Add a use case driven guide for creating a credential store using elytron-tool for wildfly client configuration #2068
base: develop
Conversation
f7e80d7
to
28e0441
@PrarthonaPaul These blog posts are great! Very well explained and I think the community will appreciate this as credential stores and encryption are common questions. I just added minor comments but I approved it. Thank you!
``` | ||
Now we can create a keystore using a plaintext password: | ||
``` | ||
/subsystem=elytron/key-store=serverKS:add(path=server.keystore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=secret}) |
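Review bot: `credential-reference={clear-text=secret}` on the key-store add command writes the keystore password verbatim into the server configuration and into the CLI history file, so a reader who stops at this step ends up with a plaintext secret on disk; since this is the state the guide later replaces with a credential-store reference, say that explicitly in the sentence introducing the command, and switch `type=JKS` to `type=PKCS12` as already requested.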
@PrarthonaPaul Just a total minor, we should now use PKCS12 type instead of JKS in these blogs as PKCS12 is default in Java 11
fixed!
} | ||
} | ||
``` | ||
Notice how even though we specified the clear-text password when updating the credentials, it does not show up here. Instead, we can see the name of the credential-store and the alias listen under credential-reference. |
s/alias listen/alias listed
fixed!
``` | ||
/subsystem=elytron/credential-store=myCredStore:remove-alias(alias=myalias) | ||
``` | ||
However, when deleting a alias, you must be careful, as if the alias is in use, it may still be removed successfully, leaving the resource's credential-reference pointing to a non-existent alias. |
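Review bot: the caveat after `remove-alias` tells the reader that a dangling credential-reference can result but not how to avoid it; suggest adding the check before the removal, i.e. confirm that no resource still references `myalias` (for example by reading the key-store's `credential-reference` attribute), and confirm afterwards with `/subsystem=elytron/credential-store=myCredStore:read-aliases` that the alias is really gone.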
s/deleting a alias/deleting an alias
fixed!
If you navigate to WILDFLY_HOME/standalone/configuration, you will see a new file has been created there named mycredstore.cs. This file is used to store all the credentials in a credential-store. If you try to open it using Vim or another file viewer, you will see that the file is not human readable. As a result, the passwords are secured. It is possible to programmatically read the passwords, which is what WildFly does when dereferencing the credential reference to access a resource. | ||
|
||
== Add a Password to the Credential-Store | ||
Now in order to use the credential-store for our keystore, we need to add the keystore password to it: |
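Review bot: "the file is not human readable. As a result, the passwords are secured." overstates the guarantee; not being human readable only means the entries in mycredstore.cs are encrypted under the credential store's own password, so the store is exactly as protected as that password (wherever the server reads it from) and the file permissions on mycredstore.cs. Suggest saying the entries are encrypted with the store password rather than simply "secured", and adding a sentence about restricting read access to the file.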
@PrarthonaPaul Just a total minor, could be to mention that you can disable the management CLI history before running the commands that contain the clear text password, so "secret-value=secret" in this case and clear-text=secret below:
[standalone@localhost:9999 /] history --disable
After inputting the clear text password you can enable the saving of history again:
[standalone@localhost:9999 /] history --enable
I noticed this is mentioned in the other blog, so we can mention it to this one also
added a section for this.
``` | ||
|
||
== About WildFly Client Configuration | ||
EJBs, also known as Enterprise JavaBeans are a collection of specifications that are used for building java applications and offer a set og APIs for developing anf running secured applications. When invoking ejbs using the WildFly server, we need to configure the WildFly client to specify revevant information about authentication to secure the application. This can be done using a file named wildfly-config.xml located inside the sec/main/resources folder of the application. |
s/anf running/and running
s/ejbs/EJBs
s/revevant/relevant
s/sec/src
Fixed!
Note that creating an additional security domain (fsSD in this case) is not necessary. We could alternatively take the default ApplicationDomain and add the FileSystem realm, role-decoder and permission-mapper to it. | ||
|
||
=== Create an Authentication Factory | ||
We now need to create a sasl-authentication factory and connect out security domain to it and specify a mechanism for the authentication: |
s/sasl-authentication factory/sasl-authentication-factory
s/connect out/connect our
fixed!
6f0079c
to
29a6d0c
@PrarthonaPaul Can you please split this into three separate PRs and bring the dates up to date.
I think this would make sense to publish one per week and then it will become some regular content instead of it all going out at once.
29a6d0c
to
126d608
…tron-tool for wildfly client configuration
126d608
to
f668033
I have opened two other PRs for the other guides: #2121 and #2120 and updated the dates on all. |
``` | ||
|
||
== About WildFly Client Configuration | ||
EJBs, also known as Enterprise JavaBeans are a collection of specifications that are used for building java applications and offer a set og APIs for developing and running secured applications. When invoking EJBs using the WildFly server, we need to configure the WildFly client to specify relevant information about authentication to secure the application. This can be done using a file named wildfly-config.xml located inside the `src/main/resources` folder of the application. |
Just a minor, set og/set of
Just a minor, should this sentence be:
When invoking EJBs using the WildFly server, we need to configure the WildFly client to specify relevant information about authentication to the secured application.
? Since we are not securing the application with this client config file, but we are supplying the required client authentication that should be used to authenticate the client to the secured app
$ mvn clean install wildfly:deploy | ||
``` | ||
|
||
Unlike other applications, this will not be a web application, rather something we can run on the terminal. If you examine the server logs, you will notice that instead of a `.war` deployment, we will be producing a `.jar` deployment file. We can access the application by running the client using the command below: |
hm just a total minor suggestion that you can ignore, but since we are not mentioning other applications in this blog, and there are many kinds of applications other than web applications, and we can access .jar with other apps or code and not just with the terminal, I would just write:
This will not be a web application, so we won't use a browser to access it, but instead we will use the terminal.
As you can see, it mentions that the secured bean has been accessed by our identity, quickstartUser and it does not have admin permissions, since we only assigned the `guest` role to it. | ||
|
||
== Summary | ||
This guide demonstrates how a `credential-store` can be used to add identity specification when configuring a WildFly client. This guide also demonstrates how the `elytron-tool` can be used to generate the credential store and add aliases to it. |
@PrarthonaPaul Maybe this should be:
s/`credential-store` can be used to add identity specification when configuring a WildFly client./`credential-store` can be used to specify identity credentials when configuring a WildFly client.
@@ -0,0 +1,155 @@ | |||
--- | |||
layout: post | |||
title: 'Using Credential Stores on for WildFly Client' |
typo in title on for
@PrarthonaPaul Can you please push this to your develop branch and link a preview here? To make it easy for other reviewers also, thank you! |