Questions regarding custom security realms


Laura Schanno

Jun 5, 2025, 11:41:57 AM
to WildFly

Hello!

I am part of a project where we are attempting to migrate from Wildfly 17.0.1.Final to Wildfly 26.1.3.Final as part of an effort to move from Java 11 to Java 17. Part of our security configuration involves the use of custom login modules that are based on older picketbox modules. As a result, we need to create custom security realm equivalents.

I have a number of questions regarding implementation details. The past few months have effectively been a crash course in Wildfly, but I haven't been able to find that much documentation covering examples of custom security realms.

When it comes to configuring the security realm itself with whatever options I need to support, do I simply need to have the realm implement the following method?

public void initialize(Map<String,String> configuration)

Additionally, our users identify themselves through personal SSL certificates, and I need the security realm to be supplied with the user's certificate, not just their Principal. What is the recommended way to inject the user's keystore into the realm so that we can access it when performing the authentication via getRealmIdentity(Principal)?

Additionally, I am setting up a server-ssl-context like so:

/subsystem=elytron/key-store=serverKeyStore:add(path=${KEYSTORE},credential-reference={clear-text="${KEYSTORE_PASSWORD}"},type=${KEYSTORE_TYPE})
/subsystem=elytron/key-manager=serverKeyManager:add(key-store=serverKeyStore,credential-reference={clear-text="${KEYSTORE_PASSWORD}"})
/subsystem=elytron/key-store=serverTrustStore:add(path=${TRUSTSTORE},credential-reference={clear-text="${TRUSTSTORE_PASSWORD}"},type=${TRUSTSTORE_TYPE})
/subsystem=elytron/trust-manager=serverTrustManager:add(key-store=serverTrustStore)
/subsystem=elytron/server-ssl-context=serverSSLContext:add(key-manager=serverKeyManager,trust-manager=serverTrustManager,protocols=["TLSv1.1","TLSv1.2"],need-client-auth=true,security-domain=myDomain)

I need to inject the server's keystore and truststore into the security realm to do some additional validation of the user's certificate. Previously we were able to access this through a JSSESecurityDomain that was injected into our module and configured via the following:

#/subsystem=security/security-domain=myDomain/jsse=classic:add(keystore={type="${KEYSTORE_TYPE}",password="${KEYSTORE_PASSWORD}",url="file://${KEYSTORE}"},truststore={type="${TRUSTSTORE_TYPE}",password="${TRUSTSTORE_PASSWORD}",url="file://${TRUSTSTORE}"})

What is the recommended way to inject and access the server's keystore/truststore in Elytron?

Thanks!
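An added example (not code from this thread or from WildFly) of what the realm side of this looks like in Elytron: with need-client-auth=true and security-domain=myDomain on the server-ssl-context, the client's certificate chain reaches the realm as an X509PeerCertificateChainEvidence handed to RealmIdentity.verifyEvidence, not through the Principal passed to getRealmIdentity(Principal). The class name, the configuration keys, and the choice to load the trust store from the custom-realm configuration map (rather than from an Elytron key-store resource) are assumptions.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.*;
import java.security.spec.AlgorithmParameterSpec;
import java.util.*;
import org.wildfly.extension.elytron.Configurable;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.*;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.*;

/** Custom realm whose identities are proven by the client certificate chain the TLS handshake presented. */
public class CertChainRealm implements SecurityRealm, Configurable {
    private KeyStore trustStore;

    /** Invoked with the custom-realm configuration map; the three keys are our own convention (assumption). */
    @Override public void initialize(Map<String, String> conf) {
        try (FileInputStream in = new FileInputStream(conf.get("truststore-path"))) {
            trustStore = KeyStore.getInstance(conf.getOrDefault("truststore-type", "PKCS12"));
            trustStore.load(in, conf.get("truststore-password").toCharArray());
        } catch (Exception e) { throw new IllegalStateException("cannot load realm trust store", e); }
    }

    // The realm only verifies evidence; it never hands out credentials.
    @Override public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> t, String alg, AlgorithmParameterSpec s) { return SupportLevel.UNSUPPORTED; }

    @Override public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> t, String alg) {
        return X509PeerCertificateChainEvidence.class.isAssignableFrom(t) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
    }

    @Override public RealmIdentity getRealmIdentity(Principal principal) {
        return new RealmIdentity() {
            public Principal getRealmIdentityPrincipal() { return principal; }
            public boolean exists() { return true; }  // assumption: any holder of a trusted certificate is a user
            public <C extends Credential> C getCredential(Class<C> t) { return null; }
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> t, String a, AlgorithmParameterSpec s) { return SupportLevel.UNSUPPORTED; }
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> t, String a) { return CertChainRealm.this.getEvidenceVerifySupport(t, a); }
            /** The certificate reaches the realm as evidence, not through the Principal: validate its chain against the trust store. */
            public boolean verifyEvidence(Evidence evidence) {
                if (!(evidence instanceof X509PeerCertificateChainEvidence)) return false;
                X509Certificate[] chain = ((X509PeerCertificateChainEvidence) evidence).getPeerCertificateChain();
                try {
                    PKIXParameters params = new PKIXParameters(trustStore);  // trust anchors = trusted entries in the store
                    params.setRevocationEnabled(false);  // assumption: revocation is checked elsewhere
                    CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain)), params);
                    return true;
                } catch (GeneralSecurityException e) {
                    return false;  // untrusted issuer, expired certificate, or broken chain
                }
            }
        };
    }
}
```

The trust-manager on the server-ssl-context already rejects chains that do not validate during the handshake, so the check inside verifyEvidence is the place for any additional, application-specific rules on the presented certificate.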


Diana Krepinska

Jul 30, 2025, 3:53:47 AM
to WildFly

Laura Schanno

Aug 1, 2025, 4:04:52 PM
to WildFly

Hi Diana,

Thank you for the examples, I'll take a look at them and see if they suit my needs.