Skip to end of metadata
Go to start of metadata

Using Elytron within WildFly

Using the Out of the Box Elytron Components

Securing Management Interfaces

You can find more details on the enabling WildFly to use the out of the box Elytron components for securing the management interfaces in the Default Management Authentication Configuration section.

Securing Applications

The elytron subsystem provides application-http-authentication by default which can be used to secure applications. For more details on how application-http-authentication is configured, see the Out of the Box Configuration section.

To configure applications to use application-http-authentication, see Configure Applications to Use Elytron or Legacy Security for Authentication. You can also override the default behavior of all applications using the steps in Override an Application's Authentication Configuration.


WildFly does provide a default one-way SSL/TLS configuration using the legacy core management authentication but does not provide one in the elytron subsystem. You can find more details on configuring SSL/TLS using the elytron subsystem for both the management interfaces as well as for applications in Configure SSL/TLS

Using Elytron with Other Subsystems

In addition to securing applications and management interfaces, Elytron also integrates with other subsystems in WildFly.

Subsystem Details
batch-jberet You can configure the batch-jberet to run batch jobs using an Elytron security domain.
datasources You can use a credential store or an Elytron security domain to provide authentication information in a datasource definition.
messaging-activemq You can secure remote connections to the remote connections used by the messaging-activemq subsystem.
iiop-openjdk You can use the elytron subsystem to configure SSL/TLS between clients and servers using the iiop-openjdk subsystem.
mail You can use a credential store to provide authentication information in a server definition in the mail subsystem.
undertow You can use the elytron subsystem to configure both SSL/TLS and application authentication.

Undertow Subsystem

EJB Subsystem

Configuration can be added to the EJB subsystem to map a security domain name referenced in a deployment to an Elytron security domain:

Which results in:

Note: If the deployment was already deployed at this point the application server should be reloaded or the deployment redeployed for the application security domain mapping to take effect.

An application-security-domain has two main attributes:

  • name - the name of the security domain as specified in a deployment
  • security-domain - a reference to the Elytron security domain that should be used

When an application security domain mapping is configured for a bean in a deployment, this indicates that security should be handled by Elytron.

WebServices Subsystem

There is adapter in webservices subsystem to make authentication works for elytron security domain automatically. Like configure with legacy security domain, you can configure elytron security domain in deployment descriptor or annotation to secure webservice endpoint.

Legacy Security Subsystem

As previously described, Elytron based security is configured by chaining together different capability references to form a complete security policy. To allow an incremental migration from the legacy Security subsystem some of the major components of this subsystem can be mapped to Elytron capabilities and used within an Elytron based set up.

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.