úterý 24. ledna 2017

Enable Elytron in WildFly

Steps to enable Elytron in WildFly nightly builds.

There is an ongoing effort to bring a new security subsystem Elytron to WildFly and JBoss EAP. For some time a custom server profile named standalone-elytron.xml existed beside other profiles in standalone/configuration directory. It was possible to use it for playing with Elytron.

The custom Elytron profile was removed now.  The Elytron subsystem is newly introduced to all standard server profiles. The thing is, the Elytron is not used by default and users have to enable it in the subsystems themselves.

Let's look into how you can enable it.

Get WildFly nightly build

# Download WildFly nightly build
wget --user=guest --password=guest https://ci.wildfly.org/httpAuth/repository/downloadAll/WF_Nightly/.lastSuccessful/artifacts.zip
# unzip build artifacts zip. It contains WildFly distribution ZIP
unzip artifacts.zip
# get the WildFly distribution ZIP name as property
WILDFLY_DIST_ZIP=$(ls wildfly-*-SNAPSHOT.zip)
# unzip WildFly
unzip -q $WILDFLY_DIST_ZIP

Configure Elytron (default profile)

Use JBoss CLI to configure Elytron in subsystems.

wildfly-*-SNAPSHOT/bin/jboss-cli.sh << EOT
embed-server
/subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication)
/subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
/subsystem=batch-jberet:write-attribute(name=security-domain, value=ApplicationDomain)
/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory, value=application-sasl-authentication)
/subsystem=remoting/http-connector=http-remoting-connector:undefine-attribute(name=security-realm)
/core-service=management/access=identity:add(security-domain=ManagementDomain)
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={enabled=true, sasl-authentication-factory=management-sasl-authentication})
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=management-http-authentication)
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
reload

/core-service=management/security-realm=ManagementRealm:remove
/core-service=management/security-realm=ApplicationRealm/authentication=local:remove
/core-service=management/security-realm=ApplicationRealm/authentication=properties:remove
/core-service=management/security-realm=ApplicationRealm/authorization=properties:remove

stop-embedded-server
EOT

Configure Elytron (full profile)

The full profile contains messaging, so we can enable Elytron in there too:

wildfly-*-SNAPSHOT/bin/jboss-cli.sh << EOT
embed-server --server-config=standalone-full.xml
/subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication)
/subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
/subsystem=batch-jberet:write-attribute(name=security-domain, value=ApplicationDomain)
/subsystem=messaging-activemq/server=default:undefine-attribute(name=security-domain)
/subsystem=messaging-activemq/server=default:write-attribute(name=elytron-domain, value=ApplicationDomain)
/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory, value=application-sasl-authentication)
/subsystem=remoting/http-connector=http-remoting-connector:undefine-attribute(name=security-realm)
/core-service=management/access=identity:add(security-domain=ManagementDomain)
/core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade,value={enabled=true, sasl-authentication-factory=management-sasl-authentication})
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory,value=management-http-authentication)
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
reload

/core-service=management/security-realm=ManagementRealm:remove
/core-service=management/security-realm=ApplicationRealm/authentication=local:remove
/core-service=management/security-realm=ApplicationRealm/authentication=properties:remove
/core-service=management/security-realm=ApplicationRealm/authorization=properties:remove

stop-embedded-server
EOT

New issue (WFLY-7949) was reported to add a possibility to enable the Elytron in a single step.

Happy elytroning!