heruan/commands.cli

## commands.cli
Client Cert authentication with fallback to username / password authentication.

# Paths

./path=elytron.project:add(path=/home/darranl/src/wildfly10/wildfly-elytron)
./path=elytron.project.jks:add(path=src/test/resources/ca/jks, relative-to=elytron.project)
./path=elytron.project.properties:add(path=src/test/resources/org/wildfly/security/auth/realm, relative-to=elytron.project)

# KeyStores

./subsystem=elytron/key-store=localhost:add(type=jks, relative-to=elytron.project.jks, path=localhost.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=beetles:add(type=jks, relative-to=elytron.project.jks, path=beetles.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=ca:add(type=jks, relative-to=elytron.project.jks, path=ca.truststore, credential-reference={clear-text=Elytron})

# Key and Trust Managers

./subsystem=elytron/key-managers=localhost-manager:add(algorithm=SunX509, key-store=localhost, credential-reference={clear-text=Elytron})
./subsystem=elytron/trust-managers=ca-manager:add(algorithm=SunX509, key-store=ca)

# Realms

./subsystem=elytron/properties-realm=test-users:add(users-properties={relative-to=elytron.project.properties, path=clear.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=elytron.project.properties, path=groups.properties})
./subsystem=elytron/key-store-realm=key-store-realm:add(key-store=beetles)

# Mappers

./subsystem=elytron/constant-role-mapper=users:add(roles=[Users])
./subsystem=elytron/constant-realm-mapper=key-store-realm:add(realm-name=key-store-realm)
./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1)

# Domain

./subsystem=elytron/security-domain=client-cert-domain:add(realms=[{realm=test-users},{realm=key-store-realm}], default-realm=test-users, principal-decoder=x500-decoder,permission-mapper=default-permission-mapper, role-mapper=users)

# HTTP Authentication Factory

./subsystem=elytron/http-authentication-factory=client-cert:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=FORM}])

./subsystem=elytron/http-authentication-factory=client-cert-basic:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=BASIC}])

# SASL Authentication

./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=configured, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=EXTERNAL, realm-mapper=key-store-realm},{mechanism-name=DIGEST-MD5, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
./subsystem=elytron/configurable-sasl-server-factory=configured:write-attribute(name=filters,value=[{pattern-filter=JBOSS-LOCAL-USER}, {pattern-filter=DIGEST-MD5}, {pattern-filter=EXTERNAL}])

# SSLContext

./subsystem=elytron/server-ssl-context=localhost:add(key-managers=localhost-manager, trust-managers=ca-manager, security-domain=client-cert-domain, authentication-optional=true, want-client-auth=true, need-client-auth=false)

# Undertow Subsystem

batch
./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=localhost)
./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
run-batch
./subsystem=undertow/application-security-domain=other:add(http-authentication-factory=client-cert, override-deployment-config=true)

# Management

./core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=localhost)
./core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
./core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=client-cert-basic)
./core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=client-cert-digest)

## jboss-cli.xml
<?xml version='1.0' encoding='UTF-8'?>

<!--
   WildFly Command-line Interface configuration.
-->
<jboss-cli xmlns="urn:jboss:cli:3.1">

    <default-protocol use-legacy-override="true">remote+http</default-protocol>

    <!-- The default controller to connect to when 'connect' command is executed w/o arguments -->
    <default-controller>
        <protocol>remote+http</protocol>
        <host>localhost</host>
        <port>9990</port>
    </default-controller>

    <!-- Example controller alias named 'Test'
    <controllers>
        <controller name="Test">
            <protocol>remote+http</protocol>
            <host>localhost</host>
            <port>9990</port>
        </controller>
    </controllers>
    -->

    <validate-operation-requests>true</validate-operation-requests>

    <!-- Command and operation history log configuration -->
    <history>
        <enabled>true</enabled>
        <file-name>.jboss-cli-history</file-name>
        <file-dir>${user.home}</file-dir>
        <max-size>500</max-size>
    </history>

    <ssl>
        <key-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore</key-store>
        <key-store-password>Elytron</key-store-password>
        <trust-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ca.truststore</trust-store>
        <trust-store-password>Elytron</trust-store-password>
        <modify-trust-store>false</modify-trust-store>
    </ssl>

