peatle_pp

Reputation: 41

multi-module ear and elytron - A SecurityDomain has already been associated with the specified ClassLoader

I have an EAR with at least 2 WARs inside. One should be non-restricted, so no auth at all, and the other one should be restricted by Keycloak. This is done via an overlay file for just this WAR. Deploying this EAR leads to the error:

ttp-wf     |     "jboss.deployment.subunit.\"test-ear-2024.3.0-SNAPSHOT.ear\".\"test-web-2024.3.0-SNAPSHOT.war\".undertow-deployment.UndertowDeploymentInfoService" => "Failed to start service
ttp-wf     |     Caused by: java.lang.IllegalStateException: ELY01148: A SecurityDomain has already been associated with the specified ClassLoader",

We know it worked up to WildFly 26; after that it was "jakarta" time. This may be a hint.

Overlay:

<login-config>
    <auth-method>OIDC</auth-method>
</login-config>
...
<security-constraint>
    <display-name>security-domain</display-name>
    <web-resource-collection>
        <web-resource-name>security-domain</web-resource-name>
        <url-pattern>/html/internal/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role.admin</role-name>
    </auth-constraint>
</security-constraint>

jboss-cli

deployment-overlay add \
    --name=configKeycloakAuth \
    --content=/WEB-INF/web.xml=/entrypoint-wildfly-cli/config_oidc_web.xml \
    --deployments=config-web-*.war \
    --redeploy-affected
set configVersion=2024.1.0
/subsystem=elytron-oidc-client/secure-deployment=config-web-$configVersion.war:add( \
    provider-url=$ttpWebKeycloakBaseUrl/realms/$ttpWebKeycloakRealm, \
    client-id=$ttpWebKeycloakClientId, \
    ssl-required=$ttpWebKeycloakSslRequired, \
    confidential-port=$ttpWebKeycloakConfidentialPort, \
    use-resource-role-mappings=$ttpWebKeycloakUseResourceRoleMappings \
)

The EAR also has ear-subdeployments-isolated=false and it should be like that.

The web.xml in the non-restricted WAR does not declare any security-domain. But setting security-domain=none is also not allowed.

WildFly: 35

WildFly with DEBUG logging does not tell me more.

Is it even possible to do it like this, or is there maybe some new way of doing that? I couldn't figure it out. I appreciate any help, thanks.

Upvotes: 1

Views: 45

Answers (0)
