Introduction
The description is as follows:
Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS.
So it came in place of PicketBox.
What Can Be Done With Elytron
The description is as follows:
- SSL/TLS
- Secure credential storage
- Authentication
- Authorization
All commands are run with jboss-cli. We start it like this:
$WildFly_Home/bin/jboss-cli
SSL/TLS
I moved this to the post Wildfly Elytron Security System - SSL.
Authorization
- A permission set is created
- This permission set is assigned to a user. This is called permission mapping
WildFly ships with two ready-made permission sets. These are:
1. login-permission
2. default-permissions
The syntax for creating a new permission set is as follows:
/subsystem=elytron/permission-set=MyPermissionSetName:add(
    permissions=[{class-name="...", module="...", target-name="...", action="..."}...])
The description is as follows:
In the above command, permissions consists of a set of permissions, where each permission can have the following attributes:
- class-name - the fully qualified class name of the permission (this is the only permission attribute that is required)
- module - the optional module to use to load the permission
- target-name - the optional target name to pass to the permission as it is constructed
- action - the optional action to pass to the permission as it is constructed
After a permission-set has been created, it can be referenced when creating a permission mapper in order to assign permissions to an identity.
Example
We do it like this:
/subsystem=elytron/permission-set=run-as-principal-permission:add(
    permissions=[{class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission",
                  target-name="*"}])
The XML output is as follows. Here "urn:wildfly:elytron:3.0" changes according to the version in use.
<subsystem xmlns="urn:wildfly:elytron:3.0" ...>
  ...
  <permission-sets>
    <permission-set name="login-permission">
      <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </permission-set>
    <permission-set name="default-permissions">
      <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
      <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
      <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
    </permission-set>
    <permission-set name="run-as-principal-permission">
      <permission class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission" target-name="*"/>
    </permission-set>
  </permission-sets>
  ...
</subsystem>
Now the permission sets must be assigned to users. That is, permission mapping is needed. We do it like this. Here permission mappings are defined for the users named anonymous and server1, plus a catch-all mapping for everyone else:
/subsystem=elytron/simple-permission-mapper=my-simple-permission-mapper:add(
    permission-mappings=
    [
        {
            principals=["anonymous"]
        },
        {
            principals=["server1"],
            permission-sets=[
                {permission-set=login-permission},
                {permission-set=default-permissions},
                {permission-set=run-as-principal-permission}]
        },
        {
            match-all=true,
            permission-sets=
            [
                {permission-set=login-permission},
                {permission-set=default-permissions}
            ]
        }
    ]
)
The description is as follows:
The above command creates a simple permission mapper that:
- Assigns no permissions to an anonymous user
- Assigns the permissions referenced in the login-permission, default-permissions, and run-as-principal-permission permission sets to the server1 user
- Assigns the permissions referenced in the login-permission and default-permissions permission sets to all other users
The XML output is as follows:
<subsystem xmlns="urn:wildfly:elytron:3.0" ...>
  ...
  <mappers>
    ...
    <simple-permission-mapper name="my-simple-permission-mapper">
      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
      <permission-mapping>
        <principal name="server1"/>
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
        <permission-set name="run-as-principal-permission"/>
      </permission-mapping>
      <permission-mapping match-all="true">
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
      </permission-mapping>
    </simple-permission-mapper>
    ...
  </mappers>
  ...
</subsystem>
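Once the permission sets and the mapper are in standalone.xml, the question a reviewer wants answered is "which concrete permissions does each identity actually end up with?", since a mapping only references set names. The following script is an added example written for this post, not code from WildFly or the Elytron project: it parses the permission-sets and simple-permission-mapper XML shown above (embedded here as a constructed sample), resolves each mapping to concrete class-name/target-name pairs, computes the effective permissions of a principal, and flags a RunAsPrincipalPermission with target "*" handed to anonymous or to the match-all mapping. It assumes the mapper's default mapping-mode ("first"), so the first matching permission-mapping wins; the WEAK_XML variant is constructed only to show what a finding looks like.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permission-sets and simple-permission-mapper from this
# post, assembled into one Elytron subsystem fragment. A real audit would read
# the <subsystem xmlns="urn:wildfly:elytron:..."> element of standalone.xml.
SAMPLE_XML = """\
<subsystem xmlns="urn:wildfly:elytron:3.0">
  <permission-sets>
    <permission-set name="login-permission">
      <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </permission-set>
    <permission-set name="default-permissions">
      <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
      <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
      <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
    </permission-set>
    <permission-set name="run-as-principal-permission">
      <permission class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission" target-name="*"/>
    </permission-set>
  </permission-sets>
  <mappers>
    <simple-permission-mapper name="my-simple-permission-mapper">
      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
      <permission-mapping>
        <principal name="server1"/>
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
        <permission-set name="run-as-principal-permission"/>
      </permission-mapping>
      <permission-mapping match-all="true">
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
      </permission-mapping>
    </simple-permission-mapper>
  </mappers>
</subsystem>
"""

# Constructed weak variant: the catch-all mapping also grants run-as-principal-permission.
WEAK_XML = SAMPLE_XML.replace(
    '<permission-mapping match-all="true">',
    '<permission-mapping match-all="true">\n        <permission-set name="run-as-principal-permission"/>',
)

NS = {"e": "urn:wildfly:elytron:3.0"}
RUN_AS = "org.wildfly.security.auth.permission.RunAsPrincipalPermission"


def load_permission_sets(root):
    """Return {permission-set name: [(class-name, target-name), ...]}."""
    sets = {}
    for ps in root.findall("e:permission-sets/e:permission-set", NS):
        sets[ps.get("name")] = [(p.get("class-name"), p.get("target-name"))
                                for p in ps.findall("e:permission", NS)]
    return sets


def load_mappings(root):
    """Return the mapper's permission-mappings in document order, with each
    permission-set reference resolved to concrete (class, target) pairs."""
    sets = load_permission_sets(root)
    mappings = []
    for m in root.findall("e:mappers/e:simple-permission-mapper/e:permission-mapping", NS):
        perms = []
        for ref in m.findall("e:permission-set", NS):
            name = ref.get("name")
            if name not in sets:  # dangling reference; the server would reject this config
                raise KeyError(f"permission-mapping references unknown permission-set {name!r}")
            perms.extend(sets[name])
        mappings.append({"principals": [p.get("name") for p in m.findall("e:principal", NS)],
                         "match_all": m.get("match-all") == "true",
                         "permissions": perms})
    return mappings


def permissions_for(xml_text, principal):
    """Effective permissions of one principal. Assumes mapping-mode "first"
    (the mapper's default): the first matching mapping wins, which is why the
    empty 'anonymous' mapping must come before the match-all one."""
    for m in load_mappings(ET.fromstring(xml_text)):
        if m["match_all"] or principal in m["principals"]:
            return m["permissions"]
    return []


def audit(xml_text):
    """Flag RunAsPrincipalPermission with an unrestricted target granted to
    anonymous or to every identity (match-all)."""
    findings = []
    for m in load_mappings(ET.fromstring(xml_text)):
        broad = m["match_all"] or "anonymous" in m["principals"]
        for cls, target in m["permissions"]:
            if broad and cls == RUN_AS and target in (None, "*"):
                who = "match-all" if m["match_all"] else "anonymous"
                findings.append(f"{who} mapping grants {cls.rsplit('.', 1)[-1]} target={target!r}")
    return findings


if __name__ == "__main__":
    for who in ("anonymous", "server1", "alice"):
        print(who, [c.rsplit(".", 1)[-1] for c, _ in permissions_for(SAMPLE_XML, who)])
    print("page config findings:", audit(SAMPLE_XML))
    print("weak variant findings:", audit(WEAK_XML))
```

Running it shows anonymous with no permissions, server1 with five (including RunAsPrincipalPermission on "*"), and any other user such as "alice" with the four from login-permission and default-permissions; the page's configuration produces no findings, while the weak variant reports the catch-all mapping. Pointing ET.parse at a real standalone.xml and selecting the Elytron subsystem element is the only change needed to audit a live server's configuration.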