When using either PicketBox or the legacy security realms it is possible to define a configuration where authentication is performed against one identity store whilst the information used for authorization is loaded from a different store, when using WildFly Elytron this can be achieved by using an aggregate security realm.
The example here makes use of a properties file for authentication and then searches LDAP to load group / role information. Both of these are based on the previous examples within this document so the environmental information is not repeated here.
A PicketBox based security domain can be created by using the following CLI commands: -
This results in the following domain definition: -
During an authentication attempt the 'UsersRoles' login module will first be called to perform authentication based on the supplied credential, then the 'LdapExtLoginModule' will be called which will proceed to query LDAP to load the roles for the identity.
An equivalent configuration can also be created using the legacy security realms with the following commands: -
This results in the following realm definition: -
As with the PicketBox example, authentication is first performed using the properties file - then group searching is performed against LDAP.
The equivalent WildFly Elytron configuration can be defined with the following commands: -
This results in the following definitions: -
Within the WildFly Elytron example a new security realm 'aggregate-realm' has been defined, this definition specifies which of the defined security realms should be used for the authentication step and which of the security realms should be used for the loading of the identity used for subsequent authorization decisions.