Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
WildFly Elytron - Full SSL with fallback (Client Cert authentication with fallback to username / password authentication.)
# Paths
./path=elytron.project:add(path=/home/darranl/src/wildfly10/wildfly-elytron)
./path=elytron.project.jks:add(path=src/test/resources/ca/jks, relative-to=elytron.project)
./path=elytron.project.properties:add(path=src/test/resources/org/wildfly/security/auth/realm, relative-to=elytron.project)
# KeyStores
./subsystem=elytron/key-store=localhost:add(type=jks, relative-to=elytron.project.jks, path=localhost.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=beetles:add(type=jks, relative-to=elytron.project.jks, path=beetles.keystore, credential-reference={clear-text=Elytron})
./subsystem=elytron/key-store=ca:add(type=jks, relative-to=elytron.project.jks, path=ca.truststore, credential-reference={clear-text=Elytron})
# Key and Trust Managers
./subsystem=elytron/key-managers=localhost-manager:add(algorithm=SunX509, key-store=localhost, credential-reference={clear-text=Elytron})
./subsystem=elytron/trust-managers=ca-manager:add(algorithm=SunX509, key-store=ca)
# Realms
./subsystem=elytron/properties-realm=test-users:add(users-properties={relative-to=elytron.project.properties, path=clear.properties, plain-text=true, digest-realm-name=ManagementRealm}, groups-properties={relative-to=elytron.project.properties, path=groups.properties})
./subsystem=elytron/key-store-realm=key-store-realm:add(key-store=beetles)
# Mappers
./subsystem=elytron/constant-role-mapper=users:add(roles=[Users])
./subsystem=elytron/constant-realm-mapper=key-store-realm:add(realm-name=key-store-realm)
./subsystem=elytron/x500-attribute-principal-decoder=x500-decoder:add(attribute-name=CN, maximum-segments=1)
# Domain
./subsystem=elytron/security-domain=client-cert-domain:add(realms=[{realm=test-users},{realm=key-store-realm}], default-realm=test-users, principal-decoder=x500-decoder,permission-mapper=default-permission-mapper, role-mapper=users)
# HTTP Authentication Factory
./subsystem=elytron/http-authentication-factory=client-cert:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=FORM}])
./subsystem=elytron/http-authentication-factory=client-cert-basic:add(http-server-mechanism-factory=global, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT, realm-mapper=key-store-realm},{mechanism-name=BASIC}])
# SASL Authentication
./subsystem=elytron/sasl-authentication-factory=client-cert-digest:add(sasl-server-factory=configured, security-domain=client-cert-domain, mechanism-configurations=[{mechanism-name=EXTERNAL, realm-mapper=key-store-realm},{mechanism-name=DIGEST-MD5, mechanism-realm-configurations=[{realm-name=ManagementRealm}]}])
./subsystem=elytron/configurable-sasl-server-factory=configured:write-attribute(name=filters,value=[{pattern-filter=JBOSS-LOCAL-USER}, {pattern-filter=DIGEST-MD5}, {pattern-filter=EXTERNAL}])
# SSLContext
./subsystem=elytron/server-ssl-context=localhost:add(key-managers=localhost-manager, trust-managers=ca-manager, security-domain=client-cert-domain, authentication-optional=true, want-client-auth=true, need-client-auth=false)
# Undertow Subsystem
batch
./subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=localhost)
./subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
run-batch
./subsystem=undertow/application-security-domain=other:add(http-authentication-factory=client-cert, override-deployment-config=true)
# Management
./core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=localhost)
./core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https)
./core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=client-cert-basic)
./core-service=management/management-interface=http-interface:write-attribute(name=http-upgrade.sasl-authentication-factory, value=client-cert-digest)
@Harish-Murali

This comment has been minimized.

Copy link

@Harish-Murali Harish-Murali commented May 25, 2018

You know the difference between want-client-auth vs need-client-auth?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.