New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blog post for filesystem integrity #1716
Conversation
link: | ||
--- | ||
|
||
Previously, any data in the filesystem realm was not verified, this meant that anyone with access to the identity files, could tamper with the data without any way of knowing. Now filesystem integrity has been added by generating a signature through the use of a public-private key pair. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Now filesystem integrity.../Now support for filesystem integrity checking has been added by adding signatures to identity files. This is done using a public-private key pair. (or something along those lines)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
|
||
== A Complete Example | ||
|
||
In this post we go through an example of setting up a filesystem realm with integrity enabled on a web application. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/...with integrity enabled.../with integrity enabled and then we'll try accessing a web application that's secured using this realm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
filesystem realm and role decoder as follows: | ||
[source] | ||
---- | ||
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this role decoder can be removed since the default role decoder will use the Roles attribute.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
|
||
NOTE: Creating an additional security domain (``fsDomain``in this case) is not necessary. | ||
We could alternatively take the default ``ApplicationDomain`` and add the | ||
FileSystem realm and role-decoder to it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, I think the role-decoder reference can be dropped.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
We could alternatively take the default ``ApplicationDomain`` and add the | ||
FileSystem realm and role-decoder to it. | ||
|
||
We then add our security domain mapping to the Undertow subsystem: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/add our security domain mapping to the Undertow subsystem/update the security domain mapping in the Undertow subsystem
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
---- | ||
|
||
|
||
=== Deploying to app to WildFly |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Deploying to/Deploying the
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
---- | ||
|
||
=== Verifying Integrity | ||
Now you may navigate to ``http://localhost:8080/integrity-filesystem``, and when it prompt's you to enter a username and password, put in the credentials we specified earlier, ``quickstartUser``, and ``password123!``. This should authenticate you to a page that shows you the principal you're logged in with. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/prompt's/prompts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Ashpan!
I've only added some minor comments.
Just thinking, it might be good to mention the op for verifying the integrity of the whole realm and also how to update the key pair if needed.
|
||
* ``key-store``: This attribute specifies the key store resource where the key pair resides in. This key store must be configured prior to creating the filesystem realm. This attribute is optional and if not specified, the filesystem realm will not verify its integrity. | ||
|
||
* ``key-store-alias``: This attribute specifies the alias to the key pair in the key store to verify filesystem integrity. This attribute is required if the `key-store` attribute is specified. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was just reviewing your documentation update and might be good to use the descriptions of the attributes from there here as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
@Ashpan When you get a chance, would be good to include the link to the post from your fork in the description. |
Added a section |
e7ac667
to
1940d96
Compare
Requires ELY-2320 to be merged first
https://ashpan.github.io/wildfly-elytron/blog/filesystem-integrity/
#1709
https://github.com/Ashpan/wildfly-elytron/tree/ELY-2320