    private Principal principal;
    private String userName;

    // loginOk is the flag the parent class checks in commit(); reset it,
    // then let the additional validation decide the outcome.
    @Override
    public boolean login() throws LoginException {
        super.loginOk = false;
        super.loginOk = tryLogin();
        return super.loginOk;
    }

    protected boolean tryLogin() throws LoginException {
        if (doesSomeAdditionalLoginValidation()) {
            createPrincipal();
            return true;
        }
        return false;
    }

    @VisibleForTesting
    protected UserResourceClient createUserResourceClient() {
        return new UserResourceClient( createAuth(), createEndPoint() );
    }

    private EndPoint createEndPoint() {
        return new EndPointProvider( ... ).create();
    }

    private Auth createAuth() {
        return new AuthProvider( ... ).createAuth();
    }

    // createIdentity(String) is inherited from the JBoss login-module base class.
    private void createPrincipal() throws LoginException {
        try {
            principal = createIdentity( userName );
        } catch (Exception e) {
            throw new LoginException( PROCESSING_FAILED + "Failed to create principal: " + e.getMessage() );
        }
    }

    // The parent class calls these when it runs principalsQuery/rolesQuery and in commit().
    @Override
    protected String getUsername() {
        return userName;
    }

    @Override
    protected Principal getIdentity() {
        return principal;
    }

}

The app is deployed as an ear, so in the .war files I have a jboss-web.xml and in the .jar files I have a jboss-app.xml. jboss-web:

<jboss-web>
    <security-domain>mydomain</security-domain>
</jboss-web>

jboss-app:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-app>
    <security-domain>mydomain</security-domain>
</jboss-app>

But when the app tries to use a Stateless bean annotated with @SecurityDomain("mydomain"), I get access errors:

19:35:40,530 ERROR [org.jboss.as.ejb3.invocation] (default task-26) WFLYEJB0034: EJB Invocation failed on component FooService for method public java.lang.String foo.service.blah.FooService.find(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public java.lang.String foo.service.blah.FooService.find() of bean: FooService is not allowed

The FooService's code looks like:

@Stateless
@SecurityDomain("mydomain")
public class FooService {

    public List<Foo> find() {
        return ...;
    }
}

I see that the prefix java:/jaas/ has to be removed from everywhere, and I did that, but it still won't work.

I can't find anything else that seems related to this in the migration guides.

What am I missing?


Solution

  • In essence, the default behavior changed.

    On JBoss AS, the default behavior was @PermitAll if no role was specified; in WildFly it is configurable via default-missing-method-permissions-deny-access, and it defaults to @DenyAll.

    I changed my standalone.xml to something like this:

    <subsystem xmlns="urn:jboss:domain:ejb3:3.0">
        <!-- other stuff -->
        <default-missing-method-permissions-deny-access value="false"/>
        <!-- other stuff -->
    </subsystem>
    

    And it worked as before.
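
An added example, not code from the question or the answer: the same bean with the permission stated per method, so WildFly's secure default (deny access to methods with no permission annotation) can stay switched on instead of being disabled for the whole ejb3 subsystem. With the answer's fix every unannotated method on every bean becomes @PermitAll, and because "mydomain" sets unauthenticatedIdentity to guest, that includes callers who presented no credentials at all. The role name "admin" and the delete() method are assumptions for illustration; Foo is the entity type from the question.

```java
package foo.service.blah;

import java.util.ArrayList;
import java.util.List;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

// Example bean (not the poster's code). Assumes the WildFly default
//   <default-missing-method-permissions-deny-access value="true"/>
// is left in place; the equivalent jboss-cli command to set it explicitly is
//   /subsystem=ejb3:write-attribute(name=default-missing-method-permissions-deny-access,value=true)
@Stateless
@SecurityDomain("mydomain")
public class FooService {

    // Restores the JBoss AS 6 behaviour for this one method only: any caller,
    // including the "guest" unauthenticated identity, may invoke it.
    @PermitAll
    public List<Foo> find() {
        return new ArrayList<>();
    }

    // Only principals holding a role returned by the login module's rolesQuery
    // may call this. "admin" is an assumed role name.
    @RolesAllowed("admin")
    public void delete(Foo foo) {
        // ...
    }

    // A method with no security annotation stays denied under the default,
    // which is the WFLYEJB0364 error from the question. Adding @PermitAll or
    // @RolesAllowed here is the deliberate decision the global switch skips.
    public void unannotated() {
        // ...
    }
}
```

Annotating @PermitAll at class level gives the same result as the answer's switch but scoped to a single bean, which is the smallest change that keeps the rest of the deployment under the deny-by-default rule.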