Tags: authentication, ejb, wildfly, elytron

Wildfly 17 Elytron: server side authentication with classes from EAR


We plan to migrate from Picketbox to Elytron and face the following problem:

With Picketbox a custom login module can use functionality of (or even can reside in) a deployment module (e.g. an EAR in wildfly/standalone/deployments) to implement authentication on the server side:

<subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
        ...
        <security-domain name="MyDomain" cache-type="default">
            <authentication>
                <login-module name="MyLoginModule" code="de.example.wildfly.MyLoginModule" flag="required" module="deployment.de.example.wildfly.login"/>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

My first try was to use a custom realm in Elytron. But as far as I understand, a custom realm needs to be a "static" module (meaning it is located under wildfly/modules/...) and thus cannot access "dynamically" deployed modules (see https://developer.jboss.org/message/984198#984198).

<subsystem xmlns="urn:wildfly:elytron:7.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    ...
    <security-domains>
        <security-domain name="MyDomain" default-realm="MyRealm" permission-mapper="default-permission-mapper">
            <realm name="MyRealm" role-decoder="from-roles-attribute" />
        </security-domain>
    </security-domains>
    <security-realms>
        ...
        <custom-realm name="MyRealm" module="de.example.wildfly.login" class-name="de.example.wildfly.MyCustomRealm" />
    </security-realms>
</subsystem>

(I omitted some more of the security domain configuration)

When I try to load a Spring context (that is located in an EAR in order to access some custom classes from the EAR) in MyCustomRealm, I get the following error:

org.springframework.beans.factory.access.BootstrapException: Unable to initialize group definition. Group resource name [classpath:applicationContext-appServerBase.xml], factory key [applicationContextEjb]; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from class path resource [applicationContext-appServerBase.xml]; nested exception is java.io.FileNotFoundException: class path resource [applicationContext-appServerBase.xml] cannot be opened because it does not exist

Which is no surprise, because my realm does not depend on the EAR or any JAR therein, where the application context is located.

How can authentication (specifically for EJB calls) be customized on server side by using classes from a deployment module (EAR) in Elytron?


Solution

  • Maybe https://github.com/AntonYudin/wildfly-securityrealm-ejb is exactly what you are looking for. It creates a SecurityRealm that can be configured with the address of an EJB that's deployed with your application.

    The EJB has to be Stateless and must implement the method Map<String, Object> authenticate(String, String) which is called with a username and a password.

    I guess you have to return a map that contains all roles and groups the user belongs to or null if the credentials are invalid.
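For illustration, here is what a stateless EJB offering the authenticate(String, String) contract described in the answer could look like. This is an added example, not code from the question, the answer or the linked wildfly-securityrealm-ejb project. It assumes that a null return means "reject" and that the roles travel in the map under the key "roles"; the key names the linked realm actually reads, and how it is pointed at the EJB (a JNDI address in the subsystem configuration), must be taken from that project's README. The sample users are constructed inline; a real bean would resolve users through the application's own classes, which is the whole point of deploying it inside the EAR.

```java
// Added example, not code from the question, the answer or the linked project.
// A @Stateless EJB exposing authenticate(String, String) as described in the answer,
// deployed inside the EAR so it can use the application's own classes.
// Assumptions: null = reject; roles are returned under the key "roles".
package de.example.wildfly.login;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ejb.Stateless;

@Stateless
public class EarAuthenticatorBean {

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /** One stored credential: salted PBKDF2 hash plus the roles the user gets. */
    private static final class UserRecord {
        final byte[] salt;
        final byte[] hash;
        final List<String> roles;
        UserRecord(byte[] salt, byte[] hash, List<String> roles) {
            this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    // Constructed sample users for this example. A real bean would look users up
    // through the application's own services (e.g. the Spring context in the EAR).
    private static final Map<String, UserRecord> USERS = new HashMap<>();
    // Decoy record so that unknown users cost the same time as known ones.
    private static final UserRecord DECOY;
    static {
        USERS.put("alice", record("correct horse battery", List.of("user", "admin")));
        USERS.put("bob",   record("hunter2",               List.of("user")));
        DECOY = record("decoy", Collections.emptyList());
    }

    /**
     * Contract described in the answer: username and password in, a map of
     * attributes out, or null when the credentials are invalid.
     */
    public Map<String, Object> authenticate(String username, String password) {
        if (username == null || password == null) {
            return null;
        }
        UserRecord user = USERS.get(username);
        // Derive against the decoy for unknown users so timing does not leak whether
        // the account exists; the decoy result is discarded below.
        UserRecord probe = (user != null) ? user : DECOY;
        byte[] candidate = pbkdf2(password.toCharArray(), probe.salt);
        boolean matches = MessageDigest.isEqual(candidate, probe.hash); // constant-time compare
        if (user == null || !matches) {
            return null; // invalid credentials: the realm is expected to reject the login
        }
        Map<String, Object> attributes = new HashMap<>();
        attributes.put("roles", user.roles); // key name is an assumption, see lead-in
        return attributes;
    }

    private static UserRecord record(String password, List<String> roles) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new UserRecord(salt, pbkdf2(password.toCharArray(), salt), roles);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        } finally {
            spec.clearPassword(); // do not keep the cleartext password around
        }
    }
}
```

Two points worth keeping when adapting this: return null for every failure path instead of throwing, so the realm handles bad credentials and unknown users identically, and never compare password hashes with Arrays.equals or String.equals; MessageDigest.isEqual is the constant-time comparison in the JDK.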