Skip to end of metadata
Go to start of metadata

Elytron Subsystem

WildFly Elytron is a security framework used to unify security across the entire application server. The elytron subsystem enables a single point of configuration for securing both applications and the management interfaces. WildFly Elytron also provides a set of APIs and SPIs for providing custom implementations of functionality and integrating with the elytron subsystem.

In addition, there are several other important features of the WildFly Elytron:

  • Stronger authentication mechanisms for HTTP and SASL authentication.
  • Improved architecture that allows for SecurityIdentities to be propagated across security domains and transparently transformed ready to be used for authorization. This transformation takes place using configurable role decoders, role mappers, and permission mappers.
  • Centralized point for SSL/TLS configuration including cipher suites and protocols.
  • SSL/TLS optimizations such as eager SecureIdentity construction and closely tying authorization to establishing an SSL/TLS connection. Eager SecureIdentity construction eliminates the need for a SecureIdentity to be constructed on a per-request basis. Closely tying authentication to establishing an SSL/TLS connection enables permission checks to happen BEFORE the first request is received.
  • A secure credential store that replaces the previous vault implementation to store clear text credentials.

The new elytron subsystem exists in parallel to the legacy security subsystem and legacy core management authentication. Both the legacy and Elytron methods may be used for securing the management interfaces as well as providing security for applications.

Get Started using the Elytron Subsystem

To get started using Elytron, refer to these topics:

Provided components

Wildfly Elytron provides a default set of implementations in the elytron subsystem.

Factories

Component Description
aggregate-http-server-mechanism-factory An HTTP server factory definition where the HTTP server factory is an aggregation of other HTTP server factories.
aggregate-sasl-server-factory A SASL server factory definition where the SASL server factory is an aggregation of other SASL server factories.
configurable-http-server-mechanism-factory A SASL server factory definition where the SASL server factory is an aggregation of other SASL server factories.
configurable-sasl-server-factory A SASL server factory definition where the SASL server factory is an aggregation of other SASL server factories.
custom-credential-security-factory A custom credential SecurityFactory definition.
http-authentication-factory Resource containing the association of a security domain with a HttpServerAuthenticationMechanismFactory.
kerberos-security-factory A security factory for obtaining a GSSCredential for use during authentication.
mechanism-provider-filtering-sasl-server-factory A SASL server factory definition that enables filtering by provider where the factory was loaded using a provider.
provider-http-server-mechanism-factory An HTTP server factory definition where the HTTP server factory is an aggregation of factories from the provider list.
provider-sasl-server-factory A SASL server factory definition where the SASL server factory is an aggregation of factories from the provider list.
sasl-authentication-factory Resource containing the association of a security domain with a SaslServerFactory.
service-loader-http-server-mechanism-factory An HTTP server factory definition where the HTTP server factory is an aggregation of factories identified using a ServiceLoader
service-loader-sasl-server-factory A SASL server factory definition where the SASL server factory is an aggregation of factories identified using a ServiceLoader

Principal Transformers

Component Description
aggregate-principal-transformer A principal transformer definition where the principal transformer is an aggregation of other principal transformers.
chained-principal-transformer A principal transformer definition where the principal transformer is a chaining of other principal transformers.
constant-principal-transformer A principal transformer definition where the principal transformer always returns the same constant.
custom-principal-transformer A custom principal transformer definition.
regex-principal-transformer A regular expression based principal transformer
regex-validating-principal-transformer A regular expression based principal transformer which uses the regular expression to validate the name.

Principal Decoders

Component Description
aggregate-principal-decoder A principal decoder definition where the principal decoder is an aggregation of other principal decoders.
concatenating-principal-decoder A principal decoder definition where the principal decoder is a concatenation of other principal decoders.
constant-principal-decoder Definition of a principal decoder that always returns the same constant.
custom-principal-decoder Definition of a custom principal decoder.
x500-attribute-principal-decoder Definition of a X500 attribute based principal decoder.

Realm Mappers

Component Description
constant-realm-mapper Definition of a constant realm mapper that always returns the same value.
custom-realm-mapper Definition of a custom realm mapper
mapped-regex-realm-mapper Definition of a realm mapper implementation that first uses a regular expression to extract the realm name, this is then converted using the configured mapping of realm names.
simple-regex-realm-mapper Definition of a simple realm mapper that attempts to extract the realm name using the capture group from the regular expression, if that does not provide a match then the delegate realm mapper is used instead.

