5 Replies Latest reply on Sep 22, 2017 8:10 AM by Mylos Kathos

    How to disable legacy security and enable Elytron in WF 11 ?

    Mylos Kathos Master

      Hi all,

      I can see the lastest release of WildFly 11 has both Elytron and the legacy security subsystem. When starting, the legacy subsystem seems the default one:

       

      2017-09-21 15:37:46,229 INFO  [org.jboss.as.security] (ServerService Thread Pool -- 41) WFLYSEC0002: Activating Security Subsystem

      2017-09-21 15:37:46,240 INFO  [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=5.0.2.Final

       

      Are they supposed to be active at the same time ? How do I switch off the legacy security subsystem and turn on Elytron ?

      Thanks

      Mylos

        • 1. Re: How to disable legacy security and enable Elytron in WF 11 ?
          gir489 Newbie

          WildFly 11 CR1 is now available! · WildFly

          While WildFly 11 introduces a new security infrastructure, the existing security-domain and security-realm configurations and APIs are all present and internally mapped to Elytron. To further ease the impact of this change, WildFly 11’s default configurations still use the legacy security-domains and security-realms. A subsequent release will convert the default configurations over to the new configuration model.

           

          Does it even matter?

          • 2. Re: How to disable legacy security and enable Elytron in WF 11 ?
            Darran Lofthouse Master

            If you want to switch everything to use WildFly Elytron instead of the legacy configuration there is an enable-elytron.cli script within the 'docs/examples' folder.

             

            The reason we didn't do this by default with WildFly 11 was to give users an opportunity to migrate individual aspects of their model as they were ready.

            • 3. Re: How to disable legacy security and enable Elytron in WF 11 ?
              Mylos Kathos Master

              Thanks for your comments. Just a clarification: as I understand the existing security domain is mapped to elytron: does it mean that I can add Login modules either to the legacy security subsystem or to elytron and it will work much the same way ?

              Thanks

              • 4. Re: How to disable legacy security and enable Elytron in WF 11 ?
                Darran Lofthouse Master

                The WildFly Elytron subsystem is build around security realms rather than LoginModules so LoginModules are not directly supported, however if you have a security domain in the legacy security subsystem you can map it to an elytron-realm resource so it can be referenced from the elytron subsystem: -

                 

                [standalone@localhost:9990 /] ./subsystem=security/elytron-realm=*:read-resource-description

                {

                    "outcome" => "success",

                    "result" => [{

                        "address" => [

                            ("subsystem" => "security"),

                            ("elytron-realm" => "*")

                        ],

                        "outcome" => "success",

                        "result" => {

                            "description" => "The configuration of an Elytron-compatible realm that delegates authentication decisions to a legacy security domain.",

                            "capabilities" => [{

                                "name" => "org.wildfly.security.security-realm",

                                "dynamic" => true

                            }],

                            "access-constraints" => {

                                "sensitive" => {"elytron-security" => {"type" => "security"}},

                                "application" => {"elytron-security" => {"type" => "security"}}

                            },

                            "attributes" => {

                                "apply-role-mappers" => {

                                    "type" => BOOLEAN,

                                    "description" => "Indicates to the realm if it should apply the role mappers defined in the legacy domain to the roles obtained from authenticated Subjects or not.",

                                    "expressions-allowed" => true,

                                    "required" => false,

                                    "nillable" => true,

                                    "default" => true,

                                    "access-type" => "read-write",

                                    "storage" => "configuration",

                                    "restart-required" => "resource-services"

                                },

                                "legacy-jaas-config" => {

                                    "type" => STRING,

                                    "description" => "The name of the legacy security domain to which authentication will be delegated.",

                                    "expressions-allowed" => false,

                                    "required" => true,

                                    "nillable" => false,

                                    "min-length" => 1L,

                                    "max-length" => 2147483647L,

                                    "access-constraints" => {"sensitive" => {"security-domain-ref" => {"type" => "core"}}},

                                    "access-type" => "read-write",

                                    "storage" => "configuration",

                                    "restart-required" => "resource-services"

                                }

                            },

                            "operations" => undefined,

                            "notifications" => undefined,

                            "children" => {}

                        }

                    }]

                }

                • 5. Re: How to disable legacy security and enable Elytron in WF 11 ?
                  Mylos Kathos Master

                  Thanks for sharing this information!