WildFly Elytron will provide both SASL and HTTP authentication mechanisms for use within the application server. Where possible, stronger authentication mechanisms will be preferred over weaker ones. There are challenges in achieving this, but our ideal is that no re-usable password representation is ever transmitted over the network and no password is stored in a reversible format on the local file system.
The 1.0.0.Alpha3 release has primarily focused on adding capabilities that let administrators define policies for selecting SASL mechanisms, along with custom settings that apply when a mechanism is actually created:
- Ability to specify the protocol passed into the mechanism.
- Ability to specify the server name passed into the mechanism.
- Definition of properties passed into the mechanism, both when evaluating which mechanisms are available and when creating a mechanism.
- Filtering of mechanisms by name.
- Filtering of mechanisms by name and provider.
- Mechanism loading from a Provider.
- Service loader based mechanism loading from a provided ClassLoader.
- Mechanism filtering based on supported credentials.
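To make the first seven items concrete, here is an added example (not Elytron code) built only on the JDK's javax.security.sasl and java.security APIs. It loads SaslServerFactory instances both through the JDK's service discovery and directly from each installed Provider, passes a policy property map into getMechanismNames, and then filters the resulting names against an allow list. The policy values, the allow list and the output format are choices made for this illustration:

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServerFactory;

/** Stand-alone sketch of SASL mechanism loading and filtering with plain JDK APIs; not WildFly Elytron code. */
public class SaslMechanismPolicyDemo {

    /** Mechanism names a factory is willing to offer under the given policy properties. */
    static Set<String> mechanismsOf(SaslServerFactory factory, Map<String, ?> props) {
        String[] names = factory.getMechanismNames(props);
        if (names == null) {
            return Collections.emptySet();
        }
        return new LinkedHashSet<>(Arrays.asList(names));
    }

    /** Mechanism loading from a Provider: instantiate every SaslServerFactory service it registers. */
    static List<SaslServerFactory> factoriesFromProvider(Provider provider) {
        List<SaslServerFactory> result = new ArrayList<>();
        Set<Provider.Service> services = provider.getServices();
        if (services == null) {
            return result; // defensive: a provider exposing no services must not abort the scan (see ELY-247 below)
        }
        for (Provider.Service service : services) {
            if (!"SaslServerFactory".equals(service.getType())) {
                continue;
            }
            try {
                Object instance = service.newInstance(null);
                if (instance instanceof SaslServerFactory) {
                    result.add((SaslServerFactory) instance);
                }
            } catch (NoSuchAlgorithmException e) {
                // a service that cannot be instantiated is skipped rather than failing the whole lookup
            }
        }
        return result;
    }

    /**
     * Filtering by name: gather the mechanisms each factory offers under the policy properties,
     * then keep only those on the allow list (a null allow list means "whatever the policy permits").
     */
    static Set<String> selectMechanisms(Collection<SaslServerFactory> factories, Map<String, ?> props,
                                        Set<String> allowedNames) {
        Set<String> selected = new LinkedHashSet<>();
        for (SaslServerFactory factory : factories) {
            for (String name : mechanismsOf(factory, props)) {
                if (allowedNames == null || allowedNames.contains(name)) {
                    selected.add(name);
                }
            }
        }
        return selected;
    }

    public static void main(String[] args) {
        // Policy properties handed to the factories: no clear-text passwords, no anonymous access.
        Map<String, Object> policy = new HashMap<>();
        policy.put(Sasl.POLICY_NOPLAINTEXT, "true");
        policy.put(Sasl.POLICY_NOANONYMOUS, "true");

        // 1. Service-style discovery through the JDK entry point, which walks all installed providers.
        List<SaslServerFactory> discovered = new ArrayList<>();
        Enumeration<SaslServerFactory> e = Sasl.getSaslServerFactories();
        while (e.hasMoreElements()) {
            discovered.add(e.nextElement());
        }
        System.out.println("All providers, policy applied: " + selectMechanisms(discovered, policy, null));

        // 2. Filtering by name and provider: load from each provider separately and restrict the names.
        Set<String> allowed = new HashSet<>(Arrays.asList("DIGEST-MD5", "GSSAPI"));
        for (Provider provider : Security.getProviders()) {
            List<SaslServerFactory> factories = factoriesFromProvider(provider);
            if (!factories.isEmpty()) {
                System.out.println(provider.getName() + ": " + selectMechanisms(factories, policy, allowed));
            }
        }
    }
}
```

The exact names printed depend on which SASL providers are installed in the JVM, so the output is environment specific; the point is that the same property map drives both the availability query and the later mechanism creation, which is what the policy items above are about.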
Regarding the final item in that list: at their core, the APIs being developed within WildFly Elytron are intended to enable closer integration between the repositories that hold identity information and the authentication mechanisms. A SecurityRealm is essentially the API used to interact with a repository of identities; from it we also obtain a RealmIdentity representing an individual identity:
Both of these interfaces expose a getCredentialSupport method, which lets us query which credential types a realm, or an individual identity within it, can supply or verify in a given situation. The mechanism filtering added in this release builds on that query, tailoring the set of authentication mechanisms offered to those actually compatible with the underlying realms, rather than advertising a mechanism that the realm behind it cannot service and having the authentication fail only once the client has committed to it.
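The following added example models the realm-level half of that idea. It is not Elytron's API: the SecurityRealm interface, the CredentialType and CredentialSupport enums, the mechanism requirement table and both sample realms are simplified stand-ins written for this illustration. It shows how a server can decide, purely from what each realm reports it can obtain or verify, which SASL mechanisms it should offer:

```java
import java.util.Arrays;
import java.util.EnumMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Simplified model of credential-support based mechanism filtering; the types here are illustrative, not Elytron's own. */
public class CredentialSupportFilterDemo {

    /** Credential representations a realm might hold or check (illustrative set). */
    enum CredentialType { CLEAR_PASSWORD, DIGEST_MD5_PASSWORD, OTP_SEED, X509_CERTIFICATE }

    /** Ordered from least to most capable: a realm that can hand a credential out can also verify it. */
    enum CredentialSupport { UNSUPPORTED, VERIFIABLE_ONLY, OBTAINABLE }

    /** Hypothetical realm-level query, mirroring the getCredentialSupport idea described above. */
    interface SecurityRealm {
        String name();
        CredentialSupport getCredentialSupport(CredentialType type);
    }

    /** Realm whose capabilities are described by a table, e.g. a file of pre-hashed passwords or a directory bind. */
    static final class TableRealm implements SecurityRealm {
        private final String name;
        private final Map<CredentialType, CredentialSupport> support = new EnumMap<>(CredentialType.class);

        TableRealm(String name) { this.name = name; }

        TableRealm with(CredentialType type, CredentialSupport level) {
            support.put(type, level);
            return this;
        }

        @Override public String name() { return name; }

        @Override public CredentialSupport getCredentialSupport(CredentialType type) {
            CredentialSupport level = support.get(type);
            return level == null ? CredentialSupport.UNSUPPORTED : level;
        }
    }

    /** What a mechanism needs from the realm: which credential, and whether it must obtain it or may only verify it. */
    static final class MechanismRequirement {
        final String mechanism;
        final CredentialType type;
        final CredentialSupport minimum;

        MechanismRequirement(String mechanism, CredentialType type, CredentialSupport minimum) {
            this.mechanism = mechanism;
            this.type = type;
            this.minimum = minimum;
        }

        boolean satisfiedBy(SecurityRealm realm) {
            return realm.getCredentialSupport(type).compareTo(minimum) >= 0;
        }
    }

    /** Illustrative table: challenge-response mechanisms need the stored secret itself, PLAIN only needs verification. */
    static final List<MechanismRequirement> REQUIREMENTS = Arrays.asList(
        new MechanismRequirement("PLAIN", CredentialType.CLEAR_PASSWORD, CredentialSupport.VERIFIABLE_ONLY),
        new MechanismRequirement("DIGEST-MD5", CredentialType.DIGEST_MD5_PASSWORD, CredentialSupport.OBTAINABLE),
        new MechanismRequirement("OTP", CredentialType.OTP_SEED, CredentialSupport.OBTAINABLE),
        new MechanismRequirement("EXTERNAL", CredentialType.X509_CERTIFICATE, CredentialSupport.VERIFIABLE_ONLY));

    /** Mechanism filtering based on supported credentials: offer a requested mechanism only if some realm can service it. */
    static Set<String> availableMechanisms(List<SecurityRealm> realms, Set<String> requested) {
        Set<String> available = new LinkedHashSet<>();
        for (MechanismRequirement req : REQUIREMENTS) {
            if (!requested.contains(req.mechanism)) {
                continue;
            }
            for (SecurityRealm realm : realms) {
                if (req.satisfiedBy(realm)) {
                    available.add(req.mechanism);
                    break;
                }
            }
        }
        return available;
    }

    public static void main(String[] args) {
        // Constructed realm 1: stores DIGEST-MD5 pre-hashed passwords, so it can hand them out and can verify a clear password by hashing it.
        SecurityRealm hashedFileRealm = new TableRealm("hashed-properties")
            .with(CredentialType.DIGEST_MD5_PASSWORD, CredentialSupport.OBTAINABLE)
            .with(CredentialType.CLEAR_PASSWORD, CredentialSupport.VERIFIABLE_ONLY);
        // Constructed realm 2: delegates to a directory bind, so it can only check a clear password, never retrieve one.
        SecurityRealm bindRealm = new TableRealm("directory-bind")
            .with(CredentialType.CLEAR_PASSWORD, CredentialSupport.VERIFIABLE_ONLY);

        Set<String> requested = new LinkedHashSet<>(Arrays.asList("DIGEST-MD5", "PLAIN", "OTP", "EXTERNAL"));
        System.out.println("Requested: " + requested);
        System.out.println(hashedFileRealm.name() + " offers: " + availableMechanisms(Arrays.asList(hashedFileRealm), requested));
        System.out.println(bindRealm.name() + " offers: " + availableMechanisms(Arrays.asList(bindRealm), requested));
    }
}
```

The interesting case is the bind-style realm: it can verify a password the client sends but cannot produce one, so a challenge-response mechanism such as DIGEST-MD5 must not be offered against it even if the administrator's name-based policy would otherwise allow it. Filtering on credential support catches that before the mechanism list ever reaches the client.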
In addition to the work on SASL mechanism selection, the following Jira issues were also resolved in this release.
Release Notes - WildFly Elytron - Version 1.0.0.Alpha3
- [ELY-247] - NullPointerException in SecurityProviderSaslServerFactory (Not all providers return services)
- [ELY-227] - Add attribute mapping to Jdbc Security Realm
- [ELY-175] - SASL mechanism availability should take into account credential support.
- [ELY-189] - Support One-Time-Password SASL Mechanism
- [ELY-197] - Add mechanism selection policies to the security domains.
- [ELY-237] - Make it possible to configure the realm used on the client
- [ELY-238] - Recognise realm callback on digest server, and make authorize callback come last
- [ELY-239] - Make Anonymous auth set the anonymous principal name
- [ELY-242] - Delegating SaslServerFactory supporting properties
- [ELY-250] - Release WildFly Elytron 1.0.0.Alpha3
- [ELY-33] - Identity Loading
- [ELY-198] - Allow the association of Provider with a security domain and add support for mechanism loading.
- [ELY-219] - Process subject roles in JaasAuthorizationIdentity
- [ELY-223] - Add tests for the filesystem-backed realm
- [ELY-244] - The properties map in the sasl factories should be Map<String, ?> not Map<String, Object>
- [ELY-246] - Add github references to the pom
The next release will be 1.0.0.Alpha4. Its main feature will be the new APIs for HTTP authentication, together with an equivalent set of mechanism selection policies giving administrators control over HTTP authentication for their application server.