Wednesday, 12 June 2019

WildFly Elytron Aggregation of Attributes

One of the features developed during the development phase of Wildfly 17 was the addition of support for aggregating security realms to allow an identity's attributes to be aggregated from multiple realms.

https://issues.jboss.org/browse/WFCORE-4447

This feature was not quite ready as the code freeze for WildFly 17 arrived however the feature is now complete and is planned to be merged into WildFly 18 so will be available for use as soon as Wildfly 18 is released.

This enhancement has made use of the existing aggregate-security-realm resource, presently this resource supports two different attributes: -

  • authentication-realm - The realm to load credentials from and perform evidence verification against.
  • authorization-realm - The realm to use to load the identities attributes from for authorization decisions.

This enhancement is adding a new attribute authorization-realms to the resource which allows for multiple realms to be referenced.

A realm can then be defined with a CLI command: -

/subsystem=elytron/aggregate-realm=example:add(
    authentication-realm=ApplicationRealm, 
    authorization-realms=[RealmA, RealmB])

Attributes are aggregated on a 'first defined wins' basis, so as an example say an identity was assigned the following attributes from RealmA: -

  • groups = User, Supervisor
  • city = London
And from RealmB the following attributes were assigned: -
  • groups = Manager
  • telephone = 0000 0000 0000
After aggregation the identity would have the following attributes: -

  • groups = User, Supervisor
  • city = London
  • telephone = 0000 0000 0000



No comments:

Post a Comment