Difference between security-realm and security-domain in WildFly

Johnny Willer · Jun 24, 2015 · Viewed 13.3k times

What is the main difference between security-domain and security-realm in WildFly?

standalone.xml

    <security-domain name="foo">
        <authentication>
            <login-module code="..." flag="...">
            </login-module>
        </authentication>
    </security-domain>

and

    <security-realm name="foo">
        <authentication>
            <local default-user="..." allowed-users="..." skip-group-loading="..."/>
            <properties path="..." relative-to="..."/>
        </authentication>
        <authorization>
            <properties path="..." relative-to="..."/>
        </authorization>
    </security-realm>

Answer

kwart · Jun 25, 2015

Answer updated (2018-06-08) to reflect WildFly Elytron naming. WildFly Elytron is a new security subsystem introduced in WildFly 11 (and JBoss EAP 7.1). Both security subsystems - the legacy one and Elytron - have a notion of security domains and security realms, but the meaning is different.

Legacy security

The Security Domains are used mainly for defining the security of deployed applications. The standard authentication in security domains is based on JAAS javax.security.auth.spi.LoginModule implementations. An application can come up with its own custom login module(s).

The Security Realms are used mainly for configuring the security of server management interfaces and remoting. The realm authentication is based on provided implementations of javax.security.auth.callback.CallbackHandler. AFAIK it's not possible to provide your own CallbackHandler implementation.

A security domain can delegate authentication to a security realm by using the "RealmDirect" login module.

A security realm can delegate authentication to a security domain by using the "jaas" authentication configuration.

See also this response by JBoss security developer Darran Lofthouse.

Elytron security

The Security Realms encapsulate access to user repositories (DB - jdbc-realm, LDAP - ldap-realm, property file - properties-realm, ...). Compared to legacy security it's on a similar level as JAAS Login Modules. An API is provided so custom realms can be implemented.

The Security Domain represents a security policy which uses Security Realms for authentication. Security domains can be used in management security as well as in application security. A successful authentication against a security domain produces a SecurityIdentity which represents the current user.

Read Elytron subsystem chapter in JBoss EAP documentation to get a more detailed overview of Elytron components.

To learn more about controlling authentication flow in Elytron security domains read this article from Darran Lofthouse.

In the middle between Legacy and Elytron security

If you are migrating from Legacy to Elytron security, you can expose a Legacy Security Domain as an Elytron Security Realm. Read more about this scenario in the Elytron Subsystem Migration guide.
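The four pieces the answer describes, placed side by side in one standalone.xml fragment, as an added example that is not part of the original answer and not taken from the WildFly project: a legacy security-realm under management, a legacy security-domain that delegates to it with RealmDirect, an Elytron properties-realm plus security-domain plus http-authentication-factory wired into Undertow, and the migration bridge that exposes the legacy domain as an Elytron realm. The names (myapp-realm, myapp-domain, myapp-http-auth, myapp, the two .properties files) are assumptions chosen for this example, and the namespace versions are the ones shipped with WildFly 11; check them against the versions in your own standalone.xml before copying.

```xml
<!-- Added example, not from the original answer or the WildFly project.
     All "myapp-*" names and property file names are assumptions.
     Namespace versions are those of WildFly 11 (urn:jboss:domain:5.0). -->
<server xmlns="urn:jboss:domain:5.0">

  <management>
    <security-realms>
      <!-- 1. LEGACY security-realm: protects management interfaces and remoting.
              Only the shipped authentication sources (local, properties, ldap, jaas, ...)
              can be used here; you cannot plug in your own CallbackHandler. -->
      <security-realm name="myapp-realm">
        <authentication>
          <!-- silent authentication for same-host clients such as jboss-cli, no group lookup -->
          <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
          <properties path="myapp-users.properties" relative-to="jboss.server.config.dir"/>
          <!-- the reverse delegation (realm -> domain) would replace <properties> with:
               <jaas name="myapp-domain"/> -->
        </authentication>
        <authorization>
          <properties path="myapp-roles.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
      </security-realm>
    </security-realms>
  </management>

  <profile>
    <subsystem xmlns="urn:jboss:domain:security:2.0">
      <security-domains>
        <!-- 2. LEGACY security-domain: JAAS login modules for deployed applications.
                RealmDirect delegates the credential check to the security-realm named in "realm". -->
        <security-domain name="myapp-domain" cache-type="default">
          <authentication>
            <login-module code="RealmDirect" flag="required">
              <module-option name="realm" value="myapp-realm"/>
              <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
          </authentication>
        </security-domain>
      </security-domains>
      <!-- 4. Migration bridge: the legacy domain above becomes an Elytron security realm,
              so Elytron domains can authenticate against it while login modules are migrated. -->
      <elytron-integration>
        <security-realms>
          <elytron-realm name="myapp-legacy-realm" legacy-jaas-config="myapp-domain"/>
        </security-realms>
      </elytron-integration>
    </subsystem>

    <subsystem xmlns="urn:wildfly:elytron:1.2">
      <!-- 3. ELYTRON: a realm is the identity store, a domain is the policy over realms,
              an authentication factory binds mechanisms (BASIC, FORM, ...) to a domain. -->
      <security-domains>
        <!-- Authentication against this domain yields a SecurityIdentity. Without a realm-mapper
             the default-realm is consulted; roles are decoded from the realm's "groups" attribute. -->
        <security-domain name="myapp-domain" default-realm="myapp-realm"
                         permission-mapper="default-permission-mapper">
          <realm name="myapp-realm" role-decoder="groups-to-roles"/>
          <realm name="myapp-legacy-realm"/>  <!-- bridged legacy domain from step 4 -->
        </security-domain>
      </security-domains>
      <security-realms>
        <properties-realm name="myapp-realm">
          <users-properties path="myapp-users.properties" relative-to="jboss.server.config.dir"
                            digest-realm-name="myapp-realm"/>
          <groups-properties path="myapp-roles.properties" relative-to="jboss.server.config.dir"/>
        </properties-realm>
      </security-realms>
      <mappers>
        <!-- anonymous gets no permissions; everyone else gets LoginPermission, without which
             authorize() on the domain fails even after a correct password -->
        <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
          <permission-mapping>
            <principal name="anonymous"/>
          </permission-mapping>
          <permission-mapping match-all="true">
            <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
          </permission-mapping>
        </simple-permission-mapper>
        <simple-role-decoder name="groups-to-roles" attribute="groups"/>
      </mappers>
      <http>
        <http-authentication-factory name="myapp-http-auth"
                                     http-server-mechanism-factory="global"
                                     security-domain="myapp-domain">
          <mechanism-configuration>
            <mechanism mechanism-name="BASIC">
              <mechanism-realm realm-name="myapp-realm"/>
            </mechanism>
          </mechanism-configuration>
        </http-authentication-factory>
        <provider-http-server-mechanism-factory name="global"/>
      </http>
    </subsystem>

    <!-- A deployment whose jboss-web.xml names <security-domain>myapp</security-domain> is routed
         to the Elytron factory here instead of the legacy security subsystem. -->
    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
      <application-security-domains>
        <application-security-domain name="myapp" http-authentication-factory="myapp-http-auth"/>
      </application-security-domains>
    </subsystem>
  </profile>
</server>
```

The naming collision is deliberate: the legacy and Elytron objects both called myapp-realm and myapp-domain live in different subsystems and never refer to each other by name; only the elytron-realm bridge (legacy-jaas-config) and the Undertow application-security-domain mapping connect the two worlds. After starting the server you can confirm which model a name belongs to with jboss-cli, for example /subsystem=elytron/security-domain=myapp-domain:read-resource versus /subsystem=security/security-domain=myapp-domain:read-resource.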