WildFly Elytron is a security framework used to unify security across the entire application server. The elytron subsystem enables a single point of configuration for securing both applications and the management interfaces. WildFly Elytron also provides a set of APIs and SPIs for providing custom implementations of functionality and integrating with the elytron subsystem.
In addition, there are several other important features of the WildFly Elytron:
- Stronger authentication mechanisms for HTTP and SASL authentication.
- Improved architecture that allows for SecurityIdentities to be propagated across security domains and transparently transformed ready to be used for authorization. This transformation takes place using configurable role decoders, role mappers, and permission mappers.
- Centralized point for SSL/TLS configuration including cipher suites and protocols.
- SSL/TLS optimizations such as eager SecureIdentity construction and closely tying authorization to establishing an SSL/TLS connection. Eager SecureIdentity construction eliminates the need for a SecureIdentity to be constructed on a per-request basis. Closely tying authentication to establishing an SSL/TLS connection enables permission checks to happen BEFORE the first request is received.
- A secure credential store that replaces the previous vault implementation to store clear text credentials.
The new elytron subsystem exists in parallel to the legacy security subsystem and legacy core management authentication. Both the legacy and Elytron methods may be used for securing the management interfaces as well as providing security for applications.
To get started using Elytron, refer to these topics:
- Use the default Elytron components for application and management authentication
- Secure an application with a new identity store stored in a filesystem or database.
- Set up one-way SSL/TLS for applications or the management interfaces.
- Set up two-way SSL/TLS for applications or the management interfaces.
- Create a credential store and use it with your SSL/TLS configuration.
- Use certificate-based authentication with applications.
- Override an application's authentication configuration with Elytron authentication.
- Configure Kerberos authentication for applications.
- Secure applications and the management interfaces with an LDAP-based identity store.
Wildfly Elytron provides a default set of implementations in the elytron subsystem.
|aggregate-http-server-mechanism-factory||An HTTP server factory definition where the HTTP server factory is an aggregation of other HTTP server factories.|
|aggregate-sasl-server-factory||A SASL server factory definition where the SASL server factory is an aggregation of other SASL server factories.|
|configurable-http-server-mechanism-factory||A SASL server factory definition where the SASL server factory is an aggregation of other SASL server factories.|
|configurable-sasl-server-factory||A SASL server factory definition where the SASL server factory is an aggregation of other SASL server factories.|
|custom-credential-security-factory||A custom credential SecurityFactory definition.|
|http-authentication-factory||Resource containing the association of a security domain with a HttpServerAuthenticationMechanismFactory.|
|kerberos-security-factory||A security factory for obtaining a GSSCredential for use during authentication.|
|mechanism-provider-filtering-sasl-server-factory||A SASL server factory definition that enables filtering by provider where the factory was loaded using a provider.|
|provider-http-server-mechanism-factory||An HTTP server factory definition where the HTTP server factory is an aggregation of factories from the provider list.|
|provider-sasl-server-factory||A SASL server factory definition where the SASL server factory is an aggregation of factories from the provider list.|
|sasl-authentication-factory||Resource containing the association of a security domain with a SaslServerFactory.|
|service-loader-http-server-mechanism-factory||An HTTP server factory definition where the HTTP server factory is an aggregation of factories identified using a ServiceLoader|
|service-loader-sasl-server-factory||A SASL server factory definition where the SASL server factory is an aggregation of factories identified using a ServiceLoader|
|aggregate-principal-transformer||A principal transformer definition where the principal transformer is an aggregation of other principal transformers.|
|chained-principal-transformer||A principal transformer definition where the principal transformer is a chaining of other principal transformers.|
|constant-principal-transformer||A principal transformer definition where the principal transformer always returns the same constant.|
|custom-principal-transformer||A custom principal transformer definition.|
|regex-principal-transformer||A regular expression based principal transformer|
|regex-validating-principal-transformer||A regular expression based principal transformer which uses the regular expression to validate the name.|
|aggregate-principal-decoder||A principal decoder definition where the principal decoder is an aggregation of other principal decoders.|
|concatenating-principal-decoder||A principal decoder definition where the principal decoder is a concatenation of other principal decoders.|
