The section describing how to migrate from database accessible via JDBC datasource based authentication using PicketBox to Elytron. This section will illustrate some equivalent configuration using PicketBox security domains and show the equivalent configuration using Elytron but will not repeat the steps to wire it all together covered in the previous sections.
These configuration examples are developed against a test database with users table like:
For authentication purposes the username will be matched against the 'username' column, password will be expected in hex-encoded MD5 hash in 'password' column. User role for authorization purposes will be taken from 'role' column.
The following commands can create a PicketBox security domain configured to use database accessible via JDBC datasource to verify a username and password and to assign roles.
This results in the following configuration.
Within the Elytron subsystem to use database accesible via JDBC you need to define jdbc-realm:
This results in the following overall configuration:
In comparison with PicketBox solution, Elytron jdbc-realm use one SQL query to obtain all user attributes and credentials. Their extraction from SQL result specifies mappers.
When using a n:m-relation beetween user and roles (which means: the user has multiple roles), the previous configuration does not work.
Here you need two configure two principal queries:
The second query needs an attribute mapping to decode the selected rolename column (index 1):
The role decoder is referenced by the security domain: