
Wildfly Security Subsystem: Migrating from Legacy to Elytron, security-domain not found


I am trying to migrate a project from using Legacy Security to using Elytron Security.

Until now (Legacy), all that was required for the authentication to work, was to create a Security Domain in Subsystems -> Security with the correct name ("referencesApplicationDomain").

My web.xml:

<web-app ..>
    ...
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>referencesApplicationDomain</realm-name>
    </login-config>
    <security-role>
        <role-name>authenticated</role-name>
    </security-role>
    <security-role>
        <role-name>anonymous</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            ....
        </web-resource-collection>
        <auth-constraint>
            <role-name>authenticated</role-name>
        </auth-constraint>
    </security-constraint>
...
</web-app>

My jboss-web.xml:

<jboss-web ...>
    <deny-uncovered-http-methods>false</deny-uncovered-http-methods>
    <context-root>/references</context-root>
    <security-domain>referencesApplicationDomain</security-domain>
</jboss-web>

Of course our idea is to make our application work with Elytron only.

The problem is, however, I don't see where to create the security domain in Elytron.

I followed the Wildfly Elytron Documentation to create the security-domain as well as the http factory using jboss-cli.

When I check in jboss-cli, I see the security domain was created.

When I try to start the Wildfly server however, I get the following error:

"WFLYCTL0412: Required services that are not installed:" => [
        "jboss.security.security-domain.referencesApplicationDomain"
    ],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => [
        "jboss.deployment.unit.\"references-war-1.0.11-SNAPSHOT.war\".component.BranchService.CREATE is missing [jboss.security.security-domain.java:/jaas/referencesApplicationDomain]"
    ]

It seems like jboss is trying to find the security-domain in the old security subsystem instead of Elytron. But I don't understand why?

Small remark: I want to use the ApplicationRealm, to use the users and groups inside the jboss configuration files.


Solution

  • Turns out, that is not needed with Elytron (in fact, it is for Legacy only). So the solution is just removing these from the xml files:

    web.xml

    <web-app ..>
        ...
        <login-config>
            <auth-method>BASIC</auth-method>
            <!--<realm-name>referencesApplicationDomain</realm-name>-->
        </login-config>
    </web-app>
    

    jboss-web.xml:

    <jboss-web ...>
        <deny-uncovered-http-methods>false</deny-uncovered-http-methods>
        <context-root>/references</context-root>
        <!--<security-domain>referencesApplicationDomain</security-domain>-->
    </jboss-web>
    

    This works because, by default, the undertow system of WildFly is using ApplicationRealm as the default-security-domain. You can verify that by looking at your standalone.xml.
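
Added example, not part of the original answer: a small Python check for the standalone.xml inspection suggested above, listing which security-domain names the undertow and ejb3 subsystems map to Elytron through application-security-domain entries. The XML fragment, its namespace versions and the function names are constructed for illustration. A name with no mapping (None) is assumed to be looked up in the legacy security subsystem, which matches the missing jboss.security.security-domain service in the error above.

```python
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment (assumed layout, not taken from the page).
SAMPLE = """<server xmlns="urn:jboss:domain:10.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-security-domain="other">
      <application-security-domains>
        <application-security-domain name="other"
            http-authentication-factory="application-http-authentication"/>
      </application-security-domains>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:ejb3:6.0">
      <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
      </application-security-domains>
    </subsystem>
  </profile>
</server>"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def _subsystem(el):
    """'{urn:jboss:domain:undertow:10.0}subsystem' -> 'undertow' (version-agnostic)."""
    parts = el.tag[1:].split("}")[0].split(":") if el.tag.startswith("{") else []
    return parts[3] if len(parts) > 3 else ""

def elytron_mappings(xml_text):
    """Return {subsystem: {"default": name or None, "mapped": {name: Elytron target}}}."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "subsystem" or _subsystem(el) not in ("undertow", "ejb3"):
            continue
        mapped = {m.get("name"): m.get("http-authentication-factory") or m.get("security-domain")
                  for m in el.iter() if _local(m.tag) == "application-security-domain"}
        out[_subsystem(el)] = {"default": el.get("default-security-domain"), "mapped": mapped}
    return out

def resolve(xml_text, declared=None):
    """Elytron target per subsystem for the name a deployment declares.
    With no declared name, undertow's default-security-domain is used."""
    cfg = elytron_mappings(xml_text)
    domain = declared or cfg.get("undertow", {}).get("default")
    return {name: c["mapped"].get(domain) for name, c in cfg.items()}

if __name__ == "__main__":
    print("no <security-domain> in jboss-web.xml:", resolve(SAMPLE))
    print("referencesApplicationDomain:", resolve(SAMPLE, "referencesApplicationDomain"))
```

To check a real server, pass the contents of its standalone.xml to resolve() instead of SAMPLE.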