Elytron support in webservices security after upgrade EAP to 7.4.11

Posted on

Hello there :),
I would ask you about supporting elytron in ws-security. We have a webservice configured like this:

@WebService
@SOAPBinding(parameterStyle = ParameterStyle.BARE)
@HandlerChain(file = "handler-chains.xml")
@Policies({
        @Policy(uri = "classpath:/META-INF/wsdl/UserNameTokenPolicy.xml", placement = Policy.Placement.BINDING, includeInWSDL = true) })
@EndpointProperties({ @EndpointProperty(key = "ws-security.validate.token", value = "false") })
@InInterceptors(interceptors = { "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor" })

@SecurityDomain("ws-domain")
public class CommonDataWebServiceBean extends ReadBean {
}

Security domain is configured like this:

/subsystem=ejb3/application-security-domain=ws-domain:add(security-domain=c-ldap-domain)

And is pointing to elytron ldap backed domain:

/subsystem=elytron/dir-context=ldap-dc:add(url="$LDAP_URL", principal="$LDAP_PRINCIPAL", credential-reference=....
/subsystem=elytron/ldap-realm=c-ldap-realm:add(dir-context=ldap-dc....
/subsystem=elytron/security-domain=c-ldap-domain:add(realms=[{realm=c-ldap-realm...

FORM authentication using the same elytron security domain is working on web app without issues and authentication in webservices is working on EAP 7.4.9.
But after patch 7.4.11 we have following exception:

2023-07-05 17:52:49,147 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-1) Interceptor for {http://cdata.webservice.example.com/}CommonDataWebServiceBeanService has thrown exception, unwinding now: java.lang.SecurityException: JBWS024057: Failed Authentication : Subject has not been created
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor.createSubject(SubjectCreatingPolicyInterceptor.java:133)
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor.handleMessage(SubjectCreatingPolicyInterceptor.java:106)
    at org.apache.cxf@3.4.10.redhat-00001//org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf@3.4.10.redhat-00001//org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.impl//org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:110)
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
    at org.apache.cxf.impl//org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304)
    at org.apache.cxf.impl//org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
    at javax.servlet.api@2.0.0.Final-redhat-00001//javax.servlet.http.HttpServlet.service(HttpServlet.java:523)
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
    at org.jboss.ws.spi@3.4.0.Final-redhat-00001//org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
    at javax.servlet.api@2.0.0.Final-redhat-00001//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
    at org.wildfly.extension.undertow@7.4.11.GA-redhat-00002//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
    at io.undertow.core@2.2.24.SP1-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow@7.4.11.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
    at org.wildfly.extension.undertow@7.4.11.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
    at org.wildfly.extension.undertow@7.4.11.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
    at org.wildfly.extension.undertow@7.4.11.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
    at io.undertow.servlet@2.2.24.SP1-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
    at io.undertow.core@2.2.24.SP1-redhat-00001//io.undertow.server.Connectors.executeRootHandler(Connectors.java:393)
    at io.undertow.core@2.2.24.SP1-redhat-00001//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
    at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at org.jboss.xnio@3.8.9.Final-redhat-00001//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.NullPointerException: Cannot invoke "org.wildfly.security.credential.PasswordCredential.getPassword(java.lang.Class)" because the return value of "org.wildfly.security.auth.server.RealmIdentity.getCredential(java.lang.Class)" is null
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.security.authentication.SubjectCreator.createSubject(SubjectCreator.java:178)
    at org.jboss.ws.cxf.jbossws-cxf-server@5.4.8.Final-redhat-00001//org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor.createSubject(SubjectCreatingPolicyInterceptor.java:129)
    ... 41 more

Is elytron supported in ws-security? And above is a proper way to configure ws-security in JBoss?
Thank you for your help.

WZ

Responses