Created
May 17, 2017 15:00
WildFly Elytron - Full SSL with fallback (Client Cert authentication with fallback to username / password authentication.)
# JBoss CLI script: configures WildFly's Elytron subsystem for two-way TLS where
# a client certificate is requested but not required, falling back to
# FORM/BASIC (HTTP) or DIGEST-MD5 (SASL) username/password authentication.
# Commands are order-dependent: each resource references ones added above it.
# NOTE(review): the keystores, truststore, property files and the "Elytron"
# password below come from the wildfly-elytron test resources; they are
# fixtures for a demo, not material to reuse in a real deployment.
# Paths | |
# elytron.project is a developer-specific absolute path; adjust for your environment.
./path=elytron.project:add(path=/home/darranl/src/wildfly10/wildfly-elytron) | |
./path=elytron.project.jks:add(path=src/test/resources/ca/jks, relative-to=elytron.project) | |
./path=elytron.project.properties:add(path=src/test/resources/org/wildfly/security/auth/realm, relative-to=elytron.project) | |
# KeyStores | |
# credential-reference={clear-text=...} embeds the keystore password in the
# configuration (and in the CLI history); for anything beyond a demo, reference
# a credential-store via store=/alias= instead of clear-text.
# localhost: the server's own TLS key pair.
./subsystem=elytron/key-store=localhost:add(type=jks, relative-to=elytron.project.jks, path=localhost.keystore, credential-reference={clear-text=Elytron}) | |
# beetles: certificates of the clients that are allowed to authenticate with a
# certificate; used as an identity realm (key-store-realm) below, not for TLS trust.
./subsystem=elytron/key-store=beetles:add(type=jks, relative-to=elytron.project.jks, path=beetles.keystore, credential-reference={clear-text=Elytron}) | |
# ca: the CA truststore used to validate presented client certificates during the handshake.
./subsystem=elytron/key-store=ca:add(type=jks, relative-to=elytron.project.jks, path=ca.truststore, credential-reference={clear-text=Elytron}) | |
# Key and Trust Managers | |
./subsystem=elytron/key-managers=localhost-manager:add(algorithm=SunX509, key-store=localhost, credential-reference={clear-text=Elytron}) | |
./subsystem=elytron/trust-managers=ca-manager:add(algorithm=SunX509, key-store=ca) | |
# Realms | |
# test-users backs the username/password fallback. plain-text=true means
# clear.properties holds unhashed passwords; digest-realm-name must match the
# realm-name the DIGEST-MD5 mechanism advertises (ManagementRealm, see SASL below).
./subsystem=elytron/properties-realm=test-users:add(users-properties={relative-to=elytron.project.properties, path=clear.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=elytron.project.properties, path=groups.properties}) | |
# An identity exists for certificate login only if a matching entry is in the beetles keystore;
# passing the CA trust check alone is not enough.
./subsystem=elytron/key-store-realm=key-store-realm:add(key-store=beetles) | |
# Mappers | |
# Every identity in the domain receives the constant role set [Users];
# NOTE(review): with this role-mapper the groups from groups.properties do not
# surface as roles — confirm that is intended before relying on group-based authorization.
./subsystem=elytron/constant-role-mapper=users:add(roles=[Users]) | |
# Routes certificate-authenticated requests to key-store-realm instead of the default realm.
./subsystem=elytron/constant-realm-mapper=key-store-realm:add(realm-name=key-store-realm) | |
# Derives the principal name from the certificate subject's CN (first segment only).
./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1) | |
# Domain | |
# Both realms live in one domain: certificate identities resolve in key-store-realm
# (via the realm-mapper on the CLIENT_CERT/EXTERNAL mechanisms), everything else
# falls to default-realm=test-users.
./subsystem=elytron/security-domain=client-cert-domain:add(realms=[{realm=test-users},{realm=key-store-realm}], default-realm=test-users, principal-decoder=x500-decoder,permission-mapper=default-permission-mapper, role-mapper=users) | |
# HTTP Authentication Factory | |
# Mechanism order is the fallback order: CLIENT_CERT first, then FORM (applications)
# or BASIC (management). BASIC sends credentials in the clear inside TLS, so it
# is only acceptable because the management interface is bound to the ssl-context below.
./subsystem=elytron/http-authentication-factory=client-cert:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=FORM}]) | |
./subsystem=elytron/http-authentication-factory=client-cert-basic:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=BASIC}]) | |
# SASL Authentication | |
# EXTERNAL = authenticate with the TLS client certificate; DIGEST-MD5 is the
# password fallback (realm-name must equal the properties realm's digest-realm-name).
# NOTE(review): DIGEST-MD5 is a legacy mechanism with weak hashing; it is kept here
# for compatibility with existing clients, not as a recommendation.
./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=configured, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=EXTERNAL, realm-mapper=key-store-realm},{mechanism-name=DIGEST-MD5, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}]) | |
# Restrict the offered SASL mechanisms to exactly those the factory above handles (plus the local-user mechanism).
./subsystem=elytron/configurable-sasl-server-factory=configured:write-attribute(name=filters,value=[{pattern-filter=JBOSS-LOCAL-USER}, {pattern-filter=DIGEST-MD5}, {pattern-filter=EXTERNAL}]) | |
# SSLContext | |
# This is the "fallback" part of the setup:
#   want-client-auth=true  - the server asks for a client certificate;
#   need-client-auth=false - the handshake still completes if the client sends none;
#   authentication-optional=true - a presented certificate that is rejected does not
#     abort the connection, so the HTTP/SASL mechanisms above can fall back to
#     username/password. Set need-client-auth=true and drop authentication-optional
#     to make a valid certificate mandatory.
./subsystem=elytron/server-ssl-context=localhost:add(key-managers=localhost-manager, trust-managers=ca-manager, security-domain=client-cert-domain, authentication-optional=true, want-client-auth=true, need-client-auth=false) | |
# Undertow Subsystem | |
# ssl-context and the legacy security-realm are mutually exclusive on the listener,
# so the swap is done in one batch to avoid an intermediate invalid state.
batch | |
./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=localhost) | |
./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm) | |
run-batch | |
# override-deployment-config=true forces the CLIENT_CERT/FORM factory onto deployments
# in the "other" domain regardless of the login-config in their own descriptors.
./subsystem=undertow/application-security-domain=other:add(http-authentication-factory=client-cert, override-deployment-config=true) | |
# Management | |
# Moves the management interface to TLS with the same fallback policy
# (CLIENT_CERT then BASIC for HTTP; EXTERNAL then DIGEST-MD5 for the CLI over HTTP upgrade).
# NOTE(review): after these writes the management connection itself requires a client
# certificate or a valid test-users entry — apply them on a test instance first so a
# mistake cannot lock you out; management-https is assumed to exist in the socket-binding-group.
./core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=localhost) | |
./core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https) | |
./core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=client-cert-basic) | |
./core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=client-cert-digest) |
Do you know the difference between want-client-auth and need-client-auth?