We use an elytron/token-realm with an elytron/http-authentication-factory and the BEARER_TOKEN mechanism to authenticate users. The system consists of two applications, running in separate WildFly instances. One application remotely invokes EJBs of the other application. We would like the identity of the current user to be propagated over the remote EJB call.
I am trying to set up Identity propagation according to the JBoss documentation.
BEARER_TOKEN is listed as a supported mechanism. The EJB system is configured to use the new HTTP transport (call target is http://server:port/wildfly-services) instead of the remote+http protocol.
I would expect the bearer token to be added as an HTTP "Authorization: Bearer" header by the forwarding server when making the EJB call to the receiving server; however, this does not happen and the HTTP response is 401.
This is the configuration of the forwarding server:
/subsystem=ejb3/application-security-domain=other:write-attribute(name=security-domain,value=ApplicationDomain)
/subsystem=elytron/authentication-configuration=remote-ejb-configuration:add(security-domain=ApplicationDomain)
/subsystem=elytron/authentication-context=remote-ejb-context:add(match-rules=[{authentication-configuration=remote-ejb-configuration}])
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-partner-ejb/:add(host="server",port="8080")
/subsystem=remoting/remote-outbound-connection=remote-ejb:add(outbound-socket-binding-ref=remote-partner-ejb, authentication-context=remote-ejb-context)
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=jwt-http-authentication)
And here is the error seen on the forwarding server side:
Caused by: javax.naming.AuthenticationException: WFHTTP000013: Authentication failed (full response ClientResponse{responseHeaders={Connection=[keep-alive], WWW-Authenticate=[Bearer realm="jwt-realm"], Set-Cookie=[JSESSIONID=0BAxZeBpW-RuStmtGFylfbYBpypUJYsqLMlsrw04.partner-as-76d77b7f5c-6bcb6; path=/wildfly-services], Server=[nginx/1.23.3], Content-Type=[text/html], Content-Length=[77], Date=[Mon, 09 Jan 2023 10:34:00 GMT]}, responseCode=401, status='Unauthorized', protocol=HTTP/1.1})
There is a quickstart showing identity propagation, but it uses SASL authentication, which does not support the BEARER_TOKEN mechanism.
Has anyone had luck with a setup like this?