WildFly / WFLY-959

Allow more flexibility in the way EJB authentication is handled with regards to remoting and security-realms

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 11.0.0.Final
    • Component/s: EJB
    • Labels:
      None

      Description

      My confusion is around the remoting/security-realm setup in the use case
      where multiple EJBs are deployed that use different security-domains and
      the EJBs will be invoked by remote standalone clients. For example,
      ejbX needs to be in the sec-domain-X security-domain, while ejbY needs to
      be in the sec-domain-Y security-domain.

      In this situation, the authentication checks are going to be handled by
      the security-realm that is associated with the remote connector that is
      configured to be used by the EJB subsystem.

      It looks like the security-realm can either handle the authentication
      checks directly (properties file, LDAP, etc.) or it can defer to the
      JAAS security-domain. In both of those situations, it seems that the
      EJBs are limited to a single authentication point. The EJB
      authentication is either going to be handled by a single security-realm
      or the security-realm will defer to a single security-domain.

      I could configure the security-domain to have multiple login modules. I
      assume the same thing could be done with the security-realm.

      Basically the problem that I am trying to solve boils down to this: the
      authentication checks for remote EJBs appear to be checked by either a
      single security-realm or a single security-domain. Is there a way to
      change this?

      One idea I had was to add another remote connector to the EJB subsystem.
      Unfortunately, this does not appear to be possible.

              People

              • Assignee:
                Unassigned
                Reporter:
                dehort Derek Horton
              • Votes:
                8
                Watchers:
                13
