What is the main difference between security-domain and security-realm in WildFly?
standalone.xml
<security-domain name="foo">
    <authentication>
        <login-module code="..." flag="...">
        </login-module>
    </authentication>
</security-domain>
and
<security-realm name="foo">
    <authentication>
        <local default-user="..." allowed-users="..." skip-group-loading="..."/>
        <properties path="..." relative-to="..."/>
    </authentication>
    <authorization>
        <properties path="..." relative-to="..."/>
    </authorization>
</security-realm>
Within WildFly we make use of security realms to secure access to the management interfaces, these same realms are used to secure inbound access as exposed by JBoss Remoting such as remote JNDI and EJB access, the realms are also used to define an identity for the server - this identity can be used for both inbound ...
A security realm comprises mechanisms for protecting WebLogic resources. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies (see Figure 4-1).
A security realm is a series of mappings between users and passwords, and users and roles. Security realms are a mechanism for adding authentication and authorization to your EJB and Web applications.
A security domain is considered to be an application or collection of applications that all trust a common security token for authentication, authorization or session management.
Answer updated (2018-06-08) to reflect WildFly Elytron naming. WildFly Elytron is a new security subsystem introduced in WildFly 11 (and JBoss EAP 7.1). Both security subsystems, the legacy one and Elytron, have a notion of security domains and security realms, but the meaning is different.
The Security Domains are used mainly for defining security of deployed applications.
The standard authentication in security domains is based on JAAS javax.security.auth.spi.LoginModule implementations. An application can come up with its own custom login module(s).
The Security Realms are used mainly for configuration security of server management interfaces and remoting.
The realm authentication is based on provided implementations of javax.security.auth.callback.CallbackHandler. AFAIK it's not possible to provide your own CallbackHandler implementation.
A security domain can delegate authentication to a security realm by using the "RealmDirect" login module.
A security realm can delegate authentication to a security domain by using the "jaas" authentication configuration.
See also this response by JBoss security developer Darran Lofthouse.
The Security Realms encapsulate access to user repositories (DB - jdbc-realm, LDAP - ldap-realm, property file - properties-realm, ...). Compared to legacy security it's on a similar level as JAAS Login Modules. An API is provided so custom realms can be implemented.
The Security Domain represents a security policy which uses Security Realms for authentication. Security domains can be used in management security as well as in the application security. A successful authentication against a security domain produces a SecurityIdentity which represents the current user.
Read Elytron subsystem chapter in JBoss EAP documentation to get a more detailed overview of Elytron components.
To learn more about controlling authentication flow in Elytron security domains read this article from Darran Lofthouse.
If you are migrating from Legacy to Elytron security, you can expose a Legacy Security Domain as an Elytron Security Realm. Read more about this scenario in the Elytron Subsystem Migration guide.
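The two delegation directions in the legacy subsystem (domain to realm via "RealmDirect", realm to domain via "jaas") and the Elytron realm/domain split described above, put together in one standalone.xml excerpt. This is an added example, not configuration from the answer or from the WildFly project; the names "app-domain", "custom-domain", "JaasRealm" and the custom-*.properties paths are assumed placeholders, while the element names, login module codes and module options are the ones the answer refers to.

```xml
<!-- Added example (not from the original answer). "app-domain", "custom-domain",
     "JaasRealm" and the custom-*.properties paths are assumed placeholders. -->

<!-- ===== LEGACY SECURITY (WildFly 10, or the legacy subsystem in WildFly 11+) ===== -->

<!-- Realms live under <management>: they protect the management interfaces and
     remoting (remote JNDI/EJB), and here they are backed by property files. -->
<management>
    <security-realms>
        <security-realm name="ApplicationRealm">
            <authentication>
                <!-- Silent "local" auth for same-host callers; allowed-users="*"
                     is the stock default and worth reviewing on shared hosts. -->
                <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization>
                <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>

        <!-- Realm -> domain: this realm has no user store; callers are
             authenticated by the JAAS security domain "custom-domain". -->
        <security-realm name="JaasRealm">
            <authentication>
                <jaas name="custom-domain"/>
            </authentication>
        </security-realm>
    </security-realms>
</management>

<!-- Domains live in the security subsystem and protect deployed applications. -->
<subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
        <!-- Domain -> realm: RealmDirect forwards every login to ApplicationRealm,
             so application users are the ones added with add-user.sh. -->
        <security-domain name="app-domain" cache-type="default">
            <authentication>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="realm" value="ApplicationRealm"/>
                </login-module>
            </authentication>
        </security-domain>

        <!-- A domain with its own JAAS login module; JaasRealm above delegates here. -->
        <security-domain name="custom-domain" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="${jboss.server.config.dir}/custom-users.properties"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/custom-roles.properties"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

<!-- ===== ELYTRON (WildFly 11+): realm = user store, domain = policy on top of it ===== -->
<subsystem xmlns="urn:wildfly:elytron:1.2">
    <security-domains>
        <!-- The domain names its realm(s), how groups become roles, and which
             permissions (at least LoginPermission) an identity receives. -->
        <security-domain name="ApplicationDomain" default-realm="ApplicationRealm"
                         permission-mapper="default-permission-mapper">
            <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <!-- The realm only knows how to look up users and their groups. -->
        <properties-realm name="ApplicationRealm">
            <users-properties path="application-users.properties" relative-to="jboss.server.config.dir"
                              digest-realm-name="ApplicationRealm"/>
            <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </properties-realm>
    </security-realms>
    <mappers>
        <!-- Turn the "groups" attribute loaded by the realm into roles. -->
        <simple-role-decoder name="groups-to-roles" attribute="groups"/>
        <!-- Without LoginPermission an otherwise valid login is still rejected. -->
        <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
            <permission-mapping match-all="true">
                <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
            </permission-mapping>
        </simple-permission-mapper>
    </mappers>
</subsystem>
```

The point to take from the two halves: in the legacy model the realm and the domain are separate user stores that can be wired to each other, so a misconfigured "jaas" or "RealmDirect" reference silently changes who can reach management or application endpoints; in Elytron the realm is only a credential and attribute store, and everything about trust (which realm, role decoding, permissions) is decided in the security domain, which is the element to review when auditing access.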