
Wildfly and JavaEE security configuration with Elytron

I'm trying to become more familiar with Wildfly security configuration and have some problems understanding the relation between options in server-side configs like standalone.xml and application-side configs like web.xml and jboss-web.xml.

I have several questions about this configuration, which is based on the Wildfly servlet security example. I already tried it out and it works, but several things are not clear to me.

  1. As I see it, the basic type of authentication is defined in the Authentication Factory on the server side and in web.xml on the application side. Which one has priority? Is it obligatory to declare it twice?
  2. The name of the realm 'RealmUsersRoles'. Does it mean the same entity in the server-side configs and in web.xml?
  3. Ideally I would like an explanation of the interconnection between all the security entities mentioned in this configuration.

Here is the JBoss CLI configuration script

# 1. Add the JDBC security realm creation
/subsystem=elytron/jdbc-realm=servlet-security-jdbc-realm:add(\
principal-query=[\
{sql="SELECT PASSWORD FROM USERS WHERE USERNAME = ?", data-source="MySQLDS", clear-password-mapper={password-index=1}},\
{sql="SELECT R.NAME, 'Roles' FROM USERS_ROLES UR INNER JOIN ROLES R ON R.ID = UR.ROLE_ID INNER JOIN USERS U ON U.ID = UR.USER_ID WHERE U.USERNAME = ?", data-source="MySQLDS", attribute-mapping=[{index=1, to=roles}]}])

# 2. Add a simple role decoder for the "roles" attribute mapping
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)

# 3. Configure the servlet-security-quickstart security domain
/subsystem=elytron/security-domain=servlet-security-quickstart-sd:add(\
default-realm=servlet-security-jdbc-realm, \
realms=[{realm=servlet-security-jdbc-realm, role-decoder=from-roles-attribute}], \
permission-mapper=default-permission-mapper)

# 4. Configure the HTTP Authentication Factory
/subsystem=elytron/http-authentication-factory=servlet-security-quickstart-http-auth:add(\
http-server-mechanism-factory=global,\
security-domain=servlet-security-quickstart-sd,\
mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=RealmUsersRoles}]}])

# 5. Configure Undertow's application security domain
/subsystem=undertow/application-security-domain=servlet-security-quickstart:add(\
http-authentication-factory=servlet-security-quickstart-http-auth)

web.xml

<?xml version="1.0"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>RealmUsersRoles</realm-name>
    </login-config>
</web-app>

jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>servlet-security-quickstart</security-domain>
</jboss-web>

Here is a link to the Wildfly example I use as a base: https://github.com/wildfly/quickstart/tree/master/servlet-security

Here is all my code based on this example, with some modifications: https://github.com/usharik/GeekBrainsJavaEE/tree/master/lesson8-security

  1. You need to configure the basic type of authentication in the server configuration, not in web.xml.
  2. The name of the realm is not important. It is just displayed in the browser when you get the 401 Unauthorized (the WWW-Authenticate header). If the realm name is configured in web.xml it is used; otherwise the one from the server config is used.
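The answer's precedence rule (a realm-name in web.xml wins, otherwise the realm-name from the http-authentication-factory is sent) is easy to verify after deployment by looking at the 401 challenge the server actually returns. The script below is an added example, not code from the question, the answer or the WildFly quickstart. It reads the login-config from a web.xml (namespace-agnostic, so the older java.sun.com namespace works too), pulls the server-side realm-name out of the CLI script text, computes the realm the server should advertise, and checks a raw HTTP response for a 401 with a matching BASIC challenge. All inputs are constructed samples embedded inline; the function names (login_config, server_realm_name, effective_realm, parse_www_authenticate, check_response) are this example's own.

```python
"""Verify the effective BASIC realm of a WildFly/Elytron deployment (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml: realm-name deliberately differs from the server-side one
# so the override described in the answer is visible.
WEB_XML_WITH_REALM = """<?xml version="1.0"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>AppRealm</realm-name>
    </login-config>
</web-app>
"""

# Constructed web.xml without a realm-name: the server's realm-name applies.
WEB_XML_NO_REALM = """<?xml version="1.0"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>
"""

# The http-authentication-factory command from the question's CLI script.
CLI_HTTP_AUTH = (
    "/subsystem=elytron/http-authentication-factory=servlet-security-quickstart-http-auth:add("
    "http-server-mechanism-factory=global,"
    "security-domain=servlet-security-quickstart-sd,"
    "mechanism-configurations=[{mechanism-name=BASIC,"
    "mechanism-realm-configurations=[{realm-name=RealmUsersRoles}]}])"
)

# Constructed raw response, the shape `curl -si` prints for an unauthenticated request.
SAMPLE_401 = """HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Basic realm="RealmUsersRoles"
Content-Type: text/html;charset=UTF-8
Content-Length: 71
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def login_config(web_xml):
    """Return (auth_method, realm_name) from a web.xml; either is None when absent."""
    root = ET.fromstring(web_xml.encode("utf-8"))
    for element in root.iter():
        if _local(element.tag) != "login-config":
            continue
        method = realm = None
        for child in element:
            if _local(child.tag) == "auth-method":
                method = (child.text or "").strip() or None
            elif _local(child.tag) == "realm-name":
                realm = (child.text or "").strip() or None
        return method, realm
    return None, None


def server_realm_name(cli_text):
    """Extract the first realm-name=... value (quoted or bare) from CLI script text."""
    match = re.search(r'realm-name=("?)([^",}\]]+)\1', cli_text)
    return match.group(2) if match else None


def effective_realm(web_xml, cli_text):
    """Apply the answer's rule: web.xml realm-name if present, else the server-side one."""
    _, app_realm = login_config(web_xml)
    return app_realm if app_realm else server_realm_name(cli_text)


_CHALLENGE_RE = re.compile(r"(?i)^\s*([a-z0-9!#$%&'*+\-.^_`|~]+)\s+(.*)$")
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_www_authenticate(value):
    """Return (scheme, params) for one challenge; quoted realm values are unescaped."""
    match = _CHALLENGE_RE.match(value)
    if not match:
        return None, {}
    params = {}
    for name, quoted, bare in _PARAM_RE.findall(match.group(2)):
        params[name.lower()] = quoted.replace('\\"', '"') if quoted else bare
    return match.group(1), params


def check_response(raw_response, expected_realm):
    """Return (ok, reason): ok only for a 401 carrying a BASIC challenge with expected_realm."""
    lines = raw_response.splitlines()
    status = re.match(r"^HTTP/\S+\s+(\d{3})", lines[0]) if lines else None
    if not status:
        return False, "not an HTTP status line"
    if status.group(1) != "401":
        return False, "expected 401 for an unauthenticated request, got " + status.group(1)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            scheme, params = parse_www_authenticate(value)
            if scheme and scheme.lower() == "basic":
                got = params.get("realm")
                if got == expected_realm:
                    return True, "BASIC challenge with realm %r" % got
                return False, "BASIC realm is %r, expected %r" % (got, expected_realm)
    return False, "401 without a BASIC WWW-Authenticate challenge"


if __name__ == "__main__":
    realm = effective_realm(WEB_XML_NO_REALM, CLI_HTTP_AUTH)
    print("expected realm:", realm, "->", check_response(SAMPLE_401, realm))
```

Against a live server, replace SAMPLE_401 with the output of `curl -si` for a protected URL; a 200 instead of a 401 means the security constraint or the jboss-web.xml security-domain mapping is not in effect, which this check reports rather than silently passing. Separately, note that the quickstart realm's clear-password-mapper compares the PASSWORD column as clear text; Elytron's jdbc-realm also supports hashed mappers such as bcrypt-mapper for stored credentials.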
