Introduction
It is described as follows. In other words, it took the place of PicketBox.
Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS.
What Can Be Done With Elytron
It is described as follows
- SSL/TLS
- Secure credential storage
- Authentication
- Authorization
All commands are run through jboss-cli. It is started like this
$WildFly_Home/bin/jboss-cli
SSL/TLS
Moved to the post Wildfly Elytron Security System - SSL
Authorization
- A permission set is created
- This permission set is assigned to a user. This is called permission mapping
WildFly ships with two permission sets ready to use. These are
1. login-permission
2. default-permissions
The syntax for creating a new permission set is as follows
/subsystem=elytron/permission-set=MyPermissionSetName:add( permissions=[{class-name="...", module="...", target-name="...", action="..."}...])
It is described as follows
In the above command, permissions consists of a set of permissions, where each permission can have the following attributes:
- class-name - the fully qualified class name of the permission (this is the only permission attribute that is required)
- module - the optional module to use to load the permission
- target-name - the optional target name to pass to the permission as it is constructed
- action - the optional action to pass to the permission as it is constructed
After a permission-set has been created, it can be referenced when creating a permission mapper in order to assign permissions to an identity.
Example
We do it like this
/subsystem=elytron/permission-set=run-as-principal-permission:add( permissions=[{class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission", target-name="*"}])
The XML output is as follows. Here "urn:wildfly:elytron:3.0" varies according to the version in use.
<subsystem xmlns="urn:wildfly:elytron:3.0" ...>
  ...
  <permission-sets>
    <permission-set name="login-permission">
      <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </permission-set>
    <permission-set name="default-permissions">
      <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
      <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
      <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
    </permission-set>
    <permission-set name="run-as-principal-permission">
      <permission class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission" target-name="*"/>
    </permission-set>
  </permission-sets>
  ...
</subsystem>
Now the permissions have to be assigned to users, that is, a permission mapping is needed. We do it like this. Here permissions are assigned to the users named anonymous and server1
/subsystem=elytron/simple-permission-mapper=my-simple-permission-mapper:add( permission-mappings= [ { principals=["anonymous"] }, { principals= ["server1"], permission-sets=[ {permission-set=login-permission}, {permission-set=default-permissions}, {permission-set=run-as-principal-permission}] }, { match-all=true, permission-sets= [ {permission-set=login-permission}, {permission-set=default-permissions} ] } ] )
It is described as follows
The above command creates a simple permission mapper that:
- Assigns no permissions to an anonymous user
- Assigns the permissions referenced in the login-permission, default-permissions, and run-as-principal-permission permission sets to the server1 user
- Assigns the permissions referenced in the login-permission and default-permissions permission sets to all other users
The XML output is as follows.
<subsystem xmlns="urn:wildfly:elytron:3.0" ...>
  ...
  <mappers>
    ...
    <simple-permission-mapper name="my-simple-permission-mapper">
      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
      <permission-mapping>
        <principal name="server1"/>
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
        <permission-set name="run-as-principal-permission"/>
      </permission-mapping>
      <permission-mapping match-all="true">
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
      </permission-mapping>
    </simple-permission-mapper>
    ...
  </mappers>
  ...
</subsystem>
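The two steps above (defining permission sets, then handing them to identities through a simple-permission-mapper) can be checked offline against the XML the server writes, which is useful before the configuration goes live. The following Python script is an added example, not part of this post or of WildFly itself. It embeds a constructed copy of the permission-set and mapper fragments shown above, resolves which permissions each principal actually receives under the mapper's default mapping-mode="first" (the first permission-mapping that names the principal, or is match-all, wins), and flags identities that end up with RunAsPrincipalPermission for target-name "*", since such an identity can act as any other principal. The function names are my own, and matching is done on principal names only; role-based matching inside permission-mappings is not modelled.

```python
import xml.etree.ElementTree as ET

# Namespace of the Elytron subsystem; change the version suffix to match the
# schema version your WildFly writes (the post uses 3.0).
NS = {"e": "urn:wildfly:elytron:3.0"}

# Constructed sample: the permission-sets and simple-permission-mapper from
# the XML above, trimmed to the parts the audit needs.
SAMPLE_XML = """<subsystem xmlns="urn:wildfly:elytron:3.0">
  <permission-sets>
    <permission-set name="login-permission">
      <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </permission-set>
    <permission-set name="default-permissions">
      <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission"
                  module="org.wildfly.extension.batch.jberet" target-name="*"/>
      <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission"
                  module="org.wildfly.transaction.client"/>
      <permission class-name="org.jboss.ejb.client.RemoteEJBPermission"
                  module="org.jboss.ejb-client"/>
    </permission-set>
    <permission-set name="run-as-principal-permission">
      <permission class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission"
                  target-name="*"/>
    </permission-set>
  </permission-sets>
  <mappers>
    <simple-permission-mapper name="my-simple-permission-mapper">
      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
      <permission-mapping>
        <principal name="server1"/>
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
        <permission-set name="run-as-principal-permission"/>
      </permission-mapping>
      <permission-mapping match-all="true">
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
      </permission-mapping>
    </simple-permission-mapper>
  </mappers>
</subsystem>
"""

RUN_AS = "org.wildfly.security.auth.permission.RunAsPrincipalPermission"


def load_permission_sets(root):
    """Map each permission-set name to the list of its permission attribute dicts
    (class-name, module, target-name, action as present in the XML)."""
    sets = {}
    for ps in root.findall("./e:permission-sets/e:permission-set", NS):
        sets[ps.get("name")] = [dict(p.attrib) for p in ps.findall("e:permission", NS)]
    return sets


def resolve_permissions(xml_text, mapper_name, principal):
    """Return the permission dicts `principal` receives from `mapper_name`.

    Models Elytron's default mapping-mode="first": the first permission-mapping
    that lists the principal, or that is match-all, wins; later mappings are
    ignored. Only principal names are matched (no role matching, by assumption).
    """
    root = ET.fromstring(xml_text)
    sets = load_permission_sets(root)
    mapper = root.find(f".//e:simple-permission-mapper[@name='{mapper_name}']", NS)
    if mapper is None:
        raise ValueError(f"no simple-permission-mapper named {mapper_name!r}")
    for mapping in mapper.findall("e:permission-mapping", NS):
        names = {p.get("name") for p in mapping.findall("e:principal", NS)}
        if mapping.get("match-all") == "true" or principal in names:
            perms = []
            for ref in mapping.findall("e:permission-set", NS):
                if ref.get("name") not in sets:
                    # A dangling reference is itself an audit finding.
                    raise ValueError(f"mapping references undefined permission-set {ref.get('name')!r}")
                perms.extend(sets[ref.get("name")])
            return perms
    return []  # nothing matched: the identity gets no permissions at all


def unrestricted_run_as(perms):
    """True if the permissions include RunAsPrincipalPermission for target '*'."""
    return any(p.get("class-name") == RUN_AS and p.get("target-name") == "*" for p in perms)


def audit(xml_text, mapper_name, principals):
    """Per principal: sorted granted permission classes and the run-as flag."""
    report = {}
    for name in principals:
        perms = resolve_permissions(xml_text, mapper_name, name)
        report[name] = {
            "classes": sorted(p["class-name"] for p in perms),
            "unrestricted_run_as": unrestricted_run_as(perms),
        }
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_XML, "my-simple-permission-mapper", ["anonymous", "server1", "alice"])
    for principal, info in result.items():
        flag = "  <-- may run as any principal" if info["unrestricted_run_as"] else ""
        print(f"{principal}: {len(info['classes'])} permission(s){flag}")
        for cls in info["classes"]:
            print(f"    {cls}")
```

Run against a real standalone.xml by reading the file instead of SAMPLE_XML and listing the principals your realms define; "alice" stands in for any identity that is not named explicitly and therefore falls through to the match-all mapping. Note that the order of permission-mappings matters under mapping-mode="first": placing the match-all mapping before the anonymous one would silently hand login-permission to anonymous users.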