
We plan to migrate from Picketbox to Elytron and face the following problem:

With Picketbox a custom login module can use functionality of (or even can reside in) a deployment module (e.g. an EAR in wildfly/standalone/deployments) to implement authentication on the server side:

<subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
        ...
        <security-domain name="MyDomain" cache-type="default">
            <authentication>
                <login-module name="MyLoginModule" code="de.example.wildfly.MyLoginModule" flag="required" module="deployment.de.example.wildfly.login"/>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

My first try was to use a custom realm in Elytron. But as far as I understand, a custom realm needs to be a "static" module (meaning it is located under wildfly/modules/...) and thus cannot access "dynamically" deployed modules (see https://developer.jboss.org/message/984198#984198).

<subsystem xmlns="urn:wildfly:elytron:7.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    ...
    <security-domains>
        <security-domain name="MyDomain" default-realm="MyRealm" permission-mapper="default-permission-mapper">
            <realm name="MyRealm" role-decoder="from-roles-attribute" />
        </security-domain>
    </security-domains>
    <security-realms>
        ...
        <custom-realm name="MyRealm" module="de.example.wildfly.login" class-name="de.example.wildfly.MyCustomRealm" />
    </security-realms>
</subsystem>

(I omitted some more of the security domain configuration)

When I try to load a Spring context (that is located in an EAR in order to access some custom classes from the EAR) in MyCustomRealm, I get the following error:

org.springframework.beans.factory.access.BootstrapException: Unable to initialize group definition. Group resource name [classpath:applicationContext-appServerBase.xml], factory key [applicationContextEjb]; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from class path resource [applicationContext-appServerBase.xml]; nested exception is java.io.FileNotFoundException: class path resource [applicationContext-appServerBase.xml] cannot be opened because it does not exist

This is no surprise, because my realm does not depend on the EAR or any JAR therein, where the application context is located.

How can authentication (specifically for EJB calls) be customized on server side by using classes from a deployment module (EAR) in Elytron?

Olaf Ziems
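One way to get past the static-module restriction described above, as an added example that is not the poster's MyCustomRealm: keep the realm in the static module, but have it locate a stateless EJB that is deployed inside the EAR through its global JNDI name at verification time and invoke it by method signature only, so the module under wildfly/modules never needs a compile-time dependency on the deployment. The JNDI name, the "jndi-name" configuration key and the EJB contract (authenticate(String, String) returning a Map with a "Roles" collection, or null on bad credentials) are assumptions made for this illustration; the Elytron SecurityRealm/RealmIdentity interfaces are the real ones from org.wildfly.security.

```java
// Added example, not the poster's MyCustomRealm. The JNDI name, the "jndi-name" configuration key and
// the EJB contract authenticate(String, String) -> Map<String, Object> (null on failure, a "Roles"
// collection on success) are assumptions made for this illustration.
package de.example.wildfly;

import java.lang.reflect.Method;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Collection;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;

public class MyCustomRealm implements SecurityRealm {
    // Hypothetical default; overridable through the <custom-realm> "configuration" map.
    private String jndiName = "java:global/myapp/myapp-ejb/Authenticator";

    // Elytron calls initialize(Map) on a custom-realm class that declares it.
    public void initialize(Map<String, String> configuration) {
        jndiName = configuration.getOrDefault("jndi-name", jndiName);
    }

    @Override
    public RealmIdentity getRealmIdentity(Principal principal) {
        return new EjbIdentity(principal);
    }

    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> type, String alg,
            AlgorithmParameterSpec spec) {
        return SupportLevel.UNSUPPORTED;   // this realm never hands out stored credentials
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> type, String alg) {
        return PasswordGuessEvidence.class.isAssignableFrom(type)
                ? SupportLevel.POSSIBLY_SUPPORTED : SupportLevel.UNSUPPORTED;
    }

    // JNDI lookup plus a call by signature: the static module needs no compile-time
    // dependency on the EAR, which is exactly the restriction the question runs into.
    @SuppressWarnings("unchecked")
    private Map<String, Object> callEjb(String user, String password) throws RealmUnavailableException {
        try {
            Object bean = new InitialContext().lookup(jndiName);
            Method m = bean.getClass().getMethod("authenticate", String.class, String.class);
            return (Map<String, Object>) m.invoke(bean, user, password);
        } catch (NamingException | ReflectiveOperationException e) {
            throw new RealmUnavailableException(e);   // EAR not deployed, or contract mismatch
        }
    }

    private final class EjbIdentity implements RealmIdentity {
        private final Principal principal;
        private Map<String, Object> result;   // non-null only after a successful verify

        EjbIdentity(Principal principal) { this.principal = principal; }

        @Override public Principal getRealmIdentityPrincipal() { return principal; }
        @Override public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> type,
                String alg, AlgorithmParameterSpec spec) { return SupportLevel.UNSUPPORTED; }
        @Override public <C extends Credential> C getCredential(Class<C> type) { return null; }
        @Override public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> type, String alg) {
            return MyCustomRealm.this.getEvidenceVerifySupport(type, alg);
        }
        // The EJB cannot be asked whether a name exists without a password, so report true and
        // let verifyEvidence decide; an identity that was never verified carries no roles.
        @Override public boolean exists() { return true; }

        @Override
        public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
            if (!(evidence instanceof PasswordGuessEvidence)) return false;
            char[] guess = ((PasswordGuessEvidence) evidence).getGuess();   // array owned by Elytron
            result = callEjb(principal.getName(), new String(guess));
            return result != null;
        }

        @Override
        @SuppressWarnings("unchecked")
        public AuthorizationIdentity getAuthorizationIdentity() {
            MapAttributes attrs = new MapAttributes();
            Object roles = result == null ? null : result.get("Roles");
            if (roles instanceof Collection) {
                attrs.addAll("Roles", (Collection<String>) roles);   // read by from-roles-attribute
            }
            return AuthorizationIdentity.basic(attrs);
        }
    }
}
```

This class is wired in with the custom-realm element already shown in the question's configuration; the module de.example.wildfly.login then needs module.xml dependencies on org.wildfly.security.elytron and javax.api, but not on the EAR, and the EJB address can be supplied as a configuration property named jndi-name instead of the hard-coded default. Two caveats a reviewer would raise: every login becomes a container-local EJB call, so the EJB's failure path should take the same time as its success path, and because exists() answers true for any name, the EJB is the only component deciding which users exist.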

1 Answer


Maybe https://github.com/AntonYudin/wildfly-securityrealm-ejb is exactly what you are looking for. It creates a SecurityRealm that can be configured with the address of an EJB that's deployed with your application.

The EJB has to be Stateless and must implement the method Map<String, Object> authenticate(String, String) which is called with a username and a password.

I guess you have to return a map that contains all roles and groups the user belongs to or null if the credentials are invalid.

Kevin H.
  • Time was running out, so we chose not to migrate to Elytron but to stay with Picketbox instead. Due to lack of time I cannot confirm that the suggested workaround will really work, but I am pretty sure that it will. So I am accepting this answer as the correct one and will keep it in mind for the next release of our software. Thanks a lot! – Olaf Ziems Jul 22 '19 at 06:09
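The EJB side of the contract the answer describes, as an added example that is not code from the wildfly-securityrealm-ejb project: a stateless bean deployed inside the EAR, where it can use the EAR's own classes freely, exposing authenticate(String, String) and returning a map of roles on success or null on bad credentials. The in-memory user store, the sample user, the "Roles" key and the PBKDF2 parameters are constructed for the illustration; the point it adds beyond the answer is that the failure path must not leak which user names exist, so the hash is computed and compared in constant time even for unknown names.

```java
// Added example, not the wildfly-securityrealm-ejb project's code. The user store, the sample user,
// the "Roles" map key and the PBKDF2 parameters are constructed for this illustration.
package de.example.wildfly;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ejb.Stateless;

@Stateless
public class Authenticator {
    private static final int ITERATIONS = 100_000;
    private static final byte[] DUMMY_SALT = new byte[16];   // used for names that do not exist

    private static final class User {
        final byte[] salt, hash;
        final List<String> roles;
        User(byte[] salt, byte[] hash, List<String> roles) {
            this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    // Constructed store. In the real EAR this is the point where the Spring context or other
    // EAR-local classes from the question can be used, because the bean is deployed with them.
    private static final Map<String, User> USERS = new HashMap<>();
    static {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put("alice", new User(salt, pbkdf2("correct horse battery staple".toCharArray(), salt),
                Arrays.asList("user", "admin")));
    }

    // Contract from the answer: a map carrying the roles on success, null on bad credentials.
    public Map<String, Object> authenticate(String username, String password) {
        User u = USERS.get(username);
        // Run the hash for unknown names too, so response time does not reveal which users exist.
        byte[] guess = pbkdf2(password.toCharArray(), u == null ? DUMMY_SALT : u.salt);
        if (u == null || !MessageDigest.isEqual(guess, u.hash)) {   // constant-time comparison
            return null;
        }
        Map<String, Object> result = new HashMap<>();
        result.put("Roles", u.roles);   // the attribute name the default from-roles-attribute decoder reads
        return result;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the realm calls this bean for every authentication attempt, the bean is also the natural place for lockout or rate limiting; the realm itself only sees pass or fail.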