    <!-- whether to resolve system properties specified as command argument or operation parameter values
                  in the CLI VM before sending the operation requests to the controller -->
    <resolve-parameter-values>false</resolve-parameter-values>


    <!-- Whether to write info and error messages to the terminal output -->
    <silent>false</silent>

    <!-- Whether to filter out commands and attributes based on user's permissions -->
    <access-control>false</access-control>

    <!-- Include the prompt with the command into the output for each command executed in non-interactive mode -->
    <echo-command>false</echo-command>

    <!-- Uncomment to set the command timeout. Element value is in seconds -->
    <!-- <command-timeout>30</command-timeout> -->

</jboss-cli>

## wildfly-confix.xml
<?xml version="1.0" encoding="UTF-8"?>

<!--
      Set with -Dwildfly.config.url=file:///home/darranl/src/wildfly10/cli-scripts/wildfly-config.xml
-->

<configuration>
    <authentication-client xmlns="urn:elytron:1.0">
        <key-stores>
            <key-store name="ladybird" type="jks" >
                <file name="/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore"/>
                <key-store-clear-password password="Elytron" />
            </key-store>
        </key-stores>
        <authentication-rules>
            <rule use-configuration="default" />
        </authentication-rules>
        <authentication-configurations>
            <configuration name="default">
                <allow-sasl-mechanisms names="JBOSS-LOCAL-USER EXTERNAL DIGEST-MD5 PLAIN ANONYMOUS" />
                <set-mechanism-properties>
                    <property key="wildfly.sasl.local-user.quiet-auth" value="true" />
                 </set-mechanism-properties>
                 <use-service-loader-providers />
             </configuration>
        </authentication-configurations>
        <ssl-context-rules>
            <rule use-ssl-context="default" />
        </ssl-context-rules>
        <ssl-contexts>
            <ssl-context name="default">
                <key-store-ssl-certificate key-store-name="ladybird" alias="ladybird">
                    <key-store-clear-password password="Elytron" />
                </key-store-ssl-certificate>
            </ssl-context>
        </ssl-contexts>
    </authentication-client>
</configuration>
	Client Cert authentication with fallback to username / password authentication.

	# Paths

	./path=elytron.project:add(path=/home/darranl/src/wildfly10/wildfly-elytron)
	./path=elytron.project.jks:add(path=src/test/resources/ca/jks, relative-to=elytron.project)
	./path=elytron.project.properties:add(path=src/test/resources/org/wildfly/security/auth/realm, relative-to=elytron.project)

	# KeyStores

	./subsystem=elytron/key-store=localhost:add(type=jks, relative-to=elytron.project.jks, path=localhost.keystore, credential-reference={clear-text=Elytron})
	./subsystem=elytron/key-store=beetles:add(type=jks, relative-to=elytron.project.jks, path=beetles.keystore, credential-reference={clear-text=Elytron})
	./subsystem=elytron/key-store=ca:add(type=jks, relative-to=elytron.project.jks, path=ca.truststore, credential-reference={clear-text=Elytron})

	# Key and Trust Managers

	./subsystem=elytron/key-managers=localhost-manager:add(algorithm=SunX509, key-store=localhost, credential-reference={clear-text=Elytron})
	./subsystem=elytron/trust-managers=ca-manager:add(algorithm=SunX509, key-store=ca)

	# Realms

	./subsystem=elytron/properties-realm=test-users:add(users-properties={relative-to=elytron.project.properties, path=clear.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=elytron.project.properties, path=groups.properties})
	./subsystem=elytron/key-store-realm=key-store-realm:add(key-store=beetles)

	# Mappers

	./subsystem=elytron/constant-role-mapper=users:add(roles=[Users])
	./subsystem=elytron/constant-realm-mapper=key-store-realm:add(realm-name=key-store-realm)
	./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1)

	# Domain

	./subsystem=elytron/security-domain=client-cert-domain:add(realms=[{realm=test-users},{realm=key-store-realm}], default-realm=test-users, principal-decoder=x500-decoder,permission-mapper=default-permission-mapper, role-mapper=users)

	# HTTP Authentication Factory

	./subsystem=elytron/http-authentication-factory=client-cert:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=FORM}])

	./subsystem=elytron/http-authentication-factory=client-cert-basic:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=BASIC}])

