Pass the security context of a WAR to other subdeployments within an EAR in WildFly 38

Java-Forum
Anonymous

Post by Anonymous »

We are migrating from WildFly 24 to 38 and are also implementing OIDC with Keycloak. We deploy an EAR with several EJB and WAR subdeployments.
When I call an EJB via remoting from our desktop application, everything works: the security context is created properly, and injecting EJB beans from another subdeployment also works; the security context is propagated to all other EJB subdeployments.
The problem is that when I hit a REST endpoint from a browser in one of my WARs, the security context is correct for that WAR, ctx.getCallerPrincipal().getName() returns my logged-in user, but when I inject an EJB from another subdeployment, the caller principal in those beans' ctx is anonymous.
Everything seems to be wired up correctly in standalone.xml:
EJB3 subsystem:

elytron:community subsystem:

....
Here the JWT realm works properly for remote calls.
In the elytron-oidc-client subsystem I have all my WARs like this:

```
my-keycloak-realm
my-keycloak-client
true
https://mykeycloak.com
NONE
preferred_username
true
```

In the undertow:community subsystem:

Undertow has the following in the header tag:
jboss-ejb3.xml in the META-INF of all EJBs:

```
*
mySecurityDomain
```
Lastly, in the WARs' WEB-INF, the jboss-web.xml:

```
mySecurityDomain
```
When I read the Undertow resource with the WildFly CLI tool, I get the following output:

```
[standalone@localhost:29990 /] /subsystem=undertow:read-resource(recursive=true)
{
"outcome" => "success",
"result" => {
"default-security-domain" => "mySecurityDomain",
"default-server" => "default-server",
"default-servlet-container" => "default",
"default-virtual-host" => "default-host",
"instance-id" => expression "${jboss.node.name}",
"obfuscate-session-route" => false,
"statistics-enabled" => expression "${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}",
"application-security-domain" => {"mySecurityDomain" => {
"enable-jacc" => false,
"enable-jaspi" => true,
"http-authentication-factory" => undefined,
"integrated-jaspi" => true,
"override-deployment-config" => false,
"security-domain" => "ApplicationDomain",
"setting" => undefined
}},
"buffer-cache" => {"default" => {
"buffer-size" => 1024,
"buffers-per-region" => 1024,
"max-regions" => 10
}},
"byte-buffer-pool" => {"default" => {
"buffer-size" => undefined,
"direct" => undefined,
"leak-detection-percent" => 0,
"max-pool-size" => undefined,
"thread-local-cache-size" => 12
}},
"configuration" => {
"filter" => {
"custom-filter" => undefined,
"error-page" => undefined,
"expression-filter" => undefined,
"gzip" => undefined,
"mod-cluster" => undefined,
"request-limit" => undefined,
"response-header" => undefined,
"rewrite" => undefined
},
"handler" => {
"file" => undefined,
"reverse-proxy" => undefined
}
},
"server" => {"default-server" => {
"default-host" => "default-host",
"servlet-container" => "default",
"ajp-listener" => undefined,
"host" => {"default-host" => {
"alias" => ["localhost"],
"default-response-code" => 404,
"default-web-module" => "ROOT.war",
"disable-console-redirect" => false,
"queue-requests-on-start" => true,
"filter-ref" => undefined,
"location" => undefined,
"setting" => {
"access-log" => {
"directory" => "access-log",
"extended" => false,
"pattern" => "%h %l %u %t \"%r\"  %s %b",
"predicate" => undefined,
"prefix" => "access.",
"relative-to" => undefined,
"rotate" => true,
"suffix" => ".log",
"use-server-log" => false,
"worker" => "default"
},
"http-invoker" => {
"http-authentication-factory" => "application-http-authentication",
"path" => "wildfly-services",
"security-realm" => undefined
}
}
}},
"http-listener" => {"default" => {
"allow-encoded-slash" => false,
"allow-equals-in-cookie-value" => false,
"allow-unescaped-characters-in-url" => false,
"always-set-keep-alive" => true,
"buffer-pipelined-data" => false,
"buffer-pool" => "default",
"certificate-forwarding" => false,
"decode-url" => true,
"disallowed-methods" => ["TRACE"],
"enable-http2" => true,
"enabled" => true,
"http2-enable-push" => true,
"http2-header-table-size" => 4096,
"http2-initial-window-size" => 65535,
"http2-max-concurrent-streams" => undefined,
"http2-max-frame-size" => 16384,
"http2-max-header-list-size" => undefined,
"max-buffered-request-size" => 16384,
"max-connections" => undefined,
"max-cookies" => 200,
"max-header-size" => 1048576,
"max-headers" => 200,
"max-parameters" => 1000,
"max-post-size" => 10485760L,
"no-request-timeout" => 60000,
"proxy-address-forwarding" => false,
"proxy-protocol" => false,
"read-timeout" => 90000,
"receive-buffer" => undefined,
"record-request-start-time" => false,
"redirect-socket" => "http",
"request-parse-timeout" => undefined,
"require-host-http11" => false,
"resolve-peer-address" => false,
"rfc6265-cookie-validation" => false,
"secure" => false,
"send-buffer" => undefined,
"socket-binding" => "http",
"tcp-backlog" => 10000,
"tcp-keep-alive" => undefined,
"url-charset" => "UTF-8",
"worker" => "default",
"write-timeout" => 90000
}},
"https-listener" => undefined
}},
"servlet-container" => {"default" => {
"allow-non-standard-wrappers" => false,
"allow-orphan-session" => false,
"default-buffer-cache" => "default",
"default-cookie-version" => 0,
"default-encoding" => undefined,
"default-session-timeout" => 30,
"directory-listing" => undefined,
"disable-caching-for-secured-pages" => true,
"disable-file-watch-service" => false,
"disable-session-id-reuse" => false,
"eager-filter-initialization" => false,
"file-cache-max-file-size" => 10485760,
"file-cache-metadata-size" => 100,
"file-cache-time-to-live" =>  undefined,
"ignore-flush" => false,
"max-sessions" => undefined,
"preserve-path-on-forward" => false,
"proactive-authentication" => true,
"session-id-length" => 30,
"stack-trace-on-error" => "local-only",
"use-listener-encoding" => false,
"mime-mapping" => undefined,
"setting" => {
"jsp" => {
"check-interval" => 0,
"development" => false,
"disabled" => false,
"display-source-fragment" => true,
"dump-smap" => false,
"error-on-use-bean-invalid-class-attribute" => false,
"generate-strings-as-char-arrays" => false,
"java-encoding" => "UTF8",
"keep-generated" => true,
"mapped-file" => true,
"modification-test-interval" => 4,
"optimize-scriptlets" => false,
"recompile-on-fail" => false,
"scratch-dir" => undefined,
"smap" => true,
"source-vm" => "1.8",
"tag-pooling" => true,
"target-vm" => "1.8",
"trim-spaces" => false,
"x-powered-by" => true
},
"websockets" => {
"buffer-pool" => "default",
"deflater-level" => 0,
"dispatch-to-worker" => true,
"per-message-deflate" => false,
"worker" => "default"
}
},
"welcome-file" => undefined
}}
}
}
```

As I understand it, both the EJB3 subsystem and the Undertow subsystem delegate authentication and authorization to Elytron, which creates the security context for ApplicationDomain, and both EJB3 and Undertow are wired to it.
There are no constraints anywhere in web.xml or application.xml.
What have I missed?
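A diagnostic pair that makes the symptom described in this post measurable, written as an added example for the thread rather than code from the poster: a JAX-RS resource in the WAR reads the caller principal from its own context, then calls an injected EJB that lives in a different subdeployment of the same EAR and reports what that bean sees. Every name here (the package, DiagnosticResource, WhoAmIBean, the /whoami path and the diag-ejb module name in the lookup) is an assumption; the lookup string must match the EAR's actual module name. The two classes go into two source files, one per subdeployment, as the file comments indicate.

```java
// --- File: diag-ejb/src/main/java/com/example/diag/WhoAmIBean.java (EJB subdeployment) ---
package com.example.diag; // hypothetical package name

import jakarta.annotation.Resource;
import jakarta.annotation.security.PermitAll;
import jakarta.ejb.SessionContext;
import jakarta.ejb.Stateless;
import java.security.Principal;

// @PermitAll keeps authorization out of the measurement: the bean is always
// callable, so the only thing the test shows is which identity arrived here.
// In production the real beans keep their @RolesAllowed rules; this bean is a probe.
@Stateless
@PermitAll
public class WhoAmIBean {           // hypothetical bean name
    @Resource
    private SessionContext ctx;

    // Returns the caller identity as the EJB container sees it.
    // WildFly reports an unauthenticated caller with the name "anonymous".
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "null" : p.getName();
    }
}

// --- File: diag-web/src/main/java/com/example/diag/DiagnosticResource.java (WAR subdeployment) ---
// package com.example.diag;
//
// import jakarta.ejb.EJB;
// import jakarta.ws.rs.GET;
// import jakarta.ws.rs.Path;
// import jakarta.ws.rs.Produces;
// import jakarta.ws.rs.core.Context;
// import jakarta.ws.rs.core.MediaType;
// import jakarta.ws.rs.core.SecurityContext;
// import java.security.Principal;
//
// @Path("/whoami")                     // hypothetical path; the WAR's existing JAX-RS Application exposes it
// public class DiagnosticResource {
//     @Context
//     private SecurityContext webCtx;   // identity established by the OIDC login in this WAR
//
//     // Cross-subdeployment injection: java:app/<module>/<bean> names resolve across
//     // modules of the same EAR. "diag-ejb" is the assumed EJB module name.
//     @EJB(lookup = "java:app/diag-ejb/WhoAmIBean")
//     private WhoAmIBean whoAmI;
//
//     @GET
//     @Produces(MediaType.TEXT_PLAIN)
//     public String whoAmI() {
//         Principal web = webCtx.getUserPrincipal();
//         String webCaller = web == null ? "null" : web.getName();
//         String ejbCaller = whoAmI.callerName();
//         // Propagation succeeded only if the EJB saw the same non-anonymous user.
//         boolean propagated = !"anonymous".equals(ejbCaller) && webCaller.equals(ejbCaller);
//         return "webCaller=" + webCaller + "\n"
//              + "ejbCaller=" + ejbCaller + "\n"
//              + "propagated=" + propagated + "\n";
//     }
// }
```

Deploy the probe beside the real subdeployments, log in through the browser and request /whoami. A response with webCaller set to the logged-in user but ejbCaller equal to anonymous confirms that the identity is lost at the WAR-to-EJB boundary rather than in the OIDC login itself, which separates the two failure modes the post mixes together. If the response shows propagation failing, the first thing to compare is whether the ejb3 subsystem's application-security-domain entry for mySecurityDomain resolves to the same Elytron security domain (ApplicationDomain) that the Undertow output above shows, since Elytron carries an identity across container boundaries only within one security domain unless outflow between domains is configured.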
