Tags: oracle-database, encryption, wildfly, wildfly-8

wildfly: How to use encrypted password for a xa-datasource?


I have a WildFly 8.2.0.Final running. I use two Oracle datasources, one <datasource> and one <xa-datasource>. I want to have my DB passwords encrypted and managed to do that for the datasource using a security-domain, but not for the xa-datasource. I haven't found documentation or other postings with a solution for this problem.

Here is what I've done:

        <datasources>
            <datasource jta="false" jndi-name="java:/myproject/jdbc/datasources/jdbc" pool-name="my_JDBC_DS" enabled="true" use-ccm="false">
                <connection-url>jdbc:oracle:thin:@localhost:1521:DB</connection-url>
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver>oracle</driver>
                <pool>
                    <min-pool-size>1</min-pool-size>
                    <max-pool-size>50</max-pool-size>
                </pool>
                <security>
                    <security-domain>databaseSecure</security-domain>
                </security>
                <validation>
                    <check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
                    <validate-on-match>true</validate-on-match>
                    <background-validation>false</background-validation>
                </validation>
            </datasource>
            <xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx" pool-name="MYTXDS" enabled="true" use-ccm="false">
                <xa-datasource-property name="URL">
                    jdbc:oracle:thin:@localhost:1521:DB
                </xa-datasource-property>
                <xa-datasource-property name="User">
                    scott
                </xa-datasource-property>
                <xa-datasource-property name="Password">
                    tiger
                </xa-datasource-property>
                <driver>oracle</driver>
                <security>
                    <user-name>scott</user-name>
                    <password>tiger</password>
                </security>
                <xa-pool>
                    <min-pool-size>1</min-pool-size>
                    <max-pool-size>50</max-pool-size>
                    <wrap-xa-resource>false</wrap-xa-resource>
                </xa-pool>
                <validation>
                    <check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
                    <validate-on-match>true</validate-on-match>
                    <background-validation>false</background-validation>
                </validation>
                <statement>
                    <prepared-statement-cache-size>32</prepared-statement-cache-size>
                    <share-prepared-statements>true</share-prepared-statements>
                </statement>
            </xa-datasource>
            <drivers>
                <driver name="oracle" module="oracle">
                    <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
                </driver>
            </drivers>
        </datasources>
...
            <security-domain name="databaseSecure" cache-type="default">
                <authentication>
                    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                        <module-option name="username" value="scott"/>
                        <module-option name="password" value="-170dd0fbd8c13748"/>
                    </login-module>
                </authentication>
            </security-domain>

I've tried removing the xa-datasource-property entries for user and password and referring to the security-domain, both nested in the security tag and on the same level as the properties. Neither attempt worked: in one case WildFly exits early because of problems parsing the standalone.xml, in the other the deployment fails.

To show the most promising attempt, this is how I tried to refer to the security-domain:

<xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx" pool-name="MYTXDS" enabled="true" use-ccm="false">
            <xa-datasource-property name="URL">
                jdbc:oracle:thin:@localhost:1521:DB
            </xa-datasource-property>
            <driver>oracle</driver>
            <security>
              <security-domain>databaseSecure</security-domain>
            </security>
            <xa-pool>
                <min-pool-size>1</min-pool-size>
                <max-pool-size>50</max-pool-size>
                <wrap-xa-resource>false</wrap-xa-resource>
            </xa-pool>
            <validation>
                <check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
                <validate-on-match>true</validate-on-match>
                <background-validation>false</background-validation>
            </validation>
            <statement>
                <prepared-statement-cache-size>32</prepared-statement-cache-size>
                <share-prepared-statements>true</share-prepared-statements>
            </statement>
        </xa-datasource>

Doing that, WildFly runs into a javax.resource.ResourceException: No matching credentials in Subject! I've debugged into the code and, although I'm missing the source for the last few classes in the call stack, I see that the Subject actually has the credentials as properties, but still the AccessController.doPrivileged call fails, leading to the above-mentioned exception.

You see I'm kind of lost, any suggestions?


Solution

  • I figured out what I did wrong (by debugging WildFly and staring hard at my working JBoss 4 config...). In my security-domain configuration I had only set username and password. To make it work I needed to add the "managedConnectionFactoryName" as well and declare a security-domain for each data source.

    I now have the following configuration:

        <datasources>
            <datasource jta="false" jndi-name="java:/myproject/jdbc/datasources/jdbc" pool-name="my_JDBC_DS" enabled="true" use-ccm="false">
                <connection-url>jdbc:oracle:thin:@localhost:1521:DB</connection-url>
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                <driver>oracle</driver>
                <pool>
                    <min-pool-size>1</min-pool-size>
                    <max-pool-size>50</max-pool-size>
                </pool>
                <security>
                    <security-domain>jdbcDatabaseSecure</security-domain>
                </security>
                <validation>
                    <check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
                    <validate-on-match>true</validate-on-match>
                    <background-validation>false</background-validation>
                </validation>
            </datasource>
            <xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx" pool-name="MYTXDS" enabled="true" use-ccm="false">
                <xa-datasource-property name="URL">
                    jdbc:oracle:thin:@localhost:1521:DB
                </xa-datasource-property>
                <driver>oracle</driver>
                <security>
                    <security-domain>txDatabaseSecure</security-domain>
                </security>
                <xa-pool>
                    <min-pool-size>1</min-pool-size>
                    <max-pool-size>50</max-pool-size>
                    <wrap-xa-resource>false</wrap-xa-resource>
                </xa-pool>
                <validation>
                    <check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
                    <validate-on-match>true</validate-on-match>
                    <background-validation>false</background-validation>
                </validation>
                <statement>
                    <prepared-statement-cache-size>32</prepared-statement-cache-size>
                    <share-prepared-statements>true</share-prepared-statements>
                </statement>
            </xa-datasource>
            <drivers>
                <driver name="oracle" module="oracle">
                    <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
                </driver>
            </drivers>
        </datasources>
        ...
            <security-domain name="jdbcDatabaseSecure" cache-type="default">
                <authentication>
                    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                        <module-option name="username" value="scott"/>
                        <module-option name="password" value="-170dd0fbd8c13748"/>
                        <module-option name="managedConnectionFactoryName" value="jdbcDatabaseSecure"/>
                    </login-module>
                </authentication>
            </security-domain>
            <security-domain name="txDatabaseSecure" cache-type="default">
                <authentication>
                    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                        <module-option name="username" value="scott"/>
                        <module-option name="password" value="-170dd0fbd8c13748"/>
                        <module-option name="managedConnectionFactoryName" value="txDatabaseSecure"/>
                    </login-module>
                </authentication>
            </security-domain>
    

    And now it works.
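A check that follows from this thread, written as an added example and not code from the original post or from WildFly: it parses a standalone.xml fragment with the Python standard library and reports datasources that still carry plaintext credentials (a `<password>` under `<security>` or `User`/`Password` xa-datasource-properties), references to undefined security-domains, domains whose SecureIdentityLoginModule lacks a `managedConnectionFactoryName` option equal to the domain name, and domains shared by more than one datasource (the two changes the answer needed). The element names come from the configuration above; the sample XML is constructed here, with one xa-datasource mirroring the question's broken config and one mirroring the answer's working config. Real standalone.xml files are namespaced, so the script compares local element names only.

```python
"""Audit a WildFly standalone.xml fragment for datasource credential handling (added example)."""
import xml.etree.ElementTree as ET

SECURE_IDENTITY_LM = "org.picketbox.datasource.security.SecureIdentityLoginModule"

# Constructed sample: MYTXDS mirrors the broken xa-datasource from the question,
# MYTXDS2 the working one from the answer, my_JDBC_DS a domain without the option.
SAMPLE_XML = """<server>
  <datasources>
    <xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx" pool-name="MYTXDS">
      <xa-datasource-property name="URL">jdbc:oracle:thin:@localhost:1521:DB</xa-datasource-property>
      <xa-datasource-property name="User">scott</xa-datasource-property>
      <xa-datasource-property name="Password">tiger</xa-datasource-property>
      <security><user-name>scott</user-name><password>tiger</password></security>
    </xa-datasource>
    <xa-datasource jndi-name="java:/myproject/jdbc/datasources/db_tx2" pool-name="MYTXDS2">
      <xa-datasource-property name="URL">jdbc:oracle:thin:@localhost:1521:DB</xa-datasource-property>
      <security><security-domain>txDatabaseSecure</security-domain></security>
    </xa-datasource>
    <datasource jndi-name="java:/myproject/jdbc/datasources/jdbc" pool-name="my_JDBC_DS">
      <connection-url>jdbc:oracle:thin:@localhost:1521:DB</connection-url>
      <security><security-domain>databaseSecure</security-domain></security>
    </datasource>
  </datasources>
  <security-domain name="databaseSecure">
    <authentication>
      <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username" value="scott"/>
        <module-option name="password" value="-170dd0fbd8c13748"/>
      </login-module>
    </authentication>
  </security-domain>
  <security-domain name="txDatabaseSecure">
    <authentication>
      <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username" value="scott"/>
        <module-option name="password" value="-170dd0fbd8c13748"/>
        <module-option name="managedConnectionFactoryName" value="txDatabaseSecure"/>
      </login-module>
    </authentication>
  </security-domain>
</server>
"""


def _local(tag):
    """Strip a namespace prefix: '{urn:jboss:domain:datasources:2.0}password' -> 'password'."""
    return tag.rsplit("}", 1)[-1]


def load_security_domains(root):
    """Map each named security-domain to the module-options of its SecureIdentityLoginModule."""
    domains = {}
    for sd in root.iter():
        if _local(sd.tag) != "security-domain" or "name" not in sd.attrib:
            continue  # the datasource-side <security-domain>ref</security-domain> has no name attribute
        opts = {}
        for lm in sd.iter():
            if _local(lm.tag) == "login-module" and lm.get("code") == SECURE_IDENTITY_LM:
                opts.update((mo.get("name"), mo.get("value")) for mo in lm if _local(mo.tag) == "module-option")
        domains[sd.get("name")] = opts
    return domains


def audit(xml_text):
    """Return (pool-name, finding) tuples for every datasource credential problem found."""
    root = ET.fromstring(xml_text)
    domains = load_security_domains(root)
    findings, domain_users = [], {}
    for ds in root.iter():
        if _local(ds.tag) not in ("datasource", "xa-datasource"):
            continue
        pool = ds.get("pool-name", "?")
        for prop in ds:  # plaintext credentials passed straight to the XA driver
            if _local(prop.tag) == "xa-datasource-property" and prop.get("name", "").lower() in ("user", "password"):
                findings.append((pool, f"plaintext xa-datasource-property {prop.get('name')}"))
        sec = next((c for c in ds if _local(c.tag) == "security"), None)
        if sec is None:
            findings.append((pool, "no <security> element"))
            continue
        if any(_local(c.tag) == "password" for c in sec):
            findings.append((pool, "plaintext <password> in <security>"))
        ref = next((c for c in sec if _local(c.tag) == "security-domain"), None)
        if ref is None:
            continue
        name = (ref.text or "").strip()
        domain_users.setdefault(name, []).append(pool)
        opts = domains.get(name)
        if opts is None:
            findings.append((pool, f"security-domain {name} not defined"))
        elif opts.get("managedConnectionFactoryName") != name:
            findings.append((pool, f"security-domain {name} lacks managedConnectionFactoryName={name}"))
    for name, pools in domain_users.items():  # the answer declares one domain per datasource
        if len(pools) > 1:
            findings.append((",".join(pools), f"security-domain {name} shared by several datasources"))
    return findings


if __name__ == "__main__":
    for pool, finding in audit(SAMPLE_XML):
        print(f"{pool}: {finding}")
```

Point the script at a full standalone.xml by reading the file into `audit()`; the namespace handling makes the subsystem wrappers irrelevant. Note what the check does not buy you: the SecureIdentityLoginModule value is produced by a fixed-key cipher shipped with the server, so it is obfuscation rather than a secret store, and file permissions on standalone.xml (or a vault) still do the real protecting.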