-
1. Re: Programmatic SASL authentication
dlofthouse Aug 28, 2018 6:10 AM (in response to sco0ter)
Which application server version are you running on? Also how are you deploying the chat server?
From WildFly 11, WildFly Elytron is available and has APIs available to create a SaslAuthenticationFactory - this may be a suitable starting point to get a SaslServer integrated with the application server's security.
-
2. Re: Programmatic SASL authentication
sco0ter Aug 29, 2018 5:46 AM (in response to dlofthouse)
I am currently testing on WildFly 11. It is deployed as WAR or EAR.
The idea is to have a "core" authentication class, which uses standard Java API, like Sasl.createSaslServer or javax.security.auth.message.module.ServerAuthModule and from there it loads available or configured specific authentication logic, e.g. one for WildFly's application-users.properties, which can be pluggable. These specific "modules" then use e.g. Elytron.
My problem is rather that I don't see the "big picture", e.g. how to combine SASL with JASPIC. How to put the different technologies in place. I hope using Elytron API is straightforward eventually.
-
3. Re: Programmatic SASL authentication
dlofthouse Aug 30, 2018 5:48 AM (in response to sco0ter)
I don't currently have a complete example for you but maybe it would be good if we put together an example at some point showing how it is possible to integrate with WildFly Elytron using SASL authentication.
The first step is you will require a reference to a WildFly Elytron SecurityDomain configured with an appropriate SecurityRealm, really there are two options for this: -
- Use the WildFly Elytron APIs to programmatically assemble your own configuration.
- Obtain a reference to the SecurityDomain associated with the deployment.
All of our Javadoc for WildFly Elytron is published here WildFly Elytron Javadoc - for your example you should make use of the Public API Javadoc for 1.2.x
To ensure your deployment is associated with a SecurityDomain you will need to ensure you have an application-security-domain resource defined in the Undertow subsystem mapping from the name of the security domain specified by the deployment to a pre-configured http-authentication-factory. The http-authentication-factory in turn references a SecurityDomain and this is associated with the deployment.
Within the deployment you can then use the following API to obtain a reference to the SecurityDomain: -
SecurityDomain (WildFly Elytron 1.2.4.Final API)
The following class has been implemented to meet the needs of our testsuite, however it does illustrate the steps to take from having a reference to a SecurityDomain to having an instance of a SaslServer which is integrated with that SecurityDomain: -
wildfly-elytron/SaslServerBuilder.java at 1.2.x · wildfly-security/wildfly-elytron · GitHub
Generally these are the steps you would need to follow.
FYI from WildFly 14 it is possible to just reference the SecurityDomain directly from the application-security-domain resource where a custom http-authentication-factory definition is not needed.
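
The steps from reply 3, as an added Java example that is not part of the thread and is not the project's SaslServerBuilder: it takes the SecurityDomain associated with the deployment, wraps it in a SaslAuthenticationFactory, and runs a single-step PLAIN exchange against it. The class name `DeploymentSaslAuthenticator` and its methods are hypothetical; the use of `SecurityDomain.getCurrent()`, `MechanismConfiguration.EMPTY` and `SaslFactories.getElytronSaslServerFactory()` is this example's choice, and it assumes the deployment can see the WildFly Elytron classes and is mapped to a security domain as described above.

```java
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.wildfly.security.auth.server.MechanismConfiguration;
import org.wildfly.security.auth.server.MechanismConfigurationSelector;
import org.wildfly.security.auth.server.SaslAuthenticationFactory;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.sasl.util.SaslFactories;

// Hypothetical helper for a WAR/EAR deployment; not code from the thread or from WildFly Elytron.
public final class DeploymentSaslAuthenticator {
    private final SaslAuthenticationFactory factory;

    // Construct this from deployment code (e.g. at startup), so the lookup
    // resolves the SecurityDomain registered for this deployment.
    public DeploymentSaslAuthenticator() {
        SecurityDomain domain = SecurityDomain.getCurrent();
        if (domain == null) {
            // No application-security-domain mapping applies: fail closed.
            throw new IllegalStateException("No Elytron SecurityDomain is associated with this deployment");
        }
        factory = SaslAuthenticationFactory.builder()
                .setSecurityDomain(domain)
                .setMechanismConfigurationSelector(
                        MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))
                .setFactory(SaslFactories.getElytronSaslServerFactory())
                .build();
    }

    // One SaslServer per authentication attempt; never reuse it across connections.
    public SaslServer newSaslServer(String mechanism) throws SaslException {
        SaslServer server = factory.createMechanism(mechanism);
        if (server == null) {
            throw new SaslException("SASL mechanism not available: " + mechanism);
        }
        return server;
    }

    // PLAIN completes in one step: the client's initial response is
    // [authzid] NUL authcid NUL password. Accept it only over a TLS-protected channel.
    public String authenticatePlain(byte[] initialResponse) throws SaslException {
        SaslServer server = newSaslServer("PLAIN");
        try {
            server.evaluateResponse(initialResponse); // throws SaslException on bad credentials
            if (!server.isComplete()) {
                throw new SaslException("PLAIN exchange did not complete");
            }
            return server.getAuthorizationID();
        } finally {
            server.dispose();
        }
    }
}
```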