Realms

Component Description
aggregate-realm A realm definition that is an aggregation of two realms, one for the authentication steps and one for loading the identity for the authorization steps.
caching-realm A realm definition that enables caching to another security realm. Caching strategy is Least Recently Used where least accessed entries are discarded when maximum number of entries is reached.
custom-modifiable-realm Custom realm configured as being modifiable will be expected to implement the ModifiableSecurityRealm interface. By configuring a realm as being modifiable management operations will be made available to manipulate the realm.
custom-realm A custom realm definitions can implement either the s SecurityRealm interface or the ModifiableSecurityRealm interface. Regardless of which interface is implemented management operations will not be exposed to manage the realm. However other services that depend on the realm will still be able to perform a type check and cast to gain access to the modification API.
filesystem-realm A simple security realm definition backed by the filesystem.
identity-realm A security realm definition where identities are represented in the management model.
jdbc-realm A security realm definition backed by database using JDBC.
key-store-realm A security realm definition backed by a keystore.
ldap-realm A security realm definition backed by LDAP.
properties-realm A security realm definition backed by properties files.
token-realm A security realm definition capable of validating and extracting identities from security tokens.
trust-managers A trust manager definition for creating the TrustManager list as used to create an SSL context.

Permission Mappers

Component Description
custom-permission-mapper Definition of a custom permission mapper.
logical-permission-mapper Definition of a logical permission mapper.
simple-permission-mapper Definition of a simple configured permission mapper.
constant-permission-mapper Definition of a permission mapper that always returns the same constant.

Role Decoders

Component Description
custom-role-decoder Definition of a custom RoleDecoder
simple-role-decoder Definition of a simple RoleDecoder that takes a single attribute and maps it directly to roles.

Role Mappers

Component Description
add-prefix-role-mapper A role mapper definition for a role mapper that adds a prefix to each provided.
add-suffix-role-mapper A role mapper definition for a role mapper that adds a suffix to each provided.
constant-role-mapper A role mapper definition where a constant set of roles is always returned.
aggregate-role-mapper A role mapper definition where the role mapper is an aggregation of other role mappers.
logical-role-mapper A role mapper definition for a role mapper that performs a logical operation using two referenced role mappers.
custom-role-mapper Definition of a custom role mapper

SSL Components

Component Description
client-ssl-context An SSLContext for use on the client side of a connection.
filtering-key-store A filtering keystore definition, which provides a keystore by filtering a key-store.
key-managers A key manager definition for creating the key manager list as used to create an SSL context.
key-store A keystore definition.
ldap-key-store An LDAP keystore definition, which loads a keystore from an LDAP server.
server-ssl-context An SSL context for use on the server side of a connection.

Other

Component Description
aggregate-providers An aggregation of two or more Provider[] resources.
authentication-configuration An individual authentication configuration definition, which is used by clients deployed to Wildfly and other resources for authenticating when making a remote connection.
authentication-context An individual authentication context definition, which is used to supply an ssl-context and authentication-configuration when clients deployed to Wildfly and other resources make a remoting connection.
credential-store Credential store to keep alias for sensitive information such as passwords for external services.
dir-context The configuration to connect to a directory (LDAP) server.
provider-loader A definition for a provider loader.
security-domain A security domain definition.
security-property A definition of a security property to be set.

Out of the Box Configuration

WildFly provides a set of components configured by default. While these components are ready to use, the legacy security subsystem and legacy core management authentication is still used by default. To configure WildFly to use the these configured components as well as create new ones, see the Using the Elytron Subsystem section.

