Sunday, 19 December 2021

Wildfly Elytron Security System

Introduction
The description reads as follows. In other words, it replaces PicketBox.
Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. 
What Can Be Done With Elytron
The description is as follows
- SSL/TLS
- Secure credential storage
- Authentication
- Authorization
All commands are run through jboss-cli. The script is jboss-cli.sh on Linux (jboss-cli.bat on Windows) and the commands below change the configuration of a running server, so it is started with --connect:
$WildFly_Home/bin/jboss-cli.sh --connect
SSL/TLS

Authorization
- A permission set is created
- The permission set is assigned to an identity (a user or principal). This is called permission mapping

WildFly's default configuration already ships with two permission sets. These are
1. login-permission
2. default-permissions

The syntax for creating a new permission set is as follows
/subsystem=elytron/permission-set=MyPermissionSetName:add(
  permissions=[{class-name="...", module="...", target-name="...", action="..."}...])
The description is as follows
In the above command, permissions consists of a set of permissions, where each permission can have the following attributes:
- class-name - the fully qualified class name of the permission (this is the only permission attribute that is required)
- module - the optional module to use to load the permission
- target-name - the optional target name to pass to the permission as it is constructed
- action - the optional action to pass to the permission as it is constructed

After a permission-set has been created, it can be referenced when creating a permission mapper in order to assign permissions to an identity.
Example
We do it like this
/subsystem=elytron/permission-set=run-as-principal-permission:add(
 permissions=[{class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission",
 target-name="*"}])
The resulting XML is as follows. Here the namespace "urn:wildfly:elytron:3.0" changes with the version in use.
<subsystem xmlns="urn:wildfly:elytron:3.0" ...>
  ...
  <permission-sets>
    <permission-set name="login-permission">
      <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </permission-set>
    <permission-set name="default-permissions">
      <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission"
                  module="org.wildfly.extension.batch.jberet" target-name="*"/>
      <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission"
                  module="org.wildfly.transaction.client"/>
      <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
    </permission-set>
    <permission-set name="run-as-principal-permission">
      <permission class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission" target-name="*"/>
    </permission-set>
  </permission-sets>
  ...
</subsystem>
Now the permissions must be assigned to users, i.e. a permission mapping is needed. We do it like this. Here permissions are assigned to the principals named anonymous and server1; the final match-all mapping covers every other identity
/subsystem=elytron/simple-permission-mapper=my-simple-permission-mapper:add(
  permission-mappings=
  [
    {
      principals=["anonymous"]
    },
    {
      principals=["server1"],
      permission-sets=[
        {permission-set=login-permission},
        {permission-set=default-permissions},
        {permission-set=run-as-principal-permission}]
    },
    {
      match-all=true,
      permission-sets=
      [
        {permission-set=login-permission},
        {permission-set=default-permissions}
      ]
    }
  ]
)
The description is as follows
The above command creates a simple permission mapper that:
- Assigns no permissions to an anonymous user
- Assigns the permissions referenced in the login-permission, default-permissions, and run-as-principal-permission permission sets to the server1 user
- Assigns the permissions referenced in the login-permission and default-permissions permission sets to all other users
The resulting XML is as follows
<subsystem xmlns="urn:wildfly:elytron:3.0" ...>
  ...
  <mappers>
    ...
    <simple-permission-mapper name="my-simple-permission-mapper">
      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
      <permission-mapping>
        <principal name="server1"/>
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
        <permission-set name="run-as-principal-permission"/>
      </permission-mapping>
      <permission-mapping match-all="true">
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
      </permission-mapping>
    </simple-permission-mapper>
    ...
  </mappers>
  ...
</subsystem>
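Two things are easy to get wrong with a simple-permission-mapper: the default mapping-mode is "first", so the first mapping that matches a principal wins and every later mapping is ignored (if the anonymous mapping were listed after the match-all one, anonymous would silently receive LoginPermission), and the mapper does nothing until a security domain references it through its permission-mapper attribute. The following Python script is an added example, not code from WildFly or from the original post: it parses the Elytron subsystem XML shown above (embedded here as a constructed sample), computes the permissions a given principal ends up with, and flags mappings that can never apply. The function names are the author's own choices; only principal and match-all matching and the "first" and "or" modes are modelled, and role-based matching is left out.

```python
"""Audit helper for a WildFly Elytron simple-permission-mapper (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the Elytron subsystem fragment produced by the commands above.
SAMPLE_XML = """<subsystem xmlns="urn:wildfly:elytron:3.0">
  <permission-sets>
    <permission-set name="login-permission">
      <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </permission-set>
    <permission-set name="default-permissions">
      <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
      <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
      <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
    </permission-set>
    <permission-set name="run-as-principal-permission">
      <permission class-name="org.wildfly.security.auth.permission.RunAsPrincipalPermission" target-name="*"/>
    </permission-set>
  </permission-sets>
  <mappers>
    <simple-permission-mapper name="my-simple-permission-mapper">
      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
      <permission-mapping>
        <principal name="server1"/>
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
        <permission-set name="run-as-principal-permission"/>
      </permission-mapping>
      <permission-mapping match-all="true">
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
      </permission-mapping>
    </simple-permission-mapper>
  </mappers>
</subsystem>
"""

_ANON_MAPPING = """      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
"""
# Constructed misconfiguration: same mapper, but the anonymous mapping is moved after match-all.
MISORDERED_XML = SAMPLE_XML.replace(_ANON_MAPPING, "").replace(
    "    </simple-permission-mapper>", _ANON_MAPPING + "    </simple-permission-mapper>")


def _local(tag):
    """Strip the urn:wildfly:elytron:* namespace so the schema version does not matter."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def load_permission_sets(root):
    """Map permission-set name -> list of permission class names defined under <permission-sets>."""
    sets = {}
    for container in root.iter():
        if _local(container.tag) == "permission-sets":
            for ps in _children(container, "permission-set"):
                sets[ps.get("name")] = [p.get("class-name") for p in _children(ps, "permission")]
    return sets


def load_mapper(root, mapper_name):
    """Return (mapping_mode, mappings) for the named simple-permission-mapper."""
    for m in root.iter():
        if _local(m.tag) == "simple-permission-mapper" and m.get("name") == mapper_name:
            mappings = [{
                "principals": {p.get("name") for p in _children(pm, "principal")},
                "permission_sets": [s.get("name") for s in _children(pm, "permission-set")],
                "match_all": pm.get("match-all", "false").lower() == "true",
            } for pm in _children(m, "permission-mapping")]
            # mapping-mode defaults to "first" when the attribute is absent
            return m.get("mapping-mode", "first"), mappings
    raise KeyError("no simple-permission-mapper named %r" % mapper_name)


def _matches(mapping, principal):
    # Role-based matching (<role name="..."/>) is deliberately not modelled here.
    return mapping["match_all"] or principal in mapping["principals"]


def effective_permissions(xml_text, mapper_name, principal):
    """Sorted permission class names the mapper grants to `principal`.

    "first": the first matching mapping wins, later ones are ignored.
    "or": union of every matching mapping. Other modes raise instead of guessing.
    """
    root = ET.fromstring(xml_text)
    sets = load_permission_sets(root)
    mode, mappings = load_mapper(root, mapper_name)
    matched = [m for m in mappings if _matches(m, principal)]
    if mode == "first":
        matched = matched[:1]
    elif mode != "or":
        raise ValueError("mapping-mode %r not modelled" % mode)
    granted = set()
    for m in matched:
        for set_name in m["permission_sets"]:
            if set_name not in sets:
                raise KeyError("mapping references undefined permission-set %r" % set_name)
            granted.update(sets[set_name])
    return sorted(granted)


def unreachable_mappings(xml_text, mapper_name):
    """Indices of mappings that can never apply in "first" mode because an earlier one is match-all."""
    mode, mappings = load_mapper(ET.fromstring(xml_text), mapper_name)
    if mode != "first":
        return []
    for i, m in enumerate(mappings):
        if m["match_all"]:
            return list(range(i + 1, len(mappings)))
    return []


if __name__ == "__main__":
    for who in ("anonymous", "server1", "alice"):
        print(who, effective_permissions(SAMPLE_XML, "my-simple-permission-mapper", who))
    print("unreachable in misordered config:",
          unreachable_mappings(MISORDERED_XML, "my-simple-permission-mapper"))
```

Run against the page's configuration the script reports nothing for anonymous, five permission classes for server1 and four (LoginPermission plus the three default-permissions) for any other principal; against the misordered variant it reports that the anonymous mapping at index 2 is unreachable and that anonymous now receives the same four permissions as everyone else. To make the mapper take effect, point a security domain at it with jboss-cli, for example /subsystem=elytron/security-domain=ApplicationDomain:write-attribute(name=permission-mapper,value=my-simple-permission-mapper), and reload.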