I’ve already asked this on stackoverflow without success, sorry for cross-posting, but I’d like to try my luck here as well:
I am currently securing some (legacy) JEE webapps running in WildFly 10 with Keycloak using the JBoss EAP/WildFly Adapter.
Most of the webapps have a <security-domain>
defined in their jboss-web.xml
and some EJBs are annotated with @SecurityDomain
.
Even if I change the value of <security-domain>
to “keycloak”, I get WFLYSEC0027: Invalid User
. Since the Keycloak docs don’t mention the use of <security-domain>
, I have removed it and all appears to work fine.
@SecurityDomain
seems to be ignored, it seems I can set any value I want, and the Keycloak docs say:
The security context is propagated to the EJB tier automatically.
So, with a webapp secured with Keycloak, are <security-domain>
and @SecurityDomain
redundant and can be removed?