forked from wildfly/wildfly
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request wildfly#11914 from darranl/WFLY-7186
[WFLY-7186] EE Security API Integration with WildFly Elytron
- Loading branch information
Showing
21 changed files
with
720 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
46 changes: 46 additions & 0 deletions
46
docs/src/main/asciidoc/_elytron/Elytron_and_Java_EE_Security.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
[[Elytron_and_Java_EE_Security]] | ||
= Elytron and Java EE Security | ||
|
||
[abstract] | ||
== Introduction | ||
|
||
Starting from WildFly 15 an implementation of the Servlet Profile from Java Authentication SPI for Containers (JSR-196 / JASPI) specification has been included in the application server, in addition to making JASPI available for deployments using WildFly Elytron it also makes it possible to make use of EE Security with WildFly Elytron. | ||
|
||
== Activation | ||
|
||
EE Security with WildFly Elytron is available out of the box with just a couple of small steps required. | ||
|
||
=== Define JACC Policy | ||
|
||
The `SecurityContext` API makes use of JACC to access the current authenticated identity, if deployments are going to make use of this API then a JACC policy needs to be activated in the WildFly Elytron subsystem. If this API is not being used then the activation can be skipped. | ||
|
||
[source, ruby] | ||
---- | ||
/subsystem=security:write-attribute(name=initialize-jacc, value=false) | ||
/subsystem=elytron/policy=jacc:add(jacc-policy={}) | ||
:reload | ||
---- | ||
|
||
As is shown in the example no specific configuration is required other than the presence of a default JACC policy, additionally after making these changes the server needs to be reloaded to ensure the new policy activates correctly. | ||
|
||
=== Add `application-security-domain` mapping | ||
|
||
As with all deployments a mapping is required from the security domain defined for the deployment to either a WildFly Elytron security domain or http authentication factory to activate security backed by WildFly Elytron. | ||
|
||
All web applications deployed to WildFly have a security domain which will be resolved in the following order: - | ||
|
||
. From the deployment descriptors / annotations of the deployment being deployed. | ||
. The value defined on the `default-security-domain` attribute on the Undertow subsystem. | ||
. Default to 'other'. | ||
|
||
An `application-security-domain` resource then needs to be added to map from the deployment's security domain. | ||
|
||
The simplest approach is to add a mapping for `other`, then no further configuration will be required and provided the deployment does not define it's own security domain and provided no alternative default is specified all deployments will match this mapping. | ||
|
||
[source, ruby] | ||
---- | ||
/subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain, integrated-jaspi=false) | ||
---- | ||
|
||
The EE Security API is built on JASPI. Within JASPI we support two different modes of operation 'integrated', and 'non-integrated'. In integrated mode any identity being established during authentication is expected to exist in the associated security domain. With the EE Security APIs however it is quite likely an alternative store will be in use so configuration the mapping to use 'non-integrated' JASPI allows for identities to be dynamically created as required. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
107 changes: 107 additions & 0 deletions
107
...ration/elytron/src/test/java/org/wildfly/test/integration/elytron/securityapi/Policy.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,107 @@ | ||
/* | ||
* Copyright 2018 Red Hat, Inc. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package org.wildfly.test.integration.elytron.securityapi; | ||
|
||
import org.jboss.as.controller.PathAddress; | ||
import org.jboss.as.controller.client.ModelControllerClient; | ||
import org.jboss.as.controller.operations.common.Util; | ||
import org.jboss.as.test.integration.management.util.CLIWrapper; | ||
import org.jboss.as.test.integration.security.common.Utils; | ||
import org.jboss.dmr.ModelNode; | ||
import org.jboss.logging.Logger; | ||
import org.wildfly.test.security.common.elytron.AbstractConfigurableElement; | ||
|
||
import net.sf.ehcache.config.generator.model.elements.ConfigurationElement; | ||
|
||
/** | ||
* A {@link ConfigurationElement} to add a policy definition to the Elytron subsystem. | ||
* | ||
* @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a> | ||
*/ | ||
class Policy extends AbstractConfigurableElement { | ||
|
||
private static final Logger LOGGER = Logger.getLogger(Utils.class); | ||
|
||
private final PathAddress address; | ||
private final boolean jaccPolicy; | ||
|
||
Policy(Builder builder) { | ||
super(builder); | ||
this.address = PathAddress.pathAddress().append("subsystem", "elytron").append("policy", name); | ||
this.jaccPolicy = builder.jaccPolicy; | ||
} | ||
|
||
@Override | ||
public void create(ModelControllerClient client, CLIWrapper cli) throws Exception { | ||
ModelNode add = Util.createAddOperation(address); | ||
if (jaccPolicy) { | ||
add.get("jacc-policy").setEmptyObject(); | ||
} | ||
LOGGER.tracef("Adding policy (%s)", add.toString()); | ||
|
||
Utils.applyUpdate(add, client); | ||
} | ||
|
||
@Override | ||
public void remove(ModelControllerClient client, CLIWrapper cli) throws Exception { | ||
Utils.applyUpdate(Util.createRemoveOperation(address), client); | ||
} | ||
|
||
/** | ||
* Create a new {@link Builder} to build a policy definition. | ||
* | ||
* @return a new {@link Builder} to build a policy definition. | ||
*/ | ||
static Builder builder() { | ||
return new Builder(); | ||
} | ||
|
||
/** | ||
* Builder to build a policy resource in the elytron subsystem. | ||
*/ | ||
public static final class Builder extends AbstractConfigurableElement.Builder<Builder> { | ||
|
||
private boolean jaccPolicy; | ||
|
||
/** | ||
* With an empty JACC policy. | ||
* | ||
* @return this {@link Builder} to allow method chaining. | ||
*/ | ||
public Builder withJaccPolicy() { | ||
jaccPolicy = true; | ||
|
||
return this; | ||
} | ||
|
||
/** | ||
* Build a new Policy {@link ConfigurationElement} | ||
* | ||
* @return a new Policy {@link ConfigurationElement} | ||
*/ | ||
public Policy build() { | ||
return new Policy(this); | ||
} | ||
|
||
@Override | ||
protected Builder self() { | ||
return this; | ||
} | ||
|
||
} | ||
|
||
} |
Oops, something went wrong.