
Commit

[WFLY-16195] Upgrade the security-domain-to-domain quickstart
fjuma committed Oct 7, 2022
1 parent 85e7925 commit 5554522
Showing 5 changed files with 30 additions and 73 deletions.
71 changes: 21 additions & 50 deletions security-domain-to-domain/README.adoc
@@ -36,8 +36,7 @@ Application Server (`standalone.xml`)::

* Defines a security domain in the `elytron` subsystem that uses the JDBC security realm to obtain the security data used to authenticate and authorize users.
* Defined a second security domain in the `elytron` subsystem similar to the first but with different role mappings.
* Defines an `http-authentication-factory` in the `elytron` subsystem that uses the security domain created in step 1 for BASIC authentication.
* Adds an `application-security-domain` mapping in the `undertow` subsystem to map the Servlet security domain to the HTTP authentication factory defined in step 3.
* Adds an `application-security-domain` mapping in the `undertow` subsystem to map the Servlet security domain to the security domain defined in step 1.
* Adds an `application-security-domain` mapping in the `ejb3` subystem to map the EJBs security domain to the security domain defined in step 2.
Database Configuration::

@@ -75,7 +74,7 @@ You can configure the server by running JBoss CLI commands. For your convenience
* xref:back_up_standalone_server_configuration[Back up the {productName} standalone server configuration] as described above.
* xref:start_the_eap_standalone_server[Start the {productName} server] with the standalone default profile as described above.

. Review the `configure-server.cli` file in the root of this quickstart directory. This script adds security domain and HTTP authentication factory to the `elytron` subsystem in the server configuration and also configures the `undertow` subsystem to use the configured HTTP authentication factory for the Web application.
. Review the `configure-server.cli` file in the root of this quickstart directory. This script adds security domains to the `elytron` subsystem in the server configuration and also configures the `undertow` and `ejb3` subsystems to use the configured security domains for the Web application and for EJBs.
. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing __{jbossHomeName}__ with the path to your server:
+
[source,subs="+quotes,attributes+",options="nowrap"]
@@ -148,55 +147,49 @@ After stopping the server, open the `__{jbossHomeName}__/standalone/configuratio

. The `business-realm` security realm is just used for loading the identity as it accesses the EJB.

. The following `role-decoder` was added to the `elytron` subsystem.
. The JDBC realms in this quickstart store the roles associated with a principal in an attribute named `Roles`.
+
[source,xml,options="nowrap"]
----
<simple-role-decoder name="from-roles-attribute" attribute="roles"/>
----
Other realms might use different attributes for roles (such as `group`).
If an attribute name other than "Roles" is used to store the roles, a `role-decoder` can be configured as follows:
+
```
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=ATTRIBUTE_NAME)
```
+
The realms in this quickstart store the roles associated with a principal in an attribute named roles. Other realms might use different attributes for roles (such as `group`). The purpose of a `role-decoder` is to instruct the security domain how roles are to be retrieved from an authorized identity.
The commands to create the security domains could then be updated to reference this `role-decoder`:
+
```
/subsystem=elytron/security-domain=entry-security-domain:add(default-realm=entry-realm, realms=[{realm=entry-realm, role-decoder=from-roles-attribute}], permission-mapper=default-permission-mapper, outflow-security-domains=[business-security-domain])

/subsystem=elytron/security-domain=business-security-domain:add(default-realm=business-realm, realms=[{realm=business-realm, role-decoder=from-roles-attribute}], trusted-security-domains=[entry-security-domain])
```
+
The purpose of a `role-decoder` is to instruct the security domain how roles are to be retrieved from an authorized identity.
. The following security domains were added to the `elytron` subsystem.
+
[source,xml,options="nowrap"]
----
<security-domain name="entry-security-domain" default-realm="entry-realm" permission-mapper="default-permission-mapper" outflow-security-domains="business-security-domain">
<realm name="entry-realm" role-decoder="from-roles-attribute"/>
<realm name="entry-realm"/>
</security-domain>
<security-domain name="business-security-domain" default-realm="business-realm" trusted-security-domains="entry-security-domain">
<realm name="business-realm" role-decoder="from-roles-attribute"/>
<realm name="business-realm"/>
</security-domain>
----
+
The `entry-security-domain` is configured to automatically outflow any identities to the `business-security-domain` and in return the `business-security-domain` is configured to trust any identities coming from the `entry-security-domain`.

. The following `http-authentication-factory` was added to the `elytron` subsystem.
+
[source,xml,options="nowrap"]
----
<http-authentication-factory name="security-domain-to-domain-http" security-domain="entry-security-domain" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="BASIC">
<mechanism-realm realm-name="RealmUsersRoles"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
----
+
It basically defines an HTTP authentication factory for the BASIC mechanism that relies on the `entry-security-domain` security domain to authenticate and authorize access to Web applications.

. The following `application-security-domain` was added to the `undertow` subsystem.
+
[source,xml,options="nowrap"]
----
<application-security-domains>
<application-security-domain name="EntryDomain" http-authentication-factory="security-domain-to-domain-http"/>
<application-security-domain name="EntryDomain" security-domain="entry-security-domain"/>
</application-security-domains>
----
+
This configuration tells `Undertow` that applications with the `EntryDomain` security domain, as defined in the `jboss-web.xml` or by using the `@SecurityDomain` annotation in the Servlet class, should use the `http-authentication-factory` named `security-domain-to-domain-http`.
This configuration tells `Undertow` that applications with the `EntryDomain` security domain, as defined in the `jboss-web.xml` or by using the `@SecurityDomain` annotation in the Servlet class, should use the `security-domain` named `entry-security-domain`.

. The following `application-security-domain` was added to the `ejb3` subsystem.
+
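Review bot: the two new CLI listings in the `role-decoder` paragraph are wrapped in Markdown-style ``` fences while every other listing in this README uses the AsciiDoc `[source,...]` plus `----` form (see the `security-domain` XML just below them); switch them to `[source,options="nowrap"]` / `----` so the file renders consistently. The explanation is also split: the sentence "The purpose of a `role-decoder` is to instruct the security domain how roles are to be retrieved from an authorized identity." now trails the second command, where it reads as an afterthought. Moving it in front of the first `simple-role-decoder` command, together with one sentence saying why the decoder is no longer configured (Elytron's default role decoder reads the `Roles` attribute, which is why the realms' `attribute-mapping` was changed to `to=Roles`), would tell the reader what the simplification relies on. The removal of the `http-authentication-factory` section and the switch of `EntryDomain` to `security-domain="entry-security-domain"` match `configure-server.cli`.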
@@ -247,34 +240,12 @@ Caller Has Role 'Manager'=true

This shows that the user `quickstartUser` calls the servlet and has role `User` but does not have the role `Manager`, as the call reaches the EJB the principal is still `quickstartUser` but now the identity does not have the role `User` and instead has the role `Manager`.

== Server Log: Expected Warnings and Errors

You will see the following warning in the server log. You can ignore it.

[source,options="nowrap"]
----
HHH000431: Unable to determine H2 database version, certain features may not work
----

// Undeploy the Quickstart
include::../shared-doc/undeploy-the-quickstart.adoc[leveloffset=+1]

// Restore the {productName} Standalone Server Configuration
include::../shared-doc/restore-standalone-server-configuration.adoc[leveloffset=+1]

== Restore the Server Configuration

You can restore the original server configuration by running the `restore-configuration.cli` script provided in the root directory of this quickstart or by manually restoring the back-up copy the configuration file.

// Additional informatin about this script
This script removes the `application-security-domain` configurations from the `ejb3` and `undertow` subsystem, the `http-authentication-factory`, `security-domain`, `security-realm` and `role-decoder` configuration from the `elytron` subsystem and it also removes the `datasource` used for this quickstart. You should see the following result when you run the script:

[source,options="nowrap"]
----
The batch executed successfully
process-state: reload-required
----

// Restore the {productName} Standalone Server Configuration Manually
include::../shared-doc/restore-standalone-server-configuration-manual.adoc[leveloffset=+2]
// Run the Quickstart in Red Hat CodeReady Studio or Eclipse
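Review bot: two pieces of documentation are dropped here without a replacement. The "Server Log: Expected Warnings and Errors" section (the `HHH000431` H2 version warning) is removed, but the commit message does not say whether the warning stops appearing after the upgrade; if it still shows up, the section should stay. The quickstart-specific "Restore the Server Configuration" text is also removed; the shared `restore-standalone-server-configuration.adoc` include that remains presumably covers the generic steps, but the description of what this quickstart's own `restore-configuration.cli` removes (the `application-security-domain` entries, the security domains, the realms and the datasource) and the expected `process-state: reload-required` output lived only in the deleted paragraph, so consider keeping a one-line summary above the include. Also check that the remaining manual-restore include at `leveloffset=+2` still nests under a level-1 heading now that the `== Restore the Server Configuration` heading is gone.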
17 changes: 5 additions & 12 deletions security-domain-to-domain/configure-server.cli
@@ -8,28 +8,21 @@ batch
# Add the JDBC security realms
/subsystem=elytron/jdbc-realm=entry-realm:add(principal-query=[{sql="SELECT PASSWORD FROM USERS WHERE USERNAME = ?", data-source="SecurityDomainToDomainDS", \
clear-password-mapper={password-index=1}},{sql="SELECT R.NAME, 'Roles' FROM ENTRY_ROLES ER INNER JOIN ROLES R ON R.ID = ER.ROLE_ID INNER JOIN USERS U ON U.ID = ER.USER_ID WHERE U.USERNAME = ?", \
data-source="SecurityDomainToDomainDS", attribute-mapping=[{index=1, to=roles}]}])
data-source="SecurityDomainToDomainDS", attribute-mapping=[{index=1, to=Roles}]}])

/subsystem=elytron/jdbc-realm=business-realm:add(principal-query=[{sql="SELECT PASSWORD FROM USERS WHERE USERNAME = ?", data-source="SecurityDomainToDomainDS", \
clear-password-mapper={password-index=1}},{sql="SELECT R.NAME, 'Roles' FROM BUSINESS_ROLES BR INNER JOIN ROLES R ON R.ID = BR.ROLE_ID INNER JOIN USERS U ON U.ID = BR.USER_ID WHERE U.USERNAME = ?", \
data-source="SecurityDomainToDomainDS", attribute-mapping=[{index=1, to=roles}]}])

# Add a simple role decoder for the "roles" attribute mapping
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)
data-source="SecurityDomainToDomainDS", attribute-mapping=[{index=1, to=Roles}]}])

# Configure the security domains
/subsystem=elytron/security-domain=entry-security-domain:add(default-realm=entry-realm, realms=[{realm=entry-realm, role-decoder=from-roles-attribute}], \
/subsystem=elytron/security-domain=entry-security-domain:add(default-realm=entry-realm, realms=[{realm=entry-realm}], \
permission-mapper=default-permission-mapper, outflow-security-domains=[business-security-domain])

/subsystem=elytron/security-domain=business-security-domain:add(default-realm=business-realm, realms=[{realm=business-realm, role-decoder=from-roles-attribute}], \
/subsystem=elytron/security-domain=business-security-domain:add(default-realm=business-realm, realms=[{realm=business-realm}], \
trusted-security-domains=[entry-security-domain])

# Configure the HTTP Authentication Factory
/subsystem=elytron/http-authentication-factory=security-domain-to-domain-http:add(http-server-mechanism-factory=global, security-domain=entry-security-domain, \
mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=RealmUsersRoles}]}])

# Configure Undertow's application security domain
/subsystem=undertow/application-security-domain=EntryDomain:add(http-authentication-factory=security-domain-to-domain-http)
/subsystem=undertow/application-security-domain=EntryDomain:add(security-domain=entry-security-domain)
# Configure the EJB3 Subsystem application security domain
/subsystem=ejb3/application-security-domain=BusinessDomain:add(security-domain=business-security-domain)

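Review bot: the `attribute-mapping` rename to `to=Roles` is what allows the explicit `simple-role-decoder` to go: with no `role-decoder` on the realm, the security domain falls back to Elytron's default decoder, which reads the `Roles` attribute, so the `SELECT R.NAME, 'Roles' ...` queries now feed the attribute the default decoder expects. Two things to check: (1) with the `http-authentication-factory` removed, `EntryDomain` points at `security-domain=entry-security-domain`, so the BASIC mechanism and realm name are now taken from the deployment's `web.xml` `<login-config>` rather than from the deleted `mechanism-realm-configurations=[{realm-name=RealmUsersRoles}]`; confirm the WAR's `web.xml` declares `<auth-method>BASIC</auth-method>`, otherwise the servlet will no longer challenge. (2) Formatting nit: every other pair of commands is separated by a blank line, but the `undertow` command and the `# Configure the EJB3 Subsystem application security domain` comment now run together.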
1 change: 0 additions & 1 deletion security-domain-to-domain/pom.xml
@@ -137,7 +137,6 @@
<type>war</type>
<scope>compile</scope>
</dependency>

</dependencies>
</dependencyManagement>

6 changes: 0 additions & 6 deletions security-domain-to-domain/restore-configuration.cli
@@ -9,16 +9,10 @@ batch
# Remove Undertow's application security domain
/subsystem=undertow/application-security-domain=EntryDomain:remove()

# Remove the HTTP Authentication Factory
/subsystem=elytron/http-authentication-factory=security-domain-to-domain-http:remove()

# Remove the security domains
/subsystem=elytron/security-domain=business-security-domain:remove()
/subsystem=elytron/security-domain=entry-security-domain:remove()

# Remove a simple role decoder for the "roles" attribute mapping
/subsystem=elytron/simple-role-decoder=from-roles-attribute:remove()

# Remove the security realms
/subsystem=elytron/jdbc-realm=business-realm:remove()
/subsystem=elytron/jdbc-realm=entry-realm:remove()
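Review bot: the removal order still respects the reference chain after the deletions: `EntryDomain` goes first, then the two security domains, then the realms they reference, so the batch will not fail on a resource that is still in use. The dropped `http-authentication-factory` and `simple-role-decoder` removals correspond exactly to the resources `configure-server.cli` no longer creates, so the restore script stays symmetric with the configure script.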
@@ -15,11 +15,11 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
<persistence version="2.1"
xmlns="http://xmlns.jcp.org/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
<persistence version="3.0"
xmlns="https://jakarta.ee/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://xmlns.jcp.org/xml/ns/persistence
http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
https://jakarta.ee/xml/ns/persistence
https://jakarta.ee/xml/ns/persistence/persistence_3_0.xsd">
<persistence-unit name="primary">
<jta-data-source>java:jboss/datasources/SecurityDomainToDomainDS</jta-data-source>
<properties>
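Review bot: the `persistence` root element moves to `version="3.0"` and the `https://jakarta.ee/xml/ns/persistence` namespace, which requires a Jakarta Persistence 3.0 provider (Jakarta EE 9 or later); the `pom.xml` hunk in this commit only removes a blank line, so confirm that the parent POM or BOM already supplies `jakarta.persistence` 3.x rather than `javax.persistence` 2.x, otherwise the descriptor will fail schema validation at deployment. Also note that the file path for this hunk is missing from the rendered page, so which descriptor was changed cannot be verified from here.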