|constant-principal-decoder||Definition of a principal decoder that always returns the same constant.|
|custom-principal-decoder||Definition of a custom principal decoder.|
|x500-attribute-principal-decoder||Definition of a X500 attribute based principal decoder.|
|constant-realm-mapper||Definition of a constant realm mapper that always returns the same value.|
|custom-realm-mapper||Definition of a custom realm mapper|
|mapped-regex-realm-mapper||Definition of a realm mapper implementation that first uses a regular expression to extract the realm name, this is then converted using the configured mapping of realm names.|
|simple-regex-realm-mapper||Definition of a simple realm mapper that attempts to extract the realm name using the capture group from the regular expression, if that does not provide a match then the delegate realm mapper is used instead.|
|aggregate-realm||A realm definition that is an aggregation of two realms, one for the authentication steps and one for loading the identity for the authorization steps.|
|caching-realm||A realm definition that enables caching to another security realm. Caching strategy is Least Recently Used where least accessed entries are discarded when maximum number of entries is reached.|
|custom-modifiable-realm||Custom realm configured as being modifiable will be expected to implement the ModifiableSecurityRealm interface. By configuring a realm as being modifiable management operations will be made available to manipulate the realm.|
|custom-realm||A custom realm definitions can implement either the s SecurityRealm interface or the ModifiableSecurityRealm interface. Regardless of which interface is implemented management operations will not be exposed to manage the realm. However other services that depend on the realm will still be able to perform a type check and cast to gain access to the modification API.|
|filesystem-realm||A simple security realm definition backed by the filesystem.|
|identity-realm||A security realm definition where identities are represented in the management model.|
|jdbc-realm||A security realm definition backed by database using JDBC.|
|key-store-realm||A security realm definition backed by a keystore.|
|ldap-realm||A security realm definition backed by LDAP.|
|properties-realm||A security realm definition backed by properties files.|
|token-realm||A security realm definition capable of validating and extracting identities from security tokens.|
|trust-managers||A trust manager definition for creating the TrustManager list as used to create an SSL context.|
|custom-permission-mapper||Definition of a custom permission mapper.|
|logical-permission-mapper||Definition of a logical permission mapper.|
|simple-permission-mapper||Definition of a simple configured permission mapper.|
|constant-permission-mapper||Definition of a permission mapper that always returns the same constant.|
|custom-role-decoder||Definition of a custom RoleDecoder|
|simple-role-decoder||Definition of a simple RoleDecoder that takes a single attribute and maps it directly to roles.|
|add-prefix-role-mapper||A role mapper definition for a role mapper that adds a prefix to each provided.|
|add-suffix-role-mapper||A role mapper definition for a role mapper that adds a suffix to each provided.|
|constant-role-mapper||A role mapper definition where a constant set of roles is always returned.|
|aggregate-role-mapper||A role mapper definition where the role mapper is an aggregation of other role mappers.|
|logical-role-mapper||A role mapper definition for a role mapper that performs a logical operation using two referenced role mappers.|
|custom-role-mapper||Definition of a custom role mapper|
|client-ssl-context||An SSLContext for use on the client side of a connection.|
|filtering-key-store||A filtering keystore definition, which provides a keystore by filtering a key-store.|
|key-managers||A key manager definition for creating the key manager list as used to create an SSL context.|
|key-store||A keystore definition.|
|ldap-key-store||An LDAP keystore definition, which loads a keystore from an LDAP server.|
|server-ssl-context||An SSL context for use on the server side of a connection.|
|aggregate-providers||An aggregation of two or more Provider resources.|
|authentication-configuration||An individual authentication configuration definition, which is used by clients deployed to Wildfly and other resources for authenticating when making a remote connection.|
|authentication-context||An individual authentication context definition, which is used to supply an ssl-context and authentication-configuration when clients deployed to Wildfly and other resources make a remoting connection.|
|credential-store||Credential store to keep alias for sensitive information such as passwords for external services.|
|dir-context||The configuration to connect to a directory (LDAP) server.|
|provider-loader||A definition for a provider loader.|
|security-domain||A security domain definition.|
|security-property||A definition of a security property to be set.|
WildFly provides a set of components configured by default. While these components are ready to use, the legacy security subsystem and legacy core management authentication is still used by default. To configure WildFly to use the these configured components as well as create new ones, see the Using the Elytron Subsystem section.
