Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Propagating an identity from a Servlet to a Jakarta Enterprise Bean when using OIDC

You can propagate the security identity obtained from an OpenID Connect (OIDC) provider from a Servlet to Jakarta Enterprise Beans in two ways:

  • Using the same virtual security domain to secure both Servlet and Jakarta Enterprise Beans.
  • Propagating the identity from a virtual security domain associated with a Servlet to the security domain securing Jakarta Enterprise Beans.

3.1. Identity propagation to Jakarta Enterprise Beans when using OIDC

When you secure an application with OpenID Connect (OIDC), the elytron-oidc-client subsystem automatically creates a virtual security domain for you. You can propagate the security identity in the virtual security domain, obtained from the OIDC provider, to Jakarta Enterprise Beans that your application invokes.

The following table illustrates the required configurations depending on the security domain you use and how the applications are deployed.

Security domain to use to secure Jakarta Enterprise BeansServlet and Jakarta Enterprise Beans are in the same WAR or EARServlet and Jakarta Enterprise Beans are in different WAR or EAR

Virtual security domain

No configuration is required.

The virtual security domain automatically outflows the security identity to the Jakarta Enterprise Beans provided that no security domain configuration has been explicitly specified for the Jakarta Enterprise Beans.

Configure as follows:

A different security domain

To outflow a security identity from a virtual security domain to another security domain, you must configure the following resources:

  • virtual-security-domain: Specify that security identities established by a virtual security domain should automatically be outflowed to other security domains.
  • security-domain: Indicate that it should trust security identities established by the virtual security domain you configured.

For more information, see Propagating identity from virtual security domain to a security domain.

3.2. Securing Jakarta Enterprise Beans applications using virtual security domain

You can use the virtual security domain created by the elytron-oidc-client subsystem to secure Jakarta Enterprise Beans both when the Jakarta Enterprise Beans is located in the same deployment as the Servlet that invokes it, and when they are located in different deployments.

If the Jakarta Enterprise Beans is located in the same deployment as the Servlet invoking it, no configuration is required to outflow a security identity from the Servlet to the Jakarta Enterprise Beans.

Follow the steps in this procedure to outflow a security identity from a Servlet to Jakarta Enterprise Beans that are located in different deployments.

Prerequisites

  • You have secured the application from which you invoke the Jakarta Enterprise Beans using an OpenID Connect (OIDC) provider.
  • You have created the Jakarta Enterprise Beans to secure.

Procedure

  1. Create a virtual-security-domain resource referencing the WAR that contains the Servlet secured with OIDC or the EAR that contains a subdeployment that is secured with OIDC.

    Syntax

    Copy to Clipboard Toggle word wrap 
    /subsystem=elytron/virtual-security-domain=<deployment_name>:add()

    Example

    Copy to Clipboard Toggle word wrap 
    /subsystem=elytron/virtual-security-domain=simple-ear-example.ear:add()

  2. Add org.jboss.ejb3.annotation.SecurityDomain annotation in the Jakarta Enterprise Beans application referencing the virtual security domain resource to use to secure the application.

    Syntax

    Copy to Clipboard Toggle word wrap 
    @SecurityDomain("<deployment_name>")

    Example

    Copy to Clipboard Toggle word wrap 
    ...
@SecurityDomain("simple-ear-example.ear")
@Remote(RemoteHello.class)
@Stateless
public class RemoteHelloBean implements RemoteHello {

  @Resource
  private SessionContext context;

  @Override
  public String whoAmI() {
    return context.getCallerPrincipal().getName();
  }

}

    If you invoke this Jakarta Enterprise Beans from a Servlet secured with OIDC, the principal returned by whoAmI () will match the principal the Servlet obtained from the OIDC provider.

  3. Deploy the Jakarta Enterprise Beans.

    Example

    Copy to Clipboard Toggle word wrap 
    $ mvn wildfly:deploy

Additional resources

3.3. Propagating identity from virtual security domain to a security domain

You can propagate the security identity from a virtual security domain, obtained from an OpenID Connect (OIDC) provider to a different security domain. You might want to do this if you want the security identity’s roles to be determined by the security domain you propagate the identity to and not the virtual security domain.

The steps in the following procedure apply both when the Servlet invoking a Jakarta Enterprise Beans and the Jakarta Enterprise Beans are in the same deployment and when they are in separate deployments.

Prerequisites

  • You have secured the application from which you invoke the Jakarta Enterprise Beans using an OIDC provider.
  • You have created the Jakarta Enterprise Beans to secure.
  • You secured the Jakarta Enterprise Beans with a security domain.

Procedure

  1. Create a virtual-security-domain resource referencing the WAR that contains the Servlet secured with OIDC or the EAR that contains a subdeployment that is secured with OIDC.

    Syntax

    Copy to Clipboard Toggle word wrap 
    /subsystem=elytron/virtual-security-domain=<deployment_name>:add(outflow-security-domains=[<domain_to_propagate_to>])

    Example

    Copy to Clipboard Toggle word wrap 
    /subsystem=elytron/virtual-security-domain=simple-ear-example.ear:add(outflow-security-domains=[exampleEJBSecurityDomain])

  2. Update the security domain configuration for the Jakarta Enterprise Beans to trust the virtual-security-domain.

    Syntax

    Copy to Clipboard Toggle word wrap 
    /subsystem=elytron/security-domain=<security_domain_name>:write-attribute(name=trusted-virtual-security-domains,value=[<deployment_name>])

    Example

    Copy to Clipboard Toggle word wrap 
    /subsystem=elytron/security-domain=exampleEJBSecurityDomain:write-attribute(name=trusted-virtual-security-domains,value=[simple-ear-example.ear])

  3. Reload the server.

    Copy to Clipboard Toggle word wrap 
    reload

  4. Deploy the Jakarta Enterprise Beans.

    Example

    Copy to Clipboard Toggle word wrap 
    $ mvn wildfly:deploy

Additional resources

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.