Version 5

    WildFly Elytron [1] is a new WildFly sub-project which will completely replace the combination of PicketBox and JAAS as the WildFly client and server security mechanism.


    An "elytron" (ĕl´·ĭ·trŏn, plural "elytra") is the hard, protective casing over a wing of certain flying insects (e.g. beetles).


    High Level Summary


    • Establish and clearly define terminology around WildFly's security concepts.
    • Provide support for secure server-side authentication mechanisms (i.e. eliminating the historical "send the password everywhere" style of authentication and forwarding) supporting HTTP [2], SASL [3] (including SASL+GSSAPI [4]), and TLS [5] connection types, as well as supporting other authentication protocols in the future without change (such as RADIUS [6], GSS [7], EAP [8])
    • Provide a simple means to support multiple security associations per security context (one per authentication system, including local and remote application servers, remote databases, remote LDAP, etc.)
    • Provide support for password credential types using the standard JCE archetypal API structure (including but not limited to plain, UNIX DES/MD5/SHA crypt types, bcrypt, mechanism-specific pre-hashed passwords, etc.)
    • Provide SPIs to support all of the above, such that consumers such as Undertow, JBoss SASL, HornetQ etc. can use them directly with a minimum of integration overhead
    • Provide SPIs to support and maintain security contexts
    • Integrate seamlessly with PicketLink IDM and Keycloak projects
    • Provide SPIs to integrate with IDM systems (such as PicketLink) as well as simple/local user stores (such as KeyStores or plain files, and possibly also simple JDBC and/or LDAP backends as well)
    • Provide SPIs to support name rewriting and realm selection based on arbitrary, pluggable criteria
    • Provide a Remoting-based connection-bound authentication service to establish or forward authentication between systems
    • Provide SPIs to allow all Remoting-based protocols to reuse/share security contexts (EJB, JNDI, etc.)
    • Integrate seamlessly with Kerberos authentication schemes for all authentication mechanisms (including inbound and outbound identity propagation for all currently supporting protocols)
    • Provide improved integration with EE standards (JACC and JASPIC)


    The following are presently non- or anti-goals:


    • Any provision to support JAAS Subject as a security context (due to performance and correctness concerns)†
    • Any provision to support JAAS LoginContext (due to tight integration with Subject)
    • Any provision to maintain API compatibility with PicketBox (this is not presently an established requirement and thus would add undue implementation complexity, if it is indeed even possible)
    • Replicate Kerberos-style ticket-based credential forwarding (just use Kerberos in this case)




    Real-time discussions for Elytron have been moved to HipChat in the room 'wildfly-elytron'. If you do not have access to HipChat, guest access is available at


    The wildfly-dev mailing list will also be used for discussions.


    Source and Issues

    In general security projects that relate to the core of WildFly will be hosted on GitHub under the following organisation: -

    WildFly Security · GitHub



    The source for WildFly Elytron is hosted at

    Issues relating specifically to Elytron can be tracked here



    Due to the close relationship, the contents of the jboss-sasl project have now been merged under wildfly-elytron.



    The security-manager project has also been merged under wildfly-elytron.

    Elytron Subsystem

    A new project has been created to hold the code for the elytron subsystem for when it is integrated within WildFly. At the time of writing this is just an empty subsystem ready for configuration items and services to be added: -

    wildfly-security/elytron-subsystem · GitHub


    The following command is all that is required to build the subsystem: -

    mvn install


    To include the subsystem in a distribution, the following temporary project has been created: -


    The following command is sufficient to build this: -

    mvn install


    A couple of points to be aware of: -

    • Whilst in active development, dependencies are defined as SNAPSHOTs.
      • Where possible SNAPSHOTs are uploaded to Nexus at the time pull requests are merged.
    • Currently module definitions live in the distribution project; hopefully we will be able to move them over to the subsystem project at a later point.


    Project Documentation

    During development of the project, documentation will be made available on GitHub. At the moment updates will be a manual periodic process, so ping us if things are getting too out of date.


    Javadoc for Elytron itself can be found at

    As the subsystem progresses its management model will be visible here



    A frequent question we are asked is how you should pronounce Elytron; the following dictionary entries help to confuse this, so take your pick ;-)









    [6] and

    [7] and related