|ApplicationDomain||The ApplicationDomain security domain uses ApplicationRealm and groups-to-roles for authentication. It also uses default-permission-mapper to assign the login permission.|
|ManagementDomain||The ManagementDomain security domain uses two security realms for authentication: ManagementRealm with groups-to-roles and local with super-user-mapper. It also uses default-permission-mapper to assign the login permission.|
|local (security realm)||The local security realm does no authentication and sets the identity of principals to $local|
|ApplicationRealm||The ApplicationRealm security realm is a properties realm that authenticates principals using application-users.properties and assigns roles using application-roles.properties. These files are located under jboss.server.config.dir, which by default, maps to EAP_HOME/standalone/configuration. They are also the same files used by the legacy security default configuration.|
|ManagementRealm||The ManagementRealm security realm is a properties realm that authenticates principals using mgmt-users.properties and assigns roles using mgmt-groups.properties. These files are located under jboss.server.config.dir, which by default, maps to EAP_HOME/standalone/configuration. They are also the same files used by the legacy security default configuration.|
|default-permission-mapper||The default-permission-mapper mapper is a constant permission mapper that uses org.wildfly.security.auth.permission.LoginPermission to assign the login permission and org.wildfly.extension.batch.jberet.deployment.BatchPermission to assign permission for batch jobs. The batch permissions are start, stop, restart, abandon, and read which aligns with javax.batch.operations.JobOperator.|
|local (mapper)||The local mapper is a constant role mapper that maps to the local security realm. This is used to map authentication to the local security realm.|
|groups-to-roles||The groups-to-roles mapper is a simple-role-decoder that will decode the groups information of a principal and use it for the role information.|
|super-user-mapper||The super-user-mapper mapper is a constant role mapper that maps the SuperUser role to a principal.|
|management-http-authentication||The management-http-authentication http-authentication-factory can be used for doing authentication over http. It uses the global provider-http-server-mechanism-factory to filter authentication mechanism and uses ManagementDomain for authenticating principals. It accepts the DIGEST authentication mechanisms and exposes it as ManagementRealm to applications.|
|application-http-authentication||The application-http-authentication http-authentication-factory can be used for doing authentication over http. It uses the global provider-http-server-mechanism-factory to filter authentication mechanism and uses ApplicationDomain for authenticating principals. It accepts BASIC and FORM authentication mechanisms and exposes BASIC as Application Realm to applications.|
|global (provider-http-server-mechanism-factory)||This is the HTTP server factory mechanism definition used to list the provided authentication mechanisms when creating an http authentication factory.|
|management-sasl-authentication||The management-sasl-authentication sasl-authentication-factory can be used for authentication using SASL. It uses the configured sasl-server-factory to filter authentication mechanisms, which also uses the global provider-sasl-server-factory to filter by provider names. management-sasl-authentication uses the ManagementDomain security domain for authentication of principals. It also maps authentication using JBOSS-LOCAL-USER mechanisms using the local realm mapper and authentication using DIGEST-MD5 to ManagementRealm.|
|application-sasl-authentication||The application-sasl-authentication sasl-authentication-factory can be used for authentication using SASL. It uses the configured sasl-server-factory to filter authentication mechanisms, which also uses the global provider-sasl-server-factory to filter by provider names. application-sasl-authentication uses the ApplicationDomain security domain for authentication of principals.|
|global (provider-sasl-server-factory)||This is the SASL server factory definition used to create SASL authentication factories.|
|elytron (mechanism-provider-filtering-sasl-server-factor)||This is used to filter which sasl-authentication-factory is used based on the provider. In this case, elytron will match on the WildFlyElytron provider name.|
|configured (configurable-sasl-server-factory)||This is used to filter sasl-authentication-factory is used based on the mechanism name. In this case, configured will match on JBOSS-LOCAL-USER and DIGEST-MD5. It also sets the wildfly.sasl.local-user.default-user to $local.|
|combined-providers||Is an aggregate provider that aggreates the elytron and openssl provider loaders.|
|elytron||A provider loader|
|openssl||A provider loader|
Default WildFly Configuration
By default, applications are secured using legacy security domains. Applications must specify a security domain in their web.xml as well as the authentication method. If no security domain is specified by the application, WildFly will use the provided other legacy security domain.
By default, the application-http-authentication http-authentication-factory is provided for application http authentication.
The application-http-authentication http-authentication-factory is configured to use the ApplicationDomain security domain.
The ApplicationDomain security domain is backed by the ApplicationRealm Elytron security realm, which is a properties-based realm.
By default, the WildFly management interfaces are secured by the legacy core management authentication.
WildFly does provide management-http-authentication and management-sasl-authentication in the elytron subsystem for securing the management interfaces as well.
The management interfaces are now secured using the default components provided by the 'elytron' subsystem.
When you access the management interface over HTTP, for example when using the web-based management console, WildFly will use the management-http-authentication http-authentication-factory.
The management-http-authentication http-authentication-factory, is configured to use the ManagementDomain security domain.
The ManagementDomain security domain is backed by the ManagementRealm Elytron security realm, which is a properties-based realm.
By default, the management CLI (jboss-cli.sh) is configured to connect over remotehttp.
This will establish a connection over HTTP and use HTTP upgrade to change the communication protocol to native. The HTTP upgrade connection is secured in the http-upgrade section of the http-interface using a sasl-authentication-factory.
Example Configuration with Default Components
The default sasl-authentication-factory is management-sasl-authentication.
The management-sasl-authentication sasl-authentication-factory specifies JBOSS-LOCAL-USER and DIGEST-MD5 mechanisms.
The local Elytron security realm is for handling silent authentication for local users.
The ManagementRealm Elytron security realm is the same realm used in the management-http-authentication http-authentication-factory.