Since the feature development phase for WildFly 18 has now started, we wanted to highlight the security features that we are planning to work on for this release.

 

Planned Features

 

The features in this first set are ones that were actively developed during the WildFly 17 feature development phase. Many of these are now close to being merged:

 

  • WFCORE-4362 Make the certificate authority used by a certificate-authority-account configurable

Currently, WildFly only supports integration with the Let’s Encrypt certificate authority. Once the certificate authority is configurable, it will be possible to use this integration with other certificate authorities that implement the ACME protocol.

 

  • WFCORE-4227 Add the ability for the CLI SSL security commands to be able to obtain a server certificate from Let's Encrypt

The ssl enable-ssl-management and enable-ssl-http-server already make it possible to enable one-way and two-way SSL easily. These commands will soon be able to obtain certificates from Let’s Encrypt.

 

  • WFCORE-4361 Enhanced mapping of X509Certificate to the underlying identity

Currently, the mapping of an X.509 certificate chain to an identity is done by taking the subject distinguished name from the first certificate in the X.509 certificate chain as an X.500 principal. It will soon be possible to map an X.509 certificate chain to an identity by using a subject alternative name from the first certificate in the X.509 certificate chain.

 

  • WFCORE-3947 Support SSL Certificate revocation using OCSP

 

 

  • WFCORE-4447 Ability to load the attributes of an identity from multiple sources

Elytron already provides a very flexible approach to assigning roles and permissions to an identity based on arbitrary attributes loaded by a security realm. This enhancement will add support for loading the attributes from multiple security realms and aggregating the results together.

 

This feature request looks at adding support for RFC 5424 and RFC 3164 as well as some other enhancements related to reliability vs. speed.

 

The features in this second set are new ones that we are planning to work on:

 

  • ELY-1778 Enhance Audit Logging by Feature Parity with Legacy Security Auditing

This feature request looks at adding support for additional audit events as well as support for a new @Audit annotation.

 

  • WFCORE-4360 Support encrypted expression resolution using a CredentialStore

The previous Vault implementation was basically a repository of encrypted clear text strings that could be referenced using expressions in the management model. The new CredentialStore is a repository of credentials. This feature request will look into how the CredentialStore could be used to support encrypted values within the overall model.

 

  • WFCORE-629 Enable automatic encryption of passwords stored in configuration

 

  • ELY-816 Support for masked passwords in client XML config

 

  • WFLY-11697 Web Services Integration with WildFly Elytron

The WildFly Elytron integration added a new API and configuration file to configure the client side security for outgoing calls. This feature request is to increase the integration for web services clients.

 

  • WFCORE-4483 Add support for missing MP-JWT requirements

This one will look at adding adding some remaining items needed to support the MicroProfile JWT RBAC security specification.

 

This feature request looks at allowing users to configure how much output should appear when invoking certain operations on Elytron key-stores.

 

Feedback

 

Please keep in mind that this blog post is a summary of our general plans and not a guarantee that each of these features will be merged. However, this blog post does give an indication of our team’s current priorities. If any of these features are a priority for you, please let us know. Please also let us know if there are any security features that are missing that you would like to see prioritized as we can take this kind of feedback into account for future releases.