Adding a security domain element (authentication, authorization, acl, audit, identity-trust or mapping) turns the server to reload-required, but reload causes the element to disappear. It happens only if you reload the server before any next setting of the added element.

Steps to reproduce:
1. run standalone server:
   cd EAP_HOME/bin
   ./standalone.sh
2. run CLI:
   cd EAP_HOME/bin
   ./jboss-cli.sh -c
3. execute commands in CLI:
3.1. add security domain:
   /subsystem=security/security-domain=JBossTestDomain:read-resource(recursive=true)
3.2. add element for authentication:
   /subsystem=security/security-domain=JBossTestDomain/authentication=classic:add()
   you gain:
   "outcome" => "success",
   "response-headers" => {
       "operation-requires-reload" => true,
       "process-state" => "reload-required"
   }
3.3. reload server:
   :reload()
3.4. add authentication settings:
   /subsystem=security/security-domain=JBossTestDomain/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"/home/user/testing/users.properties"), ("rolesProperties"=>"/home/user/testing/roles.properties")])

Result of command is "outcome" => "failed", because the authentication element disappeared after server reload. If you run the command from 3.4. before the command from 3.3., then the setting of the security domain is added correctly.
Too late for 6.2. I expect the issue is the xml marshaller does not persist an empty authentication element. Workaround is to finish all necessary configuration before reloading. Recommended practice in any multi-step configuration exercise is to use a CLI batch to group related operations into a single unit of work.
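The batch workaround described in the comment above, as an added example that is not part of the original bug thread. It reuses the resource addresses and login-module options from the reproduction steps; the `cache-type=default` argument on the domain add and the script file name are assumptions.

```jboss-cli
# add-domain.cli (hypothetical file name), added example, not from the bug report.
# Groups the whole security-domain definition into one unit of work so the
# persisted configuration never contains an empty authentication element.

batch

# Create the domain itself (cache-type=default is an assumed choice).
/subsystem=security/security-domain=JBossTestDomain:add(cache-type=default)

# Add the authentication element and its login module in the same batch.
/subsystem=security/security-domain=JBossTestDomain/authentication=classic:add()
/subsystem=security/security-domain=JBossTestDomain/authentication=classic/login-module=UsersRoles:add(code=UsersRoles, flag=required, module-options=[("usersProperties"=>"/home/user/testing/users.properties"), ("rolesProperties"=>"/home/user/testing/roles.properties")])

# All three operations are applied together, or none of them is.
run-batch

# Check that the login module is present before activating anything.
/subsystem=security/security-domain=JBossTestDomain:read-resource(recursive=true)

# Reload only now that the domain definition is complete.
:reload()
```

Run it from EAP_HOME/bin with `./jboss-cli.sh -c --file=add-domain.cli`.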
I would not be surprised if the empty element is not allowed according to the schema.
In that case there's a missing Stage.MODEL validation step in the add handler to confirm presence of required children. I expect there are more than a few cases of that kind of thing scattered about. The downside to adding the validation step is the user is forced to use a batch, so I'm not sure adding them in 6.x is the right thing to do.
+1 I think losing an intermediate change is going to be better than mandating they make the change in one step even though doing it as one is the right thing to do. Losing the intermediate change does not break existing scripts or cause a review of all documentation and quick starts that may have ever described how to add a domain.
The question from my PoV is, if the "reload-required" response is really necessary here. The user experience is not good now. E.g. A user wants to add a security domain with one login-module. So he'll create a new domain, then add the authentication=classic element, but then the server responds "I need a reload". And the user believes the server and makes :reload. Then he tries to add his login-module, but the operation fails, because authentication node is missing. FAIL.
One additional point in relation to https://bugzilla.redhat.com/show_bug.cgi?id=1029928#c5 Administrators SHOULD NEVER be executing :reload solely because the server says a reload is required - they SHOULD execute reload at the point where they want the change they have made to be activated. In the sequence of steps described here the administrator has not reached the point where they have changes that are ready to be activated as they have not completed the security domain definition.
*** Bug 1265492 has been marked as a duplicate of this bug. ***