JBoss Enterprise Application Platform: JBEAP-11450

Adding application-security-domain in EJB subsystem requires server reload

    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Critical
    • None
    • 7.1.0.DR19
    • EJB
    • None

      Use https://github.com/jmartisk/mock-artifacts/tree/master/ejbclient/eap7.1-httpclient and its steps in README with some modifications:

      1) Omit step 3. Instead of it run:

      /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:remove()
      reload
      /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:add(http-authentication-factory=application-http-authentication)
      /subsystem=security/security-domain=other/authentication=classic/login-module=RealmDirect:write-attribute(name=module-options,value={password-stacking=useFirstPass,realm=ManagementRealm})
      reload
      

      2) Deploy application and try to run client side - it will fail because it tries to authorize through legacy ManagementRealm

      3) Call CLI command /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain) (and do NOT reload server) and try to run client side again - it will still fail because it still uses legacy ManagementRealm

      4) reload server and run client side again - it will pass because it starts to use Elytron ApplicationDomain

      When application-security-domain is added in the EJB subsystem, it is not used until the server is reloaded. However, the CLI command does not set the server to the reload-required state, see:

      /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
      {"outcome" => "success"}
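
One way to catch this during a change review, as an added example that is not part of the original report: the Python below scans a captured CLI transcript and lists application-security-domain write operations that returned success without the standard `response-headers` reload hint and were not followed by a `reload`. The transcript is constructed, and the function names and the watched-prefix list are assumptions of this example.

```python
import re

# Addresses this check watches: the one from the report above (extend as needed).
WATCHED_PREFIXES = ("/subsystem=ejb3/application-security-domain=",)
WRITE_OPS = ("add", "remove", "write-attribute")
PROMPT = re.compile(r"^\[[^\]]*\]\s*")          # e.g. "[standalone@localhost:9990 /] "
OPERATION = re.compile(r"^(/[^:]+):([a-z-]+)")  # (address, operation name)
SUCCESS = re.compile(r'"outcome"\s*=>\s*"success"')
RELOAD_HINT = re.compile(
    r'"process-state"\s*=>\s*"reload-required"|"operation-requires-reload"\s*=>\s*true')

def parse_transcript(text):
    """Split a CLI transcript into (command, response_text) pairs."""
    pairs, cmd, buf = [], None, []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if line.startswith("/") or line.split()[0] == "reload":
            if cmd is not None:
                pairs.append((cmd, "\n".join(buf)))
            cmd, buf = line, []
        elif cmd is not None:
            buf.append(line)
    if cmd is not None:
        pairs.append((cmd, "\n".join(buf)))
    return pairs

def silent_pending_changes(text):
    """Watched write operations that succeeded with no reload hint in the
    response and with no reload later in the transcript."""
    pending = []
    for cmd, response in parse_transcript(text):
        if cmd.split()[0] == "reload":
            pending.clear()  # a reload applies everything issued before it
            continue
        m = OPERATION.match(cmd)
        if (not m or m.group(2) not in WRITE_OPS
                or not m.group(1).startswith(WATCHED_PREFIXES)):
            continue
        if SUCCESS.search(response) and not RELOAD_HINT.search(response):
            pending.append(cmd)
    return pending

# Constructed transcript: the add from the report, with no reload afterwards.
SAMPLE = ('[standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain'
          '=other:add(security-domain=ApplicationDomain)\n{"outcome" => "success"}\n')
```

An empty result means every watched change was either flagged by the server itself or followed by a reload; anything returned should be treated as not yet in effect.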
      

            rhn-support-iweiss Ingo Weiss
            olukas Ondrej Lukas (Inactive)
            Michal Jurc Michal Jurc
            Michal Jurc Michal Jurc
            Estimated: 4h
            Remaining: 1h
            Logged: 3h