With WildFly 18 due to be released in a few weeks, I just wanted to highlight the new security features that will be included in this release.
Certificate Authority Configuration
Since WildFly 14, it's possible to obtain and manage certificates from Let’s Encrypt using the WildFly CLI. WildFly 18 now adds the ability to make use of any certificate authority that implements the Automatic Certificate Management Environment (ACME) protocol. More details can be found in this blog post.
Simplified SSL Configuration with Let’s Encrypt
It is now possible to use the enable-ssl-management and enable-ssl-http-server CLI commands to easily enable one-way and two-way SSL using certificates obtained automatically from Let’s Encrypt. Details on how to get started with these commands can be found here.
SSL Certificate Revocation Checking using OCSP
Certificate revocation checks can now be performed using the Online Certificate Status Protocol (OCSP) in addition to certificate revocation lists (CRL). Details on how to configure an Elytron trust manager to perform certificate revocation checks can be found here.
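As an added illustration (not part of the original post), the following jboss-cli commands show a trust manager configured to check revocation via OCSP, contrasted with the setting a defender would want to avoid. The key-store name, responder URL and CRL path are placeholders, and the attribute names are assumed to match the WildFly 18 Elytron trust-manager resource.

```jboss-cli
# Trust store holding the CA certificates that client or peer certificates must chain to.
# (placeholder names and paths)
/subsystem=elytron/key-store=exampleTrustStore:add(path=trust.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=changeit}, type=JKS)

# Weak: soft-fail=true means that if the OCSP responder cannot be reached, the
# revocation check is silently skipped and a revoked certificate would still be accepted.
/subsystem=elytron/trust-manager=weakTrustManager:add(key-store=exampleTrustStore, ocsp={responder=http://ocsp.example.test}, soft-fail=true)

# Hardened: soft-fail=false fails the TLS handshake when revocation status cannot be
# determined, and a CRL is kept as a fallback source (prefer-crls=false tries OCSP first).
/subsystem=elytron/trust-manager=strictTrustManager:add(key-store=exampleTrustStore, ocsp={responder=http://ocsp.example.test, prefer-crls=false}, certificate-revocation-list={path=intermediate.crl, relative-to=jboss.server.config.dir}, soft-fail=false)

# Check the effective configuration before wiring the trust manager into an SSL context.
/subsystem=elytron/trust-manager=strictTrustManager:read-resource(recursive=true)
```

Whichever responder is used, monitor the server log for handshake failures after enabling strict checking, since an unreachable responder will now surface as rejected connections rather than as silently unchecked certificates.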
Enhanced X509Certificate Identity Mapping
Prior to WildFly 18, the mapping of an X.509 certificate chain to an identity was done by taking the subject distinguished name from the first certificate in the X.509 certificate chain as an X.500 principal. It is now possible to map an X.509 certificate chain to an identity by using a subject alternative name from the first certificate in the X.509 certificate chain. For a complete overview of this feature, take a look at this blog post.
Identity Attribute Aggregation
Elytron already had a very flexible approach for assigning roles and permissions to an identity based on arbitrary attributes loaded by a security realm. This feature adds support for loading the attributes from multiple security realms and aggregating the results together. Check out this blog post for more details on this feature.
Aggregate Realm Principal Transformer Configuration
It is now possible to configure a principal transformer for an aggregate realm that will be used to transform the principal after the authentication identity is obtained but before the authorization identity is obtained. A complete example on how to configure and make use of this principal transformer can be found here.
Enhanced Audit Logging
Support for both the RFC 5424 and RFC 3164 syslog formats has now been added to Elytron’s audit logging capabilities, along with the ability to configure how many times Elytron should attempt to resend a message to a syslog server when an error is encountered during sending. More details on this feature can be found here.
Masked Password Support
It is now possible to specify masked passwords when using the Elytron Authentication Client. Check out this blog post for examples on how to make use of masked passwords.
Where to Find More Information
As always, be sure to check out our blog posts page, where we collect references to all our blog posts on Elytron features. If there is an Elytron topic you’d like to see a blog post on, feel free to leave a comment on that page to ask for it. Questions on Elytron are also welcome on WildFly’s user forums.
To learn more about the Elytron subsystem, take a look at the Elytron documentation.