Default Component Description
ApplicationDomain The ApplicationDomain security domain uses ApplicationRealm and groups-to-roles for authentication. It also uses default-permission-mapper to assign the login permission.
ManagementDomain The ManagementDomain security domain uses two security realms for authentication: ManagementRealm with groups-to-roles and local with super-user-mapper. It also uses default-permission-mapper to assign the login permission.
local (security realm) The local security realm does no authentication and sets the identity of principals to $local
ApplicationRealm The ApplicationRealm security realm is a properties realm that authenticates principals using application-users.properties and assigns roles using application-roles.properties. These files are located under jboss.server.config.dir, which by default, maps to EAP_HOME/standalone/configuration. They are also the same files used by the legacy security default configuration.
ManagementRealm The ManagementRealm security realm is a properties realm that authenticates principals using mgmt-users.properties and assigns roles using mgmt-groups.properties. These files are located under jboss.server.config.dir, which by default, maps to EAP_HOME/standalone/configuration. They are also the same files used by the legacy security default configuration.
default-permission-mapper The default-permission-mapper mapper is a constant permission mapper that uses org.wildfly.security.auth.permission.LoginPermission to assign the login permission and org.wildfly.extension.batch.jberet.deployment.BatchPermission to assign permission for batch jobs. The batch permissions are start, stop, restart, abandon, and read which aligns with javax.batch.operations.JobOperator.
local (mapper) The local mapper is a constant role mapper that maps to the local security realm. This is used to map authentication to the local security realm.
groups-to-roles The groups-to-roles mapper is a simple-role-decoder that will decode the groups information of a principal and use it for the role information.
super-user-mapper The super-user-mapper mapper is a constant role mapper that maps the SuperUser role to a principal.
management-http-authentication The management-http-authentication http-authentication-factory can be used for doing authentication over http. It uses the global provider-http-server-mechanism-factory to filter authentication mechanism and uses ManagementDomain for authenticating principals. It accepts the DIGEST authentication mechanisms and exposes it as ManagementRealm to applications.
application-http-authentication The application-http-authentication http-authentication-factory can be used for doing authentication over http. It uses the global provider-http-server-mechanism-factory to filter authentication mechanism and uses ApplicationDomain for authenticating principals. It accepts BASIC and FORM authentication mechanisms and exposes BASIC as Application Realm to applications.
global (provider-http-server-mechanism-factory) This is the HTTP server factory mechanism definition used to list the provided authentication mechanisms when creating an http authentication factory.
management-sasl-authentication The management-sasl-authentication sasl-authentication-factory can be used for authentication using SASL. It uses the configured sasl-server-factory to filter authentication mechanisms, which also uses the global provider-sasl-server-factory to filter by provider names. management-sasl-authentication uses the ManagementDomain security domain for authentication of principals. It also maps authentication using JBOSS-LOCAL-USER mechanisms using the local realm mapper and authentication using DIGEST-MD5 to ManagementRealm.
application-sasl-authentication The application-sasl-authentication sasl-authentication-factory can be used for authentication using SASL. It uses the configured sasl-server-factory to filter authentication mechanisms, which also uses the global provider-sasl-server-factory to filter by provider names. application-sasl-authentication uses the ApplicationDomain security domain for authentication of principals.
global (provider-sasl-server-factory) This is the SASL server factory definition used to create SASL authentication factories.
elytron (mechanism-provider-filtering-sasl-server-factor) This is used to filter which sasl-authentication-factory is used based on the provider. In this case, elytron will match on the WildFlyElytron provider name.
configured (configurable-sasl-server-factory) This is used to filter sasl-authentication-factory is used based on the mechanism name. In this case, configured will match on JBOSS-LOCAL-USER and DIGEST-MD5. It also sets the wildfly.sasl.local-user.default-user to $local.
combined-providers Is an aggregate provider that aggreates the elytron and openssl provider loaders.
elytron A provider loader
openssl A provider loader

Default WildFly Configuration

Default Application Authentication Configuration

By default, applications are secured using legacy security domains. Applications must specify a security domain in their web.xml as well as the authentication method. If no security domain is specified by the application, WildFly will use the provided other legacy security domain.

Update WildFly to Use the Default Elytron Components for Application Authentication

Default Elytron Application HTTP Authentication Configuration

By default, the application-http-authentication http-authentication-factory is provided for application http authentication.

The application-http-authentication http-authentication-factory is configured to use the ApplicationDomain security domain.

The ApplicationDomain security domain is backed by the ApplicationRealm Elytron security realm, which is a properties-based realm.

Default Management Authentication Configuration

By default, the WildFly management interfaces are secured by the legacy core management authentication.

Default Configuration

WildFly does provide management-http-authentication and management-sasl-authentication in the elytron subsystem for securing the management interfaces as well.

Update WildFly to Use the Default Elytron Components for Management Authentication

Set http-authentication-factory to use management-http-authentication
Set sasl-authentication-factory to use management-sasl-authentication
Undefine security-realm
Reload WildFly for the changes to take affect.

The management interfaces are now secured using the default components provided by the 'elytron' subsystem.

Default Elytron Management HTTP Authentication Configuration

When you access the management interface over HTTP, for example when using the web-based management console, WildFly will use the management-http-authentication http-authentication-factory.

The management-http-authentication http-authentication-factory, is configured to use the ManagementDomain security domain.

The ManagementDomain security domain is backed by the ManagementRealm Elytron security realm, which is a properties-based realm.

Default Elytron Management CLI Authentication

By default, the management CLI (jboss-cli.sh) is configured to connect over remotehttp.

Default jboss-cli.xml

This will establish a connection over HTTP and use HTTP upgrade to change the communication protocol to native. The HTTP upgrade connection is secured in the http-upgrade section of the http-interface using a sasl-authentication-factory.

Example Configuration with Default Components

The default sasl-authentication-factory is management-sasl-authentication.

The management-sasl-authentication sasl-authentication-factory specifies JBOSS-LOCAL-USER and DIGEST-MD5 mechanisms.

JBOSS-LOCAL-USER Realm

The local Elytron security realm is for handling silent authentication for local users.

The ManagementRealm Elytron security realm is the same realm used in the management-http-authentication http-authentication-factory.

Comparing Legacy Approaches to Elytron Approaches

Labels:
None
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.