[WildFly 25.0.1] Migrating the standalone.xml from WildFly 24.0.1
Visto 357 veces
Saltar al primer mensaje no leído
Made Eka
30 ene 2023, 9:15:3830/1/23
a WildFly
Hi all,
I am about to migrate/convert my WildFly 24.0.1 "standalone.xml" to match the 25.0.1 configuration.
I got difficulties in converting the <security-domains> configs below. Please advise.
-------------------------------------------------------
-------------------------------------------------------
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="AAAFA" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.DomainAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="value"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_WS_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="[value]"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_SSO" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.SSOAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
</login-module>
<login-module code="[custom class]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="encrypted-aaafa-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_fa_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="encrypted-aaaas-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_as_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="AAAFA" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.DomainAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="value"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_WS_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="[value]"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_SSO" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.SSOAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
</login-module>
<login-module code="[custom class]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="encrypted-aaafa-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_fa_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="encrypted-aaaas-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_as_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
-------------------------------------------------------
Any helps is really appreciated.
Regards,
Eka
Eka
Diana Krepinska
20 feb 2023, 11:23:0220/2/23
a WildFly
Hello, for starters take a look at the migration guide https://docs.wildfly.org/27/WildFly_Elytron_Security.html#Migrate_Legacy_Security_to_Elytron_Security . There are examples of migrating some picketbox configs to elytron configurations. Picketbox based login modules will have to be replaced by elytron security realms or custom security realms. Custom login modules can be replaced by jaas-realm or preferably by elytron security realms as well.
Responder a todos
Responder al autor
Reenviar
0 mensajes nuevos