-
1. Re: How to disable legacy security and enable Elytron in WF 11 ?
gir489 Sep 21, 2017 1:43 PM (in response to mylos78)
WildFly 11 CR1 is now available! · WildFly
While WildFly 11 introduces a new security infrastructure, the existing security-domain and security-realm configurations and APIs are all present and internally mapped to Elytron. To further ease the impact of this change, WildFly 11’s default configurations still use the legacy security-domains and security-realms. A subsequent release will convert the default configurations over to the new configuration model.
Does it even matter?
-
2. Re: How to disable legacy security and enable Elytron in WF 11 ?
dlofthouse Sep 21, 2017 1:50 PM (in response to mylos78)
If you want to switch everything to use WildFly Elytron instead of the legacy configuration there is an enable-elytron.cli script within the 'docs/examples' folder.
The reason we didn't do this by default with WildFly 11 was to give users an opportunity to migrate individual aspects of their model as they were ready.
-
3. Re: How to disable legacy security and enable Elytron in WF 11 ?
mylos78 Sep 22, 2017 3:34 AM (in response to dlofthouse)
Thanks for your comments. Just a clarification: as I understand, the existing security domain is mapped to Elytron: does it mean that I can add login modules either to the legacy security subsystem or to Elytron and it will work much the same way?
Thanks
-
4. Re: How to disable legacy security and enable Elytron in WF 11 ?
dlofthouse Sep 22, 2017 4:57 AM (in response to mylos78)
The WildFly Elytron subsystem is built around security realms rather than LoginModules, so LoginModules are not directly supported. However, if you have a security domain in the legacy security subsystem you can map it to an elytron-realm resource so it can be referenced from the elytron subsystem:
[standalone@localhost:9990 /] ./subsystem=security/elytron-realm=*:read-resource-description
{
    "outcome" => "success",
    "result" => [{
        "address" => [
            ("subsystem" => "security"),
            ("elytron-realm" => "*")
        ],
        "outcome" => "success",
        "result" => {
            "description" => "The configuration of an Elytron-compatible realm that delegates authentication decisions to a legacy security domain.",
            "capabilities" => [{
                "name" => "org.wildfly.security.security-realm",
                "dynamic" => true
            }],
            "access-constraints" => {
                "sensitive" => {"elytron-security" => {"type" => "security"}},
                "application" => {"elytron-security" => {"type" => "security"}}
            },
            "attributes" => {
                "apply-role-mappers" => {
                    "type" => BOOLEAN,
                    "description" => "Indicates to the realm if it should apply the role mappers defined in the legacy domain to the roles obtained from authenticated Subjects or not.",
                    "expressions-allowed" => true,
                    "required" => false,
                    "nillable" => true,
                    "default" => true,
                    "access-type" => "read-write",
                    "storage" => "configuration",
                    "restart-required" => "resource-services"
                },
                "legacy-jaas-config" => {
                    "type" => STRING,
                    "description" => "The name of the legacy security domain to which authentication will be delegated.",
                    "expressions-allowed" => false,
                    "required" => true,
                    "nillable" => false,
                    "min-length" => 1L,
                    "max-length" => 2147483647L,
                    "access-constraints" => {"sensitive" => {"security-domain-ref" => {"type" => "core"}}},
                    "access-type" => "read-write",
                    "storage" => "configuration",
                    "restart-required" => "resource-services"
                }
            },
            "operations" => undefined,
            "notifications" => undefined,
            "children" => {}
        }
    }]
}
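Added example, not part of the original thread or of the WildFly project's own scripts: a management CLI batch that exposes a legacy security domain through the elytron-realm resource described above and wires it into the elytron subsystem for a web application. The names `legacy-domain`, `LegacyRealm`, `LegacyDomain`, `legacy-http-auth` and `legacy-app` are hypothetical, and the script assumes the stock `default-permission-mapper` and `global` resources of the default elytron subsystem are present.

```jboss-cli
# Constructed example: run with  bin/jboss-cli.sh --connect --file=legacy-to-elytron.cli
# Assumes a legacy security domain named "legacy-domain" (hypothetical) already
# exists under /subsystem=security with its LoginModules configured.
batch

# 1. Expose the legacy domain as an Elytron-compatible realm.
#    legacy-jaas-config is required; apply-role-mappers defaults to true and is
#    set explicitly here so the role-mapping behaviour is visible in the config.
/subsystem=security/elytron-realm=LegacyRealm:add( \
    legacy-jaas-config=legacy-domain, \
    apply-role-mappers=true)

# 2. Reference that realm from an Elytron security domain.
#    default-permission-mapper is assumed to exist (default elytron subsystem).
/subsystem=elytron/security-domain=LegacyDomain:add( \
    realms=[{realm=LegacyRealm}], \
    default-realm=LegacyRealm, \
    permission-mapper=default-permission-mapper)

# 3. HTTP authentication backed by the Elytron domain. BASIC is used because the
#    delegating realm verifies credentials by handing them to the LoginModules.
#    "global" is assumed to be the stock http-server-mechanism-factory.
/subsystem=elytron/http-authentication-factory=legacy-http-auth:add( \
    security-domain=LegacyDomain, \
    http-server-mechanism-factory=global, \
    mechanism-configurations=[{mechanism-name=BASIC, \
        mechanism-realm-configurations=[{realm-name=legacy}]}])

# 4. Map the deployment's <security-domain> name (hypothetical "legacy-app")
#    to the Elytron authentication factory in Undertow.
/subsystem=undertow/application-security-domain=legacy-app:add( \
    http-authentication-factory=legacy-http-auth)

run-batch

# Both attributes report restart-required => resource-services, so reload
# before testing, then confirm what was stored.
reload
/subsystem=security/elytron-realm=LegacyRealm:read-resource
/subsystem=elytron/security-domain=LegacyDomain:read-resource
```

The LoginModules themselves stay in the legacy security subsystem; only the authentication entry point moves to Elytron, which lets each application be migrated separately.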
-
5. Re: How to disable legacy security and enable Elytron in WF 11 ?
mylos78 Sep 22, 2017 8:10 AM (in response to dlofthouse)
Thanks for sharing this information!