	# SASL Authentication

	./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=configured, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=EXTERNAL, realm-mapper=key-store-realm},{mechanism-name=DIGEST-MD5, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
	./subsystem=elytron/configurable-sasl-server-factory=configured:write-attribute(name=filters,value=[{pattern-filter=JBOSS-LOCAL-USER}, {pattern-filter=DIGEST-MD5}, {pattern-filter=EXTERNAL}])

	# SSLContext

	./subsystem=elytron/server-ssl-context=localhost:add(key-managers=localhost-manager, trust-managers=ca-manager, security-domain=client-cert-domain, authentication-optional=true, want-client-auth=true, need-client-auth=false)

	# Undertow Subsystem

	batch
	./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=localhost)
	./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
	run-batch
	./subsystem=undertow/application-security-domain=other:add(http-authentication-factory=client-cert, override-deployment-config=true)

	# Management

	./core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=localhost)
	./core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
	./core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=client-cert-basic)
	./core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=client-cert-digest)
	<?xml version='1.0' encoding='UTF-8'?>

	<!--
	WildFly Command-line Interface configuration.
	-->
	<jboss-cli xmlns="urn:jboss:cli:3.1">

	<default-protocol use-legacy-override="true">remote+http</default-protocol>

	<!-- The default controller to connect to when 'connect' command is executed w/o arguments -->
	<default-controller>
	<protocol>remote+http</protocol>
	<host>localhost</host>
	<port>9990</port>
	</default-controller>

	<!-- Example controller alias named 'Test'
	<controllers>
	<controller name="Test">
	<protocol>remote+http</protocol>
	<host>localhost</host>
	<port>9990</port>
	</controller>
	</controllers>
	-->

	<validate-operation-requests>true</validate-operation-requests>

	<!-- Command and operation history log configuration -->
	<history>
	<enabled>true</enabled>
	<file-name>.jboss-cli-history</file-name>
	<file-dir>${user.home}</file-dir>
	<max-size>500</max-size>
	</history>

	<ssl>
	<key-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore</key-store>
	<key-store-password>Elytron</key-store-password>
	<trust-store>/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ca.truststore</trust-store>
	<trust-store-password>Elytron</trust-store-password>
	<modify-trust-store>false</modify-trust-store>
	</ssl>

	<!-- whether to resolve system properties specified as command argument or operation parameter values
	in the CLI VM before sending the operation requests to the controller -->
	<resolve-parameter-values>false</resolve-parameter-values>


	<!-- Whether to write info and error messages to the terminal output -->
	<silent>false</silent>

	<!-- Whether to filter out commands and attributes based on user's permissions -->
	<access-control>false</access-control>

	<!-- Include the prompt with the command into the output for each command executed in non-interactive mode -->
	<echo-command>false</echo-command>

	<!-- Uncomment to set the command timeout. Element value is in seconds -->
	<!-- <command-timeout>30</command-timeout> -->

	</jboss-cli>
	<?xml version="1.0" encoding="UTF-8"?>

	<!--
	Set with -Dwildfly.config.url=file:///home/darranl/src/wildfly10/cli-scripts/wildfly-config.xml
	-->

	<configuration>
	<authentication-client xmlns="urn:elytron:1.0">
	<key-stores>
	<key-store name="ladybird" type="jks" >
	<file name="/home/darranl/src/wildfly10/wildfly-elytron/src/test/resources/ca/jks/ladybird.keystore"/>
	<key-store-clear-password password="Elytron" />
	</key-store>
	</key-stores>
	<authentication-rules>
	<rule use-configuration="default" />
	</authentication-rules>
	<authentication-configurations>
	<configuration name="default">
	<allow-sasl-mechanisms names="JBOSS-LOCAL-USER EXTERNAL DIGEST-MD5 PLAIN ANONYMOUS" />
	<set-mechanism-properties>
	<property key="wildfly.sasl.local-user.quiet-auth" value="true" />
	</set-mechanism-properties>
	<use-service-loader-providers />
	</configuration>
	</authentication-configurations>
	<ssl-context-rules>
	<rule use-ssl-context="default" />
	</ssl-context-rules>
	<ssl-contexts>
	<ssl-context name="default">
	<key-store-ssl-certificate key-store-name="ladybird" alias="ladybird">
	<key-store-clear-password password="Elytron" />
	</key-store-ssl-certificate>
	</ssl-context>
	</ssl-contexts>
	</authentication-client>
	</configuration>