PicketLink provides a wealth of security functionality, including identity management, federation and authorization in various forms. Unfortunately, WildFly 8.2 with PicketLink 2.7.0.Final suffers from integration issues and documentation gap that makes it very hard to deploy PicketLink in a multi-module enterprise application. The issues discussed below are described ad nauseam in PLINK-666.
This guide assumes you have PicketLink installed as a WildFly-scoped module rather than shipping PicketLink libraries in your EAR or WAR lib directory. Since I’m using PicketLink Subsystem for WildFly 8, this is the scenario described here. I have not found any evidence of anyone successfully using PicketLink when JARs were shipped in an EAR lib directory propagating PicketLink to subdeployments.
Firstly, there is an issue of classloading of PicketLink classes simultaneously to:
- EAR-scoped application libs
- EJB modules
- WAR modules
The classloading in an EAR is controlled by declaring module dependencies via jboss-deployment-structure.xml descriptor file. For an EAR, only the top-level descriptor is considered, with descriptors inside the contained subdeployments being ignored with the following message:
2015-03-10 13:04:52,844 WARN [org.jboss.as.server.deployment] (MSC service thread 1-5) JBAS015850: /content/scenario3-ear-1.0.0-SNAPSHOT.ear/scenario3-war.war/WEB-INF/jboss-deployment-structure.xml in subdeployment ignored. jboss-deployment-structure.xml is only parsed for top level deployments.
Secondly, when vanilla PicketLink libraries are deployed as WildFly-scoped modules, there are CDI class resolution problems resulting in the following warnings, and a consequent failure of class resolution:
2015-03-10 15:44:31,353 WARN [org.jboss.as.weld] (default task-1) JBAS016018: Using deployment classloader to load proxy classes for module org.picketlink.core.api:main. Package-private access will not work. To fix this the module should declare dependencies on [org.jboss.weld.core, org.jboss.weld.spi]
This issue has been resolved in <a href=/2015/picketlink-subsystem-for-wildfly-8-ver-2-7-0-final-1-released/”>PicketLink Subsystem for WildFly 8 Release 2.7.0.Final.1
Finally, this is what an EAR-level jboss-deployment-structure.xml descriptor file would look like, when WildFly-deployed PicketLink libraries or subsystem is used. In the below descriptor PicketLink is fully functional when accessed from EAR-scoped application library JARs, core-web.war module and core-ejb.jar module. Note, that you have to declare a dependency set for every subdeployment module you’d like to be able to utilize PicketLink.
<?xml version="1.0" encoding="UTF-8"?> <jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2"> <deployment> <dependencies> <!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module from WildFly modules directory. --> <module name="org.picketlink.core.api" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm.api" meta-inf="import" annotations="true"></module> <module name="org.picketlink.core" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm" meta-inf="import" annotations="true"></module> <module name="org.picketlink.common" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm.schema" meta-inf="import" annotations="true"></module> </dependencies> </deployment> <sub-deployment name="core-web.war"> <dependencies> <!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module from WildFly modules directory. --> <module name="org.picketlink.core.api" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm.api" meta-inf="import" annotations="true"></module> <module name="org.picketlink.core" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm" meta-inf="import" annotations="true"></module> <module name="org.picketlink.common" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm.schema" meta-inf="import" annotations="true"></module> </dependencies> </sub> <sub-deployment name="core-ejb.jar"> <dependencies> <!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module from WildFly modules directory. --> <module name="org.picketlink.core.api" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm.api" meta-inf="import" annotations="true"></module> <module name="org.picketlink.core" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm" meta-inf="import" annotations="true"></module> <module name="org.picketlink.common" meta-inf="import" annotations="true"></module> <module name="org.picketlink.idm.schema" meta-inf="import" annotations="true"></module> </dependencies> </sub> </jboss>