Blog post for filesystem integrity #1716
Conversation
| link: | ||
| --- | ||
|
|
||
| Previously, any data in the filesystem realm was not verified, this meant that anyone with access to the identity files, could tamper with the data without any way of knowing. Now filesystem integrity has been added by generating a signature through the use of a public-private key pair. |
There was a problem hiding this comment.
s/Now filesystem integrity.../Now support for filesystem integrity checking has been added by adding signatures to identity files. This is done using a public-private key pair. (or something along those lines)
|
|
||
| == A Complete Example | ||
|
|
||
| In this post we go through an example of setting up a filesystem realm with integrity enabled on a web application. |
There was a problem hiding this comment.
s/...with integrity enabled.../with integrity enabled and then we'll try accessing a web application that's secured using this realm.
| filesystem realm and role decoder as follows: | ||
| [source] | ||
| ---- | ||
| /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles) |
There was a problem hiding this comment.
I think this role decoder can be removed since the default role decoder will use the Roles attribute.
|
|
||
| NOTE: Creating an additional security domain (``fsDomain``in this case) is not necessary. | ||
| We could alternatively take the default ``ApplicationDomain`` and add the | ||
| FileSystem realm and role-decoder to it. |
There was a problem hiding this comment.
Same here, I think the role-decoder reference can be dropped.
| We could alternatively take the default ``ApplicationDomain`` and add the | ||
| FileSystem realm and role-decoder to it. | ||
|
|
||
| We then add our security domain mapping to the Undertow subsystem: |
There was a problem hiding this comment.
s/add our security domain mapping to the Undertow subsystem/update the security domain mapping in the Undertow subsystem
| ---- | ||
|
|
||
|
|
||
| === Deploying to app to WildFly |
There was a problem hiding this comment.
s/Deploying to/Deploying the
| ---- | ||
|
|
||
| === Verifying Integrity | ||
| Now you may navigate to ``http://localhost:8080/integrity-filesystem``, and when it prompt's you to enter a username and password, put in the credentials we specified earlier, ``quickstartUser``, and ``password123!``. This should authenticate you to a page that shows you the principal you're logged in with. |
|
|
||
| * ``key-store``: This attribute specifies the key store resource where the key pair resides in. This key store must be configured prior to creating the filesystem realm. This attribute is optional and if not specified, the filesystem realm will not verify its integrity. | ||
|
|
||
| * ``key-store-alias``: This attribute specifies the alias to the key pair in the key store to verify filesystem integrity. This attribute is required if the `key-store` attribute is specified. |
There was a problem hiding this comment.
Was just reviewing your documentation update and might be good to use the descriptions of the attributes from there here as well.
|
@Ashpan When you get a chance, would be good to include the link to the post from your fork in the description. |
Added a section |
Ashpan
force-pushed
the
ELY-2320-blog
branch
2 times, most recently
from
e7ac667
to
1940d96
Compare
Requires ELY-2320 to be merged first
https://ashpan.github.io/wildfly-elytron/blog/filesystem-integrity/
#1709
https://github.com/Ashpan/wildfly-elytron/tree/ELY-2320