Help needed on migrating WildFly datasource to use Elytron security


Arulkumar Ponnusamy

Sep 15, 2021, 6:31:25 AM
to WildFly
Hi,
Our application currently uses the customized security domain for reading the database credentials store. Now, I want to migrate that customized security domain to Elytron security.
I know we can use the credentials store for storing the password and reference it in datasource security. But this allows the username to be plain text, which is not allowed as per our security policy.

So, is there any way we can write custom code which can be referenced for datasource authentication?

My datasource configuration:

                <datasource enabled="true" jndi-name="java:/poolname" jta="false" pool-name="test" statistics-enabled="true" use-java-context="false">
                    <connection-url>jdbc:postgresql://localhost:5432/test</connection-url>
                    <driver-class>org.postgresql.Driver</driver-class>
                    <driver>Postgres</driver>
                    <pool>
                        <min-pool-size>0</min-pool-size>
                        <initial-pool-size>0</initial-pool-size>
                        <max-pool-size>50</max-pool-size>
                        <flush-strategy>InvalidIdleConnections</flush-strategy>
                    </pool>
                    <security>
                        <security-domain>testdbcredentials</security-domain>
                    </security>
                    .............................
                </datasource>

        <subsystem xmlns="urn:jboss:domain:security:2.0">
            <security-domains>
                <security-domain cache-type="default" name="testdbcredentials">
                    <authentication>
                        <login-module code="com.abcd.security.DatabaseCredentialModule" flag="required" module="com.abcd.security.auth"/>
                    </authentication>
                </security-domain>
              ..............................

Any reference/guide would be greatly helpful.

Darran Lofthouse

Sep 15, 2021, 6:42:54 AM
to WildFly
Have a look at the following for encrypted expression support https://docs.wildfly.org/24/WildFly_Elytron_Security.html#EncryptedExpressions
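
As an added illustration (not part of the original thread or of anyone's reply), this is roughly what the datasource from the question looks like when both the username and the password are supplied as Elytron encrypted expressions. The store name `initial`, the file `initial.cs`, the resolver name `initial-resolver` and the key alias `key` are assumptions, and the encrypted values are placeholders to be generated on the target server.

```xml
<!-- Added example. Names "initial", "initial.cs", "initial-resolver" and "key"
     are assumptions; the ENC payloads below are placeholders, not real output. -->

<!-- 1. Inside the elytron subsystem: a credential store holding the secret key,
        and an expression resolver that uses that key. -->
<credential-stores>
    <secret-key-credential-store name="initial"
                                 relative-to="jboss.server.config.dir"
                                 path="initial.cs"/>
</credential-stores>
<expression-resolver>
    <resolver name="initial-resolver" credential-store="initial" secret-key="key"/>
</expression-resolver>

<!-- 2. Each encrypted value is produced with the management CLI operation
        /subsystem=elytron/expression=encryption:create-expression(
            resolver=initial-resolver, clear-text=VALUE)
        which returns a string of the form ${ENC::initial-resolver:...}. -->

<!-- 3. Inside the datasources subsystem: the legacy <security-domain> reference
        is replaced by encrypted expressions, so neither the username nor the
        password appears in clear text in the configuration file. -->
<datasource enabled="true" jndi-name="java:/poolname" jta="false"
            pool-name="test" statistics-enabled="true" use-java-context="false">
    <connection-url>jdbc:postgresql://localhost:5432/test</connection-url>
    <driver>Postgres</driver>
    <security>
        <user-name>${ENC::initial-resolver:ENCRYPTED_USERNAME_PLACEHOLDER}</user-name>
        <password>${ENC::initial-resolver:ENCRYPTED_PASSWORD_PLACEHOLDER}</password>
    </security>
</datasource>
```

The secret key in `initial.cs` is what protects both values, so that file needs restrictive filesystem permissions and should be kept out of any place the configuration file is copied to (version control, support bundles, backups shared with other teams).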

Arulkumar Ponnusamy

Sep 15, 2021, 11:37:45 PM
to WildFly
Hi Darran,
Thanks for the pointer. However, it will be a huge effort to move it to encryptedExpression for our existing customers to upgrade. The effort would be less if we were able to use a custom security realm/domain using our existing logic in a new Elytron module.

So, will it be possible to use Elytron security-realm/domains in a datasource?
Thanks
Arulkumar Ponnusamy

Darran Lofthouse

Sep 16, 2021, 9:41:26 AM
to WildFly
No, it will not; there is no relationship between the realms or domains and datasources in this way.

Some form of pluggable authenticators, I think, is something that could be interesting for things like datasources, not just for username / password authentication but also for other authentication types, but for now such a feature does not exist.