[WildFly 25.0.1] Migrating the standalone.xml from WildFly 24.0.1
665 views
Skip to first unread message
Made Eka
Jan 30, 2023, 9:15:38 AM1/30/23
to WildFly
Hi all,
I am about to migrate/convert my WildFly 24.0.1 "standalone.xml" to match the 25.0.1 configuration.
I got difficulties in converting the <security-domains> configs below. Please advise.
-------------------------------------------------------
-------------------------------------------------------
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="AAAFA" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.DomainAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="value"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_WS_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="[value]"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_SSO" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.SSOAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
</login-module>
<login-module code="[custom class]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="encrypted-aaafa-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_fa_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="encrypted-aaaas-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_as_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="AAAFA" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.DomainAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="value"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="[customClass]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_WS_LDAP" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.LDAPAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="[ldap url]"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="ldap.loginNameAttribute" value="[value]"/>
<module-option name="ldap.userIdAttribute" value="[value]"/>
<module-option name="ldap.searchBase" value="[value]"/>
<module-option name="ldap.searchUserDN" value="[value]"/>
<module-option name="ldap.searchUserPass" value="[value]"/>
<module-option name="ldap.isSSL" value="false"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="AAAFA_SSO" cache-type="default">
<authentication>
<login-module code="com.indus.core.common.utilities.auth.SSOAuthLoginModule" flag="requisite">
<module-option name="storePass" value="true"/>
</login-module>
<login-module code="[custom class]" flag="required"/>
<login-module code="com.indus.core.common.utilities.auth.DomainRoleRetrievalLoginModule" flag="optional">
<module-option name="domain" value="passport"/>
</login-module>
<login-module code="com.indus.core.common.utilities.auth.SubjectProtectionLoginModule" flag="required"/>
</authentication>
</security-domain>
<security-domain name="encrypted-aaafa-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_fa_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="encrypted-aaaas-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="[value]"/>
<module-option name="password" value="[value]"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aaaas_as_ds"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
-------------------------------------------------------
Any helps is really appreciated.
Regards,
Eka
Eka
Diana Krepinska
Feb 20, 2023, 11:23:02 AM2/20/23
to WildFly
Hello, for starters take a look at the migration guide https://docs.wildfly.org/27/WildFly_Elytron_Security.html#Migrate_Legacy_Security_to_Elytron_Security . There are examples of migrating some picketbox configs to elytron configurations. Picketbox based login modules will have to be replaced by elytron security realms or custom security realms. Custom login modules can be replaced by jaas-realm or preferably by elytron security realms as well.
Reply all
Reply to author
Forward
0 new messages